Linux System Network Discovery via Multiple Utilities
Adversaries may attempt to enumerate local network configurations on Linux systems using common utilities like arp, ifconfig, ip, netstat, firewall-cmd, ufw, iptables, ss, and route to gather information for reconnaissance and subsequent attacks, leading to network mapping and vulnerability identification.
This detection focuses on identifying potential network reconnaissance activity on Linux systems. It monitors for the execution of multiple common network utilities within a short timeframe, specifically processes like "arp," "ifconfig," "ip," "netstat," "firewall-cmd," "ufw," "iptables," "ss," and "route." This behavior, when observed in rapid succession, is indicative of an attacker attempting to map the network, identify potential targets, and gather information for lateral movement or further exploitation. This type of activity is a common precursor to more significant attacks such as data exfiltration or ransomware deployment. The detection leverages process monitoring logs and aggregates process execution events within a 30-minute window.
Attack Chain
- Initial Access: An attacker gains initial access to a Linux system, potentially through exploiting a vulnerability or using stolen credentials.
- Privilege Escalation (Optional): If necessary, the attacker escalates privileges to gain root or administrator access.
- Network Enumeration: The attacker executes a series of network enumeration commands using utilities like
ip addr,ifconfig, andnetstatto discover network interfaces, IP addresses, and routing information. - Firewall Discovery: The attacker uses
firewall-cmd,iptables, orufwto identify firewall rules and configurations, potentially seeking weaknesses or misconfigurations. - ARP Table Examination: The attacker uses the
arpcommand to map IP addresses to MAC addresses on the local network segment. - Port Scanning (Optional): The attacker may use
ssornetstatto identify open ports and services running on the local machine or other systems on the network. - Route Table Examination: The attacker uses the
routecommand to understand network routing configurations and identify potential paths for lateral movement. - Lateral Movement/Further Exploitation: Using the gathered network information, the attacker plans and executes further exploitation, lateral movement, or data exfiltration.
Impact
Successful network discovery allows attackers to map the network, identify vulnerable systems, and plan further attacks. This can lead to data breaches, system compromise, and disruption of services. While this detection itself does not indicate a breach, it is a strong indicator of reconnaissance activity preceding a more significant attack. Compromised systems could be leveraged for lateral movement, data exfiltration, or deployment of ransomware, impacting potentially hundreds or thousands of systems, depending on the size of the network.
Recommendation
- Deploy the Sigma rule
Detect Multiple Network Discovery Toolsto your SIEM and tune it for your environment. - Enable Sysmon for Linux Event ID 1 or equivalent process execution logging to provide the data source for the Sigma rule.
- Investigate any alerts generated by the Sigma rule, focusing on the user accounts and processes involved in the network discovery activity.
- Review firewall configurations and network segmentation policies to limit the potential impact of lateral movement.
- Implement the provided RBA (Risk Based Alerting) configuration in your Splunk environment to prioritize and score incidents based on the involved assets and users.
Detection coverage 2
Detect Multiple Network Discovery Tools
mediumDetects the execution of multiple network discovery tools within a 30-minute timeframe on a Linux system, indicative of reconnaissance activity.
Detect Network Configuration Changes via Firewall-cmd
lowDetects attempts to modify firewall configurations using firewall-cmd on Linux systems.
Detection queries are available on the platform. Get full rules →