Find sigma rule
Attack: System Network Configuration Discovery
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route
, show ip interface
).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )
Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
MITRE
Tactic
- discovery
technique
- T1016
Test : Qakbot Recon
OS
- windows
Description:
A list of commands known to be performed by Qakbot for recon purposes
Executor
command_prompt
Sigma Rule
-
proc_creation_win_net_view_share_and_sessions_enum.yml (id: 62510e69-616b-4078-b371-847da438cc03)
-
proc_creation_win_net_execution.yml (id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac)
-
proc_creation_win_net_use_network_connections_discovery.yml (id: 1c67a717-32ba-409b-a45d-0fb704a73a81)