back

Find sigma rule

Attack: Network Service Discovery

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)

Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.

Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)

MITRE

Tactic

• discovery

technique

• T1046

Test : WinPwn - bluekeep

OS

• windows

Description:

Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).

Executor

powershell

Sigma Rule

• proc_creation_win_powershell_susp_download_patterns.yml (id: e6c54d94-498c-4562-a37c-b469d8e9a275)

• proc_creation_win_powershell_download_iex.yml (id: 85b0b087-eddf-4a2b-b033-d771fa2b9775)

• proc_creation_win_powershell_download_patterns.yml (id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7)

• proc_creation_win_susp_web_request_cmd_and_cmdlets.yml (id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d)

• proc_creation_win_powershell_download_cradles.yml (id: 6e897651-f157-4d8f-aaeb-df8151488385)

• posh_ps_susp_invocation_specific.yml (id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71)

• posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)

• posh_pm_susp_invocation_specific.yml (id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090)

• posh_ps_detect_vm_env.yml (id: d93129cd-1ee0-479f-bc03-ca6f129882e3)

• posh_ps_malicious_commandlets.yml (id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6)

• posh_ps_win_api_susp_access.yml (id: 03d83090-8cba-44a0-b02f-0b756a050306)

• posh_ps_susp_download.yml (id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb)

• posh_ps_susp_get_current_user.yml (id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a)

• posh_ps_susp_keywords.yml (id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf)

• posh_ps_malicious_keywords.yml (id: f62176f3-8128-4faa-bf6c-83261322e5eb)

• posh_ps_susp_getprocess_lsass.yml (id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb)

• posh_ps_nishang_malicious_commandlets.yml (id: f772cee9-b7c2-4cb2-8f07-49870adc02e0)

• posh_ps_susp_get_process.yml (id: af4c87ce-bdda-4215-b998-15220772e993)

• file_event_win_powershell_exploit_scripts.yml (id: f331aa1f-8c53-4fc3-b083-cc159bc971cb)

• posh_ps_susp_local_group_reco.yml (id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb)

• posh_ps_localuser.yml (id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c)

• posh_ps_automated_collection.yml (id: c1dda054-d638-4c16-afc8-53e007f3fbc5)

• posh_ps_powerview_malicious_commandlets.yml (id: dcd74b95-3f36-4ed9-9598-0490951643aa)

• posh_ps_dump_password_windows_credential_manager.yml (id: 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc)

• posh_ps_susp_extracting.yml (id: bd5971a7-626d-46ab-8176-ed643f694f68)

• posh_ps_timestomp.yml (id: c6438007-e081-42ce-9483-b067fbef33c3)

• posh_ps_directoryservices_accountmanagement.yml (id: b29a93fb-087c-4b5b-a84d-ee3309e69d08)

• posh_ps_request_kerberos_ticket.yml (id: a861d835-af37-4930-bcd6-5b178bfb54df)

• posh_ps_invoke_command_remote.yml (id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6)

• net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)

• net_connection_win_susp_file_sharing_domains_susp_folders.yml (id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97)

• file_event_win_csharp_compile_artefact.yml (id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0)

• proc_creation_win_csc_susp_dynamic_compilation.yml (id: dcaa3f04-70c3-427a-80b4-b870d73c94c4)

• posh_pm_bad_opsec_artifacts.yml (id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86)

• posh_pm_susp_local_group_reco.yml (id: cef24b90-dddc-4ae1-a09a-8764872f69fc)

back