Find sigma rule

Attack: System Network Configuration Discovery

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.

Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

MITRE

Tactic

discovery

technique

T1016

Test : List Open Egress Ports

OS

windows

Description:

This is to test for what ports are open outbound. The technique used was taken from the following blog: https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/

Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.

Executor

powershell

Sigma Rule

proc_creation_win_powershell_reverse_shell_connection.yml (id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be)
net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)
net_connection_win_susp_outbound_kerberos_connection.yml (id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74)
net_connection_win_rdp_outbound_over_non_standard_tools.yml (id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test