Find sigma rule

Attack: System Network Configuration Discovery

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.

Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

MITRE

Tactic

discovery

technique

T1016

Test : System Network Configuration Discovery on Windows

OS

windows

Description:

Identify network configuration information

Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.

Executor

command_prompt

Sigma Rule

proc_creation_win_susp_network_command.yml (id: a29c1813-ab1f-4dde-b489-330b952e91ae)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test