Find sigma rule
Attack: System Network Configuration Discovery
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route
, show ip interface
).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )
Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
MITRE
Tactic
- discovery
technique
- T1016
Test : Adfind - Enumerate Active Directory Subnet Objects
OS
- windows
Description:
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Executor
command_prompt
Sigma Rule
- proc_creation_win_pua_adfind_susp_usage.yml (id: 9a132afa-654e-11eb-ae93-0242ac130002)