Find sigma rule
Attack: System Network Configuration Discovery
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion)
Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
MITRE
Tactic
- discovery
Technique
- T1016
Test: List macOS Firewall Rules
OS
- macos
Description:
“This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows.
Using defaults, additional arguments can be added to see filtered details, such as globalstate for global configuration ("Is it on or off?"), firewall for common application allow rules, and explicitauths for specific rules configured by the user.
Using socketfilterfw, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out.”
Executor
bash
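As an added detection-side example (not part of the Atomic Red Team test or of any Sigma rule on this page), the bash script below flags the firewall-enumeration command lines the description names, defaults read of com.apple.alf and socketfilterfw with a --get*/--listapps flag, in a constructed process-execution log; the log layout, timestamps and usernames are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not the atomic test itself: spot command lines that enumerate
# the macOS Application Firewall, as described above:
#   defaults read /Library/Preferences/com.apple.alf [globalstate|firewall|explicitauths]
#   /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate | --listapps | ...
# Input: one process-execution record per line in an assumed "ts|user|cmdline" layout.

# Constructed sample log; timestamps, usernames and the benign lines are invented.
SAMPLE_LOG='2024-05-01T10:00:01Z|alice|ls -la /Users/alice
2024-05-01T10:00:07Z|root|defaults read /Library/Preferences/com.apple.alf globalstate
2024-05-01T10:00:09Z|root|/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
2024-05-01T10:00:12Z|bob|defaults read com.apple.finder AppleShowAllFiles
2024-05-01T10:00:15Z|root|/usr/libexec/ApplicationFirewall/socketfilterfw --listapps
2024-05-01T10:00:20Z|alice|git status'

# Print every record whose command line reads the firewall configuration:
# "defaults read" of the com.apple.alf plist (any key), or socketfilterfw with a
# read-only --get*/--listapps flag. Reads the files given as arguments, else stdin.
flag_firewall_discovery() {
  grep -E -e 'defaults[[:space:]]+read[[:space:]]+[^|]*com\.apple\.alf' \
          -e 'socketfilterfw[[:space:]]+--(get[a-z]+|listapps)' "$@"
}

# Number of flagged records in the sample log (a quick triage summary).
count_firewall_discovery() {
  printf '%s\n' "$SAMPLE_LOG" | flag_firewall_discovery | wc -l | tr -d ' '
}

# Show the flagged records when run directly.
printf '%s\n' "$SAMPLE_LOG" | flag_firewall_discovery
```

The two defaults lines show why the pattern anchors on the com.apple.alf plist rather than on defaults read alone: reading an unrelated preference domain is routine and must not fire.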