MacOS Network Service Scanning

level
status test

Detects enumeration of local or remote network services.

Known false-positives

  • Legitimate administration activities

References

Raw rule (edit)

title: MacOS Network Service Scanning
id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f
status: test
description: Detects enumeration of local or remote network services.
author: Alejandro Ortuno, oscd.community
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
date: 2020/10/21
modified: 2021/11/27
logsource:
  category: process_creation
  product: macos
detection:
  selection_1:
    Image|endswith:
      - '/nc'
      - '/netcat'
  selection_2:
    Image|endswith:
      - '/nmap'
      - '/telnet'
  filter:
    CommandLine|contains: 'l'
  condition: (selection_1 and not filter) or selection_2
falsepositives:
  - Legitimate administration activities
level: low
tags:
  - attack.discovery
  - attack.t1046

Sponsored by

Phish Report logo
With Phish Report you can achieve streamlined phishing takedowns using your existing security team.