-
Notifications
You must be signed in to change notification settings - Fork 456
Expand file tree
/
Copy pathmacos_system_network_configuration_discovery.yml
More file actions
65 lines (65 loc) · 4.22 KB
/
macos_system_network_configuration_discovery.yml
File metadata and controls
65 lines (65 loc) · 4.22 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
name: MacOS System Network Configuration Discovery
id: 66945806-0891-4055-952f-ea11b7bc54dd
version: 1
date: '2025-09-08'
author: Jamie Windley
status: production
type: Anomaly
description: This analytic detects the execution of common network configuration discovery commands on macOS systems. Specifically, it focuses on instances of `netstat -ant`, `arp -a`, and `ifconfig`. These utilities are often used for legitimate troubleshooting, but they are also frequently leveraged by adversaries during the reconnaissance phase to enumerate network interfaces, identify active connections, and discover other hosts within the same broadcast domain. Monitoring for the use of these commands, particularly when executed by unexpected users or during unusual time periods, can provide early warning of potentially malicious activity.
data_source:
- osquery
search: "| tstats `security_content_summariesonly` values(Processes.process) as process\
\ values(Processes.parent_process) AS parent_process values(Processes.parent_process_exec)\
\ AS parent_process_exec values(Processes.parent_process_id) AS parent_process_id\
\ values(Processes.parent_process_name) AS parent_process_name values(Processes.parent_process_path)\
\ AS parent_process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes\
\ where Processes.process IN (\"netstat -ant\", \"arp -a\", \"ifconfig\") by Processes.action\
\ Processes.dest Processes.process Processes.process_hash Processes.process_id Processes.process_name\
\ Processes.process_path Processes.user Processes.vendor_product \n| `drop_dm_object_name(Processes)`\
\ \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n\
| `macos_system_network_configuration_discovery_filter`\n | `macos_system_network_configuration_discovery_filter`"
how_to_implement: Collection of process execution events from macOS endpoints is required. This can be achieved using osquery’s `es_process_events` table, EndpointSecurity framework integrations, or an EDR platform capable of recording process command lines. Ensure that captured events include at least the process path, full command line, user context, and timestamp.
known_false_positives: These commands are commonly executed by system administrators, help desk personnel, monitoring agents, and diagnostic scripts as part of routine system maintenance. Security tools and network monitoring utilities may also invoke these commands for inventory or health check purposes. To reduce false positives, consider excluding events originating from trusted management hosts, known administrative accounts, or processes executed on a predictable schedule.
references: []
drilldown_searches:
- name: View the detection results for - "$user$" and "$dest$"
search: '%original_detection_search% | search user = "$user$" AND dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
"$dest$") starthoursago=168 | stats count min(_time)
as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: MacOS system network configuration discovery command observed
risk_objects:
- field: dest
type: system
score: 6
- field: user
type: user
score: 6
threat_objects: []
tags:
analytic_story:
- Network Discovery
asset_type: Endpoint
mitre_attack_id:
- T1016
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
cve: []
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log
sourcetype: osquery:results
source: local_vm