Network Service Discovery T1046

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.

Events covered

12 catalog events are tagged with this technique by at least one rule.

Provider          | Event ID | Title
------------------|----------|--------------------------------------------------------------------------------------------------------
Sysmon            | 1        | Process creation
Sysmon            | 3        | Network connection
Sysmon            | 11       | FileCreate
Security-Auditing | 4688     | A new process has been created.
Security-Auditing | 5152     | The Windows Filtering Platform blocked a packet.
Security-Auditing | 5154     | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Security-Auditing | 5155     | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Security-Auditing | 5156     | The Windows Filtering Platform has permitted a connection.
Security-Auditing | 5157     | The Windows Filtering Platform has blocked a connection.
Security-Auditing | 5158     | The Windows Filtering Platform has permitted a bind to a local port.
Security-Auditing | 5159     | The Windows Filtering Platform has blocked a bind to a local port.
PowerShell        | 4104     | Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 13 rules under this technique: which fields they filter on, which specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (15 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field               | Rules | How                     | Sample values
--------------------|-------|-------------------------|------------------------------------------------------------------------------------------------------------------------------
Image               | 7     | ends_with 4, match 3    | \winPEASx86_ofs.exe, \winPEASany_ofs.exe, \winPEASx86.exe, \advanced_ip_scanner, \advanced_port_scanner
CommandLine         | 5     | match 5, ends_with 1    | /lng, /portable, https://github.com/carlospolop/PEASS-ng/releases/latest/download/, eventsinfo, servicesinfo
OriginalFileName    | 4     | eq 2, match 2           | winPEAS.exe, advanced_ip_scanner, advanced_port_scanner, nmap.exe, zennmap.exe
Description         | 3     | match 2, eq 1           | Advanced IP Scanner, Advanced Port Scanner, Application for scanning networks
NetworkDirection    | 1     | eq 1                    | Inbound
AttemptedPortsCount | 1     | gt 1                    | PortScanThreshold
TargetFilename      | 1     | match 1                 | \AppData\Local\Temp\Advanced IP Scanner 2
ParentCommandLine   | 1     | ends_with 1             |  -linpeas
ScriptBlockText     | 1     | match 1                 | WinPwn , WinPwn.exe, WinPwn.ps1
Hashes              | 1     | match 1                 | IMPHASH=41BB1C7571B3A724EB83A1D2B96DBB8C, IMPHASH=0D1F896DC7642AD8384F9042F30279C2, IMPHASH=B1B6ADACB172795480179EFD18A29549
Product             | 1     | eq 1                    | Network Scanner
src_ip              | 1     | eq 1                    | 127.0.0.1
Initiated           | 1     | eq 1                    | true
ParentImage         | 1     | eq 1                    | C:\ProgramData\Anaconda3\Scripts\conda.exe, C:\ProgramData\Anaconda3\python.exe
dest_ip             | 1     | eq 1                    | 127.0.0.1

Top indicator values (60 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field               | Kind      | Value                                       | Rules (here) | Corpus reach
--------------------|-----------|---------------------------------------------|--------------|-------------
CommandLine         | match     | /portable                                   | 2            | 2
CommandLine         | match     | /lng                                        | 2            | 2
NetworkDirection    | eq        | Inbound                                     | 1            |
AttemptedPortsCount | gt        | PortScanThreshold                           | 1            |
TargetFilename      | match     | \AppData\Local\Temp\Advanced IP Scanner 2   | 1            |
CommandLine         | match     |  browserinfo                                | 1            |
Image               | ends_with | \winPEASx86_ofs.exe                         | 1            | 2
CommandLine         | match     |  applicationsinfo                           | 1            |
CommandLine         | match     |  eventsinfo                                 | 1            |
Image               | ends_with | \winPEASany_ofs.exe                         | 1            | 2
Image               | ends_with | \winPEASx64.exe                             | 1            | 2
CommandLine         | match     |  filesinfo                                  | 1            |
CommandLine         | match     |  processinfo                                | 1            |
CommandLine         | ends_with |  -linpeas                                   | 1            |
OriginalFileName    | eq        | winPEAS.exe                                 | 1            |
Image               | ends_with | \winPEASx86.exe                             | 1            | 2
ParentCommandLine   | ends_with |  -linpeas                                   | 1            |
CommandLine         | match     |  fileanalysis                               | 1            |
CommandLine         | match     |  servicesinfo                               | 1            |
CommandLine         | match     |  windowscreds                               | 1            |

Common exclusions (2 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field  | Kind | Value     | Rules excluding
-------|------|-----------|----------------
src_ip | in   | ::1       | 1
src_ip | in   | 127.0.0.1 | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's own page lists its full predicates, exclusions, and indicators.

Sigma (10 rules)

Kusto Query Language (3 rules)