Proposed T1046 NetworkServicesScanning

[hartescout]

Looking to add some rules. Apologies if not correct.

[ghost]

All CLA requirements met.

[hartescout]

Looking at the repo again it looks like I missed the appropriate folder for this rule. Apologies. Should I close and resubmit?

[Cyb3rWard0g]

Hello @hartescout ! Thank you for taking the time to contribute and share your ideas! There is not a right way to do all this. We are also learning as we go . If you can please simply move the file to the right folder and push the commit to your fork, then this PR will update.

Feedback:

• Also, I was looking at the rule, and I would like to get more details on CommandLine l rule. The rule you are creating is of NetworkConnect and it does not have a CommandLine field. Did you mean ProcessCreate?
• If you meant to use NetworkConnect as the rule type, maybe we can add some direction to it. Outbound connection and initiated by the process too.
• Are there any other rules where we are tagging throse processes too? If so, then one of the tags will apply to the event when generated. It is fine, but just to be aware.

Let me know what you think 👍🏾

[hartescout]

Hello @hartescout ! Thank you for taking the time to contribute and share your ideas! There is not a right way to do all this. We are also learning as we go . If you can please simply move the file to the right folder and push the commit to your fork, then this PR will update.

Feedback:

* Also, I was looking at the rule, and I would like to get more details on `CommandLine` `l` rule. The rule you are creating is of `NetworkConnect` and it does not have a CommandLine field. Did you mean `ProcessCreate`?

* If you meant to use `NetworkConnect` as the rule type, maybe we can add some direction to it. Outbound connection and initiated by the process too.

* Are there any other rules where we are tagging throse processes too? If so, then one of the tags will apply to the event when generated. It is fine, but just to be aware.

Let me know what you think 👍🏾

Wow yeah it looks like I pushed the rule for PR before I saved changes. I added the l in there based off a Sigma rule I was looking at, l is for listen flag if used. Will take a look again tonight. What I set out to do today was convert as many "baseline/basic" coverage rules MSTIC hasn't been able to get to yet. Mostly for my practice, but hopefully it can help out as well.

* If you meant to use `NetworkConnect` as the rule type, maybe we can add some direction to it. Outbound connection and initiated by the process too.

* Are there any other rules where we are tagging throse processes too? If so, then one of the tags will apply to the event when generated. It is fine, but just to be aware.

You are right, I need to look into what difference ProcessCreate or NetworkConnect would make with that rule, and direction would be key as well. Thank you for all the feedback!