From 204b7637a4a0719db6b7416ae00e0228289d8baf Mon Sep 17 00:00:00 2001
From: hartescout <hartescout@protonmail.com>
Date: Tue, 19 Oct 2021 12:23:53 -0700
Subject: [PATCH 1/3] Proposed T1046 NetworkServicesScanning

---
 .../T1046_NetworkServicesScanning.xml           | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 linux/configs/_events/3_NetworkConnect/T1046_NetworkServicesScanning.xml

diff --git a/linux/configs/_events/3_NetworkConnect/T1046_NetworkServicesScanning.xml b/linux/configs/_events/3_NetworkConnect/T1046_NetworkServicesScanning.xml
new file mode 100644
index 0000000..ebd665e
--- /dev/null
+++ b/linux/configs/_events/3_NetworkConnect/T1046_NetworkServicesScanning.xml
@@ -0,0 +1,17 @@
+<Sysmon schemaversion="4.81">
+  <EventFiltering>
+    <RuleGroup name="" groupRelation="or">
+      <NetworkConnect onmatch="include">
+        <Rule name="TechniqueID=T1046,TechniqueName=Network Services Scanning" groupRelation="or">
+          <Image condition="end with">/netcat</Image>
+          <Image condition="end with">/ncl</Image>
+          <Image condition="end with">/telnet</Image>
+          <Image condition="end with">/nmap</Image>
+          <Image condition="end with">/curl</Image>
+          <Image condition="end with">/wget</Image>
+          <CommandLine condition="contains">l</CommandLine>
+        </Rule>
+      </NetworkConnect>
+    </RuleGroup>
+  </EventFiltering>
+</Sysmon>
\ No newline at end of file

From 73d9dc49b0b7d3738d02b1f58767bef0d76bd3b2 Mon Sep 17 00:00:00 2001
From: ark <hartescout@protonmail.com>
Date: Tue, 19 Oct 2021 17:22:44 -0700
Subject: [PATCH 2/3] Update T1046_NetworkServicesScanning.xml

---
 .../3_NetworkConnect/T1046_NetworkServicesScanning.xml        | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux/configs/_events/3_NetworkConnect/T1046_NetworkServicesScanning.xml b/linux/configs/_events/3_NetworkConnect/T1046_NetworkServicesScanning.xml
index ebd665e..ef231a4 100644
--- a/linux/configs/_events/3_NetworkConnect/T1046_NetworkServicesScanning.xml
+++ b/linux/configs/_events/3_NetworkConnect/T1046_NetworkServicesScanning.xml
@@ -4,7 +4,7 @@
       <NetworkConnect onmatch="include">
         <Rule name="TechniqueID=T1046,TechniqueName=Network Services Scanning" groupRelation="or">
           <Image condition="end with">/netcat</Image>
-          <Image condition="end with">/ncl</Image>
+          <Image condition="end with">/nc</Image>
           <Image condition="end with">/telnet</Image>
           <Image condition="end with">/nmap</Image>
           <Image condition="end with">/curl</Image>
@@ -14,4 +14,4 @@
       </NetworkConnect>
     </RuleGroup>
   </EventFiltering>
-</Sysmon>
\ No newline at end of file
+</Sysmon>

From a553a5e57488e2978732bb48e8ae74f7cb94d31d Mon Sep 17 00:00:00 2001
From: hartescout <hartescout@protonmail.com>
Date: Wed, 20 Oct 2021 21:40:49 -0700
Subject: [PATCH 3/3] what

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index dfcfd56..8730c0b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -220,6 +220,7 @@ _pkginfo.txt
 !?*.[Cc]ache/
 
 # Others
+ark_unCat/
 ClientBin/
 ~$*
 *~