EXPLORE
← Back to Explore
jamf_protectinformationalTTP

Nmap Scan Activity

This detection functions by monitoring for process activity using the nmap binary to process arguments containing "-sS -sV -Pn {IPRANGE} -p {PORTS}".

Detection Query

$event.type == 1 AND $event.process.path.lastPathComponent == "nmap" AND $event.process.commandLine MATCHES ".*nmap\\s+(?:-[sSVPn]{0,2}\\s+){0,3}?(?:\\d{1,3}\\.){3}?\\d{1,3}\\/\\d{1,2}\\s\\-p\\s(?:\\d+(?:\\,\\d+)*)?"

Author

Jamf

Data Sources

Process EventsmacOS Endpoint Security

Platforms

macos

Tags

VisibilityDiscovery
Raw Content
---
name: NmapScanActivity
uuid: e707c00f-7d3b-45d1-a4ca-16d03b9af404
longDescription: This detection functions by monitoring for process activity using the nmap binary to process arguments containing "-sS -sV -Pn {IPRANGE} -p {PORTS}".
level: 0
inputType: GPProcessEvent
tags:
snapshotFiles: []
filter: $event.type == 1 AND
  $event.process.path.lastPathComponent == "nmap" AND
  $event.process.commandLine MATCHES ".*nmap\\s+(?:-[sSVPn]{0,2}\\s+){0,3}?(?:\\d{1,3}\\.){3}?\\d{1,3}\\/\\d{1,2}\\s\\-p\\s(?:\\d+(?:\\,\\d+)*)?"
actions:
  - name: Log
context: []
categories:
  - Visibility
version: 1
severity: Informational
shortDescription: The nmap binary has been lauched for scanning IP ranges on an endpoint.
label: Nmap Scan Activity
remediation: null
MitreCategories:
  - Discovery