This note documents detection patterns related to Linux Network Reconnaissance on Linux systems.

Direct Indicators

Source	Grep Pattern / Artifact	Meaning	Forensic Value	Notes
Shell history	`ip a`	Interface enumeration	High	Very common first foothold command.
Shell history	`ifconfig`	Legacy interface enumeration	High	Still common operator habit.
Shell history	`ip route`	Routing discovery	Critical	Immediate network awareness.
Shell history	`route -n`	Legacy routing table	High	Common legacy usage.
Shell history	`arp -a`	Neighbor discovery	Critical	Local network target discovery.
Shell history	`ss -tulpn`	Listening sockets discovery	Critical	Service awareness.
Shell history	`netstat -tulpn`	Legacy socket discovery	Critical	Strong host recon signal.
Shell history	`hostname -I`	Host IP discovery	High	Quick context check.
Shell history	`ping`	Reachability testing	High	Simple target probing.
Shell history	`nc -zv`	Port probing	Critical	Lightweight scanning.
Shell history	`nmap`	Full network scan	Critical	Strong recon indicator.
Shell history	`dig`, `nslookup`	DNS discovery	High	Infrastructure mapping.
`auditd`	network tool execution	Process attribution	Critical	Best attribution if enabled.
Network logs	sequential internal probes	Critical	Strong recon evidence.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Recon immediately after login	Manual foothold progression	Critical	Common attacker sequence.
`ip route` then SSH movement	Route-aware pivoting	Critical	Strong movement chain.
ARP review before lateral movement	Local target selection	Critical	Common operator behavior.
Socket review before privilege abuse	Service target planning	High	Host-aware escalation.
`nmap` internal subnet scan	Broad recon	Critical	Strong hostile indicator.
DNS lookup of internal names	Infrastructure mapping	High	Environment awareness.
Recon under service account	Suspicious context	Critical	Exploitation shell likely.
`nc -zv` multiple hosts	Lightweight stealth scan	Critical	Strong operator pattern.
Hidden payload plus recon	Active intrusion	Critical	Strong combined signal.
Minimal recon but precise commands	Mature operator behavior	High	Skilled hands-on-keyboard clue.

Common Tools

Tool	Usage
`ip a`	Interface discovery.
`ip route`	Routing table review.
`arp -a`	Neighbor discovery.
`ss`	Socket inspection.
`netstat`	Legacy socket review.
`ping`	Reachability test.
`nc -zv`	Port probe.
`nmap`	Broad scan.
`dig` / `nslookup`	DNS resolution.

Relevant Artifacts

Artifact	Path / Command	Forensic Value	Notes
Shell history	`.bash_history`, `.zsh_history`	Critical	Recon command evidence.
Routing table	live system state	High	Context for movement paths.
ARP cache	`ip neigh` / `arp -a`	High	Nearby hosts discovered.
Socket list	`ss -tulpn`	Critical	Service context.
Audit logs	`/var/log/audit/audit.log`	Critical	Process attribution.
Firewall / flow logs	sequential probes	Critical	Network truth.

MITRE ATT&CK References

T1016 System Network Configuration Discovery
T1046 Network Service Scanning
T1018 Remote System Discovery

Decision Tree

Was network recon performed?
- Search shell history and audit logs.
Was local network mapped?
- Interfaces, routes, ARP, sockets.
Were remote targets probed?
- Ping, nc, nmap, DNS.
Did recon lead to movement?
- SSH, scp, credential use.
Is context suspicious?
- Service account, web shell, fresh foothold.
Pivot
- Routes → reachable targets.
- ARP → local host list.
- Scan targets → next-stage movement.
Confirm hostile recon
- Recon commands + suspicious context + follow-on action = strong discovery finding.

Example Detection Templates

Grep

grep -R "ip a\|ifconfig\|ip route\|route -n\|arp -a\|ss -tulpn\|netstat -tulpn\|hostname -I\|ping \|nc -zv\|nmap \|dig \|nslookup " /home/*/.bash_history /root/.bash_history 2>/dev/null

Journalctl

journalctl | grep -E "nmap|netstat|ss|ping"

File Inspection

ip a

ip route

Sigma

title: Linux Network Reconnaissance
id: linux-network-reconnaissance
status: experimental
description: Detects suspicious Linux network discovery and scanning activity
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - 'ip route'
      - 'arp -a'
      - 'ss -tulpn'
      - 'nmap'
  condition: selection_keywords
fields:
  - message
  - hostname
falsepositives:
  - Legitimate troubleshooting
level: medium
tags:
  - attack.discovery
  - attack.t1016

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Auditd	Track recon commands	High	Strong attribution.
Network segmentation	Limit reachable east-west scope	Critical	Reduces recon value.
Shell logging	Preserve command history centrally	High	Retains early discovery steps.
EDR network alerts	Detect scanning bursts	High	Strong runtime visibility.

Fast Triage Checks

Question	Command / Artifact	Why It Matters
Was route checked?	grep history	Immediate network intent clue.
Were nearby hosts enumerated?	arp usage	Local target selection.
Were sockets inspected?	ss / netstat	Service awareness.
Was subnet scanned?	nmap / nc / ping	Strong hostile recon.
Did recon lead to SSH?	correlate next commands	Movement progression.

High Value Grep Strings

Pattern	Why It Matters
`ip a`	Interface discovery.
`ip route`	Routing awareness.
`arp -a`	Neighbor discovery.
`ss -tulpn`	Service discovery.
`nc -zv`	Port probing.
`nmap`	Broad scanning.
`dig`	DNS infrastructure discovery.

Analyst Notes

Scenario	Interpretation
`ip route` then SSH	Route-aware pivot likely.
`arp -a` then internal scans	Local target discovery chain.
`nmap` under service account	Strong hostile signal.
`ss -tulpn` then exploit attempt	Local service targeting.
Minimal recon but precise routes	Mature operator behavior.
Recon immediately after foothold	Strong manual intrusion signal.