Merge PR SigmaHQ#5013 from @ruppde - Update linux scanning rules

update: Linux HackTool Execution - Remove "zenmap" and "nmap" as they are already covered by 3e102cd9-a70d-4a7a-9508-403963092f31
update: Linux Network Service Scanning Tools Execution - Add "zenmap" utility

rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml

@@ -14,7 +14,7 @@ references:
     - https://github.com/Pennyw0rth/NetExec/
 author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
 date: 2023-01-03
-modified: 2023-10-25
+modified: 2024-09-19
 tags:
     - attack.execution
     - attack.resource-development
@@ -47,10 +47,8 @@ detection:
             - '/legion'
             - '/naabu'
             - '/netdiscover'
-            - '/nmap'
             - '/nuclei'
             - '/recon-ng'
-            - '/zenmap'
     selection_scanners_sniper:
         Image|contains: '/sniper'
     selection_web_enum:

rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml

@@ -8,7 +8,7 @@ references:
     - https://github.com/Tib3rius/AutoRecon
 author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
 date: 2020-10-21
-modified: 2023-10-25
+modified: 2024-09-19
 tags:
     - attack.discovery
     - attack.t1046
@@ -32,6 +32,7 @@ detection:
             - '/nmap'
             - '/nping'
             - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
+            - '/zenmap'
     filter_main_netcat_listen_flag:
         CommandLine|contains:
             - ' --listen '