Reconnaissance Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
| --- | --- | --- | --- | --- | --- |
| Attacker Tools On Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | TTP | CISA AA22-264A, Compromised Windows Host, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig | 2024-11-28 |
| Kerberos User Enumeration | Windows Event Log Security 4768 | Gather Victim Identity Information, Email Addresses | Anomaly | Active Directory Kerberos Attacks | 2024-09-30 |
| Recon AVProduct Through Pwh or WMI | Powershell Script Block Logging 4104 | Gather Victim Host Information | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell, MoonPeak, Prestige Ransomware, Qakbot, Ransomware, Windows Post-Exploitation | 2024-09-30 |
| Recon Using WMI Class | Powershell Script Block Logging 4104 | Gather Victim Host Information, PowerShell | Anomaly | AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious PowerShell, MoonPeak, Qakbot | 2024-09-30 |
| System Info Gathering Using Dxdiag Application | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Gather Victim Host Information | Hunting | Remcos | 2024-10-17 |
| Wermgr Process Connecting To IP Check Web Services | Sysmon EventID 22 | Gather Victim Network Information, IP Addresses | TTP | Trickbot | 2024-09-30 |
| Windows DNS Gather Network Info | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DNS | Anomaly | Sandworm Tools, Volt Typhoon | 2024-09-30 |
| Windows Gather Victim Host Information Camera | Powershell Script Block Logging 4104 | Hardware, Gather Victim Host Information | Anomaly | DarkCrystal RAT | 2024-09-30 |
| Windows Gather Victim Identity SAM Info | Sysmon EventID 7 | Credentials, Gather Victim Identity Information | Hunting | Brute Ratel C4 | 2024-10-17 |
| Windows Gather Victim Network Info Through Ip Check Web Services | Sysmon EventID 22 | IP Addresses, Gather Victim Network Information | Hunting | Azorult, DarkCrystal RAT, Handala Wiper, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Snake Keylogger | 2024-11-28 |
| Windows RDP File Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Spearphishing Attachment, Remote Desktop Protocol | TTP | Spearphishing Attachments | 2024-11-21 |
| WMI Recon Running Process Or Services | Powershell Script Block Logging 4104 | Gather Victim Host Information | Anomaly | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-09-30 |
| Internal Vulnerability Scan |  | Vulnerability Scanning, Network Service Discovery | TTP | Network Discovery | 2024-10-17 |
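Several rows above share two telemetry sources: PowerShell script block logging (EventID 4104) for WMI/CIM-based host reconnaissance, and Sysmon EventID 22 (DNS query) for processes that look up the host's public IP address through external web services. The following is an added illustration, not Splunk's own search logic and not code from this page. It runs simplified Python equivalents of those checks over constructed sample events; the event field names (`EventID`, `Computer`, `ScriptBlockText`, `Image`, `QueryName`) follow the usual Windows/Sysmon field names but are an assumption about how the events were parsed, and the list of IP-check domains is a starting set, not an exhaustive one.

```python
"""Simplified reconnaissance checks over constructed Windows telemetry.

Added example only: these approximate the kind of logic behind the 4104 and
Sysmon 22 rows in the table. They are not Splunk's SPL, and every event
below is constructed, not captured.
"""
import re

# --- Constructed sample events (assumed shape: one dict per parsed event) --
SCRIPT_BLOCK_EVENTS = [  # Microsoft-Windows-PowerShell/Operational, EventID 4104
    {"EventID": 4104, "Computer": "WS01",
     "ScriptBlockText": "Get-WmiObject -Namespace root\\SecurityCenter2 -Class AntiVirusProduct"},
    {"EventID": 4104, "Computer": "WS02",
     "ScriptBlockText": "Get-CimInstance -ClassName Win32_Service | Where-Object {$_.State -eq 'Running'}"},
    {"EventID": 4104, "Computer": "WS03",
     "ScriptBlockText": "Write-Host 'hello'"},
]

DNS_EVENTS = [  # Sysmon EventID 22 (DnsEvent)
    {"EventID": 22, "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\wermgr.exe", "QueryName": "api.ipify.org"},
    {"EventID": 22, "Computer": "WS02",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "QueryName": "ifconfig.me"},
    {"EventID": 22, "Computer": "WS03",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "www.example.com"},
]

# The AntiVirusProduct class lives only in the root\SecurityCenter2 namespace,
# so seeing both tokens in one script block is a strong AV-discovery signal.
AV_RECON = re.compile(
    r"SecurityCenter2.*AntiVirusProduct|AntiVirusProduct.*SecurityCenter2", re.I | re.S)

# Process or service enumeration via WMI/CIM cmdlets, their aliases, or raw WQL.
PROC_SVC_RECON = re.compile(
    r"\b(Get-WmiObject|gwmi|Get-CimInstance|gcim|FROM)\b.*?\bWin32_(Process|Service)\b",
    re.I | re.S)

# Public-IP lookup services; a starting set, assumed rather than authoritative.
IP_CHECK_DOMAINS = {
    "api.ipify.org", "ifconfig.me", "icanhazip.com", "checkip.amazonaws.com",
    "ipinfo.io", "ip-api.com", "ipecho.net", "myexternalip.com",
}


def _domain_matches(query, domain):
    """True if query is the domain itself or a subdomain of it (case- and dot-insensitive)."""
    q = query.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def av_product_recon(events):
    """Counterpart of the 'Recon AVProduct Through Pwh or WMI' row: returns (host, script)."""
    return [(e["Computer"], e["ScriptBlockText"]) for e in events
            if e.get("EventID") == 4104 and AV_RECON.search(e.get("ScriptBlockText", ""))]


def wmi_process_service_recon(events):
    """Counterpart of 'WMI Recon Running Process Or Services': returns (host, script)."""
    return [(e["Computer"], e["ScriptBlockText"]) for e in events
            if e.get("EventID") == 4104 and PROC_SVC_RECON.search(e.get("ScriptBlockText", ""))]


def ip_check_dns(events):
    """Sysmon 22 queries to IP-check services from any image: returns (host, image, query)."""
    hits = []
    for e in events:
        if e.get("EventID") != 22:
            continue
        q = e.get("QueryName", "")
        if any(_domain_matches(q, d) for d in IP_CHECK_DOMAINS):
            hits.append((e["Computer"], e["Image"], q))
    return hits


def wermgr_ip_check(events):
    """Narrower TTP variant: only wermgr.exe (Windows Error Reporting) doing the lookup."""
    return [h for h in ip_check_dns(events)
            if h[1].lower().rsplit("\\", 1)[-1] == "wermgr.exe"]


if __name__ == "__main__":
    for name, hits in [("AV product recon", av_product_recon(SCRIPT_BLOCK_EVENTS)),
                       ("WMI process/service recon", wmi_process_service_recon(SCRIPT_BLOCK_EVENTS)),
                       ("IP-check DNS (hunting)", ip_check_dns(DNS_EVENTS)),
                       ("wermgr.exe IP-check (TTP)", wermgr_ip_check(DNS_EVENTS))]:
        print(f"{name}: {hits}")
```

The split between `ip_check_dns` and `wermgr_ip_check` mirrors the table's Hunting versus TTP rows: the broad query is noisy (browsers and legitimate tooling hit these services too) and belongs in a hunt, while the same query scoped to an unexpected image such as wermgr.exe is specific enough to alert on.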