Reconnaissance Detections

Name	Data Source	Technique	Type	Analytic Story	Date
Attacker Tools On Endpoint	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Match Legitimate Name or Location Masquerading OS Credential Dumping Active Scanning	TTP	CISA AA22-264A, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig	2024-09-30
Kerberos User Enumeration	Windows Event Log Security 4768	Gather Victim Identity Information Email Addresses	Anomaly	Active Directory Kerberos Attacks	2024-09-30
Recon AVProduct Through Pwh or WMI	Powershell Script Block Logging 4104	Gather Victim Host Information	TTP	Data Destruction, Hermetic Wiper, Malicious PowerShell, MoonPeak, Prestige Ransomware, Qakbot, Ransomware, Windows Post-Exploitation	2024-09-30
Recon Using WMI Class	Powershell Script Block Logging 4104	Gather Victim Host Information PowerShell	Anomaly	AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious PowerShell, MoonPeak, Qakbot	2024-09-30
System Info Gathering Using Dxdiag Application	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	Gather Victim Host Information	Hunting	Remcos	2024-10-17
Wermgr Process Connecting To IP Check Web Services	Sysmon EventID 22	Gather Victim Network Information IP Addresses	TTP	Trickbot	2024-09-30
Windows DNS Gather Network Info	CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688	DNS	Anomaly	Sandworm Tools, Volt Typhoon	2024-09-30
Windows Gather Victim Host Information Camera	Powershell Script Block Logging 4104	Hardware Gather Victim Host Information	Anomaly	DarkCrystal RAT	2024-09-30
Windows Gather Victim Identity SAM Info	Sysmon EventID 7	Credentials Gather Victim Identity Information	Hunting	Brute Ratel C4	2024-10-17
Windows Gather Victim Network Info Through Ip Check Web Services	Sysmon EventID 22	IP Addresses Gather Victim Network Information	Hunting	Azorult, DarkCrystal RAT, Handala Wiper, Phemedrone Stealer, Snake Keylogger	2024-10-17
WMI Recon Running Process Or Services	Powershell Script Block Logging 4104	Gather Victim Host Information	Anomaly	Data Destruction, Hermetic Wiper, Malicious PowerShell	2024-09-30
Internal Vulnerability Scan		Vulnerability Scanning Network Service Discovery	TTP	Network Discovery	2024-10-17