GitHub Repo

Reconnaissance Detections

Name Data Source Technique Type Analytic Story Date
Windows Gather Victim Identity SAM Info Sysmon EventID 7 T1589.001 Hunting Brute Ratel C4 2026-05-13
Recon Using WMI Class Powershell Script Block Logging 4104 T1059.001 T1592 Anomaly Scattered Spider, Quasar RAT, Axios Supply Chain Post Compromise, Malicious Inno Setup Loader, BlankGrabber Stealer, Hermetic Wiper, LockBit Ransomware, Data Destruction, Malicious PowerShell, AsyncRAT, Industroyer2, VIP Keylogger, Qakbot, MoonPeak 2026-05-13
Cisco NVM - Suspicious Network Connection to IP Lookup Service API Cisco Network Visibility Module Flow Data T1016 T1590.005 Anomaly BlankGrabber Stealer, Cisco Network Visibility Module Analytics, Castle RAT 2026-05-13
System Info Gathering Using Dxdiag Application CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1592 Hunting Remcos 2026-05-13
Recon AVProduct Through Pwh or WMI Powershell Script Block Logging 4104 T1592 TTP Quasar RAT, Ransomware, XWorm, Windows Post-Exploitation, Prestige Ransomware, Hermetic Wiper, Data Destruction, Malicious PowerShell, Qakbot, MoonPeak 2026-05-13
WMI Recon Running Process Or Services Powershell Script Block Logging 4104 T1592 Anomaly Hermetic Wiper, Data Destruction, Malicious PowerShell 2026-05-13
Kerberos User Enumeration Windows Event Log Security 4768 T1589.002 Anomaly Active Directory Kerberos Attacks 2026-05-13
Windows Gather Victim Host Information Camera Powershell Script Block Logging 4104 T1592.001 Anomaly DarkCrystal RAT 2026-05-13
Windows DNS Gather Network Info CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1590.002 Anomaly Volt Typhoon, Sandworm Tools 2026-05-13
Windows Detect Network Scanner Behavior Sysmon EventID 3 T1595.001 T1595.002 Anomaly Windows Discovery Techniques, Network Discovery 2026-05-13
Attacker Tools On Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Cisco Network Visibility Module Flow Data T1003 T1036.005 T1595 TTP Scattered Spider, PHP-CGI RCE Attack on Japanese Organizations, XMRig, CISA AA22-264A, Compromised Windows Host, Unusual Processes, SamSam Ransomware, Cisco Network Visibility Module Analytics 2026-05-13
Windows Netspy Network Scanner Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1018 T1595 Anomaly Windows Discovery Techniques, Network Discovery 2026-05-13
Windows WinPEAS PowerShell Script Execution Powershell Script Block Logging 4104 T1007 T1016 T1033 T1082 T1590 T1592.002 T1592.004 T1615 TTP Windows Post-Exploitation 2026-05-13
Local LLM Framework DNS Query Sysmon EventID 22 T1590 Hunting Suspicious Local LLM Frameworks 2026-05-13
Linux Medusa Rootkit Sysmon for Linux EventID 11 T1014 T1589.001 TTP China-Nexus Threat Activity, VoidLink Cloud-Native Linux Malware, Hellcat Ransomware, Medusa Rootkit 2026-05-13
Windows RDP File Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 T1021.001 T1598.002 TTP Spearphishing Attachments, Interlock Ransomware, Windows RDP Artifacts and Defense Evasion 2026-05-13
HTTP Rapid POST with Mixed Status Codes Nginx Access T1071.001 T1190 T1595 Anomaly HTTP Request Smuggling 2026-05-13
Cisco ASA - Reconnaissance Command Activity Cisco ASA Logs T1082 T1590.001 T1590.005 Anomaly Suspicious Cisco Adaptive Security Appliance Activity 2026-05-13
Ollama Possible API Endpoint Scan Reconnaissance Ollama Server T1595 Anomaly Suspicious Ollama Activities 2026-05-13
Wermgr Process Connecting To IP Check Web Services Sysmon EventID 22 T1590.005 TTP Trickbot 2026-05-13
Cisco Secure Firewall - Blocked Connection Cisco Secure Firewall Threat Defense Connection Event T1018 T1046 T1110 T1203 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Repeated Blocked Connections Cisco Secure Firewall Threat Defense Connection Event T1018 T1046 T1110 T1203 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Internal Vulnerability Scan T1046 T1595.002 TTP Scattered Lapsus$ Hunters, Network Discovery 2026-05-13
Cisco Secure Firewall - Rare Snort Rule Triggered Cisco Secure Firewall Threat Defense Intrusion Event T1583.006 T1598 Hunting Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows Gather Victim Network Info Through Ip Check Web Services Sysmon EventID 22 T1590.005 Anomaly Phemedrone Stealer, 0bj3ctivity Stealer, Quasar RAT, Void Manticore, BlankGrabber Stealer, Azorult, Castle RAT, PXA Stealer, Snake Keylogger, Meduza Stealer, VIP Keylogger, DarkCrystal RAT, Water Gamayun, Handala Wiper 2026-05-13
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity Cisco SD-WAN Service Proxy Access Logs T1595 Hunting Cisco Catalyst SD-WAN Analytics 2026-05-13
Cisco Secure Firewall - High Volume of Intrusion Events Per Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1071 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13