Enumerates Active Directory to determine computers that are joined to the domain
Detects a whoami.exe executed by privileged accounts that are often misused by threat actors
Use ">" to redirect information in the command line
Threat actors can use the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery.
Detects the use of Advanced Port Scanner.
Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-viru
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Detects the execution of AdFind for enumeration
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Use dir to collect information
Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
Detects the execution of AzureHound in PowerShell, a tool that gathers data from Azure for BloodHound
The attacker might use the LOLBAS binary nltest.exe for discovery of domain controllers, domain trusts, the parent domain and the current user's permissions.
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.
This detection uses Windows security events to detect suspicious access attempts to the registry key of the Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
Detects when a storage bucket is enumerated in Google Cloud.
Detects execution of ADRecon.ps1 for AD reconnaissance, which has been reported to be actively used by FIN7
Detects enumeration of account configuration via API calls that list different instances and services within a short period of time.
Detects the execution of AdFind for Active Directory enumeration
Detects Windows Pcap driver installation based on a list of associated .sys files.
Detects the use of Advanced IP Scanner, which appears to be a popular tool among ransomware groups.
Detects enumeration of the global catalog (which can be performed using BloodHound or other AD reconnaissance tools). Adjust the threshold according to domain size.
Detects the harvesting of Wi-Fi credentials using netsh.exe
Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detector attempts to identify that activity based on a command rarely observed in an enterprise network.
Detects activity mentioned in the Operation Wocao report
Detects command line parameters used by the BloodHound and SharpHound hack tools
Shows when a monitor or a SPAN/RSPAN session is set up or modified
Finds information about network devices that is not stored in config files
Collects pertinent data from the configuration files
Detects handles requested to the SAM registry hive
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use SPAN ports to capture a larger amount of data.
Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Detects capturing a network trace via the netsh.exe trace functionality
Detects handle requests and access operations to specific registry keys to calculate the SysKey
Detects non-system users failing to get a handle of the SCM database.
Detects events that are generated when using the hacktool Ruler by SensePost
Detects activity that could be related to Baby Shark malware
Detects the execution of whoami with suspicious parents or parameters
Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators
Detects suspicious command line activity on Windows systems
Detects the execution of whoami that has been renamed to a different name to avoid detection
Detects execution of Net.exe, whether suspicious or benign.
Detects typical Dridex process patterns
Detects automated lateral movement by Turla group
Detects enumeration of local network configuration
Detects usage of system utilities to discover system network connections
Detects system information discovery commands
Detects system information discovery commands
Adversaries may try to get information about registered services
Use of reg to get the MachineGuid value
Use of systeminfo to get system information
Use of hostname to get host information
This tool enables enumeration and exporting of all DNS records in the zone for reconnaissance of internal networks; Python 3 and python.exe must be installed. It is used to query/modify DNS records for Active Directory integrated DNS via LDAP.
Detects source code enumeration that uses GET requests with keyword searches in URL strings
Detects usage of system utilities (only grep for now) for security software discovery
Detects a whoami.exe executed with the /priv command line flag, instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
Remote registry management using the REG utility from a non-admin workstation
Detects activity such as "net user administrator /domain" and "net group domain admins /domain"
Detects nltest commands that can be used for information discovery
Detects process discovery commands
Detects password policy discovery commands
Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Detects many failed connection attempts to different ports or hosts
Detects a set of suspicious network-related commands often used in recon stages
Detects the enumeration of other remote systems.
Detects enumeration of local or remote network services.
Detects enumeration of local system accounts
Detects enumeration of local system accounts on macOS
Detects enumeration of local system groups
Detects possible Active Directory enumeration via LDAP
Adversaries can abuse the C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target
Detects usage of system utilities to discover files and directories
Domain user and group enumeration via network reconnaissance, as seen in APT29 and other common tactics and actors. Detects a set of RPCs (remote procedure calls) used to enumerate a domain controller. The rule was created based on the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
Detects CrackMapExecWin Activity as Described by NCSC
AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
AccessChk is an access and privilege audit tool developed by Sysinternals and often used by attackers to verify whether a privilege escalation attempt was successful