attack.discovery

DirectorySearcher Powershell Exploitation
level
status experimental

Enumerates Active Directory to determine computers that are joined to the domain

Run Whoami as Privileged User
level
status experimental

Detects a whoami.exe executed by privileged accounts that are often misused by threat actors

Redirect Output in CommandLine
level
status experimental

Use of “>” to redirect output in the command line

Suspicious Use of PsLogList
level
status experimental

Threat actors can use the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery.

Advanced Port Scanner
level
status experimental

Detects the use of Advanced Port Scanner.

Suspicious Findstr 385201 Execution
level
status experimental

Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).

Security Software Discovery by Powershell
level
status experimental

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-viru

Suspicious Get Information for SMB Share
level
status experimental

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User
level
status experimental

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Powershell File and Directory Discovery
level
status experimental

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Suspicious AdFind Enumerate
level
status experimental

Detects the execution of AdFind for enumeration

Suspicious Where Execution
level
status experimental

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Automated Collection Bookmarks Using Get-ChildItem PowerShell
level
status experimental

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Suspicious Get Local Groups Information with WMIC
level
status experimental

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Suspicious Get Local Groups Information
level
status experimental

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Use Get-NetTCPConnection
level
status experimental

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Use Get-NetTCPConnection
level
status experimental

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Suspicious Execution of SharpView Aka PowerView
level
status experimental

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Suspicious Nmap Execution
level
status experimental

Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation

Python Initiated Connection
level
status experimental

Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation

WhoAmI as Parameter
level
status experimental

Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)

AzureHound PowerShell Commands
level
status experimental

Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound

Correct Execution of Nltest.exe
level
status experimental

The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.

Azure AD Health Service Agents Registry Keys Access
level
status experimental

This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.

Azure AD Health Monitoring Agent Registry Keys Access
level
status experimental

This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

Powershell Suspicious Win32_PnPEntity
level
status experimental

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.

Google Cloud Storage Buckets Enumeration
level
status experimental

Detects when a storage bucket is enumerated in Google Cloud.

PowerShell ADRecon Execution
level
status experimental

Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7

Account Enumeration on AWS
level
status experimental

Detects enumeration of account configuration via API calls that list different instances and services within a short period of time.

Suspicious AdFind Execution
level
status experimental

Detects the execution of AdFind for Active Directory enumeration

Windows Pcap Drivers
level
status test

Detects Windows Pcap driver installation based on a list of associated .sys files.

Advanced IP Scanner
level
status experimental

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

Enumeration via the Global Catalog
level
status experimental

Detects enumeration of the global catalog (which can be performed using BloodHound or other AD reconnaissance tools). Adjust the threshold according to domain size.

Harvesting of Wifi Credentials Using netsh.exe
level
status test

Detects the harvesting of Wi-Fi credentials using netsh.exe

Trickbot Malware Recon Activity
level
status test

Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detector attempts to identify that activity based on a command rarely observed in an enterprise network.

Operation Wocao Activity
level
status experimental

Detects activity mentioned in Operation Wocao report

Bloodhound and Sharphound Hack Tool
level
status test

Detects command line parameters used by Bloodhound and Sharphound hack tools

Cisco Sniffing
level
status test

Shows when a monitor session or a SPAN/RSPAN session is set up or modified

Cisco Discovery
level
status test

Finds information about network devices that is not stored in config files

Cisco Collect Data
level
status test

Collects pertinent data from the configuration files

SAM Registry Hive Handle Request
level
status test

Detects handles requested to the SAM registry hive

Network Sniffing
level
status test

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Windows Network Enumeration
level
status stable

Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.

System Owner or User Discovery
level
status test

Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Query Registry
level
status test

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Capture a Network Trace with netsh.exe
level
status test

Detects capturing a network trace via the netsh.exe trace functionality

SysKey Registry Keys Access
level
status test

Detects handle requests and access operations to specific registry keys to calculate the SysKey

SCM Database Handle Failure
level
status experimental

Detects non-system users failing to get a handle of the SCM database.

Hacktool Ruler
level
status experimental

Detects events that are generated when using the hacktool Ruler by SensePost

Baby Shark Activity
level
status test

Detects activity that could be related to Baby Shark malware

Whoami Execution Anomaly
level
status experimental

Detects the execution of whoami with suspicious parents or parameters

Whoami Execution
level
status test

Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators

Suspicious Reconnaissance Activity
level
status experimental

Detects suspicious command line activity on Windows systems

Renamed Whoami Execution
level
status experimental

Detects the execution of whoami that has been renamed to a different name to avoid detection

Net.exe Execution
level
status experimental

Detects execution of Net.exe, whether suspicious or benign.

Dridex Process Pattern
level
status test

Detects typical Dridex process patterns

Turla Group Lateral Movement
level
status experimental

Detects automated lateral movement by Turla group

System Network Discovery - macOS
level
status test

Detects enumeration of local network configuration

System Network Discovery - Linux
level
status test

Detects enumeration of local network configuration

System Network Connections Discovery
level
status test

Detects usage of system utilities to discover system network connections

System Network Connections Discovery
level
status test

Detects usage of system utilities to discover system network connections

System Information Discovery
level
status stable

Detects system information discovery commands

System Information Discovery
level
status experimental

Detects System Information Discovery commands

Suspicious Sc Query
level
status experimental

Adversaries may try to get information about registered services

Suspicious Query of MachineGUID
level
status experimental

Use of reg to get MachineGuid information

Suspicious Network Command
level
status experimental

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Suspicious Netsh Discovery Command
level
status experimental

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Suspicious Execution of Adidnsdump
level
status experimental

This tool enables enumeration and export of all DNS records in the zone for reconnaissance of internal networks. Python 3 and python.exe must be installed. Used to query/modify DNS records for Active Directory-integrated DNS via LDAP.

Source Code Enumeration Detection by Keyword
level
status test

Detects source code enumeration that uses GET requests, based on keyword searches in URL strings

Security Software Discovery
level
status test

Detects usage of system utilities (only grep for now) to discover security software

Security Software Discovery
level
status test

Detects usage of system utilities (only grep for now) to discover security software

Run Whoami Showing Privileges
level
status experimental

Detects a whoami.exe executed with the /priv command line flag, instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.

Run Whoami as SYSTEM
level
status experimental

Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.

Remote Registry Management Using Reg Utility
level
status test

Remote registry management using the REG utility from a non-admin workstation

Reconnaissance Activity
level
status test

Detects activity as “net user administrator /domain” and “net group domain admins /domain”

Recon Activity with NLTEST
level
status experimental

Detects nltest commands that can be used for information discovery

Process Discovery
level
status stable

Detects process discovery commands

Password Policy Discovery
level
status stable

Detects password policy discovery commands

Network Sniffing
level
status test

Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Network Scans Count By Destination Port
level
status experimental

Detects many failed connection attempts to different ports or hosts

Network Scans Count By Destination IP
level
status test

Detects many failed connection attempts to different ports or hosts

Network Reconnaissance Activity
level
status experimental

Detects a set of suspicious network related commands often used in recon stages

Macos Remote System Discovery
level
status test

Detects the enumeration of other remote systems.

MacOS Network Service Scanning
level
status test

Detects enumeration of local or remote network services.

Local System Accounts Discovery
level
status test

Detects enumeration of local system accounts

Local System Accounts Discovery
level
status test

Detects enumeration of local system accounts on macOS

Local Groups Discovery
level
status test

Detects enumeration of local system groups

Local Groups Discovery
level
status test

Detects enumeration of local system groups

Linux Remote System Discovery
level
status test

Detects the enumeration of other remote systems.

Linux Network Service Scanning
level
status experimental

Detects enumeration of local or remote network services.

LDAP Reconnaissance / Active Directory Enumeration
level
status experimental

Detects possible Active Directory enumeration via LDAP

GatherNetworkInfo.vbs Script Usage
level
status experimental

Adversaries can abuse the C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target

File and Directory Discovery
level
status test

Detects usage of system utilities to discover files and directories

File and Directory Discovery
level
status test

Detects usage of system utilities to discover files and directories

Domain User Enumeration Network Recon 01
level
status experimental

Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure call) operations used to enumerate a domain controller. The rule was created based on the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29

Detected Windows Software Discovery
level
status experimental

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

CrackMapExecWin
level
status test

Detects CrackMapExecWin Activity as Described by NCSC

AdFind Usage Detection
level
status test

AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.

Accesschk Usage After Privilege Escalation
level
status test

Accesschk is an access and privilege audit tool developed by Sysinternals and is often used by attackers to verify whether a privilege escalation attempt was successful.
