Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.

Read More

Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.

Read More

Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.

Read More

Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.

Read More

Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.

Read More

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Read More

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.

Read More

Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.

Read More

Detects the use of "sw_vers" for system information discovery

Read More

Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.

Read More

Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.

Read More

Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.

Read More

Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.

Read More

Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.

Read More

Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Read More

Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.

Read More

Detects the execution of whoami.exe with suspicious parent processes.

Read More

Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors

Read More

Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.

Read More

Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.

Read More

Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More

Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.

Read More

Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More

Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More

Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More

Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More

Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line

Read More

Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus

Read More

Detects enumeration of local network configuration

Read More

Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.

Read More

Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.

Read More

Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.

Read More

Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.

Read More

Detects potential Active Directory enumeration via LDAP

Read More

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Read More

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Read More

Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.

Read More

Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory

Read More

Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.

Read More

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Read More

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Read More

Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs

Read More

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

Read More

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Read More

This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.

Read More

This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.

Read More

Detects user data export activity.

Read More

Detects default file names outputted by the BloodHound collection tool SharpHound

Read More

Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.

Read More

Collect pertinent data from the configuration files

Read More

Find information about network devices that is not stored in config files

Read More

Show when a monitor or a span/rspan is setup or modified

Read More

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

Read More

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

Read More

Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.

Read More

Detects use of chcp to look up the system locale value as part of host discovery

Read More

Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem

Read More

Detects usage of crontab to list the tasks of the user

Read More

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

Read More

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

Read More

Enumerates Active Directory to determine computers that are joined to the domain

Read More

Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.

Read More

Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.

Read More

Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.

Read More

Detects DNS server discovery via LDAP query requests from uncommon applications

Read More

Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery

Read More

Detects execution of "dsquery.exe" for domain trust discovery

Read More

Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers

Read More

Detects the execution of "whoami.exe" with the "/all" flag

Read More

Detects usage of system utilities to discover files and directories

Read More

Detects usage of system utilities to discover files and directories

Read More

Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.

Read More

Attackers may leverage fsutil to enumerated connected drives.

Read More

Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".

Read More

Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.

Read More

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Read More

Detects when storage bucket is enumerated in Google Cloud.

Read More

Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information

Read More

Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.

Read More

Detects command line parameters used by Bloodhound and Sharphound hack tools

Read More

Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.

Read More

This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.

Read More

Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff

Read More

Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.

Read More

Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller

Read More

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Read More

Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.

Read More

This events that are generated when using the hacktool Ruler by Sensepost

Read More

Detect the harvesting of wifi credentials using netsh.exe

Read More

Detects enumeration of local or remote network services.

Read More

Detects the enumeration of other remote systems.

Read More

Local accounts, System Owner/User discovery using operating systems utilities

Read More

Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings

Read More

Detects enumeration of local system groups

Read More

Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Read More

Detects enumeration of local systeam accounts on MacOS

Read More

Detects enumeration of local or remote network services.

Read More

Detects the enumeration of other remote systems.

Read More

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More

Detects a set of suspicious network related commands often used in recon stages

Read More

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Read More

Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Read More

Detects the execution of netsh with the "trace" flag in order to start a network capture

Read More

Detects nltest commands that can be used for information discovery

Read More

Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command

Read More

Detects instances where an SNMP service on an OpenCanary node has had an OID request.

Read More

Detects activity mentioned in Operation Wocao report

Read More

Detects activity mentioned in Operation Wocao report

Read More

Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"

Read More

Detects password policy discovery commands

Read More

Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.

Read More

Detects when the password policy is enumerated.

Read More

Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges

Read More

Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT

Read More

Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.

Read More

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Read More

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Read More

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Read More

Detects read access to a domain user from a non-machine account

Read More

Detects activity that could be related to Baby Shark malware

Read More

Looks for potential enumeration of AWS buckets via ListBuckets.

Read More

Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.

Read More

Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.

Read More

Detects usage of "find" binary in a suspicious manner to perform discovery

Read More

Detects usage of "find" binary in a suspicious manner to perform discovery

Read More

Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.

Read More

Detects potential Dridex acitvity via specific process patterns

Read More

Detects the use of grep to discover specific files created by the GobRAT malware

Read More

Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Read More

Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.

Read More

Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups. The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).

Read More

Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers

Read More

Detects nltest commands that can be used for information discovery

Read More

Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine

Read More

Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy

Read More

Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7

Read More

Detects technique used by MAZE ransomware to enumerate directories using Powershell

Read More

Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers

Read More

Detect adversaries enumerate sensitive files

Read More

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.

Read More

Detects process discovery commands. Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network

Read More

Detects AdFind execution with common flags seen used during attacks

Read More

This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP

Read More

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

Read More

Detect the update check performed by Advanced IP/Port Scanner utilities.

Read More

Detects the use of Advanced Port Scanner.

Read More

Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.

Read More

Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation

Read More

Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters

Read More

Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks. It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.

Read More

Detects active directory enumeration activity using known AdFind CLI flags

Read More

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

Read More

Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.

Read More

Detects remote RPC calls to read information about scheduled tasks via SASec

Read More

Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this technique to extract specific information they require in their reconnaissance phase.

Read More

Detects activity as "net user administrator /domain" and "net group domain admins /domain"

Read More

Detects remote RPC calls to get event log information via EVEN or EVEN6

Read More

Detects remote RPC calls to collect information

Read More

Detects remote RPC calls to read information about scheduled tasks via AtScv

Read More

Detects remote RPC calls to read information about scheduled tasks

Read More

Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.

Read More

Detects execution of renamed Remote Utilities (RURAT) via Product PE header field

Read More

Detects the execution of whoami that has been renamed to a different name to avoid detection

Read More

Detects handles requested to SAM registry hive

Read More

Detects non-system users failing to get a handle of the SCM database.

Read More

Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.

Read More

Detects usage of system utilities (only grep and egrep for now) to discover security software discovery

Read More

Detects usage of system utilities (only grep for now) to discover security software discovery

Read More

Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.

Read More

Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.

Read More

Detects source code enumeration that use GET requests by keyword searches in URL strings

Read More

Use of hostname to get information

Read More

Detects usage of the "systeminfo" command to retrieve information

Read More

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

Read More

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

Read More

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Read More

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Read More

Detect use of Get-GPO to get one GPO or all the GPOs in a domain.

Read More

Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)

Read More

Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1

Read More

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Read More

Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.

Read More

Detects the use of PowerShell to identify the current logged user.

Read More

Get the processes that are running on the local computer.

Read More

Use of reg to get MachineGuid information

Read More

Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet

Read More

Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine

Read More

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system

Read More

Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs

Read More

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Read More

Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering

Read More

Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes

Read More

Detects handle requests and access operations to specific registry keys to calculate the SysKey

Read More

Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).

Read More

Detects system information discovery commands

Read More

An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the wmic command-line utility and has been observed being used by threat actors such as Volt Typhoon.

Read More

Detects system information discovery commands

Read More

Detects System Information Discovery commands

Read More

Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.

Read More

Detects usage of system utilities to discover system network connections

Read More

Detects usage of system utilities to discover system network connections

Read More

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Read More

Detects enumeration of local network configuration

Read More

Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Read More

Detects automated lateral movement by Turla group

Read More