Discovery Activities (MITRE ATT&CK: T1016, T1083, T1046)

Note: Sometimes, you may have to customise the queries to your environment. Also, queries will only work if the data is available.

Overview:

Discovery tactics involve gathering information about the network, system, and security settings. Adversaries often use built-in tools to map out the environment and plan further attacks, such as lateral movement.

25 Example Queries for Actor Discovery Detection:

1. Detect Network Enumeration via Netstat. Netstat reveals active connections, open ports, and listening services.

```kql
DeviceProcessEvents
// =~ is case-insensitive; == is not, and several System32 binaries are logged with their real casing (NETSTAT.EXE, PING.EXE, ARP.EXE)
| where FileName =~ "netstat.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

2. Monitor the Use of Ipconfig for Network Discovery. Ipconfig provides detailed information about network interfaces.

```kql
DeviceProcessEvents
| where FileName =~ "ipconfig.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

3. Track Nslookup for DNS Reconnaissance. Nslookup is used to query DNS records, revealing internal services.

```kql
DeviceProcessEvents
| where FileName =~ "nslookup.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

4. Detect ARP Scans for Network Mapping. Arp scans are used to discover devices on the same network segment.

```kql
DeviceProcessEvents
| where FileName =~ "arp.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

5. Monitor the Use of Nbtstat for Network Resource Enumeration. Nbtstat queries NetBIOS over TCP/IP to reveal network resources.

```kql
DeviceProcessEvents
| where FileName =~ "nbtstat.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

6. Track Use of Whoami for Privilege Discovery. Whoami is often used to check the current user's privileges.

```kql
DeviceProcessEvents
| where FileName =~ "whoami.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

7. Detect PowerShell Use for Active Directory Enumeration. Attackers may use PowerShell to enumerate AD objects and user groups.

```kql
DeviceProcessEvents
| where FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Get-ADUser", "Get-ADGroup")
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

8. Monitor the Use of Net View for Listing Network Shares. Net view lists available shares on the network and is often used by attackers.

```kql
DeviceProcessEvents
| where FileName =~ "net.exe" and ProcessCommandLine has "view"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

9. Track Execution of Tasklist for Process Enumeration. Tasklist is used to list all running processes on a system.

```kql
DeviceProcessEvents
| where FileName =~ "tasklist.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

10. Detect Execution of Systeminfo for System Information Discovery. Systeminfo provides information about the operating system and hardware.

```kql
DeviceProcessEvents
| where FileName =~ "systeminfo.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

11. Monitor Execution of Net Use for Drive Mapping. Net use can be used to connect to network drives and shares.

```kql
DeviceProcessEvents
| where FileName =~ "net.exe" and ProcessCommandLine has "use"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

12. Track WMIC Commands for System Discovery. WMIC can retrieve information about operating systems, processes, and services.

```kql
DeviceProcessEvents
| where FileName =~ "wmic.exe" and ProcessCommandLine has_any ("os get", "process call create")
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

13. Detect Use of Ping for Host Discovery. Ping is often used to test connectivity and discover active hosts.

```kql
DeviceProcessEvents
| where FileName =~ "ping.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

14. Monitor Execution of Route for Network Route Discovery. Route.exe can display or modify the IP routing table.

```kql
DeviceProcessEvents
| where FileName =~ "route.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

15. Detect Use of Getmac for MAC Address Discovery. Getmac retrieves the MAC addresses of network adapters.

```kql
DeviceProcessEvents
| where FileName =~ "getmac.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

16. Monitor Unusual SMB Traffic for Network Enumeration. SMB traffic may be indicative of network reconnaissance activities.

```kql
DeviceNetworkEvents
| where RemotePort == 445 and ActionType == "ConnectionSuccess"
// DeviceNetworkEvents has no AccountName column; the account is carried in InitiatingProcessAccountName
| summarize count() by DeviceName, RemoteIP, InitiatingProcessAccountName
```

17. Track Execution of Reg.exe for Registry Enumeration. Reg.exe is used to query or modify Windows registry entries.

```kql
DeviceProcessEvents
| where FileName =~ "reg.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

18. Detect Use of NetSh for Network Configuration Changes. NetSh can be used to query or modify network configurations.

```kql
DeviceProcessEvents
| where FileName =~ "netsh.exe" and ProcessCommandLine has_any ("firewall", "interface")
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

19. Monitor Execution of PowerShell Network Discovery Scripts. PowerShell scripts can perform various network discovery tasks.

```kql
DeviceProcessEvents
| where FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Test-Connection", "Get-NetIPAddress")
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

20. Detect Use of Network Sniffing Tools (Tcpdump, Wireshark). Network sniffing tools can be used for passive network reconnaissance.

```kql
DeviceProcessEvents
// in~ is the case-insensitive form of in; the Wireshark binary is named Wireshark.exe
| where FileName in~ ("tcpdump.exe", "wireshark.exe")
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

21. Monitor the Use of PsExec for Remote Execution. PsExec is often used to execute commands remotely across the network.

```kql
DeviceProcessEvents
// the 64-bit build ships as PsExec64.exe
| where FileName in~ ("psexec.exe", "psexec64.exe")
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

22. Track Use of PowerShell Remoting Commands. PowerShell remoting commands such as New-PSSession may indicate lateral movement attempts.

```kql
DeviceProcessEvents
| where FileName =~ "powershell.exe" and ProcessCommandLine has "New-PSSession"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

23. Monitor Netstat for Port and Connection Enumeration. Netstat is used to view active network connections and ports.

```kql
DeviceProcessEvents
// has matches whole terms, so "an" matches the -an switch but not "-a -n"
| where FileName =~ "netstat.exe" and ProcessCommandLine has "an"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

24. Detect DNS Query Tools for Domain Discovery (Nslookup, Dig). DNS query tools like nslookup and dig are used for DNS reconnaissance.

```kql
DeviceProcessEvents
| where FileName in~ ("nslookup.exe", "dig.exe")
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```

25. Track Use of GPResult for Group Policy Enumeration. GPResult provides details about applied Group Policy settings.

```kql
DeviceProcessEvents
| where FileName =~ "gpresult.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
```
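Each query above fires on a single tool, which is noisy on its own because administrators run these binaries all day. As an added example that is not part of the original page, the following query fuses the process-based detections into one: it flags an account on a host that runs several distinct discovery binaries inside a short window, which is the pattern an adversary mapping an environment produces. The tool list comes from the queries above; the window (10 minutes) and threshold (3 distinct tools) are assumptions to tune per environment.

```kql
// Added example (not from the original page): burst of distinct discovery
// tools by one account on one host. Threshold and window are assumptions.
let DiscoveryTools = dynamic(["netstat.exe", "ipconfig.exe", "nslookup.exe",
    "arp.exe", "nbtstat.exe", "whoami.exe", "tasklist.exe", "systeminfo.exe",
    "route.exe", "getmac.exe", "gpresult.exe", "reg.exe", "netsh.exe",
    "wmic.exe", "net.exe"]);
let MinDistinctTools = 3;
let Window = 10m;
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ (DiscoveryTools)
// net.exe is used constantly; only count the share-listing and mapping forms
| where FileName !~ "net.exe" or ProcessCommandLine has_any ("view", "use")
// reg.exe writes are a different technique; only count enumeration (reg query)
| where FileName !~ "reg.exe" or ProcessCommandLine has "query"
| extend Tool = tolower(FileName), Bucket = bin(Timestamp, Window)
| summarize DistinctTools = dcount(Tool),
            Tools = make_set(Tool),
            Commands = make_set(ProcessCommandLine, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, Bucket
| where DistinctTools >= MinDistinctTools
| project-away Bucket
| order by DistinctTools desc, FirstSeen asc
```

InitiatingProcessFileName shows which shell or parent spawned the burst; a script host or an unexpected parent for an interactive user is worth more attention than cmd.exe under a known admin account.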