Reconnaissance (TA0043) Techniques
Reconnaissance is the tactic used by adversaries to gather information about a target network, system, or organisation before launching an attack.
1. T1595 - Active Scanning
Objective: Detect network scanning activities indicative of reconnaissance.
Detect IP Block Scanning
DeviceNetworkEvents
| where RemoteIP != "127.0.0.1"
// Count distinct local targets per source. The original grouped by RemoteIP, LocalIP and LocalPort
// and then filtered on count(), which is not a valid column reference and which measured repeated
// connections to one host rather than a sweep across many hosts.
// Add a Timestamp filter (for example ago(1h)) before the summarize to bound the window.
| summarize TargetCount = dcount(LocalIP) by RemoteIP
| where TargetCount > 50
Purpose: Identify scanning of multiple IP blocks from a single IP address.
Monitor for Multiple Port Scans
DeviceNetworkEvents
// Count distinct ports per source; grouping by LocalPort (as in the original) counts events per port
// and can never exceed the threshold on the number of ports touched.
| summarize port_count = dcount(LocalPort) by RemoteIP
| where port_count > 20
Purpose: Detect scanning of multiple ports by a single IP address.
Detect SYN Scans
DeviceNetworkEvents
// TcpFlags is not a column in the standard DeviceNetworkEvents schema, and "ConnectionInitiated"
// should be checked against the ActionType values present in your tenant; this query assumes an
// enriched or custom table that exposes TCP flags.
| where ActionType == "ConnectionInitiated" and Protocol == "TCP" and TcpFlags == "SYN"
| summarize SynCount = count() by RemoteIP, LocalIP
| where SynCount > 100
Purpose: Identify SYN scanning activity.
Identify ICMP Ping Sweeps
DeviceNetworkEvents
// ICMP type 8 is echo request. ICMPType is not a standard DeviceNetworkEvents column; this assumes
// an enriched table. A sweep is many distinct targets per source, so count dcount(LocalIP).
| where Protocol == "ICMP" and ICMPType == 8
| summarize TargetCount = dcount(LocalIP) by RemoteIP
| where TargetCount > 50
Purpose: Detect ICMP echo requests (pings) across multiple IP addresses.
Detect Scanning on Common Service Ports
DeviceNetworkEvents
| where LocalPort in (22, 23, 80, 443, 3389)
// Name the aggregate so the filter below can reference it; count() cannot be used in a where clause.
| summarize AttemptCount = count() by RemoteIP, LocalPort
| where AttemptCount > 10
Purpose: Identify scans targeting common service ports.
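The queries above count distinct targets per source, but they are only meaningful inside a bounded time window. The following added example (not from the original page) re-implements that logic in Python over constructed DeviceNetworkEvents-shaped records, with a KQL-style bin() window, so the threshold behaviour and its blind spot for slow scans can be exercised offline; the sample events, thresholds and field names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in DeviceNetworkEvents shape; not real telemetry.
def _ev(minute, remote, local, port):
    return {"Timestamp": datetime(2024, 1, 1, 10, minute),
            "RemoteIP": remote, "LocalIP": local, "LocalPort": port}

SAMPLE_EVENTS = (
    # IP sweep: one source touching five hosts on 445 within a minute
    [_ev(0, "10.0.0.5", f"192.168.1.{i}", 445) for i in range(1, 6)]
    # port scan: one source touching five ports on a single host
    + [_ev(1, "10.0.0.9", "192.168.1.10", p) for p in (22, 80, 443, 3389, 8080)]
    # benign: ten connections to one service (a raw count()>N rule would flag this)
    + [_ev(2, "10.0.0.20", "192.168.1.10", 443) for _ in range(10)]
    # slow sweep: two hosts per 5-minute window, under threshold in each window
    + [_ev(m, "10.0.0.30", f"192.168.1.{20 + m}", 445) for m in (0, 1, 6, 7)]
    # loopback noise, excluded exactly as the page's first query does
    + [_ev(3, "127.0.0.1", "127.0.0.1", 5353)]
)

def _bin(ts, window):
    """Floor a timestamp to its window start, the equivalent of KQL bin(Timestamp, 5m)."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // window) * window

def detect_sweeps(events, window_minutes=5, ip_threshold=3, port_threshold=3):
    """Return {(RemoteIP, window_start): {"ips", "ports", "kinds"}} for sources that touch
    more than ip_threshold distinct LocalIPs or port_threshold distinct LocalPorts inside
    one window, i.e. summarize dcount(...) by RemoteIP, bin(Timestamp, window)."""
    window = timedelta(minutes=window_minutes)
    seen = defaultdict(lambda: {"ips": set(), "ports": set()})
    for ev in events:
        if ev["RemoteIP"] == "127.0.0.1":
            continue
        key = (ev["RemoteIP"], _bin(ev["Timestamp"], window))
        seen[key]["ips"].add(ev["LocalIP"])
        seen[key]["ports"].add(ev["LocalPort"])
    hits = {}
    for key, s in seen.items():
        kinds = []
        if len(s["ips"]) > ip_threshold:
            kinds.append("ip_sweep")
        if len(s["ports"]) > port_threshold:
            kinds.append("port_scan")
        if kinds:
            hits[key] = {"ips": len(s["ips"]), "ports": len(s["ports"]), "kinds": kinds}
    return hits
```

Widening window_minutes to 15 is enough to surface the slow sweep from 10.0.0.30, which shows why a per-window threshold needs a companion rule over a longer horizon.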
Monitor for Unusual Network Traffic Patterns
Purpose: Detect unusual traffic patterns that may indicate active scanning.
Identify Excessive DNS Queries
Purpose: Monitor for excessive DNS queries that may indicate domain reconnaissance.
Detect Network Scanning Tools
Purpose: Identify known network scanning tools in use.
Monitor for Unusual HTTP Requests
Purpose: Detect reconnaissance through unusual HTTP GET requests.
Detect Suspicious Network Connection Attempts
Purpose: Identify repeated connection failures that may indicate scanning.
2. T1590 - Gather Victim Network Information
Objective: Detect activities aimed at collecting information about the target network, such as IP ranges, domain names, and network topology.
Monitor for ARP Scans
Purpose: Detect ARP scanning activity used to map network topology.
Identify DNS Zone Transfer Attempts
Purpose: Monitor for DNS zone transfer requests that may indicate network reconnaissance.
Detect SMB Enumeration
Purpose: Identify attempts to enumerate SMB shares on the network.
Monitor for LDAP Enumeration
Purpose: Detect LDAP queries that may indicate attempts to gather network information.
Identify Use of Network Mapping Tools
Purpose: Monitor for the use of network mapping tools.
Detect ICMP Traceroute Attempts
Purpose: Identify traceroute attempts using ICMP.
Monitor for DNS Query Flooding
Purpose: Detect excessive DNS queries aimed at gathering network information.
Detect TCP/IP Fingerprinting Attempts
Purpose: Identify attempts to fingerprint the network using TCP/IP.
Identify HTTP Enumeration Activity
Purpose: Monitor for HTTP requests that may indicate enumeration of network resources.
Monitor for SNMP Queries
Purpose: Detect SNMP queries that may be used to gather network information.
3. T1592 - Gather Victim Host Information
Objective: Detect attempts to collect information about victim hosts, including operating system details, hardware configuration, and installed software.
Detect Host Fingerprinting Attempts
Purpose: Identify host information gathering commands.
Monitor for Enumeration of Installed Software
Purpose: Detect enumeration of installed software on victim hosts.
Detect Querying of System Configuration
Purpose: Identify attempts to query system configuration.
Identify Registry Enumeration
Purpose: Monitor for enumeration of the Windows registry.
Monitor for OS Version Enumeration
Purpose: Detect attempts to gather OS version information.
Detect Running Process Enumeration
Purpose: Identify enumeration of running processes on victim hosts.
Monitor for PowerShell Reconnaissance Commands
Purpose: Detect the use of PowerShell commands to gather host information.
Identify Enumeration of Active Network Connections
Purpose: Monitor for enumeration of active network connections.
Detect Attempts to Query BIOS Information
Purpose: Identify attempts to gather BIOS information.
Monitor for Enumeration of User Accounts
Purpose: Detect enumeration of user accounts on the host.
4. T1591 - Gather Victim Identity Information
Objective: Detect activities aimed at collecting information about user identities, such as account credentials, email addresses, and group memberships.
Detect Enumeration of Active Directory Users
Purpose: Identify enumeration of Active Directory users.
Monitor for Group Membership Queries
Purpose: Detect attempts to enumerate group memberships.
Identify LDAP Queries for User Information
Purpose: Monitor for LDAP queries aimed at gathering user information.
Monitor for Attempts to Access Credential Stores
Purpose: Detect attempts to access stored credentials.
Detect Enumeration of Domain Admin Accounts
Purpose: Identify attempts to enumerate domain admin accounts.
Monitor for Access to Password Files
Purpose: Detect access to files that may contain passwords.
Detect Enumeration of Service Accounts
Purpose: Identify enumeration of service accounts.
Monitor for Attempts to Query Email Addresses
Purpose: Detect attempts to gather email addresses from Active Directory.
Identify Enumeration of Privileged Accounts
Purpose: Monitor for enumeration of privileged accounts.
Detect Attempts to Query Group Policy Information
Purpose: Identify attempts to query group policy information.
5. T1596 - Search Open Websites/Domains
Objective: Detect attempts to gather information about the target organization from public websites, domains, and other online resources.
Monitor for Access to Public Web Resources
Purpose: Identify access to public websites that may be used for reconnaissance.
Detect Searches for Company Information
Purpose: Monitor for searches related to the target company.
Identify Access to Domain Registration Information
Purpose: Detect attempts to gather domain registration information.
Monitor for Public Code Repository Access
Purpose: Identify access to public code repositories that may contain company information.
Detect Access to Online Forums and Paste Sites
Purpose: Monitor access to online forums and paste sites that may be used to gather information.
Identify Use of Search Engines for Reconnaissance
Purpose: Detect search engine queries that may indicate reconnaissance.
Monitor for Access to Social Media Profiles
Purpose: Identify access to social media profiles that may be used for gathering information about employees.
Detect Access to Online Employee Directories
Purpose: Monitor for access to online employee directories.
Identify Access to Government Websites
Purpose: Detect access to government websites that may indicate reconnaissance on publicly available information.
Monitor for Access to Industry-Specific Websites
Purpose: Identify access to industry-specific websites that may be used for reconnaissance.
6. T1593 - Search Open Technical Databases
Objective: Detect attempts to gather information about the target organization from public technical databases, such as vulnerability databases, code repositories, or security forums.
Monitor for Access to Vulnerability Databases
Purpose: Identify access to vulnerability databases.
Detect Searches for Specific CVEs
Purpose: Monitor for searches related to specific CVEs.
Identify Access to Public Code Repositories
Purpose: Detect access to public code repositories that may contain exploitable code.
Monitor for Access to Security Forums
Purpose: Identify access to security forums that may be used for reconnaissance.
Detect Access to Online Penetration Testing Resources
Purpose: Monitor for access to online resources used for penetration testing.
Identify Use of Search Engines for Technical Information
Purpose: Detect search engine queries related to technical information.
Monitor for Access to Security Research Blogs
Purpose: Identify access to security research blogs.
Detect Access to Public Malware Repositories
Purpose: Monitor for access to public malware repositories.
Identify Access to Bug Bounty Platforms
Purpose: Detect access to bug bounty platforms.
Monitor for Access to Open Vulnerability Scanners
Purpose: Identify access to open-source vulnerability scanners.
7. T1594 - Search Open Source Code Repositories
Objective: Detect attempts to gather information about the target organization from public source code repositories, such as GitHub, GitLab, or Bitbucket.
Monitor for Access to Public Code Repositories
Purpose: Identify access to public code repositories.
Detect Searches for Company-Related Code
Purpose: Monitor for searches related to the target company.
Identify Access to Forked Repositories
Purpose: Detect access to forked repositories that may contain sensitive information.
Monitor for Cloning of Public Repositories
Purpose: Identify attempts to clone public repositories.
Detect Access to Private Code Repositories
Purpose: Monitor for access to private code repositories.
Identify Use of Search Engines to Locate Code Repositories
Purpose: Detect search engine queries aimed at locating code repositories.
Monitor for Access to Public Code Snippets
Purpose: Identify access to public code snippets that may contain sensitive information.
Detect Access to Publicly Shared Secrets
Purpose: Monitor for searches related to secrets in public repositories.
Identify Unauthorized Downloads of Source Code
Purpose: Detect unauthorized downloads of source code from public repositories.
Monitor for Access to Deprecated Repositories
Purpose: Identify access to deprecated repositories that may still contain valuable information.
8. T1597 - Search Closed Sources
Objective: Detect attempts to gather information from closed sources, such as internal documentation, proprietary software, or private forums.
Monitor for Access to Internal Documentation Sites
Purpose: Identify access to internal documentation that may contain sensitive information.
Detect Attempts to Access Proprietary Software
Purpose: Monitor for attempts to access proprietary software.
Identify Access to Private Forums or Discussion Boards
Purpose: Detect access to private forums or discussion boards.
Monitor for Searches in Internal Knowledge Bases
Purpose: Identify searches in internal knowledge bases that may indicate reconnaissance.
Detect Unauthorized Access to Internal Git Repositories
Purpose: Monitor for unauthorized access to internal Git repositories.
Identify Access to Internal Training Materials
Purpose: Detect access to internal training materials that may contain sensitive information.
Monitor for Attempts to Access Internal APIs
Purpose: Identify attempts to access internal APIs.
Detect Access to Internal Bug Tracking Systems
Purpose: Monitor for access to internal bug tracking systems.
Identify Unauthorized Access to HR Systems
Purpose: Detect unauthorized access to HR systems.
Monitor for Access to Internal Email Systems
Purpose: Identify access to internal email systems.
9. T1598 - Phishing for Information
Objective: Detect phishing attempts aimed at gathering information from users, such as credentials, financial information, or sensitive documents.
Monitor for Emails Containing Suspicious Links
Purpose: Identify emails with links that could lead to phishing websites.
Detect Emails Containing Suspicious Attachments
Purpose: Monitor for emails with suspicious attachments.
Identify Emails with Urgent Requests
Purpose: Detect phishing emails using urgency to deceive users.
Monitor for Emails Spoofing Internal Addresses
Purpose: Identify emails spoofing internal addresses.
Detect Phishing Emails Targeting Executives
Purpose: Monitor for phishing emails targeting executives.
Identify Emails Requesting Sensitive Information
Purpose: Detect emails requesting sensitive information.
Monitor for Emails with Suspicious Reply-To Addresses
Purpose: Identify emails with suspicious reply-to addresses.
Detect Phishing Emails with Suspicious Macros
Purpose: Monitor for phishing emails with attachments containing macros.
Identify Emails Containing Suspicious Content
Purpose: Detect phishing emails with suspicious content.
Monitor for Suspicious Email Activity Following a Phishing Attempt
Purpose: Identify suspicious login activity following a phishing attempt.
10. T1599 - Social Engineering
Objective: Detect attempts to manipulate or deceive users to gain information or access, such as through phone calls, messages, or in-person interactions.
Monitor for Unusual Outbound Communication
Purpose: Identify unusual outbound communication that may indicate social engineering.
Detect Unusual Volume of Emails Sent by a Single User
Purpose: Monitor for users sending an unusually high volume of emails, possibly as part of a phishing campaign.
Identify Access to Social Media Sites
Purpose: Monitor for access to social media sites that may be used for social engineering.
Monitor for Unauthorized External Phone Calls
Purpose: Detect unauthorized phone calls made using VoIP.
Detect Unusual Text Messaging Activity
Purpose: Identify unusual text messaging activity that may indicate social engineering.
Monitor for Users Accessing Personal Email Accounts
Purpose: Detect users accessing personal email accounts that may be targeted for social engineering.
Identify Attempts to Access HR Systems
Purpose: Monitor for unauthorized attempts to access HR systems.
Detect Unauthorized Remote Access Attempts
Purpose: Identify unauthorized remote access attempts that may indicate social engineering.
Monitor for Unusual Requests for Assistance
Purpose: Detect unusual requests for assistance that may be social engineering attempts.
Identify Attempts to Bypass Security Controls
Purpose: Monitor for attempts to disable or bypass security controls, which may be related to social engineering.