Reconnaissance (TA0043) Techniques

Reconnaissance is the tactic used by adversaries to gather information about a target network, system, or organisation before launching an attack.

1. T1595 - Active Scanning

Objective: Detect network scanning activities indicative of reconnaissance.

  1. Detect IP Block Scanning

DeviceNetworkEvents | where RemoteIP != "127.0.0.1" | summarize TargetCount = dcount(LocalIP) by RemoteIP | where TargetCount > 50

Purpose: Identify scanning of multiple IP blocks from a single IP address.

  2. Monitor for Multiple Port Scans

DeviceNetworkEvents | summarize PortCount = dcount(LocalPort) by RemoteIP, LocalIP | where PortCount > 20

Purpose: Detect scanning of multiple ports by a single IP address.

  3. Detect SYN Scans

DeviceNetworkEvents | where Protocol == "Tcp" and ActionType == "InboundConnectionAccepted" | summarize Count = count() by RemoteIP, LocalIP | where Count > 100 // DeviceNetworkEvents has no TcpFlags column; only probes that reach a listening port are visible to the endpoint sensor

Purpose: Identify SYN scanning activity.

  4. Identify ICMP Ping Sweeps

DeviceNetworkEvents | where Protocol == "ICMP" and ICMPType == 8 | summarize Count = count() by RemoteIP, LocalIP | where Count > 50 // ICMPType is not a DeviceNetworkEvents column; run this shape of query against a firewall or network sensor table that records the ICMP type

Purpose: Detect ICMP echo requests (pings) across multiple IP addresses.

  5. Detect Scanning on Common Service Ports

DeviceNetworkEvents | where ActionType == "InboundConnectionAccepted" and LocalPort in (22, 23, 80, 443, 3389) | summarize Count = count() by RemoteIP, LocalPort | where Count > 10

Purpose: Identify scans targeting common service ports.

  6. Monitor for Unusual Network Traffic Patterns

DeviceNetworkEvents | summarize Count = count() by RemoteIP, LocalIP | where Count > 200

Purpose: Detect unusual traffic patterns that may indicate active scanning.

  7. Identify Excessive DNS Queries

DeviceNetworkEvents | where RemotePort == 53 | summarize Count = count() by RemoteIP, LocalIP | where Count > 100

Purpose: Monitor for excessive DNS queries that may indicate domain reconnaissance.

  8. Detect Network Scanning Tools

DeviceProcessEvents | where ProcessCommandLine has_any ("nmap", "masscan", "zmap") | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Identify known network scanning tools in use.

  9. Monitor for Unusual HTTP Requests

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("/admin", "/login", "/.git") | project Timestamp, DeviceName, RemoteUrl, RemoteIP // there is no HttpMethod column, and RemoteUrl usually carries only the host name, so path matching is more reliable on proxy or web server logs

Purpose: Detect reconnaissance through unusual HTTP GET requests.

  10. Detect Suspicious Network Connection Attempts

DeviceNetworkEvents | where ActionType == "ConnectionFailed" | summarize Count = count() by RemoteIP, LocalIP | where Count > 50

Purpose: Identify repeated connection failures that may indicate scanning.
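Added example (not from the original page): the same counting idea as the queries above, run in Python over constructed DeviceNetworkEvents-style records, but inside five-minute bins and with an allowlist for authorised scanners, which the one-line queries lack. Field names mirror the table's columns; the thresholds and the allowlisted address are placeholders.

```python
"""Time-binned scan detection over DeviceNetworkEvents-style records.

Added example, not part of the original page. The records below are
constructed; field names mirror DeviceNetworkEvents columns, and the
thresholds and allowlist are placeholders to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"
BIN = timedelta(minutes=5)
SWEEP_THRESHOLD = 20      # distinct LocalIPs hit by one RemoteIP inside a bin
PORTSCAN_THRESHOLD = 5    # distinct listening LocalPorts hit on one host inside a bin
KNOWN_SCANNERS = {"10.0.0.250"}   # assumed: authorised vulnerability scanner


def bin_of(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its fixed BIN (like KQL bin())."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // BIN) * BIN


def detect_scans(events):
    """Return sorted (kind, RemoteIP, bin_start, count) alerts.

    Only InboundConnectionAccepted is counted: the endpoint sensor sees a
    probe only when it reaches a listening port, so closed-port probes and
    half-open SYN scans are invisible here (a network sensor is needed).
    """
    sweep_targets = defaultdict(set)   # (RemoteIP, bin) -> {LocalIP}
    scanned_ports = defaultdict(set)   # (RemoteIP, LocalIP, bin) -> {LocalPort}
    for e in events:
        if e["ActionType"] != "InboundConnectionAccepted":
            continue
        if e["RemoteIP"] in KNOWN_SCANNERS:
            continue
        b = bin_of(datetime.strptime(e["Timestamp"], FMT))
        sweep_targets[(e["RemoteIP"], b)].add(e["LocalIP"])
        scanned_ports[(e["RemoteIP"], e["LocalIP"], b)].add(int(e["LocalPort"]))

    alerts = []
    for (remote, b), targets in sweep_targets.items():
        if len(targets) >= SWEEP_THRESHOLD:
            alerts.append(("ip_sweep", remote, b, len(targets)))
    for (remote, local, b), ports in scanned_ports.items():
        if len(ports) >= PORTSCAN_THRESHOLD:
            alerts.append(("port_scan", remote, b, len(ports)))
    # Caveat: a burst straddling a bin boundary is split across two bins and
    # may stay under both thresholds; a sliding window fixes that at more cost.
    return sorted(alerts)


def _event(ts, remote, local, port, action="InboundConnectionAccepted"):
    return {"Timestamp": ts.strftime(FMT), "ActionType": action,
            "RemoteIP": remote, "LocalIP": local, "LocalPort": port}


def sample_events():
    """Constructed telemetry: one sweep, one port scan, one allowlisted
    scanner and one benign client, using documentation and private ranges."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    ev = []
    # 198.51.100.7 touches 25 hosts on 445 within 100 seconds (sweep)
    for i in range(25):
        ev.append(_event(base + timedelta(seconds=4 * i), "198.51.100.7", f"10.0.1.{10 + i}", 445))
    # 198.51.100.9 reaches eight listening ports on one host (port scan)
    for p in (22, 80, 135, 139, 443, 445, 3389, 5985):
        ev.append(_event(base + timedelta(minutes=1, seconds=p % 50), "198.51.100.9", "10.0.1.50", p))
    # the authorised scanner performs the same sweep but is allowlisted
    for i in range(25):
        ev.append(_event(base + timedelta(seconds=4 * i), "10.0.0.250", f"10.0.1.{10 + i}", 445))
    # a benign client hits the same file server 30 times over an hour
    for i in range(30):
        ev.append(_event(base + timedelta(minutes=2 * i), "10.0.2.20", "10.0.1.50", 445))
    return ev


if __name__ == "__main__":
    for kind, remote, start, n in detect_scans(sample_events()):
        print(f"{start:%H:%M} {kind:10s} {remote:15s} {n}")
```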

2. T1590 - Gather Victim Network Information

Objective: Detect activities aimed at collecting information about the target network, such as IP ranges, domain names, and network topology.

  1. Monitor for ARP Scans

DeviceNetworkEvents | where Protocol == "ARP" and ActionType == "Request" | summarize Count = count() by RemoteIP, LocalIP | where Count > 50 // ARP is not recorded in DeviceNetworkEvents; this shape of query needs a network sensor or switch log that exposes ARP requests

Purpose: Detect ARP scanning activity used to map network topology.

  2. Identify DNS Zone Transfer Attempts

DeviceNetworkEvents | where RemotePort == 53 and InitiatingProcessCommandLine has "axfr" | project Timestamp, DeviceName, RemoteIP, InitiatingProcessCommandLine

Purpose: Monitor for DNS zone transfer requests that may indicate network reconnaissance.

  3. Detect SMB Enumeration

DeviceNetworkEvents | where RemotePort == 445 and ActionType == "ConnectionSuccess" | summarize Targets = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName | where Targets > 10

Purpose: Identify attempts to enumerate SMB shares on the network.

  4. Monitor for LDAP Enumeration

DeviceNetworkEvents | where RemotePort == 389 and ActionType == "ConnectionSuccess" | summarize Count = count() by DeviceName, InitiatingProcessFileName, RemoteIP | where Count > 10

Purpose: Detect LDAP queries that may indicate attempts to gather network information.

  5. Identify Use of Network Mapping Tools

DeviceProcessEvents | where ProcessCommandLine has_any ("net view", "netstat", "route print") | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Monitor for the use of network mapping tools.

  6. Detect ICMP Traceroute Attempts

DeviceNetworkEvents | where Protocol == "ICMP" and ICMPType == 8 and TTL < 5 | summarize Count = count() by RemoteIP, LocalIP // ICMPType and TTL are not DeviceNetworkEvents columns; this needs packet-level telemetry

Purpose: Identify traceroute attempts using ICMP.

  7. Monitor for DNS Query Flooding

DeviceNetworkEvents | where RemotePort == 53 | summarize Count = count() by DeviceName, RemoteIP | where Count > 200

Purpose: Detect excessive DNS queries aimed at gathering network information.

  8. Detect TCP/IP Fingerprinting Attempts

DeviceNetworkEvents | where Protocol == "Tcp" and ActionType == "InboundConnectionAccepted" | where TcpFlags == "SYN" and TTL > 100 | summarize Count = count() by RemoteIP, LocalIP // TcpFlags and TTL are not DeviceNetworkEvents columns; OS fingerprinting is visible in packet captures or IDS telemetry

Purpose: Identify attempts to fingerprint the network using TCP/IP.

  9. Identify HTTP Enumeration Activity

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("/admin", "/login", "/config") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Monitor for HTTP requests that may indicate enumeration of network resources.

  10. Monitor for SNMP Queries

DeviceNetworkEvents | where RemotePort == 161 and Protocol == "Udp" | summarize Count = count() by RemoteIP, LocalIP

Purpose: Detect SNMP queries that may be used to gather network information.

3. T1592 - Gather Victim Host Information

Objective: Detect attempts to collect information about victim hosts, including operating system details, hardware configuration, and installed software.

  1. Detect Host Fingerprinting Attempts

DeviceProcessEvents | where ProcessCommandLine has_any ("systeminfo", "hostname", "ipconfig", "wmic") | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Identify host information gathering commands.

  2. Monitor for Enumeration of Installed Software

DeviceProcessEvents | where ProcessCommandLine has "wmic product get" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Detect enumeration of installed software on victim hosts.

  3. Detect Querying of System Configuration

DeviceProcessEvents | where ProcessCommandLine has "msinfo32" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Identify attempts to query system configuration.

  4. Identify Registry Enumeration

DeviceProcessEvents | where FileName =~ "reg.exe" and ProcessCommandLine has "query" | project Timestamp, DeviceName, ProcessCommandLine // DeviceRegistryEvents records only key and value changes, not reads, so registry enumeration is visible through the reg.exe command line

Purpose: Monitor for enumeration of the Windows registry.

  5. Monitor for OS Version Enumeration

DeviceProcessEvents | where FileName =~ "cmd.exe" and ProcessCommandLine has "ver" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Detect attempts to gather OS version information.

  6. Detect Running Process Enumeration

DeviceProcessEvents | where ProcessCommandLine has_any ("tasklist", "pslist") | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Identify enumeration of running processes on victim hosts.

  7. Monitor for PowerShell Reconnaissance Commands

DeviceProcessEvents | where ProcessCommandLine has "Get-WmiObject" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Detect the use of PowerShell commands to gather host information.

  8. Identify Enumeration of Active Network Connections

DeviceProcessEvents | where ProcessCommandLine has "netstat" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Monitor for enumeration of active network connections.

  9. Detect Attempts to Query BIOS Information

DeviceProcessEvents | where ProcessCommandLine has "wmic bios" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Identify attempts to gather BIOS information.

  10. Monitor for Enumeration of User Accounts

DeviceProcessEvents | where ProcessCommandLine has "net user" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Detect enumeration of user accounts on the host.

4. T1591 - Gather Victim Identity Information

Objective: Detect activities aimed at collecting information about user identities, such as account credentials, email addresses, and group memberships.

  1. Detect Enumeration of Active Directory Users

DeviceProcessEvents | where ProcessCommandLine has "dsquery user" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Identify enumeration of Active Directory users.

  2. Monitor for Group Membership Queries

DeviceProcessEvents | where ProcessCommandLine has "net group" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Detect attempts to enumerate group memberships.

  3. Identify LDAP Queries for User Information

DeviceNetworkEvents | where RemotePort == 389 and InitiatingProcessCommandLine contains "(&(objectCategory=person)(objectClass=user))" | project Timestamp, DeviceName, InitiatingProcessCommandLine

Purpose: Monitor for LDAP queries aimed at gathering user information.

  4. Monitor for Attempts to Access Credential Stores

DeviceProcessEvents | where ProcessCommandLine has "rundll32.exe keymgr.dll,KRShowKeyMgr" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Detect attempts to access stored credentials.

  5. Detect Enumeration of Domain Admin Accounts

DeviceProcessEvents | where ProcessCommandLine has "dsquery group" and ProcessCommandLine has "Domain Admins" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Identify attempts to enumerate domain admin accounts.

  6. Monitor for Access to Password Files

DeviceFileEvents | where FileName contains "password" or FileName contains "credential" | project Timestamp, DeviceName, FileName, FolderPath

Purpose: Detect access to files that may contain passwords.

  7. Detect Enumeration of Service Accounts

DeviceProcessEvents | where ProcessCommandLine has "dsquery user" and ProcessCommandLine contains "svc*" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Identify enumeration of service accounts.

  8. Monitor for Attempts to Query Email Addresses

DeviceProcessEvents | where ProcessCommandLine has "dsquery user -email" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Detect attempts to gather email addresses from Active Directory.

  9. Identify Enumeration of Privileged Accounts

DeviceProcessEvents | where ProcessCommandLine has_any ("net localgroup administrators", "net localgroup Remote Desktop Users") | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Monitor for enumeration of privileged accounts.

  10. Detect Attempts to Query Group Policy Information

DeviceProcessEvents | where ProcessCommandLine has "gpresult /R" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Identify attempts to query group policy information.
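Added example (not from the original page) covering the host and identity enumeration queries in sections 3 and 4: each single-command query is noisy on its own, since administrators run hostname and net user all day, so this Python correlates DeviceProcessEvents-style records per device and account and alerts only when several distinct discovery categories appear within ten minutes. Field names mirror the table's columns; the categories, patterns, window and threshold are assumptions, and the telemetry is constructed.

```python
"""Correlate discovery commands per device and account before alerting.

Added example, not part of the original page. Record fields mirror
DeviceProcessEvents columns; the categories, regexes, window and threshold
are assumptions to tune, and the telemetry below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"
WINDOW = timedelta(minutes=10)
MIN_CATEGORIES = 3   # distinct discovery categories inside WINDOW before alerting

# One regex per category; the commands come from the queries in sections 3 and 4.
DISCOVERY_PATTERNS = {
    "host": re.compile(r"\b(systeminfo|hostname|ipconfig|msinfo32|wmic\s+(bios|product))\b", re.I),
    "process": re.compile(r"\b(tasklist|pslist)\b", re.I),
    "network": re.compile(r"\b(netstat|net\s+view|route\s+print)\b", re.I),
    "account": re.compile(r"\b(net\s+(user|group|localgroup)|dsquery\s+(user|group))\b", re.I),
    "policy": re.compile(r"\bgpresult\b", re.I),
    "powershell": re.compile(r"\bGet-WmiObject\b", re.I),
}


def classify(cmdline):
    """Return the set of discovery categories a command line belongs to."""
    return {cat for cat, rx in DISCOVERY_PATTERNS.items() if rx.search(cmdline)}


def score_bursts(events):
    """Return {(DeviceName, AccountName): burst} for every device/account that
    runs commands from at least MIN_CATEGORIES categories within WINDOW.

    A window starts at each discovery command, so two commands 30 minutes
    apart never combine, while four inside three minutes do.
    """
    per_key = defaultdict(list)
    for e in events:
        cats = classify(e["ProcessCommandLine"])
        if cats:
            ts = datetime.strptime(e["Timestamp"], FMT)
            per_key[(e["DeviceName"], e["AccountName"])].append((ts, cats, e["ProcessCommandLine"]))

    bursts = {}
    for key, items in per_key.items():
        items.sort(key=lambda item: item[0])
        for i, (start, _, _) in enumerate(items):
            seen, cmds = set(), []
            for ts, cats, cmd in items[i:]:
                if ts - start > WINDOW:
                    break
                seen |= cats
                cmds.append(cmd)
            if len(seen) >= MIN_CATEGORIES:
                bursts[key] = {"start": start, "categories": sorted(seen), "commands": cmds}
                break   # one alert per device/account is enough for triage
    return bursts


def sample_events():
    """Constructed: a real discovery burst, a monitoring service account that
    runs tasklist hourly, and a user whose two commands are 30 minutes apart."""
    base = datetime(2024, 5, 1, 14, 0, 0)
    raw = [
        (0, "WS01", "jdoe", "systeminfo"),
        (45, "WS01", "jdoe", "net user /domain"),
        (90, "WS01", "jdoe", "tasklist /v"),
        (150, "WS01", "jdoe", "netstat -ano"),
        (0, "SRV01", "svc_mon", 'tasklist /fi "IMAGENAME eq agent.exe"'),
        (3600, "SRV01", "svc_mon", 'tasklist /fi "IMAGENAME eq agent.exe"'),
        (0, "WS02", "asmith", "ipconfig /all"),
        (10, "WS02", "asmith", r"net use \\fs01\share"),   # not a discovery command
        (1800, "WS02", "asmith", "net user"),
    ]
    return [{"Timestamp": (base + timedelta(seconds=s)).strftime(FMT), "DeviceName": d,
             "AccountName": a, "ProcessCommandLine": c} for s, d, a, c in raw]


if __name__ == "__main__":
    for (device, account), burst in score_bursts(sample_events()).items():
        print(device, account, burst["start"], burst["categories"])
```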

5. T1596 - Search Open Websites/Domains

Objective: Detect attempts to gather information about the target organization from public websites, domains, and other online resources.

  1. Monitor for Access to Public Web Resources

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("linkedin.com", "github.com", "pastebin.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify access to public websites that may be used for reconnaissance.

  2. Detect Searches for Company Information

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("company.com", "aboutus", "contactus") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Monitor for searches related to the target company.

  3. Identify Access to Domain Registration Information

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has "whois.domaintools.com" | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Detect attempts to gather domain registration information.

  4. Monitor for Public Code Repository Access

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("github.com", "gitlab.com", "bitbucket.org") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify access to public code repositories that may contain company information.

  5. Detect Access to Online Forums and Paste Sites

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("reddit.com", "pastebin.com", "stackexchange.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Monitor access to online forums and paste sites that may be used to gather information.

  6. Identify Use of Search Engines for Reconnaissance

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("google.com", "bing.com", "duckduckgo.com") and (RemoteUrl contains "site:" or RemoteUrl contains "intitle:" or RemoteUrl contains "inurl:") | project Timestamp, DeviceName, RemoteUrl, RemoteIP // there is no QueryString column, and RemoteUrl rarely includes the query part of an HTTPS request, so search operators are better hunted in proxy logs

Purpose: Detect search engine queries that may indicate reconnaissance.

  7. Monitor for Access to Social Media Profiles

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("linkedin.com", "twitter.com", "facebook.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify access to social media profiles that may be used for gathering information about employees.

  8. Detect Access to Online Employee Directories

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("people.company.com", "employees.company.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Monitor for access to online employee directories.

  9. Identify Access to Government Websites

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any (".gov", ".mil") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Detect access to government websites that may indicate reconnaissance on publicly available information.

  10. Monitor for Access to Industry-Specific Websites

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("financial.com", "healthcare.com", "energy.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify access to industry-specific websites that may be used for reconnaissance.

6. T1593 - Search Open Technical Databases

Objective: Detect attempts to gather information about the target organization from public technical databases, such as vulnerability databases, code repositories, or security forums.

  1. Monitor for Access to Vulnerability Databases

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("nvd.nist.gov", "cvedetails.com", "exploit-db.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify access to vulnerability databases.

  2. Detect Searches for Specific CVEs

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl contains "CVE-" and RemoteUrl has_any ("nvd.nist.gov", "cvedetails.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Monitor for searches related to specific CVEs.

  3. Identify Access to Public Code Repositories

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("github.com", "gitlab.com", "bitbucket.org") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Detect access to public code repositories that may contain exploitable code.

  4. Monitor for Access to Security Forums

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("forum.exploit-db.com", "community.rapid7.com", "security.stackexchange.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify access to security forums that may be used for reconnaissance.

  5. Detect Access to Online Penetration Testing Resources

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("offensive-security.com", "metasploit.com", "tools.kali.org") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Monitor for access to online resources used for penetration testing.

  6. Identify Use of Search Engines for Technical Information

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("google.com", "bing.com", "duckduckgo.com") and RemoteUrl has_any ("vulnerability", "exploit", "POC") | project Timestamp, DeviceName, RemoteUrl, RemoteIP // search terms only appear in RemoteUrl when the query string is captured, which is rare for HTTPS

Purpose: Detect search engine queries related to technical information.

  7. Monitor for Access to Security Research Blogs

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("research.securiteam.com", "blogs.akamai.com", "blog.malwarebytes.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify access to security research blogs.

  8. Detect Access to Public Malware Repositories

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("malshare.com", "virusshare.com", "kernelmode.info") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Monitor for access to public malware repositories.

  9. Identify Access to Bug Bounty Platforms

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("hackerone.com", "bugcrowd.com", "intigriti.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Detect access to bug bounty platforms.

  10. Monitor for Access to Open Vulnerability Scanners

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("nessus.org", "openvas.org", "nmap.org") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify access to open-source vulnerability scanners.

7. T1594 - Search Open Source Code Repositories

Objective: Detect attempts to gather information about the target organization from public source code repositories, such as GitHub, GitLab, or Bitbucket.

  1. Monitor for Access to Public Code Repositories

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("github.com", "gitlab.com", "bitbucket.org") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify access to public code repositories.

  2. Detect Searches for Company-Related Code

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("companyname", "internalrepo", "secrets") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Monitor for searches related to the target company.

  3. Identify Access to Forked Repositories

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has "forks" | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Detect access to forked repositories that may contain sensitive information.

  4. Monitor for Cloning of Public Repositories

DeviceProcessEvents | where ProcessCommandLine has "git clone" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Identify attempts to clone public repositories.

  5. Detect Access to Private Code Repositories

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has "private" and RemoteUrl has_any ("github.com", "gitlab.com", "bitbucket.org") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Monitor for access to private code repositories.

  6. Identify Use of Search Engines to Locate Code Repositories

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has "repo" and RemoteUrl has_any ("google.com", "bing.com", "duckduckgo.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Detect search engine queries aimed at locating code repositories.

  7. Monitor for Access to Public Code Snippets

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("gist.github.com", "pastebin.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify access to public code snippets that may contain sensitive information.

  8. Detect Access to Publicly Shared Secrets

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("github.com", "gitlab.com") and RemoteUrl has_any ("secret", "key", "password") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Monitor for searches related to secrets in public repositories.

  9. Identify Unauthorized Downloads of Source Code

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("download.zip", "download.tar.gz") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Detect unauthorized downloads of source code from public repositories.

  10. Monitor for Access to Deprecated Repositories

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("archive", "deprecated") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify access to deprecated repositories that may still contain valuable information.

8. T1597 - Search Closed Sources

Objective: Detect attempts to gather information from closed sources, such as internal documentation, proprietary software, or private forums.

  1. Monitor for Access to Internal Documentation Sites

DeviceNetworkEvents | where RemotePort == 80 or RemotePort == 443 | where URL has_any ("wiki.company.com", "confluence.company.com") | project Timestamp, DeviceName, URL, RemoteIP

Purpose: Identify access to internal documentation that may contain sensitive information.

  1. Detect Attempts to Access Proprietary Software

DeviceFileEvents | where FileName endswith ".exe" or FileName endswith ".dll" | where FilePath has_any ("C:\\Program Files\\CompanySoftware", "C:\\Users\\Public\\CompanySoftware") | project Timestamp, DeviceName, FileName, FilePath

Purpose: Monitor for attempts to access proprietary software.

  1. Identify Access to Private Forums or Discussion Boards

DeviceNetworkEvents | where RemotePort == 80 or RemotePort == 443 | where URL has_any ("forum.company.com", "discussions.company.com") | project Timestamp, DeviceName, URL, RemoteIP

Purpose: Detect access to private forums or discussion boards.

  1. Monitor for Searches in Internal Knowledge Bases

DeviceNetworkEvents | where RemotePort == 80 or RemotePort == 443 | where URL has "knowledgebase.company.com" | project Timestamp, DeviceName, URL, QueryString

Purpose: Identify searches in internal knowledge bases that may indicate reconnaissance.

  1. Detect Unauthorized Access to Internal Git Repositories

DeviceNetworkEvents | where RemotePort == 80 or RemotePort == 443 | where URL has "git.company.com" | project Timestamp, DeviceName, URL, RemoteIP

Purpose: Monitor for unauthorized access to internal Git repositories.

  1. Identify Access to Internal Training Materials

DeviceNetworkEvents | where RemotePort == 80 or RemotePort == 443 | where URL has_any ("training.company.com", "learning.company.com") | project Timestamp, DeviceName, URL, RemoteIP

Purpose: Detect access to internal training materials that may contain sensitive information.

  7. Monitor for Attempts to Access Internal APIs

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has "api.company.com" | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify attempts to access internal APIs.

  8. Detect Access to Internal Bug Tracking Systems

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("jira.company.com", "bugzilla.company.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Monitor for access to internal bug tracking systems.

  9. Identify Unauthorized Access to HR Systems

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("hr.company.com", "payroll.company.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Detect unauthorized access to HR systems.

  10. Monitor for Access to Internal Email Systems

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("mail.company.com", "exchange.company.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify access to internal email systems.
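Each query above watches a single internal system. As an added example that is not part of the original page, the following query folds the same placeholder hostnames into one list and surfaces devices that touched an unusual number of distinct internal systems in a day, which is a stronger reconnaissance signal than any single access. The seven-day lookback and the threshold of five distinct hosts are assumptions to tune against a baseline.

```kql
// Added example, not from the original page. Hostnames are the page's placeholder
// values; the lookback and threshold below are assumptions to be tuned per estate.
let InternalHosts = dynamic([
    "wiki.company.com", "confluence.company.com", "knowledgebase.company.com",
    "forum.company.com", "discussions.company.com", "git.company.com",
    "training.company.com", "learning.company.com", "api.company.com",
    "jira.company.com", "bugzilla.company.com", "hr.company.com",
    "payroll.company.com", "mail.company.com", "exchange.company.com"]);
let Lookback = 7d;
let DistinctHostThreshold = 5;
DeviceNetworkEvents
| where Timestamp > ago(Lookback)
| where RemotePort in (80, 443)
| where RemoteUrl has_any (InternalHosts)
// RemoteUrl may or may not carry a scheme, so pull the host out with a regex
| extend Host = extract(@"^(?:[a-z]+://)?([^/:]+)", 1, tolower(RemoteUrl))
| summarize DistinctHosts = dcount(Host),
            Hosts = make_set(Host, 20),
            Requests = count(),
            Processes = make_set(InitiatingProcessFileName, 10)
    by DeviceName, InitiatingProcessAccountName, Day = bin(Timestamp, 1d)
| where DistinctHosts >= DistinctHostThreshold
| order by DistinctHosts desc, Requests desc
```

Browsers will dominate the Processes column; a non-browser process reaching many internal systems in one day is the row to look at first.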

9. T1598 - Phishing for Information

Objective: Detect phishing attempts aimed at gathering information from users, such as credentials, financial information, or sensitive documents.

  1. Monitor for Emails Containing Suspicious Links

EmailEvents | where EmailDirection == "Inbound" and UrlCount > 0 | join kind=inner (EmailUrlInfo | project NetworkMessageId, Url) on NetworkMessageId | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, Url

Purpose: Identify emails with links that could lead to phishing websites.

  2. Detect Emails Containing Suspicious Attachments

EmailAttachmentInfo | where FileName endswith ".exe" or FileName endswith ".js" | project Timestamp, SenderFromAddress, RecipientEmailAddress, FileName, FileType

Purpose: Monitor for emails with suspicious attachments.

  3. Identify Emails with Urgent Requests

EmailEvents | where Subject has_any ("urgent", "immediately") | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject

Purpose: Detect phishing emails using urgency to deceive users. Message bodies are not exposed in advanced hunting, so the subject line is searched for both terms.

  4. Monitor for Emails Spoofing Internal Addresses

EmailEvents | where EmailDirection == "Inbound" | where SenderFromDomain == "internal.company.com" and SenderFromAddress !in ("trusted_email_list") | project Timestamp, SenderFromAddress, SenderMailFromAddress, Subject, AuthenticationDetails

Purpose: Identify emails spoofing internal addresses.

  5. Detect Phishing Emails Targeting Executives

EmailEvents | where Subject has_any ("CEO", "CFO") | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject

Purpose: Monitor for phishing emails targeting executives.

  6. Identify Emails Requesting Sensitive Information

EmailEvents | where Subject has_any ("password", "account number") | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject

Purpose: Detect emails requesting sensitive information. Message bodies are not exposed in advanced hunting, so the subject line is searched for both phrases.

  7. Monitor for Emails with Suspicious Reply-To Addresses

EmailEvents | where EmailDirection == "Inbound" | where SenderMailFromDomain != SenderFromDomain | project Timestamp, SenderFromAddress, SenderMailFromAddress, Subject, AuthenticationDetails

Purpose: Identify emails with suspicious reply-to addresses. Advanced hunting does not expose the Reply-To header as a column, so this query surfaces the related spoofing signal of an envelope sender (MAIL FROM) domain that differs from the header From domain; expect legitimate bulk senders and mailing lists to appear, and exclude them.

  8. Detect Phishing Emails with Suspicious Macros

EmailAttachmentInfo | where FileName endswith ".docm" or FileName endswith ".xlsm" | project Timestamp, SenderFromAddress, RecipientEmailAddress, FileName, FileType

Purpose: Monitor for phishing emails with attachments containing macros.

  9. Identify Emails Containing Suspicious Content

EmailAttachmentInfo | where FileType in~ ("html", "htm") | project Timestamp, SenderFromAddress, RecipientEmailAddress, FileName, FileType

Purpose: Detect phishing emails with suspicious content. Message bodies are not exposed in advanced hunting, so this query surfaces HTML attachments, the usual carrier for inline script and base64-encoded payloads.

  10. Monitor for Suspicious Logon Activity Following a Phishing Attempt

IdentityLogonEvents | where ActionType == "LogonFailed" | summarize FailedLogons = count() by AccountUpn, DeviceName, bin(Timestamp, 1h) | where FailedLogons > 5

Purpose: Identify suspicious login activity following a phishing attempt (more than five failed logons by one account against one device within an hour).
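The last query counts failed logons on their own, with no link back to a message. As an added example that is not part of the original page, the following query ties inbound mail that carried a URL or attachment to failed logons for the same recipient in the hours that follow, which is the correlation the purpose line describes. The lookback, the 24-hour follow-on window and the three-failure threshold are assumptions.

```kql
// Added example, not from the original page. The lookback, follow-on window and
// failure threshold are assumptions; tune them to your tenant's baseline.
let Lookback = 7d;
let FollowOnWindow = 24h;
let FailedLogonThreshold = 3;
let SuspectMail =
    EmailEvents
    | where Timestamp > ago(Lookback)
    | where EmailDirection == "Inbound"
    | where UrlCount > 0 or AttachmentCount > 0
    | project EmailTime = Timestamp, NetworkMessageId, SenderFromAddress, Subject,
              Recipient = tolower(RecipientEmailAddress);
let FailedLogons =
    IdentityLogonEvents
    | where Timestamp > ago(Lookback)
    | where ActionType == "LogonFailed"
    | where isnotempty(AccountUpn)
    | project LogonTime = Timestamp, Account = tolower(AccountUpn), IPAddress, Application;
SuspectMail
| join kind=inner FailedLogons on $left.Recipient == $right.Account
// keep only failures that happened after the message arrived, inside the window
| where LogonTime between (EmailTime .. (EmailTime + FollowOnWindow))
| summarize FailedAttempts = count(),
            FirstFailure = min(LogonTime),
            SourceIPs = make_set(IPAddress, 10),
            Applications = make_set(Application, 5)
    by Recipient, NetworkMessageId, EmailTime, SenderFromAddress, Subject
| where FailedAttempts >= FailedLogonThreshold
// attach the URLs the message carried, if any, for triage
| join kind=leftouter (EmailUrlInfo | summarize Urls = make_set(Url, 10) by NetworkMessageId) on NetworkMessageId
| project-away NetworkMessageId1
| order by FailedAttempts desc, EmailTime asc
```

A recipient whose failures come from an IP address that never appears in their successful logons is the case to escalate; a burst of failures from the user's own workstation is more often a password change.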

10. T1599 - Social Engineering

Objective: Detect attempts to manipulate or deceive users to gain information or access, such as through phone calls, messages, or in-person interactions.

  1. Monitor for Unusual Outbound Communication

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("slack.com", "discord.com", "telegram.org") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify unusual outbound communication that may indicate social engineering.

  2. Detect Unusual Volume of Emails Sent by a Single User

EmailEvents | where EmailDirection == "Outbound" | summarize SentCount = count() by SenderFromAddress | where SentCount > 100

Purpose: Monitor for users sending an unusually high volume of emails, possibly as part of a phishing campaign.

  3. Identify Access to Social Media Sites

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("linkedin.com", "facebook.com", "twitter.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Monitor for access to social media sites that may be used for social engineering.

  4. Monitor for Unauthorized External Phone Calls

DeviceNetworkEvents | where RemotePort in (5060, 5061) | project Timestamp, DeviceName, RemoteIP, LocalPort

Purpose: Detect unauthorized phone calls made using VoIP.

  5. Detect Unusual Text Messaging Activity

DeviceNetworkEvents | where RemotePort == 443 and RemoteUrl has_any ("twilio.com", "messagebird.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Identify unusual text messaging activity that may indicate social engineering.

  6. Monitor for Users Accessing Personal Email Accounts

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("gmail.com", "yahoo.com", "outlook.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Detect users accessing personal email accounts that may be targeted for social engineering.

  7. Identify Attempts to Access HR Systems

DeviceNetworkEvents | where RemotePort in (80, 443) | where RemoteUrl has_any ("hr.company.com", "payroll.company.com") | project Timestamp, DeviceName, RemoteUrl, RemoteIP

Purpose: Monitor for unauthorized attempts to access HR systems.

  8. Detect Unauthorized Remote Access Attempts

DeviceLogonEvents | where LogonType == "RemoteInteractive" | summarize LogonCount = count(), LastLogon = max(Timestamp) by AccountName, DeviceName, RemoteIP

Purpose: Identify unauthorized remote access attempts that may indicate social engineering.

  9. Monitor for Unusual Requests for Assistance

EmailEvents | where Subject has_any ("help", "assistance") | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject

Purpose: Detect unusual requests for assistance that may be social engineering attempts. Message bodies are not exposed in advanced hunting, so the subject line is searched for both terms.

  10. Identify Attempts to Bypass Security Controls

DeviceProcessEvents | where ProcessCommandLine has_any ("disable", "bypass", "stop") | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Monitor for attempts to disable or bypass security controls, which may be related to social engineering.
