Reconnaissance Discovery
Introduction
PowerShell is a versatile and powerful scripting language and automation tool widely used in security operations (SecOps) to manage and secure enterprise networks. Its deep integration with the Windows operating system and expansive library of cmdlets make it indispensable for conducting reconnaissance, discovery, digital forensics, and incident response (DFIR) activities. With its ability to query, analyse, and automate tasks at scale, PowerShell is an essential tool for SecOps teams tasked with protecting enterprise environments from evolving cyber threats.
Capabilities of PowerShell for Reconnaissance Discovery
1. Reconnaissance in Enterprise Networks:
Network Mapping: cmdlets such as Test-Connection, Resolve-DnsName and Get-NetRoute confirm which hosts respond, resolve names, and reconstruct the local routing picture.
Service Enumeration: Get-Service and Get-NetTCPConnection show running services and listening ports, which together describe the host's exposed attack surface.
User and Group Recon: Get-ADUser and Get-ADGroup (ActiveDirectory module, part of RSAT) enumerate directory objects so the team understands account structure and who holds privilege.
2. Discovery of Threats and Anomalies:
File and Process Analysis: Get-Process and Get-Item (with Get-ChildItem and Get-AuthenticodeSignature) surface suspicious processes, files and directories; unsigned executables in user-writable paths and hidden files are typical anomalies.
Network Activity Monitoring: Get-NetTCPConnection gives a point-in-time view of connections and listening ports. It is a snapshot, not a traffic capture, so pair it with firewall audit or flow logs when history matters.
System Event Logs: Get-WinEvent (and the legacy Get-EventLog, which only reads the classic logs and is absent from PowerShell 7) support log analysis for indicators of compromise (IOCs) and anomalous behaviour.
3. Digital Forensics and Incident Response (DFIR):
Memory Forensics: PowerShell does not dump process memory itself; Get-Process identifies the target PID and an external tool such as Sysinternals ProcDump captures the dump for malware or threat analysis.
Artifact Collection: collection of logs and file metadata can be automated with Copy-Item and the results recorded with Export-Csv. Registry hives are locked while Windows runs, so copy them with reg.exe save rather than Copy-Item.
Persistence Analysis: scripts can walk autorun locations (Run/RunOnce keys, services, scheduled tasks, WMI event subscriptions) to uncover persistence mechanisms used by attackers.
Lateral Movement Detection: Get-WinEvent over logon events (4624, 4625, 4648) together with the network cmdlets helps detect evidence of lateral movement, such as suspicious logons or credential use.
Efficiency Provided by PowerShell in SecOps
Scalability: PowerShell’s ability to execute commands across multiple systems simultaneously using PowerShell Remoting or scripting reduces the time required for reconnaissance, discovery, and remediation tasks.
Automation: With its robust scripting capabilities, PowerShell enables the automation of repetitive DFIR activities, such as log collection, IOC searches, and artifact analysis, freeing up SecOps resources for more strategic tasks.
Real-Time Insights: PowerShell provides near-instant access to system and network data, enabling faster detection and response to threats in dynamic environments.
Customisation: The flexibility of PowerShell allows analysts to write custom scripts tailored to specific enterprise environments and threat scenarios, improving detection and investigation accuracy.
Integration with Security Tools: PowerShell integrates with Microsoft Defender for Endpoint, Microsoft Sentinel (formerly Azure Sentinel) and SIEM platforms, so security teams can orchestrate responses and analyse data from one place.
By leveraging these capabilities, SecOps teams can carry out reconnaissance, threat discovery and incident response across enterprise networks quickly and consistently, improving their ability to detect, analyse and mitigate security incidents.
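The scalability point above is best shown rather than described. The script below is an added example, not code from the original page: it fans a small collector out to many hosts with Invoke-Command and writes one CSV per run. It assumes WinRM is enabled on the targets, that the caller is a local administrator on them, and that the hostnames and output path are placeholders for your own inventory.

```powershell
# Added example, not part of the original page: collect a reconnaissance baseline
# (TCP listeners with owning process, HKLM Run/RunOnce autoruns, local Administrators)
# from many hosts in parallel over PowerShell Remoting and write one CSV per run.
# Assumptions: WinRM is enabled on the targets, the caller is a local administrator
# on them, and the hostnames and output path are placeholders for your environment.
$Targets = @('ws01.corp.example', 'ws02.corp.example', 'srv-file01.corp.example')
$OutDir  = 'C:\IR'
$OutFile = Join-Path $OutDir ('baseline-{0}.csv' -f (Get-Date -Format 'yyyyMMdd-HHmm'))

$Collector = {
    $computer = $env:COMPUTERNAME

    # Listening TCP sockets, one row each, with the process that owns the socket.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
        [PSCustomObject]@{
            Computer = $computer
            Kind     = 'Listener'
            Key      = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
            Value    = $name
        }
    }

    # Machine-wide autoruns. HKCU is deliberately left out: under remoting it would be
    # the connecting account's hive, not that of whoever is logged on interactively.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider...
            [PSCustomObject]@{ Computer = $computer; Kind = 'Autorun'; Key = "$key\$($p.Name)"; Value = [string]$p.Value }
        }
    }

    # Members of the local Administrators group (SilentlyContinue tolerates orphaned SIDs).
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
        [PSCustomObject]@{ Computer = $computer; Kind = 'LocalAdmin'; Key = $_.Name; Value = [string]$_.PrincipalSource }
    }
}

# ThrottleLimit bounds the fan-out; ErrorAction Continue lets one unreachable host fail
# without aborting the run. Remoting returns deserialized objects, which is all Export-Csv needs.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$results = Invoke-Command -ComputerName $Targets -ScriptBlock $Collector -ThrottleLimit 32 -ErrorAction Continue
$results | Select-Object Computer, Kind, Key, Value | Export-Csv -Path $OutFile -NoTypeInformation
$reached = @($results.Computer | Sort-Object -Unique).Count
Write-Host ('Collected {0} rows from {1} of {2} hosts -> {3}' -f @($results).Count, $reached, $Targets.Count, $OutFile)
```

Run it once to establish a baseline and again after an incident; the flat Computer/Kind/Key/Value shape diffs cleanly with Compare-Object or in a SIEM. Hosts that fail to respond are reported by Invoke-Command on the error stream and are simply missing from the CSV, so compare the host count in the summary line against the target list.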
Reconnaissance Discovery
1. Network Scanning and Enumeration
1.1. Detect Network Scanning Activities
Purpose: Find a remote address that has touched many local ports in the current connection table. A listening socket has no remote peer (RemoteAddress is 0.0.0.0 or ::), so filtering listeners on RemoteAddress, as the original did, finds nothing useful; look at the non-listening states instead. Get-NetTCPConnection is a snapshot, so use the Windows Filtering Platform audit events under Additional Discovery Techniques for history.
Get-NetTCPConnection | Where-Object { $_.State -ne 'Listen' -and $_.RemoteAddress -notin @('0.0.0.0','::','127.0.0.1','::1') } | Group-Object RemoteAddress | Where-Object { @($_.Group.LocalPort | Sort-Object -Unique).Count -ge 10 } | Select-Object @{n='RemoteAddress';e={$_.Name}}, @{n='DistinctLocalPorts';e={ @($_.Group.LocalPort | Sort-Object -Unique).Count }}, @{n='States';e={ (@($_.Group.State | Sort-Object -Unique)) -join ',' }} | Sort-Object DistinctLocalPorts -Descending
1.2. Identify Unusual ARP Table Entries
Purpose: Review the neighbour (ARP/NDP) cache. A host that has just swept its subnet accumulates many fresh entries; a host being swept does not, so run this on the suspected source. Reachable and Stale entries both count; multicast and broadcast addresses are noise and are excluded.
Get-NetNeighbor -AddressFamily IPv4 | Where-Object { $_.State -in 'Reachable','Stale' -and $_.IPAddress -notmatch '^(22[4-9]|23[0-9]|255)\.' } | Select-Object ifIndex, IPAddress, LinkLayerAddress, State | Sort-Object ifIndex, IPAddress
2. System Information Gathering
2.1. Enumeration of Installed Applications
Purpose: Inventory installed applications from the 64-bit, 32-bit (Wow6432Node) and per-user Uninstall keys. These are the same keys software-inventory reconnaissance reads, and querying them is far faster than Win32_Product.
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue | Where-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName
2.2. Listing Running Processes
Purpose: Snapshot running processes with image path and start time. Sorting by StartTime puts the newest processes last, which is where a freshly landed operator's recon commands appear; processes whose StartTime is not readable (protected or other-session) show blank.
Get-Process -ErrorAction SilentlyContinue | Select-Object Id, ProcessName, StartTime, Path | Sort-Object StartTime
3. User and Account Information Discovery
3.1. List Local User Accounts
Purpose: Detect enumeration of local user accounts.
Get-LocalUser | Select-Object Name, Enabled, LastLogon
3.2. Active Directory User Enumeration
Purpose: Enumerate Active Directory users (ActiveDirectory module). The same -Filter * query is what domain reconnaissance tooling runs, so its footprint on a domain controller is worth knowing; on large domains add -ResultSetSize or a narrower filter.
Get-ADUser -Filter * -Properties DisplayName, Title, Department, LastLogonDate, PasswordLastSet | Select-Object SamAccountName, DisplayName, Title, Department, LastLogonDate, PasswordLastSet
4. Group and Permission Enumeration
4.1. List Local Groups and Memberships
Purpose: List local groups with their members. The original hashtable lacked the separator between GroupName and Members and would not parse. Get-LocalGroupMember also errors on orphaned SIDs (deleted domain accounts still in a group), which is itself a finding, so the error count is kept as a column rather than hidden.
Get-LocalGroup | ForEach-Object { $members = @(Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue -ErrorVariable e); [PSCustomObject]@{ GroupName = $_.Name; Members = ($members.Name -join ', '); Count = $members.Count; UnresolvedSids = $e.Count } }
4.2. Active Directory Group Enumeration
Purpose: Enumerate Active Directory groups with their direct members (as distinguished names). Nested membership is not expanded here; for the groups that matter (Domain Admins, Enterprise Admins, Administrators, Account Operators) follow up with Get-ADGroupMember -Recursive, which is also the query shape privilege reconnaissance uses.
Get-ADGroup -Filter * -Properties Members | Select-Object Name, GroupScope, @{n='MemberCount';e={$_.Members.Count}}, @{n='Members';e={$_.Members -join ', '}} | Sort-Object MemberCount -Descending
5. Network Configuration and Interface Enumeration
5.1. List Network Interfaces
Purpose: Detect enumeration of network interfaces, potentially indicating network reconnaissance.
Get-NetAdapter | Select-Object Name, InterfaceDescription, Status, MACAddress
5.2. Get IP Configuration Details
Purpose: Identify gathering of IP configuration details.
Get-NetIPAddress | Select-Object InterfaceAlias, IPAddress, PrefixLength
6. Service and Port Enumeration
6.1. List Listening Ports
Purpose: List listening TCP ports with the owning process. This is the host's exposed service surface and exactly what an external port scan would discover.
Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, @{n='Process';e={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}}, OwningProcess | Sort-Object LocalPort
6.2. Identify Running Services
Purpose: Detect enumeration of running services, potentially indicating service reconnaissance.
Get-Service | Select-Object Name, DisplayName, Status, StartType
7. File and Directory Enumeration
7.1. List Files in Sensitive Directories
Purpose: Enumerate files in a sensitive directory (C:\SensitiveData is a placeholder). -Force includes hidden and system files and -ErrorAction keeps an access-denied subfolder from aborting the walk. Whether someone else listed or opened these files is answered by 4663 object-access auditing (see Additional Discovery Techniques), not by this listing.
Get-ChildItem -Path 'C:\SensitiveData\' -Recurse -Force -File -ErrorAction SilentlyContinue | Select-Object FullName, Length, LastWriteTime, LastAccessTime | Sort-Object LastWriteTime -Descending
7.2. Detect Access to Administrative Shares
Purpose: List the shares this host exposes. Administrative shares (C$, ADMIN$, IPC$) carry the 0x80000000 flag in Win32_Share.Type, so the original Type=0 filter returned only ordinary disk shares and missed them; the query below keeps both and marks which is which. Access to the shares is recorded by Security events 5140 and 5145, not by this listing.
Get-CimInstance -ClassName Win32_Share | Select-Object Name, Path, Type, @{n='Administrative';e={ [bool]($_.Type -band 2147483648) }} | Sort-Object Administrative -Descending, Name
8. Logon Session and Security Group Enumeration
8.1. List Active Logon Sessions
Purpose: List logon sessions on the host. Get-Process -IncludeUserName (elevation required) shows who owns each process; Win32_LogonSession shows the sessions themselves with their type, so interactive (2), network (3), batch (4), service (5) and RemoteInteractive/RDP (10) logons can be told apart.
Get-CimInstance -ClassName Win32_LogonSession | Where-Object { $_.LogonType -in 2,3,10 } | Select-Object LogonId, LogonType, AuthenticationPackage, StartTime | Sort-Object StartTime -Descending
8.2. Enumerate Security Groups of Logged-on Users
Purpose: Enumerate the security groups carried in a logon token. whoami /groups is the usual attacker command; the .NET equivalent below resolves every group SID in the current token to a name and falls back to the raw SID when it cannot. The original Win32_ComputerSystem query reports only whether the machine is domain-joined and its role, which is useful context but not group membership, so it is kept as a second line.
[System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $sid = $_; try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value } } | Sort-Object
Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object Name, Domain, PartOfDomain, DomainRole
9. Registry and System Configuration Discovery
9.1. List Auto-Start Programs
Purpose: List Run and RunOnce autostart entries for the machine and the current user, including the 32-bit view. These are the first locations both attackers (for persistence) and responders look at.
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce', 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue | ForEach-Object { $key = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''; $_.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | Select-Object @{n='Key';e={$key}}, Name, Value }
9.2. Identify Registry Key Enumeration
Purpose: Walk the service configuration under HKLM\SYSTEM\CurrentControlSet\Services. Get-ItemProperty on the parent key only returns that key's own values; each service is a subkey, so enumerate them with Get-ChildItem first. Start 2 = automatic, 3 = manual, 4 = disabled; Type 0x10 = own-process service, 0x20 = shared-process service, 1 and 2 = kernel and file-system drivers.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | Get-ItemProperty -ErrorAction SilentlyContinue | Where-Object { $_.ImagePath } | Select-Object PSChildName, Start, Type, ImagePath | Sort-Object PSChildName
10. Scheduled Task and Job Discovery
10.1. List Scheduled Tasks
Purpose: List scheduled tasks with their run history. LastRunTime is not a property of Get-ScheduledTask; it comes from Get-ScheduledTaskInfo, which accepts the task objects from the pipeline.
Get-ScheduledTask | Get-ScheduledTaskInfo | Select-Object TaskPath, TaskName, LastRunTime, LastTaskResult, NextRunTime | Sort-Object LastRunTime -Descending
10.2. Enumerate Windows Jobs
Purpose: List legacy AT-style jobs. Win32_ScheduledJob only covers jobs created with at.exe, which current Windows releases no longer ship; Task Scheduler tasks are covered by 10.1 above.
Get-CimInstance -ClassName Win32_ScheduledJob -ErrorAction SilentlyContinue | Select-Object Name, JobId, JobStatus, Command, Owner
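Sections 9 and 10 list autoruns, services and scheduled tasks, and the useful question is rarely "what is there" but "what changed since last time". The script below is an added example, not code from the original page: it flattens those three listings into Type/Key/Value rows, writes a JSON baseline on first run, and on later runs prints only the rows added, removed or changed. The baseline path is a placeholder; run it elevated so every task and service is visible.

```powershell
# Added example, not part of the original page: baseline-and-diff for the autorun,
# service and scheduled task listings in sections 9 and 10. First run writes the
# snapshot to JSON; later runs print only what was added, removed or changed.
# The baseline path is a placeholder. Run elevated so every task and service is visible.
function Get-PersistenceSnapshot {
    # Every item is flattened to Type/Key/Value strings so Compare-Object can diff them.
    $items = [System.Collections.Generic.List[object]]::new()

    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $items.Add([PSCustomObject]@{ Type = 'Autorun'; Key = "$key\$($p.Name)"; Value = [string]$p.Value })
        }
    }

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # Start mode and binary path together: a service flipped to Auto or repointed shows as a change.
        $items.Add([PSCustomObject]@{ Type = 'Service'; Key = $svc.Name; Value = "$($svc.StartMode)|$($svc.PathName)" })
    }

    foreach ($task in Get-ScheduledTask) {
        # Concatenate all actions so an added or edited command line surfaces.
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
        $items.Add([PSCustomObject]@{ Type = 'Task'; Key = "$($task.TaskPath)$($task.TaskName)"; Value = "$($task.State)|$actions" })
    }
    return $items
}

function Compare-PersistenceSnapshot {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $current  = @(Get-PersistenceSnapshot)
    # Comparing on all three columns means a new key, a removed key and a changed value all appear.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Type, Key, Value |
        Select-Object @{n='Side';e={ if ($_.SideIndicator -eq '=>') { 'Current' } else { 'Baseline' } }}, Type, Key, Value |
        Sort-Object Type, Key, Side
}

$BaselinePath = 'C:\IR\persistence-baseline.json'   # placeholder
if (-not (Test-Path -Path $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-PersistenceSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
} else {
    Compare-PersistenceSnapshot -BaselinePath $BaselinePath | Format-Table -AutoSize -Wrap
}
```

A changed value appears as a pair of rows (Baseline and Current) for the same key, so a repointed service binary or an edited task command line is immediately visible. Keep the baseline somewhere the host cannot modify, since an attacker with local administrator rights can rewrite a local JSON file as easily as a Run key.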
Additional Discovery Techniques
1. Network Scanning and Discovery
1.1. Detecting Network Scanning Attempts
Purpose: Use the Windows Filtering Platform audit to find a single source that probed many distinct local ports. 5157 (connection blocked) is the scan signature and 5156 (connection permitted) the success side; both require "Audit Filtering Platform Connection" and are high volume. Field order for both: 0 ProcessID, 1 Application, 2 Direction, 3 SourceAddress, 4 SourcePort, 5 DestAddress, 6 DestPort, 7 Protocol; Direction %%14592 is inbound. The indices 18 and 19 used in the original do not exist for these events.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5157; StartTime=(Get-Date).AddHours(-1)} | Where-Object { $_.Properties[2].Value -eq '%%14592' } | Group-Object { $_.Properties[3].Value } | Select-Object @{n='SourceIP';e={$_.Name}}, Count, @{n='DistinctPorts';e={ @($_.Group | ForEach-Object { $_.Properties[6].Value } | Sort-Object -Unique).Count }} | Where-Object DistinctPorts -ge 10 | Sort-Object DistinctPorts -Descending
1.2. Monitoring for ARP Scanning
Purpose: Detect ARP scanning. Windows does not log ARP traffic to any event channel (System event 104 is "the log file was cleared" and unrelated), so there is nothing for Get-WinEvent to read. Practical options are a packet capture (pktmon or netsh trace) or, on the suspected scanner, comparing the neighbour cache over time: a sweep adds many entries in a short interval.
$before = @(Get-NetNeighbor -AddressFamily IPv4 | Where-Object { $_.State -in 'Reachable','Stale' } | Select-Object -ExpandProperty IPAddress)
Start-Sleep -Seconds 60
$after = @(Get-NetNeighbor -AddressFamily IPv4 | Where-Object { $_.State -in 'Reachable','Stale' } | Select-Object -ExpandProperty IPAddress)
$new = @($after | Where-Object { $_ -notin $before })
"$($new.Count) new neighbour entries in 60 s"; $new
2. DNS and Directory Service Enumeration
2.1. Detecting DNS Zone Transfer Attempts
Purpose: Identify zone transfer requests on a Windows DNS server. The server has two ETW channels: Microsoft-Windows-DNS-Server/Audit records administrative changes (zones created, settings modified), while per-query traffic, including AXFR/IXFR requests and responses, appears only in Microsoft-Windows-DNS-Server/Analytical, which is disabled by default and must be enabled before any events exist. Analytical channels can only be read oldest-first.
wevtutil set-log Microsoft-Windows-DNS-Server/Analytical /enabled:true /quiet:true
Get-WinEvent -LogName 'Microsoft-Windows-DNS-Server/Analytical' -Oldest | Where-Object { $_.Message -match 'AXFR|IXFR' } | Select-Object TimeCreated, Id, Message
2.2. Monitoring LDAP Enumeration
Purpose: Detect LDAP enumeration against a domain controller. Event 4662 fires only for objects that carry a SACL and its message never contains "LDAP", so the original filter returns nothing (its fields are 1 SubjectUserName, 5 ObjectType, 6 ObjectName). The Directory Service log event 1644 records expensive, inefficient or slow LDAP searches with the client address and search filter, which is what BloodHound/SharpHound and similar collectors generate in bursts. It requires the NTDS diagnostic value "15 Field Engineering" set to 5 and, to see typical enumeration, lower values for the "Expensive Search Results Threshold" and "Inefficient Search Results Threshold" DWORDs under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '15 Field Engineering' -Value 5
Get-WinEvent -FilterHashtable @{LogName='Directory Service'; ID=1644; StartTime=(Get-Date).AddHours(-24)} | Select-Object TimeCreated, Message
3. User and Account Enumeration
3.1. Detecting User Enumeration via SMB
Purpose: Identify user enumeration over SMB/NTLM: many failed network logons for accounts that do not exist, all from one source. In 4625 the fields are 5 TargetUserName, 7 Status, 9 SubStatus, 10 LogonType, 13 WorkstationName, 19 IpAddress; SubStatus 0xC0000064 means "user name does not exist" and logon type 3 is network. The original read SubStatus from index 19 and the address from 18, which are IpAddress and ProcessName.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=(Get-Date).AddHours(-24)} | Where-Object { $_.Properties[9].Value -eq [uint32]'0xC0000064' -and $_.Properties[10].Value -eq 3 } | Group-Object { $_.Properties[19].Value } | Select-Object @{n='SourceIP';e={$_.Name}}, Count, @{n='DistinctAccounts';e={ @($_.Group | ForEach-Object { $_.Properties[5].Value } | Sort-Object -Unique).Count }} | Where-Object DistinctAccounts -ge 5 | Sort-Object DistinctAccounts -Descending
3.2. Monitoring for Kerberos Enumeration
Purpose: Detect Kerberos user enumeration (for example kerbrute), which produces a 4768 failure with Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for every guessed name. 4768 fields: 0 TargetUserName, 3 ServiceName, 6 Status, 7 TicketEncryptionType, 8 PreAuthType, 9 IpAddress; the original compared PreAuthType to "0x0" and printed TicketOptions. Service account and SPN discovery (Kerberoasting) is a different event: 4769 TGS requests with TicketEncryptionType 0x17 (RC4), fields 0 TargetUserName, 2 ServiceName, 5 TicketEncryptionType, 6 IpAddress.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4768; StartTime=(Get-Date).AddHours(-24)} | Where-Object { $_.Properties[6].Value -eq 6 } | Group-Object { $_.Properties[9].Value } | Select-Object @{n='SourceIP';e={$_.Name}}, Count, @{n='DistinctNames';e={ @($_.Group | ForEach-Object { $_.Properties[0].Value } | Sort-Object -Unique).Count }} | Where-Object DistinctNames -ge 5 | Sort-Object DistinctNames -Descending
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769; StartTime=(Get-Date).AddHours(-24)} | Where-Object { $_.Properties[5].Value -eq 0x17 } | Select-Object TimeCreated, @{n='Requester';e={$_.Properties[0].Value}}, @{n='ServiceName';e={$_.Properties[2].Value}}, @{n='SourceIP';e={$_.Properties[6].Value}}
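The one-liners in this section address event fields by Properties[n] position, which differs per event ID and is the usual way these queries go wrong. The script below is an added example, not code from the original page. ConvertFrom-EventData names each field from the event's own XML schema instead, and Find-AccountEnumeration uses it to serve both 3.1 and 3.2: it finds sources that failed logons for many distinct non-existent accounts inside a short window, which is the shape of both NTLM/SMB (4625, SubStatus 0xC0000064) and Kerberos (4768, Status 0x6) user enumeration. The window and threshold values are assumptions to tune; run it on a domain controller for the Kerberos side and on a file server for the SMB side.

```powershell
# Added example, not part of the original page. ConvertFrom-EventData names event fields
# from the event XML (<Data Name="...">) instead of Properties[n] positions, and
# Find-AccountEnumeration uses it to spot user enumeration over NTLM/SMB (4625 with
# SubStatus 0xC0000064) and Kerberos (4768 with Status 0x6). Thresholds are assumptions.
function ConvertFrom-EventData {
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    process {
        $xml = [xml]$Event.ToXml()
        $row = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
        foreach ($d in $xml.Event.EventData.Data) {
            # <Data Name="IpAddress">10.0.0.5</Data> becomes a property called IpAddress.
            $row[$d.GetAttribute('Name')] = $d.InnerText
        }
        [PSCustomObject]$row
    }
}

function Find-AccountEnumeration {
    param(
        [int]$Hours = 24,
        [int]$WindowMinutes = 10,          # assumption: bucket size
        [int]$MinDistinctAccounts = 10     # assumption: distinct bad names per source per bucket
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $failed = @()

    # NTLM/SMB guessing: 4625, "user name does not exist", network logon type.
    $failed += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
        ConvertFrom-EventData |
        Where-Object { $_.SubStatus -eq '0xc0000064' -and $_.LogonType -eq '3' } |
        Select-Object TimeCreated, @{n='Source';e={$_.IpAddress}}, @{n='Account';e={$_.TargetUserName}}, @{n='Via';e={'NTLM'}}

    # Kerberos guessing (e.g. kerbrute): 4768 with Status 0x6, KDC_ERR_C_PRINCIPAL_UNKNOWN.
    # The KDC records IPv4 clients as ::ffff:a.b.c.d; normalise so both feeds group together.
    $failed += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768; StartTime=$since} -ErrorAction SilentlyContinue |
        ConvertFrom-EventData |
        Where-Object { $_.Status -eq '0x6' } |
        Select-Object TimeCreated, @{n='Source';e={$_.IpAddress -replace '^::ffff:', ''}}, @{n='Account';e={$_.TargetUserName}}, @{n='Via';e={'Kerberos'}}

    # Fixed-size time buckets per source; a sweep shows up as many distinct names in one bucket.
    $failed |
        Where-Object { $_ -and $_.Source -and $_.Source -ne '-' } |
        Select-Object *, @{n='Bucket';e={ [math]::Floor(($_.TimeCreated - [datetime]'2000-01-01').TotalMinutes / $WindowMinutes) }} |
        Group-Object Source, Bucket |
        ForEach-Object {
            $names = @($_.Group.Account | Sort-Object -Unique)
            if ($names.Count -ge $MinDistinctAccounts) {
                [PSCustomObject]@{
                    Source           = $_.Group[0].Source
                    Via              = (@($_.Group.Via | Sort-Object -Unique) -join ',')
                    WindowStart      = ($_.Group.TimeCreated | Measure-Object -Minimum).Minimum
                    Attempts         = $_.Count
                    DistinctAccounts = $names.Count
                    Sample           = (($names | Select-Object -First 5) -join ', ')
                }
            }
        } | Sort-Object DistinctAccounts -Descending
}

Find-AccountEnumeration -Hours 24 | Format-Table -AutoSize
```

Counting distinct account names rather than raw failures is what separates enumeration from a single user mistyping a password: a locked-out user produces many failures for one name, a wordlist produces one failure each for many names. ConvertFrom-EventData works unchanged for any event that uses EventData, so the same pattern applies to 4624, 4688, 5145 and the other IDs on this page.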
4. Service and System Discovery
4.1. Detecting Windows Management Instrumentation (WMI) Queries
Purpose: Surface WMI queries. In Microsoft-Windows-WMI-Activity/Operational, 5857 only records a provider being loaded. Query text appears in 5858 (an operation that failed, with the full ExecQuery text, client machine and user), and 5860/5861 record temporary and permanent event subscriptions, the latter being the classic WMI persistence. Text of successful queries is only available from the WMI-Activity Trace channel or an ETW session.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WMI-Activity/Operational'; ID=5858,5861} | Where-Object { $_.Message -match 'ExecQuery|Consumer' } | Select-Object TimeCreated, Id, @{n='Client';e={ if ($_.Message -match 'ClientMachine = (?<m>[^;]+);') { $Matches.m } }}, @{n='User';e={ if ($_.Message -match 'User = (?<u>[^;]+);') { $Matches.u } }}, @{n='Operation';e={ if ($_.Message -match 'Operation = (?<o>[^;]+);') { $Matches.o } else { $_.Message } }}
4.2. Monitoring Remote System Discovery via RDP
Purpose: Detect interactive RDP logons used to explore remote systems. In 4624 the logon type is field 8 (not 10, which is AuthenticationPackageName), 5 is TargetUserName, 6 TargetDomainName, 11 WorkstationName and 18 IpAddress; type 10 is RemoteInteractive. With Network Level Authentication the credential check is logged first as a type 3 logon from the same source, so a type 3 immediately followed by a type 10 is normal. Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational event 1149 records the session connection independently of the Security log.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-24)} | Where-Object { $_.Properties[8].Value -eq 10 } | Select-Object TimeCreated, @{n='AccountName';e={"$($_.Properties[6].Value)\$($_.Properties[5].Value)"}}, @{n='SourceIP';e={$_.Properties[18].Value}}, @{n='Workstation';e={$_.Properties[11].Value}}
5. File and Directory Enumeration
5.1. Detecting Enumeration of File Shares
Purpose: Detect share enumeration. 5145 carries no "Share Enumeration" text; enumeration (net view, NetShareEnum) appears as access to the IPC$ share with relative target srvsvc. Fields: 1 SubjectUserName, 5 IpAddress, 7 ShareName, 9 RelativeTargetName, 10 AccessMask. Requires "Audit Detailed File Share", which is verbose on file servers.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5145; StartTime=(Get-Date).AddHours(-24)} | Where-Object { $_.Properties[7].Value -like '*\IPC$' -and $_.Properties[9].Value -eq 'srvsvc' } | Group-Object { "$($_.Properties[5].Value)|$($_.Properties[1].Value)" } | Select-Object @{n='SourceIP|User';e={$_.Name}}, Count, @{n='First';e={($_.Group.TimeCreated | Measure-Object -Minimum).Minimum}} | Sort-Object Count -Descending
5.2. Monitoring Access to Sensitive Directories
Purpose: Detect access to a sensitive directory (C:\SensitiveData is a placeholder). 4663 fires only for objects with a matching SACL and "Audit File System" enabled; field 6 is ObjectName (the original had this right), 1 SubjectUserName, 9 AccessMask, 11 ProcessName. The original used -match with the path as a regex, where "\S" means any non-whitespace character; use -like with wildcards, or [regex]::Escape, for paths.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663; StartTime=(Get-Date).AddHours(-24)} | Where-Object { $_.Properties[6].Value -like 'C:\SensitiveData\*' } | Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}, @{n='ObjectName';e={$_.Properties[6].Value}}, @{n='Process';e={$_.Properties[11].Value}}, @{n='AccessMask';e={$_.Properties[9].Value}}
6. Network and Firewall Configuration Enumeration
6.1. Detecting Attempts to Query Firewall Rules
Purpose: Identify attempts to enumerate firewall rules. Event 4703 is "a user right was adjusted" (a token privilege change), not a firewall event. Reading the rule set leaves no dedicated audit event; what is visible is the command that did it, via 4688 process creation with command-line logging enabled (fields 1 SubjectUserName, 5 NewProcessName, 8 CommandLine). Rule changes, by contrast, do have events: 4946 (added), 4947 (modified), 4948 (deleted) and 4950 (setting changed).
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=(Get-Date).AddHours(-24)} | Where-Object { $_.Properties[8].Value -match 'advfirewall|NetFirewallRule|firewall\s+show' } | Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}, @{n='CommandLine';e={$_.Properties[8].Value}}
6.2. Monitoring for Changes in Network Configuration
Purpose: Review per-interface IP configuration in the registry. Interfaces is a subkey, not a value, so -Name Interfaces in the original fails; enumerate the subkeys (one per adapter GUID) instead. A changed DNS server or a newly configured static address here is worth a second look.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces' | Get-ItemProperty | Where-Object { $_.DhcpIPAddress -or $_.IPAddress } | Select-Object PSChildName, DhcpIPAddress, IPAddress, NameServer, DhcpNameServer, DhcpServer
7. Operating System and Application Enumeration
7.1. Detecting OS Version and Installed Software Enumeration
Purpose: Record OS version and installed software. Two corrections to the original: its two commands were run together on one line, which is a syntax error, and Win32_Product is slow and triggers a consistency check of every MSI package (one Application log event 1035 per product), so the Uninstall registry keys from 2.1 are the better inventory source.
Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber, OSArchitecture, LastBootUpTime
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue | Where-Object DisplayName | Select-Object DisplayName, DisplayVersion
7.2. Monitoring for Enumeration of Installed Patches
Purpose: Detect enumeration of installed patches and hotfixes, which can indicate vulnerability assessment.
Get-HotFix | Select-Object Description, HotFixID, InstalledOn
8. Cloud and Virtual Environment Discovery
8.1. Detecting Enumeration of Cloud Resources
Purpose: Identify cloud resource enumeration from an endpoint. "Microsoft-Windows-Security-Auditing" is a provider name, not a log, so the original errors out, and nothing in the Windows Security log describes cloud API calls; that telemetry lives in the provider's own audit trail (Azure Activity Log and Microsoft Entra sign-in logs, AWS CloudTrail, Google Cloud Audit Logs). What the endpoint can show is the tooling being run, through 4688 command lines (field 8) for the az, aws and gcloud CLIs, the Az and Microsoft.Graph PowerShell modules, and collectors such as AzureHound.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=(Get-Date).AddHours(-24)} | Where-Object { $_.Properties[8].Value -match '(^|\\|\s)(az|aws|gcloud)(\.cmd|\.exe)?\s|Connect-AzAccount|Get-Az\w+|Connect-MgGraph|AzureHound' } | Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}, @{n='CommandLine';e={$_.Properties[8].Value}}
8.2. Monitoring for Enumeration of Virtual Machines
Purpose: Enumerate Hyper-V virtual machines and their state. The root\virtualization\v2 namespace exists only where the Hyper-V role is installed, and the host itself appears as a Msvm_ComputerSystem with Caption "Hosting Computer System", so it is excluded. EnabledState 2 = running, 3 = off, 32768 = paused, 32769 = saved.
Get-CimInstance -Namespace 'root\virtualization\v2' -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue | Where-Object { $_.Caption -ne 'Hosting Computer System' } | Select-Object ElementName, EnabledState, OperationalStatus, InstallDate
9. Service and Process Enumeration
9.1. Detecting Enumeration of Running Processes
Purpose: Detect process listing by someone else. Running Get-Process yourself (2.2 above) baselines the host; to see another party doing it, look at 4688 process creation for tasklist.exe or Sysinternals pslist, and at command lines (field 8) that call Get-Process, Win32_Process or wmic process. Requires command-line logging in 4688.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=(Get-Date).AddHours(-24)} | Where-Object { $_.Properties[5].Value -match '\\(tasklist|pslist(64)?)\.exe$' -or $_.Properties[8].Value -match 'Get-Process|Win32_Process|process\s+(list|get)' } | Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}, @{n='CommandLine';e={$_.Properties[8].Value}}
9.2. Monitoring for Service Status Queries
Purpose: Detect service status queries by someone else. sc.exe query, net start, Get-Service and wmic service in 4688 command lines (field 8) are the usual forms; a burst of these from one logon session alongside other discovery commands is the pattern to look for rather than any single one.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=(Get-Date).AddHours(-24)} | Where-Object { $_.Properties[8].Value -match '\bsc(\.exe)?\s+(query|qc|enumdepend)|\bnet1?(\.exe)?\s+start\b|Get-Service|Win32_Service|wmic(\.exe)?\s+service' } | Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}, @{n='CommandLine';e={$_.Properties[8].Value}}
10. Anomalous Network Behaviour
10.1. Detecting Network Traffic Anomalies
Purpose: Identify established connections to addresses outside a known-good list. 'KnownGoodIPs' in the original is a literal string, so -notin compares against a single element; define the allow-list as an array (placeholder values below), drop loopback and link-local, and group by remote address so the rare peers stand out with the ports and processes involved.
$KnownGood = @('10.0.0.10', '10.0.0.11', '192.0.2.50')   # placeholder allow-list: proxies, domain controllers, update servers
Get-NetTCPConnection -State Established | Where-Object { $_.RemoteAddress -notin $KnownGood -and $_.RemoteAddress -notmatch '^(127\.|::1$|fe80:)' } | Group-Object RemoteAddress | Sort-Object Count | Select-Object @{n='RemoteAddress';e={$_.Name}}, Count, @{n='LocalPorts';e={ (@($_.Group.LocalPort | Sort-Object -Unique)) -join ',' }}, @{n='Processes';e={ (@($_.Group.OwningProcess | Sort-Object -Unique | ForEach-Object { (Get-Process -Id $_ -ErrorAction SilentlyContinue).ProcessName })) -join ',' }}
10.2. Monitoring for Use of Network Analysis Tools
Purpose: Detect the launch of network scanners such as Nmap, masscan or Nessus. In 4688, field 5 is NewProcessName and 8 is CommandLine (the original used 9, which is TargetUserSid); the command line is populated only when "Include command line in process creation events" is enabled. Matching on names is weak because binaries can be renamed, so pair it with the WFP and connection-count checks above.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=(Get-Date).AddHours(-24)} | Where-Object { $_.Properties[5].Value -match 'nmap|zenmap|masscan|nessus|advanced_ip_scanner' -or $_.Properties[8].Value -match 'nmap|masscan|nessus' } | Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}, @{n='Process';e={$_.Properties[5].Value}}, @{n='CommandLine';e={$_.Properties[8].Value}}
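Matching a single tool name misses the built-in commands an attacker runs first: whoami, net, nltest, ipconfig, tasklist and the rest. The script below is an added example, not code from the original page. It scores 4688 process-creation events per logon session and reports sessions that ran many different discovery commands within a short window, which is a much stronger signal than any one command. It assumes Audit Process Creation and "Include command line in process creation events" are enabled; the pattern list, window size and threshold are assumptions to tune to your environment.

```powershell
# Added example, not part of the original page: discovery-burst detection over 4688.
# Many *different* discovery commands from one logon session inside a short window is
# the signal; the pattern list and thresholds are assumptions to tune. Requires Audit
# Process Creation plus "Include command line in process creation events".
$DiscoveryPatterns = [ordered]@{
    'sc query'      = '\bsc(\.exe)?\s+(query|qc)\b'
    'net enum'      = '\bnet1?(\.exe)?\s+(user|group|localgroup|view|share|accounts)\b'
    'whoami'        = '\bwhoami(\.exe)?\b'
    'nltest'        = '\bnltest(\.exe)?\b'
    'ipconfig'      = '\bipconfig(\.exe)?\b'
    'systeminfo'    = '\bsysteminfo(\.exe)?\b'
    'tasklist'      = '\btasklist(\.exe)?\b'
    'netstat'       = '\bnetstat(\.exe)?\b'
    'arp'           = '\barp(\.exe)?\s+-a\b'
    'sessions'      = '\b(qwinsta|quser)(\.exe)?\b'
    'ad tooling'    = '\b(dsquery|adfind)(\.exe)?\b'
    'scanner'       = '\b(nmap|masscan|nessus)\b'
}

function Find-DiscoveryBurst {
    param([int]$Hours = 24, [int]$WindowMinutes = 15, [int]$MinDistinctCommands = 5)
    $since = (Get-Date).AddHours(-$Hours)

    # 4688 field positions: 1 SubjectUserName, 3 SubjectLogonId, 5 NewProcessName,
    # 8 CommandLine, 13 ParentProcessName (13 is absent on pre-Windows 10/2016 hosts).
    $hits = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p      = $_.Properties
            $cmd    = '{0} {1}' -f $p[5].Value, $p[8].Value
            $parent = if ($p.Count -gt 13) { $p[13].Value } else { $null }
            foreach ($name in $DiscoveryPatterns.Keys) {
                if ($cmd -match $DiscoveryPatterns[$name]) {
                    [PSCustomObject]@{
                        TimeCreated = $_.TimeCreated
                        User        = $p[1].Value
                        LogonId     = $p[3].Value
                        Parent      = $parent
                        Technique   = $name
                        CommandLine = $p[8].Value
                    }
                    break   # one technique per process; the first (most specific) pattern wins
                }
            }
        }

    # Bucket by logon session and time window, then count distinct techniques per bucket.
    $hits |
        Select-Object *, @{n='Bucket';e={ [math]::Floor(($_.TimeCreated - [datetime]'2000-01-01').TotalMinutes / $WindowMinutes) }} |
        Group-Object LogonId, Bucket |
        ForEach-Object {
            $techs = @($_.Group.Technique | Sort-Object -Unique)
            if ($techs.Count -ge $MinDistinctCommands) {
                [PSCustomObject]@{
                    User       = $_.Group[0].User
                    LogonId    = ('0x{0:X}' -f $_.Group[0].LogonId)
                    Start      = ($_.Group.TimeCreated | Measure-Object -Minimum).Minimum
                    Commands   = $_.Count
                    Techniques = ($techs -join ', ')
                    Parents    = (@($_.Group.Parent | Where-Object { $_ } | Sort-Object -Unique) -join ', ')
                }
            }
        } | Sort-Object Start
}

Find-DiscoveryBurst -Hours 24 | Format-List
```

Grouping by SubjectLogonId rather than by user name keeps an administrator's interactive session separate from a scheduled task or a remote session running under the same account. The Parents column is the quickest triage aid: discovery commands spawned by an Office application, a browser or a service binary deserve a different response from the same commands under an administrator's PowerShell prompt.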