detection.wiki

Gather Victim Network Information T1590

Tactic: Reconnaissance

Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.

Events covered

13 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 3Network connection
SysmonEvent ID 22DNSEvent (DNS query)
Security-AuditingEvent ID 4688A new process has been created.
Security-AuditingEvent ID 5152The Windows Filtering Platform blocked a packet.
Security-AuditingEvent ID 5154The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Security-AuditingEvent ID 5155The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Security-AuditingEvent ID 5156The Windows Filtering Platform has permitted a connection.
Security-AuditingEvent ID 5157The Windows Filtering Platform has blocked a connection.
Security-AuditingEvent ID 5158The Windows Filtering Platform has permitted a bind to a local port.
Security-AuditingEvent ID 5159The Windows Filtering Platform has blocked a bind to a local port.
DNS-Server-ServiceEvent ID 6004The DNS server received a zone transfer request from param1 for a non-existent or non-authoritative zone param2.
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 17 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (25 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
EventID4eq 422, 4104
QueryName4in 3, contains 1, eq 1*api.ip.sb, *api.ipify.org, *b.barracudacentral.org, *alibabacloud*, *aliyun*
sourcetype3eq 3cisco:asa, cisco:ios, cisco:nvm:flowdata
Image2ends_with 2, eq 1, starts_with 1\brave.exe, \crassus.exe, \maxthon.exe, \msedge.exe
command2contains 1, in 1show access-list*, show capture*, show conn*, suspiciouscommands
process_name2eq 2dnscmd.exe, wermgr.exe
unique_recon_commands2ge 24, 7
CommadCount1ge 18
CommandLine1contains 1 /enumrecords
DNSQueryCount1gt 110
Description1contains 1crassus
NetworkDirection1eq 1Inbound
OriginalFileName1eq 1crassus.exe
ScriptBlockText1in 1*get-clipboardtext*, *returnhotfixid*, *start-aclcheck*
aws::userAgent1starts_with 1aws-cli

Top indicator values (222 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
EventIDeq
22
316
EventIDeq
4104
1268
QueryNamein
*api.ip.sb
22
QueryNamein
*api.ipify.org
22
QueryNamein
*b.barracudacentral.org
22
QueryNamein
*cbl.abuseat.org
22
QueryNamein
*dnsbl-1.uceprotect.net
22
QueryNamein
*icanhazip.com
22
QueryNamein
*ip.anysrc.com
22
QueryNamein
*ipecho.net
22
QueryNamein
*ipinfo.io
22
QueryNamein
*spam.dnsbl.sorbs.net
22
QueryNamein
*wtfismyip.com
22
QueryNamein
*zen.spamhaus.org
22
QueryNamein
ident.me
22
QueryNamein
www.myexternalip.com
22
CommadCountge
8
1
CommandLinecontains
/enumrecords
1
DNSQueryCountgt
10
1
Descriptioncontains
crassus
1
Imageends_with
\brave.exe
111
Imageends_with
\crassus.exe
1
Imageends_with
\maxthon.exe
13
Imageends_with
\msedge.exe
114
Imageends_with
\msedgewebview2.exe
13
Imageends_with
\opera.exe
111
Imageends_with
\safari.exe
12
Imageends_with
\seamonkey.exe
13
Imageends_with
\vivaldi.exe
111
Imageends_with
\whale.exe
13

Exclusions (39 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
DNSQueryCountgt
10
1
Imageends_with
\brave.exe
1
Imageends_with
\maxthon.exe
1
Imageends_with
\msedge.exe
1
Imageends_with
\msedgewebview2.exe
1
Imageends_with
\opera.exe
1
Imageends_with
\safari.exe
1
Imageends_with
\seamonkey.exe
1
Imageends_with
\vivaldi.exe
1
Imageends_with
\whale.exe
1
Imageends_with
\windowsapps\microsoftedge.exe
1
Imageeq
c:\program files (x86)\google\chrome\application\chrome.exe
1
Imageeq
c:\program files (x86)\internet explorer\iexplore.exe
1
Imageeq
c:\program files (x86)\microsoft\edge\application\msedge.exe
1
Imageeq
c:\program files (x86)\mozilla firefox\firefox.exe
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 4 rules

Elastic 1 rule

Splunk 8 rules

Kusto 4 rules