Detection rules › Splunk
Common Reconnaissance Commands (Sysmon)
These are reconnaissance commands that are most commonly used by attackers in order to collect information after gaining a access to the machine
MITRE ATT&CK coverage
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
id: '1035.1044'
title: Common Reconnaissance Commands
description: 'These are reconnaissance commands that are most commonly used by attackers
in order to collect information after gaining a access to the machine. -- Threat
Actor Association: AbcBot, Alloy Taurus/Gallium, Andariel, APT27/Emissary Panda,
APT28 (aka.Fancy Bear, Fighting Ursa, Forest Blizzard, Pawn Storm, TA422, STRONTIUM),
APT29/Nobelium/Cozy Bear, APT33, APT35/Phosphorus/Magic Hound, APT36, APT43, Carbanak,
FamousSparrow, FIN6, FIN7, FIN8, FIN12, FIN13, Gorgon Group, Kimsuky, MuddyWater,
OilRig, SaintBear (aka UAC-0056, UNC2589, TA471), TA428, TA2541, TRAVELING SPIDER,
UAC-0056, Volt Typhoon (Bronze Silhouette, Vanguard Panda), Winter Vivern, Wizard
Spider -- Software Association: AvosLocker, BadHatch, Bazarloader, BianLian, Black
Basta, Blackcat/ALPHV, Clop, Conti, Cyclops Blink, Emotet, GhostShell, Hancitor,
Havex, IcedID, Insekt, Lockbit, NanoCore, Nefilim, PowerShortShell, Prometheus /
Spook, PYSA/Mespinoza, QakBot, Remcos, Ryuk, Snatch, Sodinokibi/REvil, Trickbot,
Vice Society, XingLocker -- Atomics T1007 Test#1 Atomics T1007 Test#2 Atomics T1016
Test#1 Atomics T1016 Test#2 Atomics T1016 Test#3 Atomics T1016 Test#4 Atomics T1016
Test#7 Atomics T1018 Test#1 Atomics T1018 Test#2 Atomics T1018 Test#3 Atomics T1018
Test#5 Atomics T1018 Test#6 Atomics T1018 Test#8 Atomics T1518.001 Test#1 Atomics
T1571 Test#1 Atomics T1033 Test #1 Atomics T1087.001 Test #4 Atomics T1087.001 Test
#5 Atomics T1087.001 Test #6 Atomics T1087.001 Test #7 Atomics T1087.001 Test #8
Atomics T1087.001 Test #9 Atomics T1087.001 Test #10 Atomics T1201 Test #5 Atomics
T1201 Test #6'
logic_format: Splunk
logic: ' `get_endpoint_data` `get_endpoint_data_sysmon` EventCode=1 ( "whoami.exe"
OR "systeminfo.exe" OR "HOSTNAME.EXE" OR "ipconfig.exe" OR "route.exe" OR "arp.exe"
OR "netstat.exe" OR "netsh.exe" OR "tasklist.exe" OR "driverquery.exe" OR "qprocess.exe"
OR "query.exe" OR "nslookup.exe" OR "tracert.exe" OR "net.exe" OR "cmdkey.exe")
| where match(parent_process_name,"(?i)(powershell\.exe)|(cmd\.exe)") AND (match(process,"(?i)((whoami)|(dir)|(hostname)|(hostname)|(systeminfo)|(ipconfig)|(route)|(arp)|(cmdkey))($|\s)")
OR match(process,"(?i)((netstat)|(netsh)|(schtasks)|(tasklist)|(driverquery)|(qprocess)|(nslookup))($|\s)")
OR match(process,"(?i)((tracert)|(query)|(net\s+((localgroup)|(group)|(config)|(share)|(use)|(user)|(view))))($|\s)"))
| table _time, host, user process, process_*, parent_process, parent_process_* |
bin span=60s | stats values(*) as * by _time, host,user | streamstats dc(process_name)
as dc_process_name by _time, host | where dc_process_name>2 `hec_collect`'
techniques:
- discovery:system owner/user discovery
- execution:command and scripting interpreter
- discovery:account discovery:local account
- discovery:process discovery
- discovery:system information discovery
- discovery:system service discovery
- execution:command and scripting interpreter:unix shell
- execution:command and scripting interpreter:windows command shell
technique_id:
- T1033
- T1059
- T1087.001
- T1057
- T1082
- T1007
- T1059.003
- T1059.004
data_category:
- Windows Sysmon
references:
- https://capec.mitre.org/data/definitions/577.html
- https://www.programmersought.com/article/71384528057/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` EventCode=1 ( "whoami.exe" OR "systeminfo.exe" OR "HOSTNAME.EXE" OR "ipconfig.exe" OR "route.exe" OR "arp.exe" OR "netstat.exe" OR "netsh.exe" OR "tasklist.exe" OR "driverquery.exe" OR "qprocess.exe" OR "query.exe" OR "nslookup.exe" OR "tracert.exe" OR "net.exe" OR "cmdkey.exe")
Stage 2: where
| where match(parent_process_name,"(?i)(powershell\.exe)|(cmd\.exe)") AND (match(process,"(?i)((whoami)|(dir)|(hostname)|(hostname)|(systeminfo)|(ipconfig)|(route)|(arp)|(cmdkey))($|\s)") OR match(process,"(?i)((netstat)|(netsh)|(schtasks)|(tasklist)|(driverquery)|(qprocess)|(nslookup))($|\s)") OR match(process,"(?i)((tracert)|(query)|(net\s+((localgroup)|(group)|(config)|(share)|(use)|(user)|(view))))($|\s)"))
Stage 3: table
| table _time, host, user process, process_*, parent_process, parent_process_*
Stage 4: bucket
| bin span=60s
Stage 5: stats
| stats values(*) as * by _time, host,user
Stage 6: streamstats
| streamstats dc(process_name) as dc_process_name by _time, host
Stage 7: where
| where dc_process_name>2 `hec_collect`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
dc_process_name | gt |
|
parent_process_name | match |
|
process | match |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | "whoami.exe" |
| 1 | "systeminfo.exe" |
| 1 | "HOSTNAME.EXE" |
| 1 | "ipconfig.exe" |
| 1 | "route.exe" |
| 1 | "arp.exe" |
| 1 | "netstat.exe" |
| 1 | "netsh.exe" |
| 1 | "tasklist.exe" |
| 1 | "driverquery.exe" |
| 1 | "qprocess.exe" |
| 1 | "query.exe" |
| 1 | "nslookup.exe" |
| 1 | "tracert.exe" |
| 1 | "net.exe" |
| 1 | "cmdkey.exe" |