Reconnaissance Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Windows Gather Victim Identity SAM Info | Sysmon EventID 7 | T1589.001 | Hunting | Brute Ratel C4 | 2026-05-13 |
| Recon Using WMI Class | Powershell Script Block Logging 4104 | T1059.001, T1592 | Anomaly | Qakbot, Axios Supply Chain Post Compromise, AsyncRAT, VIP Keylogger, Malicious Inno Setup Loader, Data Destruction, MoonPeak, Malicious PowerShell, Quasar RAT, LockBit Ransomware, Hermetic Wiper, Industroyer2, Scattered Spider, BlankGrabber Stealer | 2026-05-13 |
| Cisco NVM - Suspicious Network Connection to IP Lookup Service API | Cisco Network Visibility Module Flow Data | T1016, T1590.005 | Anomaly | BlankGrabber Stealer, Cisco Network Visibility Module Analytics, Castle RAT | 2026-05-13 |
| System Info Gathering Using Dxdiag Application | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1592 | Hunting | Remcos | 2026-05-13 |
| Recon AVProduct Through Pwh or WMI | Powershell Script Block Logging 4104 | T1592 | TTP | Qakbot, Ransomware, XWorm, Windows Post-Exploitation, Data Destruction, MoonPeak, Malicious PowerShell, Quasar RAT, Prestige Ransomware, Hermetic Wiper | 2026-05-13 |
| WMI Recon Running Process Or Services | Powershell Script Block Logging 4104 | T1592 | Anomaly | Data Destruction, Malicious PowerShell, Hermetic Wiper | 2026-05-13 |
| Kerberos User Enumeration | Windows Event Log Security 4768 | T1589.002 | Anomaly | Active Directory Kerberos Attacks | 2026-05-13 |
| Windows Gather Victim Host Information Camera | Powershell Script Block Logging 4104 | T1592.001 | Anomaly | DarkCrystal RAT | 2026-05-13 |
| Windows DNS Gather Network Info | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1590.002 | Anomaly | Sandworm Tools, Volt Typhoon | 2026-05-13 |
| Windows Detect Network Scanner Behavior | Sysmon EventID 3 | T1595.001, T1595.002 | Anomaly | Windows Discovery Techniques, Network Discovery | 2026-05-13 |
| Attacker Tools On Endpoint | Cisco Network Visibility Module Flow Data, Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1003, T1036.005, T1595 | TTP | CISA AA22-264A, Compromised Windows Host, Cisco Network Visibility Module Analytics, XMRig, SamSam Ransomware, Scattered Spider, Unusual Processes, PHP-CGI RCE Attack on Japanese Organizations | 2026-05-13 |
| Windows Netspy Network Scanner Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1018, T1595 | Anomaly | Windows Discovery Techniques, Network Discovery | 2026-05-13 |
| Windows WinPEAS PowerShell Script Execution | Powershell Script Block Logging 4104 | T1007, T1016, T1033, T1082, T1590, T1592.002, T1592.004, T1615 | TTP | Windows Post-Exploitation | 2026-05-13 |
| Local LLM Framework DNS Query | Sysmon EventID 22 | T1590 | Hunting | Suspicious Local LLM Frameworks | 2026-05-13 |
| Linux Medusa Rootkit | Sysmon for Linux EventID 11 | T1014, T1589.001 | TTP | Medusa Rootkit, VoidLink Cloud-Native Linux Malware, Hellcat Ransomware, China-Nexus Threat Activity | 2026-05-13 |
| Windows RDP File Execution | Windows Event Log Security 4688, Sysmon EventID 1, CrowdStrike ProcessRollup2 | T1021.001, T1598.002 | TTP | Windows RDP Artifacts and Defense Evasion, Spearphishing Attachments, Interlock Ransomware | 2026-05-13 |
| HTTP Rapid POST with Mixed Status Codes | Nginx Access | T1071.001, T1190, T1595 | Anomaly | HTTP Request Smuggling | 2026-05-13 |
| Cisco ASA - Reconnaissance Command Activity | Cisco ASA Logs | T1082, T1590.001, T1590.005 | Anomaly | Suspicious Cisco Adaptive Security Appliance Activity | 2026-05-13 |
| Ollama Possible API Endpoint Scan Reconnaissance | Ollama Server | T1595 | Anomaly | Suspicious Ollama Activities | 2026-05-13 |
| Wermgr Process Connecting To IP Check Web Services | Sysmon EventID 22 | T1590.005 | TTP | Trickbot | 2026-05-13 |
| Cisco Secure Firewall - Blocked Connection | Cisco Secure Firewall Threat Defense Connection Event | T1018, T1046, T1110, T1203, T1595.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Cisco Secure Firewall - Repeated Blocked Connections | Cisco Secure Firewall Threat Defense Connection Event | T1018, T1046, T1110, T1203, T1595.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Internal Vulnerability Scan | | T1046, T1595.002 | TTP | Scattered Lapsus$ Hunters, Network Discovery | 2026-05-13 |
| Cisco Secure Firewall - Rare Snort Rule Triggered | Cisco Secure Firewall Threat Defense Intrusion Event | T1583.006, T1598 | Hunting | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |
| Windows Gather Victim Network Info Through Ip Check Web Services | Sysmon EventID 22 | T1590.005 | Anomaly | Water Gamayun, Snake Keylogger, Meduza Stealer, Castle RAT, Handala Wiper, VIP Keylogger, PXA Stealer, Void Manticore, 0bj3ctivity Stealer, Quasar RAT, Azorult, Phemedrone Stealer, DarkCrystal RAT, BlankGrabber Stealer | 2026-05-13 |
| Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity | Cisco SD-WAN Service Proxy Access Logs | T1595 | Hunting | Cisco Catalyst SD-WAN Analytics | 2026-05-13 |
| Cisco Secure Firewall - High Volume of Intrusion Events Per Host | Cisco Secure Firewall Threat Defense Intrusion Event | T1059, T1071, T1595.002 | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2026-05-13 |