RSS Feed

🤔 How Do I Check For Reconnaisance Activity?

Created: 24.06.2023


Event logs

Monitoring for these events will cause a lot of noise and false positives. You need to do it in a smart way:

  1. Filter for sensitive groups
  2. Whitelist those processes performing such activity legitimately: mmc.exe, services.exe, taskhost.exe, explorer.exe, vsssvc.exe. Presume everything else to be unusual.
  3. What accounts are NOT supposed to do recon?
  4. What group was queried? Administrators group (or other groups with higher privileges) is the most desirable piece of the pie.

4798 - user’s local group membership enum. 4799 - security-enabled local group membership enum.

Group Policy -> Advanced Auditing setting to set up Audit Security Group Management and User Account Management.

🛠️ PowerSploit and 🛠️ Empire both use PowerView cmdlet set to perform recon activity for the Windows environment. 🛠️ DeathStar from 🛠️ Empire is a wrapper around it.


Expand… Something here