Reconnaissance

Modification of critical SQL Server configuration options, such as 'Ad Hoc Distributed Queries', 'external scripts enabled', 'Ole Automation Procedures', 'clr enabled', and 'clr strict security', can enable attackers to perform Active Directory reconnaissance and execute arbitrary code, potentially leading to code execution or reconnaissance activities.

An unidentified threat actor used Claude AI to identify and target a vNode SCADA/IIoT management interface at a Mexican water utility between December 2025 and February 2026, ultimately failing to gain access.

An AWS principal rapidly enumerates S3 bucket posture using read-only APIs, indicative of reconnaissance, scanning, or post-compromise activity.

An AWS principal rapidly enumerates S3 bucket configurations using read-only APIs, potentially indicating reconnaissance activity by security scanners, CSPM tools, or malicious actors performing post-compromise enumeration.

The OpenCanary Telnet Login Attempt detection identifies unauthorized login attempts to a Telnet service monitored by an OpenCanary node, indicating potential reconnaissance or intrusion attempts targeting the network.

An SSH connection attempt to an OpenCanary node indicates a potential adversary probing for vulnerable services or attempting unauthorized access within a network.

This rule identifies potentially unsecured Elasticsearch nodes that lack TLS and/or authentication and are accepting inbound network connections, which could allow adversaries to gain initial access, exfiltrate data, or disrupt services.

Adversaries may perform reconnaissance in a Kubernetes environment by rapidly querying multiple resource types to map the environment and identify potential privilege escalation paths.

Attackers use PowerShell to query the Windows registry's Uninstall key to discover installed software and identify potential vulnerabilities for exploitation.

The use of command-line tools like ping.exe or arp.exe with obfuscated IP addresses (hex, octal, etc.) in the command line can indicate reconnaissance activity or attempts to evade security controls by masking the true destination.

Detects the execution of ADExplorer, a tool used for Active Directory viewing and editing, which can be abused by adversaries for domain reconnaissance and creating offline snapshots of the AD database.

Detection of suspicious PowerShell activity using Windows Management Instrumentation (WMI) to gather system information, indicative of reconnaissance efforts by adversaries potentially leading to further exploitation or lateral movement.

An unsigned or untrusted binary on macOS is performing DNS requests for IP lookup services to determine the system's external IP address, which is commonly used by malware for reconnaissance before establishing C2 connections.

The execution of AdFind.exe, an Active Directory query tool, is often used by threat actors for post-exploitation Active Directory reconnaissance, as observed in campaigns involving Trickbot, Ryuk, Maze, and FIN6.