Network Reconnaissance Activity

About the rule

Rule Type

Standard

Rule Description

Network reconnaissance activity involves attempts by attackers to discover information about a target network's topology, services, devices, and vulnerabilities before launching an attack. Common reconnaissance techniques include network scanning, host discovery, port scanning, and enumeration of open services or protocols. This rule is designed to detect anomalous and potentially malicious reconnaissance actions such as unsolicited network scans, repeated probing for open ports, sweeps across multiple hosts, or use of suspicious scanning tools that may indicate pre-attack surveillance, enumeration, or threat actor presence within the environment.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Reconnaissance → Weaponization/Delivery → Command and Control → Impact

Impact

• Discovery of network weaknesses
• Increased risk of subsequent attacks
• Data gathering for exploitation
• Potential service disruption through scanning

Rule Requirement

Prerequisites

Use the Group Policy Management Console to audit process creation and process termination.

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.

Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.

Criteria

Detection

Execution Mode

realtime

Log Sources

Active Directory

MITRE ATT&CK

Discovery: Account Discovery (T1087),"Discovery: System Information Discovery (T1082)"

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

When this rule is triggered, you’re notified of suspicious or unauthorized network discovery and scanning behavior. This enables you to monitor for early signs of attack preparation, review network traffic patterns, and quickly identify potential threat actors performing reconnaissance, supporting strong detection and timely defensive response.

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

Legitimate network management or vulnerability scanning tools used by IT teams for approved maintenance, inventory, or security assessment activities can also trigger this rule. Validate the source, timing, and intent of flagged scans to distinguish between authorized and malicious reconnaissance.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Reconfiguration: Update network monitoring, improve segmentation, and refine detection thresholds to reduce future risk and false positives.

Mitigation