
Basic APT Reconnaissance Tools Detection with Domain Discovery Arguments

Introductory query for analysts learning threat hunting in CrowdStrike LogScale. Detects execution of classic APT reconnaissance tools (whoami, nltest, systeminfo) with specific domain and Active Directory discovery arguments, a fundamental technique documented in APT TTP profiles.

Tags: EDR, apt, reconnaissance, domain-discovery, beginner, active-directory, T1082, T1033, T1016.001, T1087.002
FDR · Beginner · by darkreitor · 2 min read

Query

#repo="base_sensor" #event_simpleName=ProcessRollup2
| FileName=/(?i)(whoami\.exe|nltest\.exe|systeminfo\.exe)/
| CommandLine=/(?i)(\/all|\/domain|\/dclist|\/trusted_domains|\/domain_trusts)/
| select([ComputerName, UserName, FileName, CommandLine, @timestamp])
| sort(field=@timestamp, order=desc)

Explanation

| Pipe | Description |
|---|---|
| `#repo="base_sensor" #event_simpleName=ProcessRollup2` | Filters ProcessRollup2 events (process creation) in the CrowdStrike FDR base sensor repository |
| `FileName=/(?i)(whoami\.exe\|nltest\.exe\|systeminfo\.exe)/` | Looks for three native tools heavily used by APTs for initial Windows domain reconnaissance |
| `CommandLine=/(?i)(\/all\|\/domain\|...)/` | Filters by specific arguments that reveal intent to enumerate the domain and AD trust relationships |
| `select([ComputerName, UserName, FileName, CommandLine, @timestamp])` | Selects only the most relevant fields for the analyst: host, user, tool, command, and timestamp |
| `sort(field=@timestamp, order=desc)` | Sorts by timestamp in descending order so the most recent events appear first, which makes triage easier |

Adjustable Variables

To detect any execution of these tools (not only with domain arguments), remove the `CommandLine` filter (the second filter line). Add `| UserName!="SYSTEM"` to exclude operating system activity. Change the timeframe in the dashboard to 7d for a historical search.
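The same filter chain applied to a handful of constructed ProcessRollup2-style events, as an added Python example that is not part of the original page or of LogScale. It uses the query's two regexes unchanged and exposes the two adjustments above (dropping the CommandLine filter, excluding SYSTEM) as parameters, so their effect on the sample set can be compared; the events, hostnames and timestamps are invented.

```python
import re

# Same patterns as the LogScale query: case-insensitive tool names and
# the domain / AD-trust discovery arguments.
TOOL_RE = re.compile(r"(?i)(whoami\.exe|nltest\.exe|systeminfo\.exe)")
ARGS_RE = re.compile(r"(?i)(/all|/domain|/dclist|/trusted_domains|/domain_trusts)")

SELECTED = ("ComputerName", "UserName", "FileName", "CommandLine", "@timestamp")

# Constructed sample events (not real FDR data); ISO timestamps sort lexically.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "UserName": "jdoe", "FileName": "whoami.exe",
     "CommandLine": "whoami /all", "@timestamp": "2024-05-01T10:00:00Z"},
    {"ComputerName": "WS02", "UserName": "SYSTEM", "FileName": "nltest.exe",
     "CommandLine": "nltest /dclist:corp", "@timestamp": "2024-05-01T11:30:00Z"},
    {"ComputerName": "WS03", "UserName": "asmith", "FileName": "systeminfo.exe",
     "CommandLine": "systeminfo", "@timestamp": "2024-05-01T09:15:00Z"},  # no domain args
    {"ComputerName": "WS04", "UserName": "bob", "FileName": "notepad.exe",
     "CommandLine": "notepad.exe /all", "@timestamp": "2024-05-01T12:00:00Z"},  # wrong tool
    {"ComputerName": "DC01", "UserName": "admin", "FileName": "NLTEST.EXE",
     "CommandLine": "nltest /domain_trusts", "@timestamp": "2024-05-01T08:45:00Z"},
]


def hunt(events, require_domain_args=True, exclude_system=False):
    """Apply the query's filters, project the selected fields, newest first.

    require_domain_args=False mirrors removing the CommandLine filter;
    exclude_system=True mirrors adding `| UserName!="SYSTEM"`.
    """
    hits = []
    for ev in events:
        if not TOOL_RE.search(ev["FileName"]):
            continue
        if require_domain_args and not ARGS_RE.search(ev["CommandLine"]):
            continue
        if exclude_system and ev["UserName"] == "SYSTEM":
            continue
        hits.append({k: ev[k] for k in SELECTED})  # select([...])
    # sort(field=@timestamp, order=desc)
    return sorted(hits, key=lambda e: e["@timestamp"], reverse=True)


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row["@timestamp"], row["ComputerName"], row["UserName"], row["CommandLine"])
```

Note that `/domain` also matches `/domain_trusts`, so the last alternative in the argument regex is redundant with the second; the query still behaves as documented.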