Stage 2: Internal Reconnaissance

Stage 2 of the cyberattack lifecycle: Internal Reconnaissance. After gaining initial access, the attacker silently maps your internal network — identifying systems, users, services, and high-value targets before making their next move.

Attacker Goal

Understand the internal network layout, identify high-value targets, and plan the path to objectives without triggering alerts.

MITRE ATT&CK Techniques

T1046T1083T1087T1135T1018T1069

Stage Description

After gaining initial access, the attacker silently maps your internal network — identifying systems, users, services, and high-value targets before making their next move.

Common Entry Vectors

• Network scanning to discover live hosts and open ports
• File share enumeration to find accessible data
• User account discovery to identify privileged accounts
• Service discovery to map internal applications
• Domain and Active Directory enumeration

Typical Attacker Actions

• Scans internal network for live systems and services
• Enumerates file shares and sensitive directories
• Identifies administrator and service accounts
• Maps Active Directory structure and trust relationships
• Searches for password files, config files, and credentials

What Purim NetGo Delivers at This Stage

• Instant Detection — catch reconnaissance before it becomes an attack
• Network Visibility — see exactly what the attacker is mapping
• Identity Intelligence — know which device is scanning
• Zero False Positives — only real attackers touch decoys
• Behavioral Profiling — build a complete attacker profile