CrowdStrike: Discovery (TA0007)

Carbanak+FIN7

| Step | ATT&CK Pattern |
| --- | --- |
| 2.A.2 | Technique: System Information Discovery (T1082) |
| 2.A.4 | Technique: Process Discovery (T1057) |
| 3.B.4 | Technique: Query Registry (T1012) |
| 4.A.1 | Technique: File and Directory Discovery (T1083) |
| 4.A.2 | Technique: Remote System Discovery (T1018) |
| 5.B.3 | Technique: Process Discovery (T1057) |
| 5.B.4 | Technique: File and Directory Discovery (T1083) |
| 5.B.7 | Technique: Remote System Discovery (T1018) |
| 6.A.2 | Technique: Remote System Discovery (T1018) |
| 6.A.3 | |
| 7.B.1 | Technique: System Owner/User Discovery (T1033) |
| 7.C.2 | Technique: File and Directory Discovery (T1083) |
| 12.A.4 | |
| 12.A.5 | Technique: System Information Discovery (T1082) |
| 13.A.1 | Technique: Process Discovery (T1057) |
| 13.A.3 | Technique: Network Share Discovery (T1135) |
| 13.A.5 | Technique: System Owner/User Discovery (T1033) |
| 13.A.6 | Technique: System Information Discovery (T1082) |
| 13.A.8 | |
| 13.A.9 | Technique: System Information Discovery (T1082) |
| 15.A.1 | Technique: Process Discovery (T1057) |
| 15.A.7 | |
| 15.A.8 | Technique: Remote System Discovery (T1018) |
| 20.B.2 | Technique: Process Discovery (T1057) |
APT29

| Step | ATT&CK Pattern |
| --- | --- |
| 2.A.1 | Technique: File and Directory Discovery (T1083) |
| 4.B.1 | Technique: Process Discovery (T1057) |
| 4.C.1 | Technique: File and Directory Discovery (T1083) |
| 4.C.2 | Technique: System Owner/User Discovery (T1033) |
| 4.C.3 | Technique: System Information Discovery (T1082) |
| 4.C.4 | |
| 4.C.5 | Technique: Process Discovery (T1057) |
| 4.C.6 | Technique: System Information Discovery (T1082) |
| 4.C.7 | Technique: Software Discovery (T1518); Subtechnique: Security Software Discovery (T1518.001) |
| 4.C.8 | Technique: Software Discovery (T1518); Subtechnique: Security Software Discovery (T1518.001) |
| 4.C.9 | Technique: Permission Groups Discovery (T1069); Subtechnique: Domain Groups (T1069.002) |
| 4.C.11 | Technique: Permission Groups Discovery (T1069); Subtechnique: Local Groups (T1069.001) |
| 8.A.1 | Technique: Remote System Discovery (T1018) |
| 8.A.3 | Technique: Process Discovery (T1057) |
| 9.B.2 | Technique: File and Directory Discovery (T1083) |
| 11.A.4 | Technique: System Information Discovery (T1082) |
| 11.A.5 | Technique: Peripheral Device Discovery (T1120) |
| 11.A.6 | Technique: System Owner/User Discovery (T1033) |
| 11.A.7 | |
| 11.A.8 | Technique: Process Discovery (T1057) |
| 11.A.9 | Technique: File and Directory Discovery (T1083) |
| 12.A.1 | Technique: File and Directory Discovery (T1083) |
| 12.B.1 | Technique: Software Discovery (T1518); Subtechnique: Security Software Discovery (T1518.001) |
| 12.C.1 | Technique: Query Registry (T1012) |
| 12.C.2 | Technique: Query Registry (T1012) |
| 13.A.1 | Technique: System Information Discovery (T1082) |
| 13.B.1 | |
| 13.C.1 | Technique: System Owner/User Discovery (T1033) |
| 13.D.1 | Technique: Process Discovery (T1057) |
| 14.B.2 | Technique: Process Discovery (T1057) |
| 15.A.1 | Technique: System Owner/User Discovery (T1033) |
| 16.A.1 | Technique: Remote System Discovery (T1018) |
| 16.B.1 | Technique: System Owner/User Discovery (T1033) |
Procedure
Enumerated computer manufacturer, model, and version information using PowerShell
Criteria
powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
Footnotes
- PowerShell script block content for this step was collected on sensor, but at execution time did not meet confidence threshold to be sent to cloud for further analysis.
Procedure
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Footnotes
- PowerShell script block content for this step was collected on sensor, but at execution time did not meet confidence threshold to be sent to cloud for further analysis.
Procedure
Checked that the username is not related to admin or a generic value (e.g., "user") using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Footnotes
- PowerShell script block content for this step was collected on sensor, but at execution time did not meet confidence threshold to be sent to cloud for further analysis.
Procedure
Checked that the computer is joined to a domain using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Footnotes
- PowerShell script block content for this step was collected on sensor, but at execution time did not meet confidence threshold to be sent to cloud for further analysis.
Procedure
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_Process
Footnotes
- PowerShell script block content for this step was collected on sensor, but at execution time did not meet confidence threshold to be sent to cloud for further analysis.
Procedure
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
Criteria
powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
Footnotes
- PowerShell script block content for this step was collected on sensor, but at execution time did not meet confidence threshold to be sent to cloud for further analysis.
APT3

| Step | ATT&CK Pattern |
| --- | --- |
| 2.A.1 | |
| 2.A.2 | |
| 2.B.1 | Technique: System Owner/User Discovery (T1033) |
| 2.C.1 | Technique: Process Discovery (T1057) |
| 2.C.2 | Technique: Process Discovery (T1057) |
| 2.D.1 | Technique: System Service Discovery (T1007) |
| 2.D.2 | Technique: System Service Discovery (T1007) |
| 2.E.1 | Technique: System Information Discovery (T1082) |
| 2.E.2 | Technique: System Information Discovery (T1082) |
| 2.F.1 | Technique: Permission Groups Discovery (T1069); Subtechnique: Local Groups (T1069.001) |
| 2.F.2 | Technique: Permission Groups Discovery (T1069); Subtechnique: Domain Groups (T1069.002) |
| 2.F.3 | Technique: Permission Groups Discovery (T1069); Subtechnique: Domain Groups (T1069.002) |
| 2.G.1 | |
| 2.G.2 | |
| 2.H.1 | Technique: Query Registry (T1012) |
| 3.B.1 | Technique: Process Discovery (T1057) |
| 4.A.1 | Technique: Remote System Discovery (T1018) |
| 4.A.2 | Technique: Remote System Discovery (T1018) |
| 4.B.1 | |
| 4.C.1 | |
| 6.A.1 | Technique: Query Registry (T1012) |
| 7.A.1.3 | |
| 8.A.1 | Technique: File and Directory Discovery (T1083) |
| 8.A.2 | Technique: File and Directory Discovery (T1083) |
| 8.B.1 | Technique: Process Discovery (T1057) |
| 8.C.1.2 | Technique: Application Window Discovery (T1010) |
| 8.D.1.1 | Technique: Screen Capture (T1113) |
| 9.A.1 | Technique: File and Directory Discovery (T1083) |
| 12.A.1 | |
| 12.A.2 | |
| 12.B.1 | Technique: System Owner/User Discovery (T1033) |
| 12.C.1 | Technique: Process Discovery (T1057) |
| 12.D.1 | Technique: System Service Discovery (T1007) |
| 12.E.1.1 | Technique: System Owner/User Discovery (T1033) |
| 12.E.1.2 | Technique: Permission Groups Discovery (T1069); Subtechnique: Domain Groups (T1069.002) |
| 12.E.1.3 | Technique: Password Policy Discovery (T1201) |
| 12.E.1.4.1 | Technique: File and Directory Discovery (T1083) |
| 12.E.1.4.2 | Technique: File and Directory Discovery (T1083) |
| 12.E.1.6.1 | Technique: System Information Discovery (T1082) |
| 12.E.1.6.2 | Technique: System Information Discovery (T1082) |
| 12.E.1.7 | Technique: Query Registry (T1012) |
| 12.E.1.8 | Technique: System Service Discovery (T1007) |
| 12.E.1.9.1 | Technique: Network Share Discovery (T1135) |
| 12.E.1.9.2 | Technique: Network Share Discovery (T1135) |
| 12.E.1.10.1 | Technique: Software Discovery (T1518); Subtechnique: Security Software Discovery (T1518.001) |
| 12.E.1.10.2 | Technique: Software Discovery (T1518); Subtechnique: Security Software Discovery (T1518.001) |
| 12.E.1.11 | |
| 12.E.1.12 | |
| 12.F.1 | Technique: Permission Groups Discovery (T1069); Subtechnique: Domain Groups (T1069.002) |
| 12.F.2 | Technique: Permission Groups Discovery (T1069); Subtechnique: Local Groups (T1069.001) |
| 12.G.1 | |
| 12.G.2 | |
| 13.A.1 | Technique: Remote System Discovery (T1018) |
| 13.B.1 | |
| 13.B.2 | |
| 13.C.1 | Technique: Query Registry (T1012) |
| 15.A.1.2 | Technique: Application Window Discovery (T1010) |
| 16.H.1 | Technique: System Service Discovery (T1007) |
| 16.J.1 | Technique: System Service Discovery (T1007) |
| 16.K.1 | Technique: File and Directory Discovery (T1083) |
| 17.A.1.1 | Technique: System Service Discovery (T1007) |
| 17.A.1.2 | Technique: Query Registry (T1012) |
| 18.A.1 | Technique: File and Directory Discovery (T1083) |
| 20.B.1 | Technique: System Owner/User Discovery (T1033) |
Procedure
Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd
Footnotes
- For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
Procedure
Cobalt Strike: 'net group "Domain Computers" -domain' via cmd
Footnotes
- For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
Procedure
Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
Footnotes
- For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Procedure
Cobalt Strike: 'netstat -ano' via cmd
Footnotes
- For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Procedure
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Empire: 'whoami -all -fo list' via PowerShell
Footnotes
- For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Procedure
Empire: 'qprocess *' via PowerShell
Footnotes
- For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Procedure
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
Procedure
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)