Trend Micro: Discovery (TA0007)

Carbanak+FIN7

| Step | ATT&CK Pattern |
| --- | --- |
| 2.A.2 | Technique System Information Discovery (T1082) |
| 2.A.4 | Technique Process Discovery (T1057) |
| 3.B.4 | Technique Query Registry (T1012) |
| 4.A.1 | Technique File and Directory Discovery (T1083) |
| 4.A.2 | Technique Remote System Discovery (T1018) |
| 5.B.3 | Technique Process Discovery (T1057) |
| 5.B.4 | Technique File and Directory Discovery (T1083) |
| 5.B.7 | Technique Remote System Discovery (T1018) |
| 6.A.2 | Technique Remote System Discovery (T1018) |
| 6.A.3 | |
| 7.B.1 | Technique System Owner/User Discovery (T1033) |
| 7.C.2 | Technique File and Directory Discovery (T1083) |
| 12.A.4 | |
| 12.A.5 | Technique System Information Discovery (T1082) |
| 13.A.1 | Technique Process Discovery (T1057) |
| 13.A.3 | Technique Network Share Discovery (T1135) |
| 13.A.5 | Technique System Owner/User Discovery (T1033) |
| 13.A.6 | Technique System Information Discovery (T1082) |
| 13.A.8 | |
| 13.A.9 | Technique System Information Discovery (T1082) |
| 15.A.1 | Technique Process Discovery (T1057) |
| 15.A.7 | |
| 15.A.8 | Technique Remote System Discovery (T1018) |
| 20.B.2 | Technique Process Discovery (T1057) |
APT29

| Step | ATT&CK Pattern |
| --- | --- |
| 2.A.1 | Technique File and Directory Discovery (T1083) |
| 4.B.1 | Technique Process Discovery (T1057) |
| 4.C.1 | Technique File and Directory Discovery (T1083) |
| 4.C.2 | Technique System Owner/User Discovery (T1033) |
| 4.C.3 | Technique System Information Discovery (T1082) |
| 4.C.4 | |
| 4.C.5 | Technique Process Discovery (T1057) |
| 4.C.6 | Technique System Information Discovery (T1082) |
| 4.C.7 | Technique Software Discovery (T1518); Subtechnique Software Discovery: Security Software Discovery (T1518.001) |
| 4.C.8 | Technique Software Discovery (T1518); Subtechnique Software Discovery: Security Software Discovery (T1518.001) |
| 4.C.9 | Technique Permission Groups Discovery (T1069); Subtechnique Permission Groups Discovery: Domain Groups (T1069.002) |
| 4.C.11 | Technique Permission Groups Discovery (T1069); Subtechnique Permission Groups Discovery: Local Groups (T1069.001) |
| 8.A.1 | Technique Remote System Discovery (T1018) |
| 8.A.3 | Technique Process Discovery (T1057) |
| 9.B.2 | Technique File and Directory Discovery (T1083) |
| 11.A.4 | Technique System Information Discovery (T1082) |
| 11.A.5 | Technique Peripheral Device Discovery (T1120) |
| 11.A.6 | Technique System Owner/User Discovery (T1033) |
| 11.A.7 | |
| 11.A.8 | Technique Process Discovery (T1057) |
| 11.A.9 | Technique File and Directory Discovery (T1083) |
| 12.A.1 | Technique File and Directory Discovery (T1083) |
| 12.B.1 | Technique Software Discovery (T1518); Subtechnique Software Discovery: Security Software Discovery (T1518.001) |
| 12.C.1 | Technique Query Registry (T1012) |
| 12.C.2 | Technique Query Registry (T1012) |
| 13.A.1 | Technique System Information Discovery (T1082) |
| 13.B.1 | |
| 13.C.1 | Technique System Owner/User Discovery (T1033) |
| 13.D.1 | Technique Process Discovery (T1057) |
| 14.B.2 | Technique Process Discovery (T1057) |
| 15.A.1 | Technique System Owner/User Discovery (T1033) |
| 16.A.1 | Technique Remote System Discovery (T1018) |
| 16.B.1 | Technique System Owner/User Discovery (T1033) |
Procedure: Enumerated remote systems using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Checked, using PowerShell, that the payload is not inside a folder path that contains "sample" or is the length of a hash value
Criteria: powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
Footnotes:
- The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change.

Procedure: Enumerated running processes using the CreateToolhelp32Snapshot API
Criteria: powershell.exe executing the CreateToolhelp32Snapshot API
Footnotes:
- The script containing the variables in scope was manually recovered from the system by the analyst, so it is identified as Host Interrogation.

Procedure: Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API
Criteria: powershell.exe executing the ConvertSidToStringSid API
Footnotes:
- The script containing the variables in scope was manually recovered from the system by the analyst, so it is identified as Host Interrogation.
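As an added example (not part of the evaluation page and not Trend Micro's detection logic), the following Python encodes the five criteria listed above as matching rules and runs them over constructed telemetry records; the record shape, field names and the `[Kernel32]::` wrapper in the sample script are assumptions.

```python
from typing import Dict, List, Tuple

DC_IP = "10.0.0.4"   # domain controller "NewYork" named in the criteria above
LDAP_PORT = 389

# Script/API fragments named in the criteria, mapped to the technique each evidences.
SCRIPT_CRITERIA = {
    "CreateToolhelp32Snapshot": "Process Discovery (T1057)",
    "ConvertSidToStringSid": "System Owner/User Discovery (T1033)",
    "Get-Item -Path": "File and Directory Discovery (T1083)",
    "System.DirectoryServices": "Remote System Discovery (T1018)",
}

def is_powershell(event: Dict) -> bool:
    # Every criterion on the page is scoped to powershell.exe; compare the basename only.
    return event.get("image", "").lower().rsplit("\\", 1)[-1] == "powershell.exe"

def matching_criteria(event: Dict) -> List[str]:
    """Return the technique labels whose stated criteria this single event satisfies."""
    if not is_powershell(event):
        return []
    hits: List[str] = []
    if event["type"] == "network":
        # Criterion: powershell.exe making LDAP queries over port 389 to the DC.
        if event.get("dst_ip") == DC_IP and event.get("dst_port") == LDAP_PORT:
            hits.append("Remote System Discovery (T1018)")
    elif event["type"] == "script":
        # Criterion: powershell.exe executing a named API or cmdlet fragment.
        body = event.get("script", "").lower()
        hits += [tech for needle, tech in SCRIPT_CRITERIA.items() if needle.lower() in body]
    return hits

def triage(events: List[Dict]) -> List[Tuple[str, str]]:
    """(event id, technique) pairs in event order; events matching nothing are dropped."""
    return [(ev["id"], tech) for ev in events for tech in matching_criteria(ev)]

# Constructed sample telemetry (not captured during the evaluation); e4 is benign noise
# because LDAP traffic from lsass.exe to the DC is normal domain-member behaviour.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "network", "dst_ip": "10.0.0.4", "dst_port": 389,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"id": "e2", "type": "script", "image": "powershell.exe",
     "script": "(Get-Item -Path \".\\\" -Verbose).FullName"},
    {"id": "e3", "type": "script", "image": "powershell.exe",
     "script": "$snap = [Kernel32]::CreateToolhelp32Snapshot(2, 0)"},
    {"id": "e4", "type": "network", "dst_ip": "10.0.0.4", "dst_port": 389,
     "image": "C:\\Windows\\System32\\lsass.exe"},
]
```

The footnotes above are the reason a rule like this is only half the story: two of the five detections relied on an analyst manually recovering the script from the host, so the `script` field assumed here would not always be available at detection time.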