Bitdefender - Discovery (TA0007)

Carbanak+FIN7
Step | ATT&CK Pattern
2.A.2 | Technique System Information Discovery (T1082)
2.A.4 | Technique Process Discovery (T1057)
3.B.4 | Technique Query Registry (T1012)
4.A.1 | Technique File and Directory Discovery (T1083)
4.A.2 | Technique Remote System Discovery (T1018)
5.B.3 | Technique Process Discovery (T1057)
5.B.4 | Technique File and Directory Discovery (T1083)
5.B.7 | Technique Remote System Discovery (T1018)
6.A.2 | Technique Remote System Discovery (T1018)
6.A.3 |
7.B.1 | Technique System Owner/User Discovery (T1033)
7.C.2 | Technique File and Directory Discovery (T1083)
12.A.4 |
12.A.5 | Technique System Information Discovery (T1082)
13.A.1 | Technique Process Discovery (T1057)
13.A.3 | Technique Network Share Discovery (T1135)
13.A.5 | Technique System Owner/User Discovery (T1033)
13.A.6 | Technique System Information Discovery (T1082)
13.A.8 |
13.A.9 | Technique System Information Discovery (T1082)
15.A.1 | Technique Process Discovery (T1057)
15.A.7 |
15.A.8 | Technique Remote System Discovery (T1018)
20.B.2 | Technique Process Discovery (T1057)

APT29
APT29 |
Step | ATT&CK Pattern
2.A.1 | Technique File and Directory Discovery (T1083)
4.B.1 | Technique Process Discovery (T1057)
4.C.1 | Technique File and Directory Discovery (T1083)
4.C.2 | Technique System Owner/User Discovery (T1033)
4.C.3 | Technique System Information Discovery (T1082)
4.C.4 |
4.C.5 | Technique Process Discovery (T1057)
4.C.6 | Technique System Information Discovery (T1082)
4.C.7 | Technique Software Discovery (T1518) Subtechnique Software Discovery: Security Software Discovery (T1518.001)
4.C.8 | Technique Software Discovery (T1518) Subtechnique Software Discovery: Security Software Discovery (T1518.001)
4.C.9 | Technique Permission Groups Discovery (T1069) Subtechnique Permission Groups Discovery: Domain Groups (T1069.002)
4.C.11 | Technique Permission Groups Discovery (T1069) Subtechnique Permission Groups Discovery: Local Groups (T1069.001)
8.A.1 | Technique Remote System Discovery (T1018)
8.A.3 | Technique Process Discovery (T1057)
9.B.2 | Technique File and Directory Discovery (T1083)
11.A.4 | Technique System Information Discovery (T1082)
11.A.5 | Technique Peripheral Device Discovery (T1120)
11.A.6 | Technique System Owner/User Discovery (T1033)
11.A.7 |
11.A.8 | Technique Process Discovery (T1057)
11.A.9 | Technique File and Directory Discovery (T1083)
12.A.1 | Technique File and Directory Discovery (T1083)
12.B.1 | Technique Software Discovery (T1518) Subtechnique Software Discovery: Security Software Discovery (T1518.001)
12.C.1 | Technique Query Registry (T1012)
12.C.2 | Technique Query Registry (T1012)
13.A.1 | Technique System Information Discovery (T1082)
13.B.1 |
13.C.1 | Technique System Owner/User Discovery (T1033)
13.D.1 | Technique Process Discovery (T1057)
14.B.2 | Technique Process Discovery (T1057)
15.A.1 | Technique System Owner/User Discovery (T1033)
16.A.1 | Technique Remote System Discovery (T1018)
16.B.1 | Technique System Owner/User Discovery (T1033)

Procedure
Enumerated current running processes using PowerShell
Criteria
powershell.exe executing Get-Process
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated user's temporary directory path using PowerShell
Criteria
powershell.exe executing $env:TEMP
Procedure
Enumerated the current username using PowerShell
Criteria
powershell.exe executing $env:USERNAME
Procedure
Enumerated the computer hostname using PowerShell
Criteria
powershell.exe executing $env:COMPUTERNAME
Procedure
Enumerated the current domain name using PowerShell
Criteria
powershell.exe executing $env:USERDOMAIN
Procedure
Enumerated the OS version using PowerShell
Criteria
powershell.exe executing Gwmi Win32_OperatingSystem
Procedure
Enumerated anti-virus software using PowerShell
Criteria
powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
Procedure
Enumerated firewall software using PowerShell
Criteria
powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Procedure
Enumerated user's domain group membership via the NetUserGetGroups API
Criteria
powershell.exe executing the NetUserGetGroups API
Procedure
Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria
powershell.exe executing the NetUserGetLocalGroups API
Procedure
Enumerated remote systems using LDAP queries
Criteria
powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
Procedure
Searched filesystem for document and media files using PowerShell
Criteria
powershell.exe executing (Get-)ChildItem
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated computer manufacturer, model, and version information using PowerShell
Criteria
powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated computer manufacturer, model, and version information using PowerShell
Criteria
powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
Procedure
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
Procedure
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Checked that the computer is joined to a domain using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_Process
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
Criteria
powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
Procedure
Enumerated the System32 directory using PowerShell
Criteria
powershell.exe executing (gci ((gci env:windir).Value + '\system32')
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
Procedure
Enumerated registered AV products using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
Procedure
Enumerated installed software via the Registry (Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
Procedure
Enumerated the computer name using the GetComputerNameEx API
Criteria
powershell.exe executing the GetComputerNameEx API
Procedure
Enumerated the current username using the GetUserNameEx API
Criteria
powershell.exe executing the GetUserNameEx API
Procedure
Enumerated running processes using the CreateToolhelp32Snapshot API
Criteria
powershell.exe executing the CreateToolhelp32Snapshot API
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
Procedure
Enumerated and tracked PowerShell processes using PowerShell
Criteria
powershell.exe executing Get-Process
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated logged on users using PowerShell
Criteria
powershell.exe executing $env:UserName
Procedure
Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
Criteria
powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll
Procedure
Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API
Criteria
powershell.exe executing the ConvertSidToStringSid API
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.