CyCraft: Discovery (TA0007)

Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 2.A.2 | System Information Discovery (T1082) |
| 2.A.4 | Process Discovery (T1057) |
| 3.B.4 | Query Registry (T1012) |
| 4.A.1 | File and Directory Discovery (T1083) |
| 4.A.2 | Remote System Discovery (T1018) |
| 5.B.3 | Process Discovery (T1057) |
| 5.B.4 | File and Directory Discovery (T1083) |
| 5.B.7 | Remote System Discovery (T1018) |
| 6.A.2 | Remote System Discovery (T1018) |
| 6.A.3 | |
| 7.B.1 | System Owner/User Discovery (T1033) |
| 7.C.2 | File and Directory Discovery (T1083) |
| 12.A.4 | |
| 12.A.5 | System Information Discovery (T1082) |
| 13.A.1 | Process Discovery (T1057) |
| 13.A.3 | Network Share Discovery (T1135) |
| 13.A.5 | System Owner/User Discovery (T1033) |
| 13.A.6 | System Information Discovery (T1082) |
| 13.A.8 | |
| 13.A.9 | System Information Discovery (T1082) |
| 15.A.1 | Process Discovery (T1057) |
| 15.A.7 | |
| 15.A.8 | Remote System Discovery (T1018) |
| 20.B.2 | Process Discovery (T1057) |
APT29

| Step | ATT&CK Pattern |
|---|---|
| 2.A.1 | File and Directory Discovery (T1083) |
| 4.B.1 | Process Discovery (T1057) |
| 4.C.1 | File and Directory Discovery (T1083) |
| 4.C.2 | System Owner/User Discovery (T1033) |
| 4.C.3 | System Information Discovery (T1082) |
| 4.C.4 | |
| 4.C.5 | Process Discovery (T1057) |
| 4.C.6 | System Information Discovery (T1082) |
| 4.C.7 | Software Discovery (T1518), subtechnique Security Software Discovery (T1518.001) |
| 4.C.8 | Software Discovery (T1518), subtechnique Security Software Discovery (T1518.001) |
| 4.C.9 | Permission Groups Discovery (T1069), subtechnique Domain Groups (T1069.002) |
| 4.C.11 | Permission Groups Discovery (T1069), subtechnique Local Groups (T1069.001) |
| 8.A.1 | Remote System Discovery (T1018) |
| 8.A.3 | Process Discovery (T1057) |
| 9.B.2 | File and Directory Discovery (T1083) |
| 11.A.4 | System Information Discovery (T1082) |
| 11.A.5 | Peripheral Device Discovery (T1120) |
| 11.A.6 | System Owner/User Discovery (T1033) |
| 11.A.7 | |
| 11.A.8 | Process Discovery (T1057) |
| 11.A.9 | File and Directory Discovery (T1083) |
| 12.A.1 | File and Directory Discovery (T1083) |
| 12.B.1 | Software Discovery (T1518), subtechnique Security Software Discovery (T1518.001) |
| 12.C.1 | Query Registry (T1012) |
| 12.C.2 | Query Registry (T1012) |
| 13.A.1 | System Information Discovery (T1082) |
| 13.B.1 | |
| 13.C.1 | System Owner/User Discovery (T1033) |
| 13.D.1 | Process Discovery (T1057) |
| 14.B.2 | Process Discovery (T1057) |
| 15.A.1 | System Owner/User Discovery (T1033) |
| 16.A.1 | Remote System Discovery (T1018) |
| 16.B.1 | System Owner/User Discovery (T1033) |
Procedures and detection criteria

| Procedure | Criteria |
|---|---|
| Enumerated user's temporary directory path using PowerShell | powershell.exe executing `$env:TEMP` |
| Enumerated the current username using PowerShell | powershell.exe executing `$env:USERNAME` |
| Enumerated the computer hostname using PowerShell | powershell.exe executing `$env:COMPUTERNAME` |
| Enumerated the current domain name using PowerShell | powershell.exe executing `$env:USERDOMAIN` |
| Enumerated the current process ID using PowerShell | powershell.exe executing `$PID` |
| Enumerated the OS version using PowerShell | powershell.exe executing `Gwmi Win32_OperatingSystem` |
| Enumerated anti-virus software using PowerShell | powershell.exe executing `Get-WmiObject ... -Class AntiVirusProduct` |
| Enumerated firewall software using PowerShell | powershell.exe executing `Get-WmiObject ... -Class FireWallProduct` |
| Enumerated user's domain group membership via the NetUserGetGroups API | powershell.exe executing the NetUserGetGroups API |
| Enumerated user's local group membership via the NetUserGetLocalGroups API | powershell.exe executing the NetUserGetLocalGroups API |

Footnote (attached to each procedure above):
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.