APT29
| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 8.A.1 | | | Telemetry showed powershell.exe establishing a connection to NewYork (10.0.0.4) over port 389. [1] |
| 16.A.1 | | | An MSSP detection contained evidence of System.DirectoryServices.ni.dll loaded into PowerShell, which can be used to execute LDAP queries. [1] |
|
Enumerated remote systems using LDAP queries
powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4) [1]

Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll [1]