Remote System Discovery (T1018)
Participant: Symantec
Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 4.A.2 | Tactic Discovery (TA0007) |
| 5.B.7 | Tactic Discovery (TA0007) |
| 6.A.2 | Tactic Discovery (TA0007) |
| 15.A.8 | Tactic Discovery (TA0007) |
APT29

| Step | ATT&CK Pattern |
|---|---|
| 8.A.1 | Tactic Discovery (TA0007) |
| 16.A.1 | Tactic Discovery (TA0007) |
Procedure
Enumerated remote systems using LDAP queries
Criteria
powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Footnotes
- The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual).


Procedure
Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
Criteria
powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll
Footnotes
- The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual).
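The two criteria above state what the detection had to observe: powershell.exe talking LDAP (TCP/389) to the domain controller 10.0.0.4, and powershell.exe loading System.DirectoryServices.dll. The following added example (not from the evaluation, Symantec, or MITRE) encodes both checks as filters over constructed endpoint telemetry; the event field names, the sample events and the DLL path are assumptions.

```python
# Added example: evaluates the two T1018 detection criteria from this page
# against constructed, Sysmon-like endpoint events. Field names are assumed.
from dataclasses import dataclass
from typing import Optional

LDAP_PORT = 389
DC_IP = "10.0.0.4"  # domain controller named in the criteria


@dataclass
class Event:
    kind: str                       # "net_connect" or "image_load"
    image: str                      # process image name
    dest_ip: Optional[str] = None   # net_connect only
    dest_port: Optional[int] = None # net_connect only
    module: Optional[str] = None    # image_load only


# Constructed telemetry: one matching chain plus benign noise (path is illustrative).
EVENTS = [
    Event("net_connect", "powershell.exe", "10.0.0.4", 389),
    Event("image_load", "powershell.exe",
          module=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.DirectoryServices.dll"),
    Event("net_connect", "powershell.exe", "10.0.0.7", 443),   # ordinary HTTPS
    Event("net_connect", "lsass.exe", "10.0.0.4", 389),         # OS itself uses LDAP to the DC
    Event("image_load", "mmc.exe",
          module=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.DirectoryServices.dll"),
]


def ldap_from_powershell(events, dc_ip=DC_IP):
    """Criterion 1: powershell.exe connecting to the DC on TCP/389."""
    return [e for e in events
            if e.kind == "net_connect" and e.image.lower() == "powershell.exe"
            and e.dest_ip == dc_ip and e.dest_port == LDAP_PORT]


def directoryservices_in_powershell(events):
    """Criterion 2: powershell.exe loading System.DirectoryServices.dll."""
    return [e for e in events
            if e.kind == "image_load" and e.image.lower() == "powershell.exe"
            and e.module is not None
            and e.module.lower().endswith("system.directoryservices.dll")]


def remote_system_discovery_alerts(events, dc_ip=DC_IP):
    """Combine both criteria; each hit is a (criterion_name, event) pair."""
    hits = [("ldap_to_dc", e) for e in ldap_from_powershell(events, dc_ip)]
    hits += [("directoryservices_dll", e) for e in directoryservices_in_powershell(events)]
    return hits
```

Restricting the network check to powershell.exe is what keeps the DC's normal LDAP traffic from lsass.exe out of the result set.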