SentinelOne: Discovery (TA0007)

Carbanak+FIN7

| Step | ATT&CK Pattern |
| --- | --- |
| 2.A.2 | Technique System Information Discovery (T1082) |
| 2.A.4 | Technique Process Discovery (T1057) |
| 3.B.4 | Technique Query Registry (T1012) |
| 4.A.1 | Technique File and Directory Discovery (T1083) |
| 4.A.2 | Technique Remote System Discovery (T1018) |
| 5.B.3 | Technique Process Discovery (T1057) |
| 5.B.4 | Technique File and Directory Discovery (T1083) |
| 5.B.7 | Technique Remote System Discovery (T1018) |
| 6.A.2 | Technique Remote System Discovery (T1018) |
| 6.A.3 | |
| 7.B.1 | Technique System Owner/User Discovery (T1033) |
| 7.C.2 | Technique File and Directory Discovery (T1083) |
| 12.A.4 | |
| 12.A.5 | Technique System Information Discovery (T1082) |
| 13.A.1 | Technique Process Discovery (T1057) |
| 13.A.3 | Technique Network Share Discovery (T1135) |
| 13.A.5 | Technique System Owner/User Discovery (T1033) |
| 13.A.6 | Technique System Information Discovery (T1082) |
| 13.A.8 | |
| 13.A.9 | Technique System Information Discovery (T1082) |
| 15.A.1 | Technique Process Discovery (T1057) |
| 15.A.7 | |
| 15.A.8 | Technique Remote System Discovery (T1018) |
| 20.B.2 | Technique Process Discovery (T1057) |
APT29

| Step | ATT&CK Pattern |
| --- | --- |
| 2.A.1 | Technique File and Directory Discovery (T1083) |
| 4.B.1 | Technique Process Discovery (T1057) |
| 4.C.1 | Technique File and Directory Discovery (T1083) |
| 4.C.2 | Technique System Owner/User Discovery (T1033) |
| 4.C.3 | Technique System Information Discovery (T1082) |
| 4.C.4 | |
| 4.C.5 | Technique Process Discovery (T1057) |
| 4.C.6 | Technique System Information Discovery (T1082) |
| 4.C.7 | Technique Software Discovery (T1518), Subtechnique Security Software Discovery (T1518.001) |
| 4.C.8 | Technique Software Discovery (T1518), Subtechnique Security Software Discovery (T1518.001) |
| 4.C.9 | Technique Permission Groups Discovery (T1069), Subtechnique Domain Groups (T1069.002) |
| 4.C.11 | Technique Permission Groups Discovery (T1069), Subtechnique Local Groups (T1069.001) |
| 8.A.1 | Technique Remote System Discovery (T1018) |
| 8.A.3 | Technique Process Discovery (T1057) |
| 9.B.2 | Technique File and Directory Discovery (T1083) |
| 11.A.4 | Technique System Information Discovery (T1082) |
| 11.A.5 | Technique Peripheral Device Discovery (T1120) |
| 11.A.6 | Technique System Owner/User Discovery (T1033) |
| 11.A.7 | |
| 11.A.8 | Technique Process Discovery (T1057) |
| 11.A.9 | Technique File and Directory Discovery (T1083) |
| 12.A.1 | Technique File and Directory Discovery (T1083) |
| 12.B.1 | Technique Software Discovery (T1518), Subtechnique Security Software Discovery (T1518.001) |
| 12.C.1 | Technique Query Registry (T1012) |
| 12.C.2 | Technique Query Registry (T1012) |
| 13.A.1 | Technique System Information Discovery (T1082) |
| 13.B.1 | |
| 13.C.1 | Technique System Owner/User Discovery (T1033) |
| 13.D.1 | Technique Process Discovery (T1057) |
| 14.B.2 | Technique Process Discovery (T1057) |
| 15.A.1 | Technique System Owner/User Discovery (T1033) |
| 16.A.1 | Technique Remote System Discovery (T1018) |
| 16.B.1 | Technique System Owner/User Discovery (T1033) |
Procedure: Enumerated the current process ID using PowerShell
Criteria: powershell.exe executing $PID
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Enumerated the OS version using PowerShell
Criteria: powershell.exe executing Gwmi Win32_OperatingSystem
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Enumerated anti-virus software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Enumerated firewall software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Enumerated the user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API

Procedure: Enumerated the user's local group membership via the NetUserGetLocalGroups API
Criteria: powershell.exe executing the NetUserGetLocalGroups API

Procedure: Enumerated computer manufacturer, model, and version information using PowerShell
Criteria: powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Enumerated devices/adapters to check for the presence of VirtualBox driver(s) using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
Criteria: powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
Footnotes:
- A UX Configuration Change was made to bring PowerShell script block logs into the user interface.

Procedure: Enumerated registered AV products using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria: powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Footnotes:
- A UX Configuration Change was made to bring PowerShell script block logs into the user interface.

APT3

| Step | ATT&CK Pattern |
| --- | --- |
| 2.A.1 | |
| 2.A.2 | |
| 2.B.1 | Technique System Owner/User Discovery (T1033) |
| 2.C.1 | Technique Process Discovery (T1057) |
| 2.C.2 | Technique Process Discovery (T1057) |
| 2.D.1 | Technique System Service Discovery (T1007) |
| 2.D.2 | Technique System Service Discovery (T1007) |
| 2.E.1 | Technique System Information Discovery (T1082) |
| 2.E.2 | Technique System Information Discovery (T1082) |
| 2.F.1 | Technique Permission Groups Discovery (T1069), Subtechnique Local Groups (T1069.001) |
| 2.F.2 | Technique Permission Groups Discovery (T1069), Subtechnique Domain Groups (T1069.002) |
| 2.F.3 | Technique Permission Groups Discovery (T1069), Subtechnique Domain Groups (T1069.002) |
| 2.G.1 | |
| 2.G.2 | |
| 2.H.1 | Technique Query Registry (T1012) |
| 3.B.1 | Technique Process Discovery (T1057) |
| 4.A.1 | Technique Remote System Discovery (T1018) |
| 4.A.2 | Technique Remote System Discovery (T1018) |
| 4.B.1 | |
| 4.C.1 | |
| 6.A.1 | Technique Query Registry (T1012) |
| 7.A.1.3 | |
| 8.A.1 | Technique File and Directory Discovery (T1083) |
| 8.A.2 | Technique File and Directory Discovery (T1083) |
| 8.B.1 | Technique Process Discovery (T1057) |
| 8.C.1.2 | Technique Application Window Discovery (T1010) |
| 8.D.1.1 | Technique Screen Capture (T1113) |
| 9.A.1 | Technique File and Directory Discovery (T1083) |
| 12.A.1 | |
| 12.A.2 | |
| 12.B.1 | Technique System Owner/User Discovery (T1033) |
| 12.C.1 | Technique Process Discovery (T1057) |
| 12.D.1 | Technique System Service Discovery (T1007) |
| 12.E.1.1 | Technique System Owner/User Discovery (T1033) |
| 12.E.1.2 | Technique Permission Groups Discovery (T1069), Subtechnique Domain Groups (T1069.002) |
| 12.E.1.3 | Technique Password Policy Discovery (T1201) |
| 12.E.1.4.1 | Technique File and Directory Discovery (T1083) |
| 12.E.1.4.2 | Technique File and Directory Discovery (T1083) |
| 12.E.1.6.1 | Technique System Information Discovery (T1082) |
| 12.E.1.6.2 | Technique System Information Discovery (T1082) |
| 12.E.1.7 | Technique Query Registry (T1012) |
| 12.E.1.8 | Technique System Service Discovery (T1007) |
| 12.E.1.9.1 | Technique Network Share Discovery (T1135) |
| 12.E.1.9.2 | Technique Network Share Discovery (T1135) |
| 12.E.1.10.1 | Technique Software Discovery (T1518), Subtechnique Security Software Discovery (T1518.001) |
| 12.E.1.10.2 | Technique Software Discovery (T1518), Subtechnique Security Software Discovery (T1518.001) |
| 12.E.1.11 | |
| 12.E.1.12 | |
| 12.F.1 | Technique Permission Groups Discovery (T1069), Subtechnique Domain Groups (T1069.002) |
| 12.F.2 | Technique Permission Groups Discovery (T1069), Subtechnique Local Groups (T1069.001) |
| 12.G.1 | |
| 12.G.2 | |
| 13.A.1 | Technique Remote System Discovery (T1018) |
| 13.B.1 | |
| 13.B.2 | |
| 13.C.1 | Technique Query Registry (T1012) |
| 15.A.1.2 | Technique Application Window Discovery (T1010) |
| 16.H.1 | Technique System Service Discovery (T1007) |
| 16.J.1 | Technique System Service Discovery (T1007) |
| 16.K.1 | Technique File and Directory Discovery (T1083) |
| 17.A.1.1 | Technique System Service Discovery (T1007) |
| 17.A.1.2 | Technique Query Registry (T1012) |
| 18.A.1 | Technique File and Directory Discovery (T1083) |
| 20.B.1 | Technique System Owner/User Discovery (T1033) |
Procedure: Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information

Procedure: Cobalt Strike: built-in screen capture capability executed to capture a screenshot of the current window of user Debbie

Procedure: Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

Procedure: Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
Footnotes:
- MITRE verified telemetry was generated for the remote update.vbs file access event, but no screenshot was available.

Procedure: Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)