APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 8.A.1 | | | Telemetry showed powershell.exe establishing a connection identified as LDAP over TCP port 389 to NewYork (10.0.0.4). [1] [2] [3] |
| 16.A.1 | | | Minimum detection criteria was not met for this procedure. |

Enumerated remote systems using LDAP queries
powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll