Home >
Enterprise >
Participants >
HanSight >
Discovery (TA0007)
|
|
APT29 |
||||||
Step | ATT&CK Pattern |
|
||||
2.A.1
|
Technique File and Directory Discovery (T1083) |
|
||||
4.B.1
|
Technique Process Discovery (T1057) |
|
||||
4.C.1
|
Technique File and Directory Discovery (T1083) |
|
||||
4.C.2
|
Technique System Owner/User Discovery (T1033) |
|
||||
4.C.3
|
Technique System Information Discovery (T1082) |
|
||||
4.C.4
|
|
|||||
4.C.5
|
Technique Process Discovery (T1057) |
|
||||
4.C.6
|
Technique System Information Discovery (T1082) |
|
||||
4.C.7
|
Technique Software Discovery (T1518) Subtechnique Software Discovery: Security Software Discovery (T1518.001) |
|
||||
4.C.8
|
Technique Software Discovery (T1518) Subtechnique Software Discovery: Security Software Discovery (T1518.001) |
|
||||
4.C.9
|
Technique Permission Groups Discovery (T1069) Subtechnique Permission Groups Discovery: Domain Groups (T1069.002) |
|
||||
4.C.11
|
Technique Permission Groups Discovery (T1069) Subtechnique Permission Groups Discovery: Local Groups (T1069.001) |
|
||||
8.A.1
|
Technique Remote System Discovery (T1018) |
|
||||
8.A.3
|
Technique Process Discovery (T1057) |
|
||||
9.B.2
|
Technique File and Directory Discovery (T1083) |
|
||||
11.A.4
|
Technique System Information Discovery (T1082) |
|
||||
11.A.5
|
Technique Peripheral Device Discovery (T1120) |
|
||||
11.A.6
|
Technique System Owner/User Discovery (T1033) |
|
||||
11.A.7
|
|
|||||
11.A.8
|
Technique Process Discovery (T1057) |
|
||||
11.A.9
|
Technique File and Directory Discovery (T1083) |
|
||||
12.A.1
|
Technique File and Directory Discovery (T1083) |
|
||||
12.B.1
|
Technique Software Discovery (T1518) Subtechnique Software Discovery: Security Software Discovery (T1518.001) |
|
||||
12.C.1
|
Technique Query Registry (T1012) |
|
||||
12.C.2
|
Technique Query Registry (T1012) |
|
||||
13.A.1
|
Technique System Information Discovery (T1082) |
|
||||
13.B.1
|
|
|||||
13.C.1
|
Technique System Owner/User Discovery (T1033) |
|
||||
13.D.1
|
Technique Process Discovery (T1057) |
|
||||
14.B.2
|
Technique Process Discovery (T1057) |
|
||||
15.A.1
|
Technique System Owner/User Discovery (T1033) |
|
||||
16.A.1
|
Technique Remote System Discovery (T1018) |
|
||||
16.B.1
|
Technique System Owner/User Discovery (T1033) |
|
Procedure
Enumerated computer manufacturer, model, and version information using PowerShell
Criteria
powershell.exe executing a Get-WmiObject gwmi queries for Win32_BIOS and Win32_ComputerSystem
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Checked that the computer is joined to a domain using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_Process
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated and tracked PowerShell processes using PowerShell
Criteria
powershell.exe executing Get-Process
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
Criteria
powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll