FireEye: Discovery (TA0007)

Carbanak+FIN7

| Step | ATT&CK Pattern |
| --- | --- |
| 2.A.2 | System Information Discovery (T1082) |
| 2.A.4 | Process Discovery (T1057) |
| 3.B.4 | Query Registry (T1012) |
| 4.A.1 | File and Directory Discovery (T1083) |
| 4.A.2 | Remote System Discovery (T1018) |
| 5.B.3 | Process Discovery (T1057) |
| 5.B.4 | File and Directory Discovery (T1083) |
| 5.B.7 | Remote System Discovery (T1018) |
| 6.A.2 | Remote System Discovery (T1018) |
| 6.A.3 | |
| 7.B.1 | System Owner/User Discovery (T1033) |
| 7.C.2 | File and Directory Discovery (T1083) |
| 12.A.4 | |
| 12.A.5 | System Information Discovery (T1082) |
| 13.A.1 | Process Discovery (T1057) |
| 13.A.3 | Network Share Discovery (T1135) |
| 13.A.5 | System Owner/User Discovery (T1033) |
| 13.A.6 | System Information Discovery (T1082) |
| 13.A.8 | |
| 13.A.9 | System Information Discovery (T1082) |
| 15.A.1 | Process Discovery (T1057) |
| 15.A.7 | |
| 15.A.8 | Remote System Discovery (T1018) |
| 20.B.2 | Process Discovery (T1057) |
APT29

| Step | ATT&CK Pattern |
| --- | --- |
| 2.A.1 | File and Directory Discovery (T1083) |
| 4.B.1 | Process Discovery (T1057) |
| 4.C.1 | File and Directory Discovery (T1083) |
| 4.C.2 | System Owner/User Discovery (T1033) |
| 4.C.3 | System Information Discovery (T1082) |
| 4.C.4 | |
| 4.C.5 | Process Discovery (T1057) |
| 4.C.6 | System Information Discovery (T1082) |
| 4.C.7 | Software Discovery: Security Software Discovery (T1518.001) |
| 4.C.8 | Software Discovery: Security Software Discovery (T1518.001) |
| 4.C.9 | Permission Groups Discovery: Domain Groups (T1069.002) |
| 4.C.11 | Permission Groups Discovery: Local Groups (T1069.001) |
| 8.A.1 | Remote System Discovery (T1018) |
| 8.A.3 | Process Discovery (T1057) |
| 9.B.2 | File and Directory Discovery (T1083) |
| 11.A.4 | System Information Discovery (T1082) |
| 11.A.5 | Peripheral Device Discovery (T1120) |
| 11.A.6 | System Owner/User Discovery (T1033) |
| 11.A.7 | |
| 11.A.8 | Process Discovery (T1057) |
| 11.A.9 | File and Directory Discovery (T1083) |
| 12.A.1 | File and Directory Discovery (T1083) |
| 12.B.1 | Software Discovery: Security Software Discovery (T1518.001) |
| 12.C.1 | Query Registry (T1012) |
| 12.C.2 | Query Registry (T1012) |
| 13.A.1 | System Information Discovery (T1082) |
| 13.B.1 | |
| 13.C.1 | System Owner/User Discovery (T1033) |
| 13.D.1 | Process Discovery (T1057) |
| 14.B.2 | Process Discovery (T1057) |
| 15.A.1 | System Owner/User Discovery (T1033) |
| 16.A.1 | Remote System Discovery (T1018) |
| 16.B.1 | System Owner/User Discovery (T1033) |
Procedures

- Enumerated remote systems using LDAP queries.
  Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4). [a]
- Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries.
  Criteria: powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll. [a]

Footnotes
- [a] Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
APT3

| Step | ATT&CK Pattern |
| --- | --- |
| 2.A.1 | |
| 2.A.2 | |
| 2.B.1 | System Owner/User Discovery (T1033) |
| 2.C.1 | Process Discovery (T1057) |
| 2.C.2 | Process Discovery (T1057) |
| 2.D.1 | System Service Discovery (T1007) |
| 2.D.2 | System Service Discovery (T1007) |
| 2.E.1 | System Information Discovery (T1082) |
| 2.E.2 | System Information Discovery (T1082) |
| 2.F.1 | Permission Groups Discovery: Local Groups (T1069.001) |
| 2.F.2 | Permission Groups Discovery: Domain Groups (T1069.002) |
| 2.F.3 | Permission Groups Discovery: Domain Groups (T1069.002) |
| 2.G.1 | |
| 2.G.2 | |
| 2.H.1 | Query Registry (T1012) |
| 3.B.1 | Process Discovery (T1057) |
| 4.A.1 | Remote System Discovery (T1018) |
| 4.A.2 | Remote System Discovery (T1018) |
| 4.B.1 | |
| 4.C.1 | |
| 6.A.1 | Query Registry (T1012) |
| 7.A.1.3 | |
| 8.A.1 | File and Directory Discovery (T1083) |
| 8.A.2 | File and Directory Discovery (T1083) |
| 8.B.1 | Process Discovery (T1057) |
| 8.C.1.2 | Application Window Discovery (T1010) |
| 8.D.1.1 | Screen Capture (T1113) |
| 9.A.1 | File and Directory Discovery (T1083) |
| 12.A.1 | |
| 12.A.2 | |
| 12.B.1 | System Owner/User Discovery (T1033) |
| 12.C.1 | Process Discovery (T1057) |
| 12.D.1 | System Service Discovery (T1007) |
| 12.E.1.1 | System Owner/User Discovery (T1033) |
| 12.E.1.2 | Permission Groups Discovery: Domain Groups (T1069.002) |
| 12.E.1.3 | Password Policy Discovery (T1201) |
| 12.E.1.4.1 | File and Directory Discovery (T1083) |
| 12.E.1.4.2 | File and Directory Discovery (T1083) |
| 12.E.1.6.1 | System Information Discovery (T1082) |
| 12.E.1.6.2 | System Information Discovery (T1082) |
| 12.E.1.7 | Query Registry (T1012) |
| 12.E.1.8 | System Service Discovery (T1007) |
| 12.E.1.9.1 | Network Share Discovery (T1135) |
| 12.E.1.9.2 | Network Share Discovery (T1135) |
| 12.E.1.10.1 | Software Discovery: Security Software Discovery (T1518.001) |
| 12.E.1.10.2 | Software Discovery: Security Software Discovery (T1518.001) |
| 12.E.1.11 | |
| 12.E.1.12 | |
| 12.F.1 | Permission Groups Discovery: Domain Groups (T1069.002) |
| 12.F.2 | Permission Groups Discovery: Local Groups (T1069.001) |
| 12.G.1 | |
| 12.G.2 | |
| 13.A.1 | Remote System Discovery (T1018) |
| 13.B.1 | |
| 13.B.2 | |
| 13.C.1 | Query Registry (T1012) |
| 15.A.1.2 | Application Window Discovery (T1010) |
| 16.H.1 | System Service Discovery (T1007) |
| 16.J.1 | System Service Discovery (T1007) |
| 16.K.1 | File and Directory Discovery (T1083) |
| 17.A.1.1 | System Service Discovery (T1007) |
| 17.A.1.2 | Query Registry (T1012) |
| 18.A.1 | File and Directory Discovery (T1083) |
| 20.B.1 | System Owner/User Discovery (T1033) |
Procedures

- Cobalt Strike: 'ipconfig -all' via cmd [MDR]
- Cobalt Strike: 'echo' via cmd to enumerate specific environment variables [MDR]
- Cobalt Strike: 'net config workstation' via cmd [MDR]
- Cobalt Strike: 'net localgroup administrators' via cmd [MDR]
- Cobalt Strike: 'net localgroup administrators -domain' via cmd [MDR]
- Cobalt Strike: 'net group "Domain Admins" -domain' via cmd [MDR]
- Cobalt Strike: 'net user -domain' via cmd [MDR]
- Cobalt Strike: 'net user george -domain' via cmd [MDR]
- Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key [MDR]
- Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd [MDR]
- Cobalt Strike: 'net group "Domain Computers" -domain' via cmd [MDR]
- Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd [MDR]
- Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5) [MDR]
- Cobalt Strike: 'tree "C:\Users\debbie\"' via cmd [MDR]
- Cobalt Strike: built-in screen capture capability executed to capture a screenshot of the current window of user Debbie
- Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
- Empire: 'whoami -all -fo list' via PowerShell [MDR]
- Empire: WinEnum module included enumeration of established network connections [MDR]
- Empire: 'net group "Domain Admins" -domain' via PowerShell [MDR]
- Empire: 'Net Localgroup Administrators' via PowerShell [MDR]
- Empire: 'net group "Domain Computers" -domain' via PowerShell [MDR]
- Empire: 'reg query' via PowerShell to enumerate a specific Registry key [MDR]
- Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
- Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

Footnotes
- [MDR] Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
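The procedures above (Cobalt Strike and Empire running net, reg, netsh, tree and whoami) and the APT29 criteria earlier on this page (powershell.exe making LDAP queries over port 389 to the domain controller) are the raw telemetry a detection engineer has to turn into technique-level findings. The following is an added example, not FireEye product logic and not part of the ATT&CK Evaluations material: it normalises process-creation command lines, maps them to the Discovery techniques this page lists, tags remote targets given as UNC hosts, and applies the LDAP-to-DC network criterion. The event shape (Sysmon-style process and network records), the command-to-technique pairings, the domain controller set and the sample events are this example's assumptions; the page gives the technique IDs but does not itself pair them with commands. It generalises slightly beyond the page (tasklist, sc query, net view, ipconfig) and accepts both the '-domain' spelling used in the procedure list and net.exe's '/domain'.

```python
"""Map constructed endpoint telemetry to Discovery techniques (added example).

Not FireEye's logic and not part of the ATT&CK Evaluations material. Event
shapes, rule pairings, DOMAIN_CONTROLLERS and SAMPLE_EVENTS are assumptions.
"""
import re
from typing import Optional

DOMAIN_CONTROLLERS = {"10.0.0.4"}   # NewYork, per the APT29 criteria on this page
LDAP_PORT = 389

# (regex on normalised command line, technique ID, technique name). Pairings follow
# ATT&CK's documented procedure examples; the page itself does not pair them.
COMMAND_RULES = [
    (r"^whoami\b",                                     "T1033",     "System Owner/User Discovery"),
    (r"^net localgroup\b",                             "T1069.001", "Permission Groups Discovery: Local Groups"),
    (r'^net group "?domain (computers|controllers)"?', "T1018",     "Remote System Discovery"),
    (r"^net group\b.*\s[-/]domain\b",                  "T1069.002", "Permission Groups Discovery: Domain Groups"),
    (r"^net config workstation\b",                     "T1082",     "System Information Discovery"),
    (r"^reg query\b",                                  "T1012",     "Query Registry"),
    (r"^netsh advfirewall show\b",                     "T1518.001", "Software Discovery: Security Software Discovery"),
    (r"^(tree|dir)\b",                                 "T1083",     "File and Directory Discovery"),
    (r"^net (view|share)\b",                           "T1135",     "Network Share Discovery"),
    (r"^tasklist\b",                                   "T1057",     "Process Discovery"),
    (r"^(sc query|net start)\b",                       "T1007",     "System Service Discovery"),
    # ipconfig is not in this page's tables; ATT&CK itself maps it to T1016.
    (r"^ipconfig\b",                                   "T1016",     "System Network Configuration Discovery"),
]
_RULES = [(re.compile(p), tid, name) for p, tid, name in COMMAND_RULES]

# "cmd.exe /c " wrapper that Cobalt Strike's shell command and similar tooling prepend.
_CMD_WRAPPER = re.compile(r'^"?(?:[a-z]:\\[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)
# First token with optional quotes, directory and .exe suffix stripped.
_FIRST_TOKEN = re.compile(r'^"?(?:[a-z]:\\[^"\s]*\\)?([^"\s\\]+?)(?:\.exe)?"?(\s.*)?$', re.I)
_UNC_HOST = re.compile(r"\\\\([a-z0-9.\-]+)", re.I)   # \\host or \\ip in a remote reg/tree/dir


def normalize(cmdline: str) -> str:
    """Collapse whitespace, drop the cmd /c wrapper, reduce the image to its bare name, lower-case."""
    s = " ".join(cmdline.split())
    s = _CMD_WRAPPER.sub("", s)
    m = _FIRST_TOKEN.match(s)
    if m:
        s = m.group(1) + (m.group(2) or "")
    return s.lower()


def classify_process(cmdline: str) -> Optional[dict]:
    """First matching Discovery technique for a process-creation command line, or None."""
    norm = normalize(cmdline)
    for pat, tid, name in _RULES:
        if pat.search(norm):
            host = _UNC_HOST.search(norm)
            return {"technique": tid, "name": name,
                    "remote_target": host.group(1) if host else None, "evidence": norm}
    return None


def classify_network(image: str, dst_ip: str, dst_port: int) -> Optional[dict]:
    """The page's APT29 criterion: powershell.exe speaking LDAP (389) to a domain controller."""
    if image.lower().endswith("powershell.exe") and dst_port == LDAP_PORT and dst_ip in DOMAIN_CONTROLLERS:
        return {"technique": "T1018", "name": "Remote System Discovery", "remote_target": dst_ip,
                "evidence": f"powershell.exe -> {dst_ip}:{dst_port} (LDAP)"}
    return None


def classify_events(events) -> list:
    """Run both detectors over event dicts; one finding per matched event, unmatched events dropped."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            f = classify_process(ev["cmdline"])
        else:
            f = classify_network(ev["image"], ev["dst_ip"], ev["dst_port"])
        if f:
            findings.append(dict(f, event=ev))
    return findings


# Constructed sample telemetry shaped after the procedures on this page (assumption).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "cmd.exe /C ipconfig /all"},
    {"type": "process", "cmdline": "cmd.exe /C net config workstation"},
    {"type": "process", "cmdline": "cmd.exe /C net localgroup administrators"},
    {"type": "process", "cmdline": 'cmd.exe /C net group "Domain Admins" /domain'},
    {"type": "process", "cmdline": 'cmd.exe /C net group "Domain Computers" /domain'},
    {"type": "process", "cmdline": "cmd.exe /C reg query \\\\10.0.0.5\\HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"type": "process", "cmdline": "cmd.exe /C netsh advfirewall show allprofiles"},
    {"type": "process", "cmdline": 'cmd.exe /C tree "C:\\Users\\debbie\\"'},
    {"type": "process", "cmdline": '"C:\\Windows\\System32\\whoami.exe" /all /fo list'},
    {"type": "process", "cmdline": "cmd.exe /C echo %USERPROFILE%"},   # no rule: stays unmapped
    {"type": "network", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "dst_ip": "10.0.0.4", "dst_port": 389},
    {"type": "network", "image": "C:\\Windows\\System32\\svchost.exe", "dst_ip": "10.0.0.4", "dst_port": 389},
]

if __name__ == "__main__":
    for f in classify_events(SAMPLE_EVENTS):
        target = f" (remote: {f['remote_target']})" if f["remote_target"] else ""
        print(f"{f['technique']:<10} {f['name']}{target}: {f['evidence']}")
```

Rule order matters: the "Domain Computers"/"Domain Controllers" rule sits before the generic net group /domain rule, because the APT3 evaluation treats enumerating those groups as Remote System Discovery rather than Domain Groups discovery. The 'echo %VAR%' and svchost-to-389 events deliberately produce no finding, which is what separates this from a keyword grep: the network rule keys on the process image plus port plus destination, as the page's criterion does, so ordinary domain-joined service traffic to the DC is not flagged.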