GoSecure: Discovery (TA0007), ATT&CK Evaluations (Enterprise)
Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 2.A.2 | System Information Discovery (T1082) |
| 2.A.4 | Process Discovery (T1057) |
| 3.B.4 | Query Registry (T1012) |
| 4.A.1 | File and Directory Discovery (T1083) |
| 4.A.2 | Remote System Discovery (T1018) |
| 5.B.3 | Process Discovery (T1057) |
| 5.B.4 | File and Directory Discovery (T1083) |
| 5.B.7 | Remote System Discovery (T1018) |
| 6.A.2 | Remote System Discovery (T1018) |
| 6.A.3 | |
| 7.B.1 | System Owner/User Discovery (T1033) |
| 7.C.2 | File and Directory Discovery (T1083) |
| 12.A.4 | |
| 12.A.5 | System Information Discovery (T1082) |
| 13.A.1 | Process Discovery (T1057) |
| 13.A.3 | Network Share Discovery (T1135) |
| 13.A.5 | System Owner/User Discovery (T1033) |
| 13.A.6 | System Information Discovery (T1082) |
| 13.A.8 | |
| 13.A.9 | System Information Discovery (T1082) |
| 15.A.1 | Process Discovery (T1057) |
| 15.A.7 | |
| 15.A.8 | Remote System Discovery (T1018) |
| 20.B.2 | Process Discovery (T1057) |

Criteria (not tied to a step on this page):
- powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4
- User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)
APT29

| Step | ATT&CK Pattern |
|---|---|
| 2.A.1 | File and Directory Discovery (T1083) |
| 4.B.1 | Process Discovery (T1057) |
| 4.C.1 | File and Directory Discovery (T1083) |
| 4.C.2 | System Owner/User Discovery (T1033) |
| 4.C.3 | System Information Discovery (T1082) |
| 4.C.4 | |
| 4.C.5 | Process Discovery (T1057) |
| 4.C.6 | System Information Discovery (T1082) |
| 4.C.7 | Software Discovery: Security Software Discovery (T1518.001) |
| 4.C.8 | Software Discovery: Security Software Discovery (T1518.001) |
| 4.C.9 | Permission Groups Discovery: Domain Groups (T1069.002) |
| 4.C.11 | Permission Groups Discovery: Local Groups (T1069.001) |
| 8.A.1 | Remote System Discovery (T1018) |
| 8.A.3 | Process Discovery (T1057) |
| 9.B.2 | File and Directory Discovery (T1083) |
| 11.A.4 | System Information Discovery (T1082) |
| 11.A.5 | Peripheral Device Discovery (T1120) |
| 11.A.6 | System Owner/User Discovery (T1033) |
| 11.A.7 | |
| 11.A.8 | Process Discovery (T1057) |
| 11.A.9 | File and Directory Discovery (T1083) |
| 12.A.1 | File and Directory Discovery (T1083) |
| 12.B.1 | Software Discovery: Security Software Discovery (T1518.001) |
| 12.C.1 | Query Registry (T1012) |
| 12.C.2 | Query Registry (T1012) |
| 13.A.1 | System Information Discovery (T1082) |
| 13.B.1 | |
| 13.C.1 | System Owner/User Discovery (T1033) |
| 13.D.1 | Process Discovery (T1057) |
| 14.B.2 | Process Discovery (T1057) |
| 15.A.1 | System Owner/User Discovery (T1033) |
| 16.A.1 | Remote System Discovery (T1018) |
| 16.B.1 | System Owner/User Discovery (T1033) |
Procedures and criteria (not tied to a step on this page):

Procedure: Enumerated current running processes using PowerShell
Criteria: powershell.exe executing Get-Process

Procedure: Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria: powershell.exe executing Get-Process

Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem

Procedure: Enumerated computer manufacturer, model, and version information using PowerShell
Criteria: powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem

Procedure: Enumerated devices/adapters to check for the presence of VirtualBox driver(s) using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_PnPEntity

Procedure: Checked that the username is not related to admin or a generic value (e.g. "user") using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

Procedure: Checked that the computer is joined to a domain using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

Procedure: Checked that the payload is not inside a folder path that contains "sample" or has the length of a hash value using PowerShell
Criteria: powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName

Procedure: Enumerated the System32 directory using PowerShell
Criteria: powershell.exe executing gci ((gci env:windir).Value + '\system32')

Procedure: Enumerated installed software via the Registry (Wow6432Node Uninstall key) using PowerShell
Criteria: powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

Procedure: Enumerated installed software via the Registry (Uninstall key) using PowerShell
Criteria: powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Procedure: Enumerated the computer name using the GetComputerNameEx API
Criteria: powershell.exe calling the GetComputerNameEx API

Procedure: Enumerated running processes using the CreateToolhelp32Snapshot API
Criteria: powershell.exe calling the CreateToolhelp32Snapshot API

Procedure: Enumerated and tracked PowerShell processes using PowerShell
Criteria: powershell.exe executing Get-Process

Procedure: Enumerated logged-on users using PowerShell
Criteria: powershell.exe executing $env:UserName
APT3

| Step | ATT&CK Pattern |
|---|---|
| 2.A.1 | |
| 2.A.2 | |
| 2.B.1 | System Owner/User Discovery (T1033) |
| 2.C.1 | Process Discovery (T1057) |
| 2.C.2 | Process Discovery (T1057) |
| 2.D.1 | System Service Discovery (T1007) |
| 2.D.2 | System Service Discovery (T1007) |
| 2.E.1 | System Information Discovery (T1082) |
| 2.E.2 | System Information Discovery (T1082) |
| 2.F.1 | Permission Groups Discovery: Local Groups (T1069.001) |
| 2.F.2 | Permission Groups Discovery: Domain Groups (T1069.002) |
| 2.F.3 | Permission Groups Discovery: Domain Groups (T1069.002) |
| 2.G.1 | |
| 2.G.2 | |
| 2.H.1 | Query Registry (T1012) |
| 3.B.1 | Process Discovery (T1057) |
| 4.A.1 | Remote System Discovery (T1018) |
| 4.A.2 | Remote System Discovery (T1018) |
| 4.B.1 | |
| 4.C.1 | |
| 6.A.1 | Query Registry (T1012) |
| 7.A.1.3 | |
| 8.A.1 | File and Directory Discovery (T1083) |
| 8.A.2 | File and Directory Discovery (T1083) |
| 8.B.1 | Process Discovery (T1057) |
| 8.C.1.2 | Application Window Discovery (T1010) |
| 8.D.1.1 | Screen Capture (T1113) |
| 9.A.1 | File and Directory Discovery (T1083) |
| 12.A.1 | |
| 12.A.2 | |
| 12.B.1 | System Owner/User Discovery (T1033) |
| 12.C.1 | Process Discovery (T1057) |
| 12.D.1 | System Service Discovery (T1007) |
| 12.E.1.1 | System Owner/User Discovery (T1033) |
| 12.E.1.2 | Permission Groups Discovery: Domain Groups (T1069.002) |
| 12.E.1.3 | Password Policy Discovery (T1201) |
| 12.E.1.4.1 | File and Directory Discovery (T1083) |
| 12.E.1.4.2 | File and Directory Discovery (T1083) |
| 12.E.1.6.1 | System Information Discovery (T1082) |
| 12.E.1.6.2 | System Information Discovery (T1082) |
| 12.E.1.7 | Query Registry (T1012) |
| 12.E.1.8 | System Service Discovery (T1007) |
| 12.E.1.9.1 | Network Share Discovery (T1135) |
| 12.E.1.9.2 | Network Share Discovery (T1135) |
| 12.E.1.10.1 | Software Discovery: Security Software Discovery (T1518.001) |
| 12.E.1.10.2 | Software Discovery: Security Software Discovery (T1518.001) |
| 12.E.1.11 | |
| 12.E.1.12 | |
| 12.F.1 | Permission Groups Discovery: Domain Groups (T1069.002) |
| 12.F.2 | Permission Groups Discovery: Local Groups (T1069.001) |
| 12.G.1 | |
| 12.G.2 | |
| 13.A.1 | Remote System Discovery (T1018) |
| 13.B.1 | |
| 13.B.2 | |
| 13.C.1 | Query Registry (T1012) |
| 15.A.1.2 | Application Window Discovery (T1010) |
| 16.H.1 | System Service Discovery (T1007) |
| 16.J.1 | System Service Discovery (T1007) |
| 16.K.1 | File and Directory Discovery (T1083) |
| 17.A.1.1 | System Service Discovery (T1007) |
| 17.A.1.2 | Query Registry (T1012) |
| 18.A.1 | File and Directory Discovery (T1083) |
| 20.B.1 | System Owner/User Discovery (T1033) |
Procedures (not tied to a step on this page; footnote markers refer to the notes at the end):

- Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
- Empire: WinEnum module included enumeration of user information [1]
- Empire: WinEnum module included enumeration of password policy information [1]
- Empire: WinEnum module included enumeration of recently opened files [1]
- Empire: WinEnum module included enumeration of interesting files [1]
- Empire: WinEnum module included enumeration of system information [1]
- Empire: WinEnum module included enumeration of Windows update information [1]
- Empire: WinEnum module included enumeration of system information via a Registry query [1]
- Empire: WinEnum module included enumeration of services [1]
- Empire: WinEnum module included enumeration of available shares [1]
- Empire: WinEnum module included enumeration of mapped network drives [1]
- Empire: WinEnum module included enumeration of AV solutions [1]
- Empire: WinEnum module included enumeration of firewall rules [1]
- Empire: WinEnum module included enumeration of network adapters [1]
- Empire: WinEnum module included enumeration of established network connections [1]
- Empire: Built-in keylogging module included residual enumeration of application windows [1]
- Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4) [2]
- Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4) [2]
- Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4) [1]
- Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services [1]
- Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5) [1]
- Executed 'whoami' via cmd persistence mechanism through an RDP connection made to Creeper (10.0.0.4) [1]

Footnotes
[1] Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
[2] The capability was modified after the start of the evaluation to allow the condition contributing to Enrichment to appear, so the detection is identified as a configuration change. See Configuration page for details.
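The criteria on this page are stated as process and command-line observations: powershell.exe executing Get-Process, Get-WmiObject queries for Win32_BIOS, Win32_ComputerSystem and Win32_PnPEntity, Registry queries for the two Uninstall keys, Get-NetComputer with an LDAP connection to the DC, nslookup against the DC over DNS, and the 'sc query', 'sc qc', 'reg query' and 'whoami' commands in the APT3 procedures. The Python below is an added example, not part of the ATT&CK Evaluations page or of GoSecure's product: it turns those criteria into matching rules and runs them over constructed process-creation records. The event fields (image, cmdline, user, dest_ip, dest_port), the sample record set and the specific nslookup, sc and reg arguments are constructed for the example; the technique IDs each rule returns follow the page's own rows.

```python
"""Classify constructed process-creation records against the discovery
criteria listed on this page (added example, not the evaluation's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One constructed process-creation record; dest_ip/dest_port model the
    network enrichment the criteria rely on (assumed field names)."""
    image: str
    cmdline: str
    user: str = ""
    dest_ip: str = ""
    dest_port: int = 0


@dataclass(frozen=True)
class Rule:
    technique: str
    image: Optional[str]   # required image name, or None for any image
    pattern: re.Pattern    # matched against the command line
    dest_port: int = 0     # if non-zero, a connection to this port is also required


def _r(technique: str, image: Optional[str], regex: str, dest_port: int = 0) -> Rule:
    return Rule(technique, image, re.compile(regex, re.I), dest_port)


# One rule per criterion on the page, keyed to the technique its row carries.
RULES = [
    _r("T1057", "powershell.exe", r"\bGet-Process\b"),
    _r("T1083", "powershell.exe", r"\b(Get-ChildItem|gci|Get-Item)\b"),
    # Win32_BIOS/Win32_ComputerSystem back T1082; Win32_ComputerSystem also backs
    # the username check the page files under T1033, so both rules are kept.
    _r("T1082", "powershell.exe", r"\b(Get-WmiObject|gwmi)\b.*\bWin32_(BIOS|ComputerSystem)\b"),
    _r("T1033", "powershell.exe", r"\b(Get-WmiObject|gwmi)\b.*\bWin32_ComputerSystem\b"),
    _r("T1033", "powershell.exe", r"\$env:UserName\b"),
    _r("T1120", "powershell.exe", r"\b(Get-WmiObject|gwmi)\b.*\bWin32_PnPEntity\b"),
    _r("T1518.001", "powershell.exe",
       r"HKLM:?\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall"),
    _r("T1018", "powershell.exe", r"\bGet-NetComputer\b", dest_port=389),  # LDAP to the DC
    _r("T1018", "nslookup.exe", r".", dest_port=53),                      # DNS to the DC
    _r("T1007", None, r"\bsc(\.exe)?\b.*\b(query|qc)\b"),
    _r("T1012", None, r"\breg(\.exe)?\s+query\b"),
    _r("T1033", "whoami.exe", r"."),
]


def classify(ev: ProcEvent) -> List[str]:
    """Return every technique ID whose rule the record satisfies, sorted."""
    hits = set()
    for rule in RULES:
        if rule.image and ev.image.lower() != rule.image:
            continue
        if rule.dest_port and ev.dest_port != rule.dest_port:
            continue
        if rule.pattern.search(ev.cmdline):
            hits.add(rule.technique)
    return sorted(hits)


def coverage(events: List[ProcEvent]) -> List[str]:
    """Distinct technique IDs observed across a batch of records."""
    seen = set()
    for ev in events:
        seen.update(classify(ev))
    return sorted(seen)


# Constructed records; the exact nslookup, sc and reg arguments are illustrative.
SAMPLE_EVENTS = [
    ProcEvent("powershell.exe", "powershell.exe -c Get-Process"),
    ProcEvent("powershell.exe", "gwmi Win32_BIOS; gwmi Win32_ComputerSystem"),
    ProcEvent("powershell.exe", "Get-WmiObject Win32_PnPEntity | Select Name"),
    ProcEvent("powershell.exe",
              "Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*"),
    ProcEvent("powershell.exe", "Get-NetComputer", dest_ip="10.0.0.4", dest_port=389),
    ProcEvent("powershell.exe", "Get-NetComputer"),  # no LDAP connection observed
    ProcEvent("nslookup.exe", "nslookup dc.example.local", user="kmitnick",
              dest_ip="10.0.0.4", dest_port=53),
    ProcEvent("cmd.exe", "sc \\\\Creeper query"),
    ProcEvent("cmd.exe", "reg query \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\""),
    ProcEvent("whoami.exe", "whoami"),
    ProcEvent("notepad.exe", "notepad.exe report.txt"),  # benign control
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.image:<16} {classify(ev) or '-'}  {ev.cmdline}")
    print("techniques covered:", coverage(SAMPLE_EVENTS))
```

Two points the criteria make and the code preserves: the same telemetry (a Get-WmiObject query for Win32_ComputerSystem) backs both T1033 and T1082 on this page, so classify returns every matching technique rather than one label; and the Get-NetComputer and nslookup rules require the network enrichment the criteria name (a connection on 389 or 53), so the bare Get-NetComputer record in the sample set does not fire.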

