GoSecure
System Owner/User Discovery (T1033)

Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 7.B.1 | Tactic: Discovery (TA0007) |
| 13.A.5 | Tactic: Discovery (TA0007) |

APT29

| Step | ATT&CK Pattern |
|---|---|
| 4.C.2 | Tactic: Discovery (TA0007) |
| 11.A.6 | Tactic: Discovery (TA0007) |
| 13.C.1 | Tactic: Discovery (TA0007) |
| 15.A.1 | Tactic: Discovery (TA0007) |
| 16.B.1 | Tactic: Discovery (TA0007) |

Procedure
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Procedure
Enumerated logged on users using PowerShell
Criteria
powershell.exe executing $env:UserName

APT3

| Step | ATT&CK Pattern |
|---|---|
| 2.B.1 | Tactic: Discovery (TA0007) |
| 12.B.1 | Tactic: Discovery (TA0007) |
| 12.E.1.1 | Tactic: Discovery (TA0007) |
| 20.B.1 | Tactic: Discovery (TA0007) |

Procedure
Empire: WinEnum module included enumeration of user information
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.

