Remote System Discovery (T1018)
Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 4.A.2 | Tactic Discovery (TA0007) |
| 5.B.7 | Tactic Discovery (TA0007) |
| 6.A.2 | Tactic Discovery (TA0007) |
| 15.A.8 | Tactic Discovery (TA0007) |

APT29

| Step | ATT&CK Pattern |
|---|---|
| 8.A.1 | Tactic Discovery (TA0007) |
| 16.A.1 | Tactic Discovery (TA0007) |

Procedure
Enumerated remote systems using LDAP queries
Criteria
powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
APT3

| Step | ATT&CK Pattern |
|---|---|
| 4.A.1 | Tactic Discovery (TA0007) |
| 4.A.2 | Tactic Discovery (TA0007) |
| 13.A.1 | Tactic Discovery (TA0007) |

Procedure
Empire: 'net group "Domain Computers" -domain' via PowerShell
Footnotes
- For most alerts in the user interface, the telemetry behind them is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.



