Home >
Enterprise >
Participants >
Cybereason >
Query Registry (T1012)
|
|
Carbanak+FIN7 |
||||||
Step | ATT&CK Pattern |
|
||||
3.B.4
|
Tactic Discovery (TA0007) |
|
APT29 |
||||
Step | ATT&CK Pattern |
|
||
12.C.1
|
Tactic Discovery (TA0007) |
|
||
12.C.2
|
Tactic Discovery (TA0007) |
|
Procedure
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
APT3 |
||||
Step | ATT&CK Pattern |
|
||
2.H.1
|
Tactic Discovery (TA0007) |
|
||
6.A.1
|
Tactic Discovery (TA0007) |
|
||
12.E.1.7
|
Tactic Discovery (TA0007) |
|
||
13.C.1
|
Tactic Discovery (TA0007) |
|
||
17.A.1.2
|
Tactic Discovery (TA0007) |
|