Discovery (TA0007)
Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 2.A.2 | System Information Discovery (T1082) |
| 2.A.4 | Process Discovery (T1057) |
| 3.B.4 | Query Registry (T1012) |
| 4.A.1 | File and Directory Discovery (T1083) |
| 4.A.2 | Remote System Discovery (T1018) |
| 5.B.3 | Process Discovery (T1057) |
| 5.B.4 | File and Directory Discovery (T1083) |
| 5.B.7 | Remote System Discovery (T1018) |
| 6.A.2 | Remote System Discovery (T1018) |
| 6.A.3 | |
| 7.B.1 | System Owner/User Discovery (T1033) |
| 7.C.2 | File and Directory Discovery (T1083) |
| 12.A.4 | |
| 12.A.5 | System Information Discovery (T1082) |
| 13.A.1 | Process Discovery (T1057) |
| 13.A.3 | Network Share Discovery (T1135) |
| 13.A.5 | System Owner/User Discovery (T1033) |
| 13.A.6 | System Information Discovery (T1082) |
| 13.A.8 | |
| 13.A.9 | System Information Discovery (T1082) |
| 15.A.1 | Process Discovery (T1057) |
| 15.A.7 | |
| 15.A.8 | Remote System Discovery (T1018) |
| 20.B.2 | Process Discovery (T1057) |
APT29

| Step | ATT&CK Pattern |
|---|---|
| 2.A.1 | File and Directory Discovery (T1083) |
| 4.B.1 | Process Discovery (T1057) |
| 4.C.1 | File and Directory Discovery (T1083) |
| 4.C.2 | System Owner/User Discovery (T1033) |
| 4.C.3 | System Information Discovery (T1082) |
| 4.C.4 | |
| 4.C.5 | Process Discovery (T1057) |
| 4.C.6 | System Information Discovery (T1082) |
| 4.C.7 | Software Discovery (T1518); sub-technique: Software Discovery: Security Software Discovery (T1518.001) |
| 4.C.8 | Software Discovery (T1518); sub-technique: Software Discovery: Security Software Discovery (T1518.001) |
| 4.C.9 | Permission Groups Discovery (T1069); sub-technique: Permission Groups Discovery: Domain Groups (T1069.002) |
| 4.C.11 | Permission Groups Discovery (T1069); sub-technique: Permission Groups Discovery: Local Groups (T1069.001) |
| 8.A.1 | Remote System Discovery (T1018) |
| 8.A.3 | Process Discovery (T1057) |
| 9.B.2 | File and Directory Discovery (T1083) |
| 11.A.4 | System Information Discovery (T1082) |
| 11.A.5 | Peripheral Device Discovery (T1120) |
| 11.A.6 | System Owner/User Discovery (T1033) |
| 11.A.7 | |
| 11.A.8 | Process Discovery (T1057) |
| 11.A.9 | File and Directory Discovery (T1083) |
| 12.A.1 | File and Directory Discovery (T1083) |
| 12.B.1 | Software Discovery (T1518); sub-technique: Software Discovery: Security Software Discovery (T1518.001) |
| 12.C.1 | Query Registry (T1012) |
| 12.C.2 | Query Registry (T1012) |
| 13.A.1 | System Information Discovery (T1082) |
| 13.B.1 | |
| 13.C.1 | System Owner/User Discovery (T1033) |
| 13.D.1 | Process Discovery (T1057) |
| 14.B.2 | Process Discovery (T1057) |
| 15.A.1 | System Owner/User Discovery (T1033) |
| 16.A.1 | Remote System Discovery (T1018) |
| 16.B.1 | System Owner/User Discovery (T1033) |
APT3

| Step | ATT&CK Pattern |
|---|---|
| 2.A.1 | |
| 2.A.2 | |
| 2.B.1 | System Owner/User Discovery (T1033) |
| 2.C.1 | Process Discovery (T1057) |
| 2.C.2 | Process Discovery (T1057) |
| 2.D.1 | System Service Discovery (T1007) |
| 2.D.2 | System Service Discovery (T1007) |
| 2.E.1 | System Information Discovery (T1082) |
| 2.E.2 | System Information Discovery (T1082) |
| 2.F.1 | Permission Groups Discovery (T1069); sub-technique: Permission Groups Discovery: Local Groups (T1069.001) |
| 2.F.2 | Permission Groups Discovery (T1069); sub-technique: Permission Groups Discovery: Domain Groups (T1069.002) |
| 2.F.3 | Permission Groups Discovery (T1069); sub-technique: Permission Groups Discovery: Domain Groups (T1069.002) |
| 2.G.1 | |
| 2.G.2 | |
| 2.H.1 | Query Registry (T1012) |
| 3.B.1 | Process Discovery (T1057) |
| 4.A.1 | Remote System Discovery (T1018) |
| 4.A.2 | Remote System Discovery (T1018) |
| 4.B.1 | |
| 4.C.1 | |
| 6.A.1 | Query Registry (T1012) |
| 7.A.1.3 | |
| 8.A.1 | File and Directory Discovery (T1083) |
| 8.A.2 | File and Directory Discovery (T1083) |
| 8.B.1 | Process Discovery (T1057) |
| 8.C.1.2 | Application Window Discovery (T1010) |
| 8.D.1.1 | Screen Capture (T1113) |
| 9.A.1 | File and Directory Discovery (T1083) |
| 12.A.1 | |
| 12.A.2 | |
| 12.B.1 | System Owner/User Discovery (T1033) |
| 12.C.1 | Process Discovery (T1057) |
| 12.D.1 | System Service Discovery (T1007) |
| 12.E.1.1 | System Owner/User Discovery (T1033) |
| 12.E.1.2 | Permission Groups Discovery (T1069); sub-technique: Permission Groups Discovery: Domain Groups (T1069.002) |
| 12.E.1.3 | Password Policy Discovery (T1201) |
| 12.E.1.4.1 | File and Directory Discovery (T1083) |
| 12.E.1.4.2 | File and Directory Discovery (T1083) |
| 12.E.1.6.1 | System Information Discovery (T1082) |
| 12.E.1.6.2 | System Information Discovery (T1082) |
| 12.E.1.7 | Query Registry (T1012) |
| 12.E.1.8 | System Service Discovery (T1007) |
| 12.E.1.9.1 | Network Share Discovery (T1135) |
| 12.E.1.9.2 | Network Share Discovery (T1135) |
| 12.E.1.10.1 | Software Discovery (T1518); sub-technique: Software Discovery: Security Software Discovery (T1518.001) |
| 12.E.1.10.2 | Software Discovery (T1518); sub-technique: Software Discovery: Security Software Discovery (T1518.001) |
| 12.E.1.11 | |
| 12.E.1.12 | |
| 12.F.1 | Permission Groups Discovery (T1069); sub-technique: Permission Groups Discovery: Domain Groups (T1069.002) |
| 12.F.2 | Permission Groups Discovery (T1069); sub-technique: Permission Groups Discovery: Local Groups (T1069.001) |
| 12.G.1 | |
| 12.G.2 | |
| 13.A.1 | Remote System Discovery (T1018) |
| 13.B.1 | |
| 13.B.2 | |
| 13.C.1 | Query Registry (T1012) |
| 15.A.1.2 | Application Window Discovery (T1010) |
| 16.H.1 | System Service Discovery (T1007) |
| 16.J.1 | System Service Discovery (T1007) |
| 16.K.1 | File and Directory Discovery (T1083) |
| 17.A.1.1 | System Service Discovery (T1007) |
| 17.A.1.2 | Query Registry (T1012) |
| 18.A.1 | File and Directory Discovery (T1083) |
| 20.B.1 | System Owner/User Discovery (T1033) |
Procedure
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Empire: WinEnum module included enumeration of Windows update information
Footnotes
- Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
Procedure
Empire: WinEnum module included enumeration of established network connections
Footnotes
- Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Procedure
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
Procedure
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)