File and Directory Discovery (T1083)

Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 4.A.1 | Tactic Discovery (TA0007) |
| 5.B.4 | Tactic Discovery (TA0007) |
| 7.C.2 | Tactic Discovery (TA0007) |

APT29

| Step | ATT&CK Pattern |
|---|---|
| 2.A.1 | Tactic Discovery (TA0007) |
| 4.C.1 | Tactic Discovery (TA0007) |
| 9.B.2 | Tactic Discovery (TA0007) |
| 11.A.9 | Tactic Discovery (TA0007) |
| 12.A.1 | Tactic Discovery (TA0007) |

APT3

| Step | ATT&CK Pattern |
|---|---|
| 8.A.1 | Tactic Discovery (TA0007) |
| 8.A.2 | Tactic Discovery (TA0007) |
| 9.A.1 | Tactic Discovery (TA0007) |
| 12.E.1.4.1 | Tactic Discovery (TA0007) |
| 12.E.1.4.2 | Tactic Discovery (TA0007) |
| 16.K.1 | Tactic Discovery (TA0007) |
| 18.A.1 | Tactic Discovery (TA0007) |

Procedure
Cobalt Strike: 'tree \"C:\Users\debbie\"' via cmd
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.


Procedure
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)