
Tactic Results: Discovery (TA0007)

Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, MSSP, General, Tactic, Specific Behavior, Technique

Detection Modifiers: Enrichment, Tainted, Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative Technique
Procedure | Criteria | Step | Detection Type | Detection Notes
System Network Configuration Discovery (T1016)

Procedure: Enumerated the current domain name using PowerShell
  Criteria: powershell.exe executing $env:USERDOMAIN
  Step: 4.C.4
  Telemetry (Correlated): Telemetry showed powershell.exe executing $env:USERDOMAIN. The event was correlated to a parent General detection for malicious file execution. [1]

Procedure: Checked that the computer is joined to a domain using PowerShell
  Criteria: powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
  Step: 11.A.7
  Tactic (Alert): A Tactic alert detection (medium severity) called "Reconnaissance of Multiple WMI Classes" was generated for powershell.exe enumerating WMI classes associated with System Information Discovery. [1]
  Telemetry: Telemetry showed the PowerShell gwmi query for Win32_ComputerSystem. [1]

Procedure: Enumerated the domain name using the NetWkstaGetInfo API
  Criteria: powershell.exe executing the NetWkstaGetInfo API
  Step: 13.B.1
  Telemetry (Correlated): Telemetry showed PowerShell calling the NetWkstaGetInfo API. The detection was correlated to a parent alert for a suspicious Windows script. [1]
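Most rows on this page carry the Correlated modifier: the discovery command on its own is only telemetry, and it becomes "Telemetry (Correlated)" because the sensor can walk the process tree from the powershell.exe that ran the command up to an ancestor that already has an alert (the parent General detection for malicious file execution in 4.C.4, the suspicious Windows script alert in 13.B.1). The Python below is an added example, not Elastic's or MITRE's code: it reproduces that classification over a constructed process tree, a constructed alert and a few constructed script events. The event fields, PIDs, image names and alert names are assumptions for the example and are not Elastic's schema.

```python
"""Added example, not Elastic's or MITRE's code: reproduce the "Telemetry (Correlated)"
classification used on this page by walking a process tree from the process that
produced a discovery event up to an ancestor that already carries an alert.
All events, PIDs, image names and alert names below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class Alert:
    pid: int        # process the alert was raised on
    category: str   # "General", "Tactic" or "Technique", as in the legend above
    name: str


@dataclass(frozen=True)
class Telemetry:
    pid: int        # process that executed the discovery command
    step: str       # evaluation step, e.g. "4.C.4"
    technique: str
    command: str


# Constructed process tree: a malicious screensaver (alerted on) spawns powershell.exe,
# while an unrelated administrator shell runs the same discovery cmdlet.
SAMPLE_PROCESSES = [
    ProcessEvent(pid=100, ppid=1, image="explorer.exe"),
    ProcessEvent(pid=200, ppid=100, image="payload.scr"),
    ProcessEvent(pid=300, ppid=200, image="powershell.exe"),
    ProcessEvent(pid=400, ppid=100, image="powershell.exe"),
]
SAMPLE_ALERTS = [Alert(pid=200, category="General", name="malicious file execution")]
SAMPLE_TELEMETRY = [
    Telemetry(pid=300, step="4.C.4", technique="T1016", command="$env:USERDOMAIN"),
    Telemetry(pid=300, step="4.B.1", technique="T1057", command="Get-Process"),
    Telemetry(pid=400, step="admin", technique="T1057", command="Get-Process"),
]


def alerted_ancestor(pid: int, tree: Dict[int, ProcessEvent],
                     alerts_by_pid: Dict[int, Alert], max_depth: int = 32) -> Optional[Alert]:
    """Follow ppid links upward from pid and return the first alerted ancestor, or None.

    The walk is bounded by max_depth and a seen-set: with PID reuse or a damaged ppid
    chain the parent links can form a cycle, and an unbounded walk would never return."""
    seen = {pid}
    current = tree.get(pid)
    for _ in range(max_depth):
        if current is None or current.ppid in seen:
            return None
        if current.ppid in alerts_by_pid:
            return alerts_by_pid[current.ppid]
        seen.add(current.ppid)
        current = tree.get(current.ppid)
    return None


def classify_telemetry(telemetry: List[Telemetry], processes: List[ProcessEvent],
                       alerts: List[Alert]) -> List[dict]:
    """Label each telemetry event the way the Detection Type column on this page does."""
    tree = {p.pid: p for p in processes}
    alerts_by_pid = {a.pid: a for a in alerts}
    rows = []
    for event in telemetry:
        image = tree[event.pid].image if event.pid in tree else "unknown process"
        note = f"Telemetry showed {image} executing {event.command}."
        ancestor = alerted_ancestor(event.pid, tree, alerts_by_pid)
        if ancestor is None:
            detection_type = "Telemetry"
        else:
            detection_type = "Telemetry (Correlated)"
            note += (f" The event was correlated to a parent {ancestor.category} "
                     f"detection for {ancestor.name}.")
        rows.append({"step": event.step, "technique": event.technique,
                     "detection_type": detection_type, "note": note})
    return rows


if __name__ == "__main__":
    for row in classify_telemetry(SAMPLE_TELEMETRY, SAMPLE_PROCESSES, SAMPLE_ALERTS):
        print(f"{row['step']:>6}  {row['technique']}  {row['detection_type']:<24} {row['note']}")
```

The administrator's Get-Process (pid 400) produces the same telemetry as the attacker's (pid 300); only the alerted ancestor separates them. The bounded walk matters in practice: on a busy host the ppid chain can point at a recycled PID, and a correlation routine that loops forever is a denial of service on the detection pipeline.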
Query Registry (T1012)

Procedure: Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
  Criteria: powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  Step: 12.C.1
  Telemetry (Correlated): Telemetry showed script block with registry query for installed software. The event was correlated to a parent General detection for a suspicious Windows script. [1]

Procedure: Enumerated installed software via the Registry (Uninstall key) using PowerShell
  Criteria: powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  Step: 12.C.2
  Telemetry (Correlated): Telemetry showed script block with registry query for installed software. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Process Discovery (T1057)

Procedure: Enumerated current running processes using PowerShell
  Criteria: powershell.exe executing Get-Process
  Step: 4.B.1
  Telemetry (Correlated): Telemetry showed powershell.exe executing Get-Process. The detection was correlated to a parent alert for malicious file execution. [1]

Procedure: Enumerated the current process ID using PowerShell
  Criteria: powershell.exe executing $PID
  Step: 4.C.5
  Telemetry (Correlated): Telemetry showed powershell.exe executing $PID. The event was correlated to a parent General detection for malicious file execution. [1]

Procedure: Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
  Criteria: powershell.exe executing Get-Process
  Step: 8.A.3
  Telemetry (Correlated): Telemetry showed wsmprovhost.exe executing Get-Process. The event was correlated to a parent General detection for malicious file execution. [1]

Procedure: Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell
  Criteria: powershell.exe executing a Get-WmiObject query for Win32_Process
  Step: 11.A.8
  Tactic (Alert): A Tactic alert detection (medium severity) called "Reconnaissance of Multiple WMI Classes" was generated for powershell.exe enumerating WMI classes associated with System Information Discovery. [1]
  Telemetry: Telemetry showed the PowerShell gwmi query for Win32_Process. [1]

Procedure: Enumerated running processes using the CreateToolhelp32Snapshot API
  Criteria: powershell.exe executing the CreateToolhelp32Snapshot API
  Step: 13.D.1
  Telemetry (Correlated): Telemetry showed PowerShell calling the CreateToolhelp32Snapshot API. The detection was correlated to a parent alert for a suspicious Windows script. [1]

Procedure: Enumerated and tracked PowerShell processes using PowerShell
  Criteria: powershell.exe executing Get-Process
  Step: 14.B.2
  Technique (Correlated, Alert): A Technique alert detection (medium severity) for "Process Discovery via WMI" was generated for PowerShell executing Get-Process. The detection was correlated to a parent alert for a suspicious Windows script. [1]
  Telemetry (Correlated): Telemetry showed PowerShell executing Get-Process. The detection was correlated to a parent alert for a suspicious Windows script. [1]
System Owner/User Discovery (T1033)

Procedure: Enumerated the current username using PowerShell
  Criteria: powershell.exe executing $env:USERNAME
  Step: 4.C.2
  Telemetry (Correlated): Telemetry showed powershell.exe executing $env:USERNAME. The event was correlated to a parent General detection for malicious file execution. [1]

Procedure: Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
  Criteria: powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
  Step: 11.A.6
  Tactic (Alert): A Tactic alert detection (medium severity) called "Reconnaissance of Multiple WMI Classes" was generated for powershell.exe enumerating WMI classes associated with System Information Discovery. [1]
  Telemetry: Telemetry showed the PowerShell gwmi query for Win32_ComputerSystem. [1]

Procedure: Enumerated the current username using the GetUserNameEx API
  Criteria: powershell.exe executing the GetUserNameEx API
  Step: 13.C.1
  Telemetry (Correlated): Telemetry showed PowerShell executing the GetUserNameEx API. The event was correlated to a parent General detection for a suspicious Windows script. [1]

Procedure: Enumerated logged on users using PowerShell
  Criteria: powershell.exe executing $env:UserName
  Step: 15.A.1
  Telemetry (Correlated): Telemetry showed PowerShell script block executing $env:UserName. The event was correlated to a parent General detection for a suspicious Windows script. [1]

Procedure: Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API
  Criteria: powershell.exe executing the ConvertSidToStringSid API
  Step: 16.B.1
  Telemetry (Correlated): Telemetry showed PowerShell executing the ConvertSidToStringSid API function. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Permission Groups Discovery (T1069)

Procedure: Enumerated user's domain group membership via the NetUserGetGroups API
  Criteria: powershell.exe executing the NetUserGetGroups API
  Step: 4.C.9
  Telemetry (Correlated): Telemetry showed powershell.exe executing Invoke-NetUserGetGroups. The event was correlated to a parent General detection for malicious file execution. [1]

Procedure: Enumerated user's local group membership via the NetUserGetLocalGroups API
  Criteria: powershell.exe executing the NetUserGetLocalGroups API
  Step: 4.C.11
  Telemetry (Correlated): Telemetry showed powershell.exe executing Invoke-NetUserGetLocalGroups. The event was correlated to a parent General detection for malicious file execution. [1]
Remote System Discovery (T1018)

Procedure: Enumerated remote systems using LDAP queries
  Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
  Step: 8.A.1
  Telemetry (Correlated): Telemetry showed powershell.exe establishing a connection to NewYork (10.0.0.4) over TCP port 389. The detection was correlated to a parent alert for malicious file execution. [1]

Procedure: Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
  Criteria: powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll
  Step: 16.A.1
  Telemetry (Correlated): Telemetry showed PowerShell executing the Get-NetDomainController cmdlet then subsequently making a network connection to the domain controller NewYork (10.0.0.4) over TCP port 389. The detection was correlated to a parent alert for a suspicious Windows script. [1] [2] [3]
System Information Discovery (T1082)

Procedure: Enumerated the computer hostname using PowerShell
  Criteria: powershell.exe executing $env:COMPUTERNAME
  Step: 4.C.3
  Telemetry (Correlated): Telemetry showed powershell.exe executing $env:COMPUTERNAME. The event was correlated to a parent General detection for malicious file execution. [1]

Procedure: Enumerated the OS version using PowerShell
  Criteria: powershell.exe executing Gwmi Win32_OperatingSystem
  Step: 4.C.6
  Technique (Correlated, Alert): A Technique detection called "Reconnaissance of Multiple WMI Classes" was generated due to multiple WMI classes being queried in quick succession. The event was correlated to a parent General detection for malicious file execution. The detection was a medium severity alert. [1]
  Telemetry (Correlated): Telemetry showed powershell.exe executing Gwmi Win32_OperatingSystem. The event was correlated to a parent General detection for malicious file execution. [1] [2]

Procedure: Enumerated computer manufacturer, model, and version information using PowerShell
  Criteria: powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
  Step: 11.A.4
  Technique: A Technique detection for "ATT&CK T1082 System Info Discovery" was generated for powershell.exe querying Win32_ComputerSystem and Win32_BIOS. [1]
  Tactic (Alert): A Tactic alert detection (medium severity) called "Reconnaissance of Multiple WMI Classes" was generated for powershell.exe enumerating WMI classes associated with System Information Discovery. [1] [2]
  Telemetry: Telemetry showed the PowerShell gwmi queries for Win32_BIOS and Win32_ComputerSystem. [1] [2]

Procedure: Enumerated the computer name using the GetComputerNameEx API
  Criteria: powershell.exe executing the GetComputerNameEx API
  Step: 13.A.1
  Telemetry (Correlated): Telemetry showed PowerShell calling the GetComputerNameEx API. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Virtualization/Sandbox Evasion (T1497)

Procedure: Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
  Criteria: powershell.exe executing a Get-WmiObject query for Win32_BIOS
  Step: 11.A.3
  Tactic (Alert): A Tactic alert detection (medium severity) called "Reconnaissance of Multiple WMI Classes" was generated for powershell.exe enumerating WMI classes associated with System Information Discovery. [1]
  Telemetry: Telemetry showed the PowerShell gwmi query for Win32_BIOS. [1]
File and Directory Discovery (T1083)

Procedure: Searched filesystem for document and media files using PowerShell
  Criteria: powershell.exe executing (Get-)ChildItem
  Step: 2.A.1
  Telemetry (Correlated): Telemetry showed powershell.exe executing ChildItem. The event was correlated to a parent General detection for malicious file execution. [1]

Procedure: Enumerated user's temporary directory path using PowerShell
  Criteria: powershell.exe executing $env:TEMP
  Step: 4.C.1
  Telemetry (Correlated): Telemetry showed powershell.exe executing $env:TEMP. The event was correlated to a parent General detection for malicious file execution. [1]

Procedure: Searched filesystem for document and media files using PowerShell
  Criteria: powershell.exe executing (Get-)ChildItem
  Step: 9.B.2
  Telemetry (Correlated): Telemetry showed powershell.exe executing ChildItem. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]

Procedure: Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
  Criteria: powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
  Step: 11.A.9
  Telemetry: Telemetry showed PowerShell executing Get-Item for the current path. [1]

Procedure: Enumerated the System32 directory using PowerShell
  Criteria: powershell.exe executing gci ((gci env:windir).Value + '\system32')
  Step: 12.A.1
  General (Correlated, Alert): A General alert detection for "Stealthy PowerShell Commands" (medium severity) was generated for PowerShell executing the timestomp function. The event was correlated to a parent General detection for a suspicious Windows script. [1]
  Telemetry (Correlated): Telemetry showed powershell.exe enumerating System32. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Security Software Discovery (T1063)

Procedure: Enumerated anti-virus software using PowerShell
  Criteria: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
  Step: 4.C.7
  Tactic (Correlated, Alert): A Tactic detection called "Reconnaissance of Multiple WMI Classes" was generated due to multiple WMI classes being queried in quick succession. The event was correlated to a parent General detection for malicious file execution. The detection was a medium severity alert. [1]
  Telemetry (Correlated): Telemetry showed powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct. The event was correlated to a parent General detection for malicious file execution. [1]

Procedure: Enumerated firewall software using PowerShell
  Criteria: powershell.exe executing Get-WmiObject ... -Class FireWallProduct
  Step: 4.C.8
  Tactic (Correlated, Alert): A Tactic detection called "Reconnaissance of Multiple WMI Classes" was generated due to multiple WMI classes being queried in quick succession. The event was correlated to a parent General detection for malicious file execution. The detection was a medium severity alert. [1]
  Telemetry (Correlated): Telemetry showed powershell.exe executing Get-WmiObject ... -Class FireWallProduct. The event was correlated to a parent General detection for malicious file execution. [1]

Procedure: Enumerated registered AV products using PowerShell
  Criteria: powershell.exe executing a Get-WmiObject query for AntiVirusProduct
  Step: 12.B.1
  Technique (Correlated, Configuration Change (Detections), Alert): A Technique detection (medium severity) for "ATT&CK T1063 Security Software Discovery" was generated due to PowerShell executing the detectav function. The event was correlated to a parent General detection for a suspicious Windows script. [1]
  Telemetry (Correlated): Telemetry showed PowerShell gwmi query for AntiVirusProduct. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Peripheral Device Discovery (T1120)

Procedure: Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
  Criteria: powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
  Step: 11.A.5
  Telemetry: Telemetry showed the PowerShell gwmi query for Win32_PnPEntity. [1]
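Several rows above (4.C.6, 4.C.7, 4.C.8 and the 11.A.3 to 11.A.8 sandbox checks, including the Win32_PnPEntity query just listed) are covered by one alert, "Reconnaissance of Multiple WMI Classes", which the notes describe as firing because multiple WMI classes were queried in quick succession by a single PowerShell process. The script below is an added example, not Elastic's rule: it pulls WMI class names out of PowerShell script block log records and raises one medium-severity alert per process once a threshold of distinct classes is reached inside a time window. The log records, field names, threshold and window are constructed for the example; the class-to-technique mapping follows the rows on this page.

```python
"""Added example, not Elastic's rule: a minimal "Reconnaissance of Multiple WMI Classes"
detector over PowerShell script block log records. One process querying several distinct
WMI classes inside a short window is flagged once, with medium severity, like the rows
above. Records, field names, threshold and window are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# A WMI cmdlet invocation and its arguments up to the next pipe, semicolon or newline.
WMI_CALL_RE = re.compile(r"\b(?:Get-WmiObject|gwmi|Get-CimInstance)\b([^\n;|]*)", re.IGNORECASE)
# Class names inside those arguments: Win32_* style names plus the two SecurityCenter2
# product classes used in steps 4.C.7, 4.C.8 and 12.B.1. Catches -Class, positional and
# -Query "SELECT ... FROM <class>" forms alike.
WMI_CLASS_RE = re.compile(r"\b([A-Za-z][A-Za-z0-9]*_[A-Za-z0-9_]+|AntiVirusProduct|FireWallProduct)\b",
                          re.IGNORECASE)

# Class-to-technique mapping taken from the rows on this page (one technique per class).
CLASS_TO_TECHNIQUE = {
    "win32_bios": "T1082", "win32_computersystem": "T1082", "win32_operatingsystem": "T1082",
    "win32_process": "T1057", "win32_pnpentity": "T1120",
    "antivirusproduct": "T1063", "firewallproduct": "T1063",
}

# Constructed script block records (Event ID 4104 style). pid 4242 mirrors the 11.A.3 to
# 11.A.8 sandbox checks; pid 5151 is an administrator running two unrelated queries.
SAMPLE_EVENTS = [
    {"ts": "2020-01-01T10:00:00", "pid": 4242, "script": "Get-WmiObject -Class Win32_BIOS | Select SerialNumber, Version"},
    {"ts": "2020-01-01T10:00:01", "pid": 4242, "script": "gwmi Win32_ComputerSystem | select Manufacturer, Model"},
    {"ts": "2020-01-01T10:00:01", "pid": 4242, "script": "gwmi Win32_PnPEntity | where {$_.DeviceId -like '*VBOX*'}"},
    {"ts": "2020-01-01T10:00:02", "pid": 4242, "script": "Get-WmiObject -Query 'SELECT Name FROM Win32_Process'"},
    {"ts": "2020-01-01T10:00:02", "pid": 4242, "script": "Get-WmiObject -Namespace root\\SecurityCenter2 -Class AntiVirusProduct"},
    {"ts": "2020-01-01T10:05:00", "pid": 5151, "script": "Get-WmiObject Win32_OperatingSystem | select Caption"},
    {"ts": "2020-01-01T10:20:00", "pid": 5151, "script": "gwmi Win32_Service | where State -eq Running"},
]


def extract_wmi_classes(script: str) -> Set[str]:
    """Return the distinct WMI classes referenced by WMI cmdlets in one script block."""
    classes: Set[str] = set()
    for call in WMI_CALL_RE.finditer(script):
        classes.update(WMI_CLASS_RE.findall(call.group(1)))
    return classes


def detect_wmi_recon(events: List[dict], threshold: int = 3, window_seconds: int = 60) -> List[dict]:
    """Raise at most one alert per pid whose distinct WMI classes within any window reach threshold."""
    by_pid: Dict[int, list] = defaultdict(list)
    for e in events:
        classes = extract_wmi_classes(e["script"])
        if classes:
            by_pid[e["pid"]].append((datetime.fromisoformat(e["ts"]), classes))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for pid, items in by_pid.items():
        items.sort(key=lambda item: item[0])
        for i, (start, _) in enumerate(items):
            seen: Set[str] = set()
            for ts, classes in items[i:]:
                if ts - start > window:
                    break
                seen |= classes
            if len(seen) >= threshold:
                alerts.append({
                    "name": "Reconnaissance of Multiple WMI Classes",
                    "severity": "medium",
                    "pid": pid,
                    "first_seen": start.isoformat(),
                    "classes": sorted(seen),
                    "techniques": sorted({CLASS_TO_TECHNIQUE.get(c.lower(), "T1082") for c in seen}),
                })
                break  # one alert per process; the burst is the signal, not each query
    return alerts


if __name__ == "__main__":
    for alert in detect_wmi_recon(SAMPLE_EVENTS):
        print(alert)
```

The single-class administrator queries (pid 5151) never fire at the default threshold and window; only the burst does, which is the same reason the 4.C.6 row shows the OS-version query alerting as part of a group rather than on its own. Threshold and window are the tuning knobs: raising the window catches a slower, spaced-out recon script at the cost of more benign inventory tooling, which is why the per-class technique list is kept on the alert so an analyst can see what was actually enumerated.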