Discovery

T1049 - System Network Connections Discovery

This module uses the CreateProcess Win32 API to execute
netstat.exe
net.exe use
net.exe sessions

T1033 - System Owner/User Discovery

This module uses the CreateProcess Win32 API to execute
whoami.exe
query user

T1007 - System Service Discovery

This module uses the CreateProcess Win32 API to execute
net.exe start
tasklist.exe /svc

T1087.002 - Account Discovery: Domain Account

Variation 1

This module uses the System.DirectoryServices .NET namespace to query a domain environment using LDAP.

Variation 2

This module uses the CreateProcess Win32 API to execute:
net.exe user /domain

T1046 - Network Service Scanning

This module uses the System.Net.Sockets .NET namespace to scan ports on remote endpoints randomly picked using LDAP.

T1087.001 - Account Discovery: Local Account

This module uses the CreateProcess Win32 API to execute
net.exe user

T1016 - System Network Configuration Discovery

This module uses the CreateProcess Win32 API to execute
ipconfig.exe /all

T1083 - File and Directory Discovery

This module uses the CreateProcess Win32 API to execute
dir.exe c:\ >> %temp%\download
dir.exe C:\Users\ >> %temp%\download

T1135 - Network Share Discovery

This module uses the NetShareEnum Win32 API function to enumerate shares on remote endpoints randomly picked using LDAP.
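
A detection-side view of the CreateProcess-based modules listed above, as an added example that is not part of the original page or the tool's own code: it maps the command lines on this page to their technique IDs and flags a parent process that runs several distinct ones within a short window. The event tuples, the parent name `sim.exe`, the 60-second window and the threshold of three are constructed assumptions; real input would come from process-creation telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines listed on this page, mapped to their ATT&CK technique IDs.
PATTERNS = [(re.compile(p, re.I), t) for p, t in [
    (r"\bnetstat(\.exe)?\b", "T1049"),
    (r"\bnet(\.exe)?\s+(use|sessions)\s*$", "T1049"),
    (r"\bwhoami(\.exe)?\b", "T1033"),
    (r"\bquery\s+user\b", "T1033"),
    (r"\bnet(\.exe)?\s+start\s*$", "T1007"),   # bare "net start" only lists services
    (r"\btasklist(\.exe)?\s+/svc\b", "T1007"),
    (r"\bnet(\.exe)?\s+user\s+/domain\b", "T1087.002"),
    (r"\bnet(\.exe)?\s+user\s*$", "T1087.001"),
    (r"\bipconfig(\.exe)?\s+/all\b", "T1016"),
    (r"\bdir(\.exe)?\s+c:", "T1083"),
]]

def classify(cmdline):
    # Technique ID for a process command line, or None if it is not on the list.
    return next((t for rx, t in PATTERNS if rx.search(cmdline)), None)

def detect_bursts(events, window=timedelta(seconds=60), min_techniques=3):
    """Flag (host, parent) pairs running several distinct techniques in one window."""
    by_source = defaultdict(list)
    for ts, host, parent, cmd in sorted(events):
        if (tid := classify(cmd)):
            by_source[(host, parent)].append((ts, tid))
    alerts = []
    for (host, parent), hits in by_source.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            seen = sorted({t for _, t in hits[start:end + 1]})
            if len(seen) >= min_techniques:
                alerts.append((host, parent, hits[start][0], seen))
                break  # one alert per source
    return alerts

# Constructed process-creation events: (time, host, parent image, command line).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0, "WS01", "sim.exe", "whoami.exe"),  # sim.exe is a hypothetical parent
    (T0 + timedelta(seconds=5), "WS01", "sim.exe", "ipconfig.exe /all"),
    (T0 + timedelta(seconds=10), "WS01", "sim.exe", "net.exe user /domain"),
    (T0 + timedelta(seconds=15), "WS01", "sim.exe", "netstat.exe -ano"),
    (T0, "WS02", "cmd.exe", "ipconfig /all"),
    (T0 + timedelta(minutes=10), "WS02", "cmd.exe", "whoami"),
]
```

Individually these commands are routine administration; the signal is the number of distinct techniques launched by one parent in a short span, which is why WS02 in the sample does not alert.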