Carbanak+FIN7
|
The subtechnique was not in scope.
|
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
20.B.1
|
|
|
An MSSP detection for "T1097" occurred containing evidence of Invoke-Mimikatz (kerberos::golden) usage along with Token Manipulation indicator.
[1]
|
General
(Alert, Correlated)
|
A General alert detection for "TokenPrivAdd" under "Privilege Escalation/Defense Evation {T1134} " was generated when Invoke-Mimikatz (kerberos::golden) to create and inject ticket into current session was executed. The detection was correlated to a parent grouping of malicious activity.
[1]
|
|
Created Kerberos Golden Ticket using Invoke-Mimikatz
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
[1]
Created Kerberos Golden Ticket using Invoke-Mimikatz
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
[1]
APT3
|
The subtechnique was not in scope.
|