Carbanak+FIN7

The subtechnique was not in scope.

APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 8.A.2 | Established WinRM connection to remote host Scranton (10.0.1.4); network connection to Scranton (10.0.1.4) over port 5985 | Telemetry (Correlated) | Telemetry showed a network connection to remote host Scranton (10.0.1.4) over port TCP 5985. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
| 8.A.2 | Established WinRM connection to remote host Scranton (10.0.1.4); network connection to Scranton (10.0.1.4) over port 5985 | General (Alert) | A General alert detection (red indicator) was generated for suspicious fileless execution not originating from PowerShell. [1] |
| 8.A.2 | Established WinRM connection to remote host Scranton (10.0.1.4); network connection to Scranton (10.0.1.4) over port 5985 | Tactic (Alert, Correlated) | A Tactic alert detection called "Remote Services" was generated for the use of powershell.exe with destination port 5985. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
| 8.A.2 | Established WinRM connection to remote host Scranton (10.0.1.4); network connection to Scranton (10.0.1.4) over port 5985 | Tactic (Correlated, Alert) | A Tactic alert detection called "Remote powershell activity" was generated for the use of powershell.exe with destination port 5985. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2] |
| 8.A.2 | Established WinRM connection to remote host Scranton (10.0.1.4); network connection to Scranton (10.0.1.4) over port 5985 | Technique (Alert) | A Technique alert detection (red indicator) was generated for "Powershell or WinRM remoting activity" based on wsmprovhost.exe. [1] |
| 16.C.1 | Established a WinRM connection to the domain controller host NewYork (10.0.0.4); network connection to NewYork (10.0.0.4) over port 5985 | Telemetry (Correlated) | Telemetry showed powershell.exe making a network connection to remote host NewYork (10.0.0.4) over port 5985. The detection was correlated to a parent alert for bypassing UAC with sdclt.exe. [1] |
| 16.C.1 | Established a WinRM connection to the domain controller host NewYork (10.0.0.4); network connection to NewYork (10.0.0.4) over port 5985 | Technique (Alert) | A Technique alert detection (red indicator) was generated on NewYork (10.0.0.4) for a remote PowerShell session based on the identification of the WinRM process (wsmprovhost.exe). [1] |
| 16.C.1 | Established a WinRM connection to the domain controller host NewYork (10.0.0.4); network connection to NewYork (10.0.0.4) over port 5985 | Tactic (Correlated, Alert) | A Tactic alert detection (yellow indicator) was generated for powershell.exe accessing the network. The detection was correlated to a parent alert for bypassing UAC with sdclt.exe. [1] |
| 20.B.2 | Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials; network connection to Scranton (10.0.1.4) over port 5985 | MSSP | An MSSP detection occurred containing evidence of PowerShell creating a WinRM session to remote host Scranton (10.0.1.4). [1] |
| 20.B.2 | Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials; network connection to Scranton (10.0.1.4) over port 5985 | Telemetry (Correlated) | Telemetry showed PowerShell executing the Enter-PSSession cmdlet to open a network connection to the remote host Scranton (10.0.1.4). The detection was correlated to a parent alert for Windows Management Instrumentation. [1] [2] |
| 20.B.2 | Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials; network connection to Scranton (10.0.1.4) over port 5985 | Technique (Alert) | A Technique alert detection (red indicator) called "Powershell or WinRM remoting activity" was generated for a PowerShell WinRM session on the remote host Scranton (10.0.1.4). [1] |
| 20.B.2 | Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials; network connection to Scranton (10.0.1.4) over port 5985 | Tactic (Alert) | A Tactic alert detection (red indicator) for remote PowerShell activity was generated for a PowerShell WinRM session. [1] |

APT3

The subtechnique was not in scope.
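The detection notes above all rest on the same three observables: a client process (powershell.exe) opening a TCP connection to port 5985, the WinRM session host wsmprovhost.exe starting on the target, and the Enter-PSSession cmdlet in the client's command line. The following is an added example, not code from the evaluated vendor, from MITRE, or from this page, that turns those observables into Telemetry, Tactic and Technique detections over a constructed event stream and then correlates the client connection with the session host on the target. The event dictionaries, their field names (event_type, host, image, parent_image, cmdline, dest_ip, dest_port), and the source host "Workstation" are assumptions of this example; the target hosts Scranton (10.0.1.4) and NewYork (10.0.0.4) are taken from the table.

```python
"""Detect WinRM remoting activity from constructed endpoint telemetry.

Added example for the ATT&CK Evaluations table above; not vendor or MITRE code.
The event schema and the sample events below are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass

WINRM_PORTS = {5985, 5986}                      # WinRM HTTP / HTTPS listeners
WINRM_CLIENTS = {"powershell.exe", "pwsh.exe"}  # usual remoting clients
WINRM_HOST_PROCESS = "wsmprovhost.exe"          # spawned on the target for a session
WINRM_CMDLETS = ("enter-pssession", "invoke-command", "new-pssession")

# Target hosts as named in the evaluation table (assumed IP-to-name mapping).
IP_TO_HOST = {"10.0.1.4": "Scranton", "10.0.0.4": "NewYork"}


@dataclass(frozen=True)
class Detection:
    host: str   # host the event was observed on
    kind: str   # "Telemetry", "Tactic" or "Technique", mirroring the table
    note: str


def detect_winrm(events):
    """Emit one detection per matching observable, in event order."""
    found = []
    for ev in events:
        image = ev["image"].lower()
        if ev["event_type"] == "network" and ev["dest_port"] in WINRM_PORTS:
            note = f"{ev['image']} connected to {ev['dest_ip']} over TCP {ev['dest_port']}"
            # Any process reaching a WinRM port is recorded as telemetry ...
            found.append(Detection(ev["host"], "Telemetry", note))
            # ... but only a PowerShell client is raised to a "Remote Services" tactic alert.
            if image in WINRM_CLIENTS:
                found.append(Detection(ev["host"], "Tactic", "Remote Services: " + note))
        elif ev["event_type"] == "process":
            if image == WINRM_HOST_PROCESS:
                parent = ev.get("parent_image", "?")
                found.append(Detection(ev["host"], "Technique",
                                       f"PowerShell or WinRM remoting activity: {WINRM_HOST_PROCESS} started by {parent}"))
            elif image in WINRM_CLIENTS:
                cmd = ev.get("cmdline", "").lower()
                hit = next((c for c in WINRM_CMDLETS if c in cmd), None)
                if hit:
                    found.append(Detection(ev["host"], "Telemetry", f"{ev['image']} invoked {hit}"))
    return found


def correlate_sessions(events):
    """Pair a PowerShell connection to a WinRM port with wsmprovhost.exe starting on the target."""
    hosts_with_session_host = {
        ev["host"] for ev in events
        if ev["event_type"] == "process" and ev["image"].lower() == WINRM_HOST_PROCESS
    }
    pairs = []
    for ev in events:
        if (ev["event_type"] == "network" and ev["dest_port"] in WINRM_PORTS
                and ev["image"].lower() in WINRM_CLIENTS):
            target = IP_TO_HOST.get(ev["dest_ip"])
            if target in hosts_with_session_host:
                pairs.append((ev["host"], target))
    return pairs


def summarize(detections):
    """Count detections by kind, e.g. to compare with the evaluation table."""
    return Counter(d.kind for d in detections)


# Constructed sample events: a remoting session from Workstation to Scranton,
# one benign HTTPS connection, and a non-PowerShell process touching port 5985.
SAMPLE_EVENTS = [
    {"event_type": "process", "host": "Workstation", "image": "powershell.exe",
     "parent_image": "explorer.exe", "cmdline": "powershell.exe Enter-PSSession -ComputerName Scranton"},
    {"event_type": "network", "host": "Workstation", "image": "powershell.exe",
     "dest_ip": "10.0.1.4", "dest_port": 5985},
    {"event_type": "process", "host": "Scranton", "image": "wsmprovhost.exe",
     "parent_image": "svchost.exe", "cmdline": "wsmprovhost.exe -Embedding"},
    {"event_type": "network", "host": "Workstation", "image": "chrome.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"event_type": "network", "host": "Workstation", "image": "curl.exe",
     "dest_ip": "10.0.0.4", "dest_port": 5985},
]

if __name__ == "__main__":
    for d in detect_winrm(SAMPLE_EVENTS):
        print(f"[{d.kind:9}] {d.host}: {d.note}")
    print("sessions:", correlate_sessions(SAMPLE_EVENTS))
    print("summary:", dict(summarize(detect_winrm(SAMPLE_EVENTS))))
```

Run on the sample stream, the example yields three Telemetry, one Tactic and one Technique detection and one correlated session (Workstation to Scranton); the curl.exe connection to NewYork produces telemetry only, because the target never starts wsmprovhost.exe and the client is not PowerShell, which is the same distinction the table draws between raw telemetry and a Tactic alert.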