Command and Scripting Interpreter (T1059)
Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 1.A.3 | |
| 1.A.7 | |
| 1.A.8 | |
| 1.A.9 | Tactic: Execution (TA0002). Subtechnique: Command and Scripting Interpreter: JavaScript/Jscript (T1059.007) |
| 2.B.2 | |
| 2.B.3 | |
| 3.A.1 | |
| 3.B.2 | |
| 3.B.3 | |
| 4.B.3 | |
| 4.B.6 | |
| 5.A.6 | |
| 5.C.5 | |
| 6.A.1 | |
| 7.A.2 | |
| 8.A.1 | |
| 11.A.4 | |
| 12.A.2 | Tactic: Execution (TA0002). Subtechnique: Command and Scripting Interpreter: JavaScript/Jscript (T1059.007) |
| 13.A.2 | |
| 13.B.2 | |
| 13.B.3 | |
| 14.A.1 | |
| 14.A.2 | |
| 14.A.4 | |
| 15.A.4 | |
| 16.A.3 | |
| 17.A.3 | |
| 19.B.1 | |

APT29

| Step | ATT&CK Pattern |
|---|---|
| 1.B.1 | |
| 1.B.2 | |
| 4.A.2 | |
| 9.B.1 | |
| 11.A.12 | |
| 20.A.3 | |

APT3

| Step | ATT&CK Pattern |
|---|---|
| 1.A.1.3 | |
| 11.A.1 | |
| 12.E.1 | |
| 15.A.1.1 | |
| 16.F.1 | Tactic: Execution (TA0002) |

Procedure
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.




Procedure
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Footnotes
- The vendor noted the capability can create a new condition that would track all actions on a certain file of interest. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.



