Enterprise participant: FireEye
Lateral Movement (TA0008)
Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 5.A.7 | |
| 5.A.9 | Lateral Tool Transfer (T1570) |
| 5.A.10 | Lateral Tool Transfer (T1570) |
| 5.A.11 | Lateral Tool Transfer (T1570) |
| 5.B.1 | |
| 5.C.1 | |
| 5.C.2 | Remote Services (T1021): SMB/Windows Admin Shares (T1021.002) |
| 5.C.4 | Lateral Tool Transfer (T1570) |
| 7.A.5 | |
| 7.B.3 | |
| 16.A.5 | Remote Services (T1021): SMB/Windows Admin Shares (T1021.002) |
| 19.A.2 | |
APT29

| Step | ATT&CK Pattern | Procedure | Criteria |
|---|---|---|---|
| 8.A.2 | Remote Services (T1021): Windows Remote Management (T1021.006) | Established WinRM connection to remote host Scranton (10.0.1.4) | Network connection to Scranton (10.0.1.4) over port 5985 [1] |
| 8.C.2 | Remote Services (T1021): SMB/Windows Admin Shares (T1021.002) | Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec | SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share [1] |
| 16.C.1 | Remote Services (T1021): Windows Remote Management (T1021.006) | Established a WinRM connection to the domain controller host NewYork (10.0.0.4) | Network connection to NewYork (10.0.0.4) over port 5985 [1] |
| 16.D.1 | Lateral Tool Transfer (T1570) | | |
| 20.B.1 | | | |
| 20.B.2 | Remote Services (T1021): Windows Remote Management (T1021.006) | Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials | Network connection to Scranton (10.0.1.4) over port 5985 [1] |

Footnotes
[1] Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
APT3

| Step | ATT&CK Pattern |
|---|---|
| 6.C.1 | |
| 10.B.1.2 | |
| 16.A.1.2 | Remote Services (T1021): SMB/Windows Admin Shares (T1021.002) |
| 16.B.1.2 | Remote Services (T1021): SMB/Windows Admin Shares (T1021.002) |
| 16.D.1.1 | Remote Services (T1021): SMB/Windows Admin Shares (T1021.002) |
| 16.G.1 | Lateral Tool Transfer (T1570) |
| 20.A.1.2 | |

Procedures [1]
- RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism
- Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)
- Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
- Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
- RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism

Footnotes
[1] Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
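The criteria on this page are phrased as raw telemetry: a network connection to port 5985 for WinRM (APT29 steps 8.A.2, 16.C.1, 20.B.2), an SMB session on TCP 445/135 or evidence of Windows share use (APT29 step 8.C.2, the APT3 Empire admin-share procedures), and a file landing on a remote host (APT3 update.vbs written to Creeper, T1570). The following added example, which is not code from the ATT&CK Evaluations page or from FireEye, shows one way to turn those criteria into detection logic over two kinds of Windows events: Sysmon Event ID 3 network connections and Security Event ID 5145 network-share access. Every event record below is constructed; the source host CLIENT1, the users, the process paths and the simplified field names (`host`, `image`, `dst_port`, `share`, `target`, `access_mask`) are assumptions standing in for the real XML schema, and only the destination host names and addresses are taken from this page.

```python
"""Map Windows telemetry to the lateral-movement criteria used in this evaluation.

Added example: not code from the ATT&CK Evaluations page or from FireEye.
Event records are constructed and use simplified field names.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

WINRM_PORTS = {5985, 5986}   # WinRM HTTP / HTTPS listeners (criteria: port 5985)
SMB_PORTS = {445, 139}       # SMB session (criteria: TCP 445)
RPC_PORTS = {135}            # RPC endpoint mapper, used alongside SMB by tools such as PsExec
ADMIN_SHARES = {"IPC$", "ADMIN$"}
DRIVE_SHARE = re.compile(r"^[A-Z]\$$")   # C$, D$, ...
WRITE_MASK = 0x2             # WriteData/AddFile bit of the 5145 AccessMask field


@dataclass
class Finding:
    technique: str   # ATT&CK (sub-)technique ID
    host: str        # host that produced the telemetry
    detail: str


def share_name(share_path: str) -> str:
    # 5145 records ShareName as \\*\ADMIN$; keep only the last path component.
    return share_path.rsplit("\\", 1)[-1].upper()


def is_admin_share(name: str) -> bool:
    return name in ADMIN_SHARES or DRIVE_SHARE.match(name) is not None


def classify(ev: dict) -> List[Finding]:
    """Return zero or more findings for one event record."""
    out: List[Finding] = []
    if ev["id"] == 3:                           # Sysmon: network connection
        port = ev["dst_port"]
        where = f"{ev['image']} -> {ev['dst_ip']}:{port}"
        if port in WINRM_PORTS:
            out.append(Finding("T1021.006", ev["host"], f"WinRM connection: {where}"))
        elif port in SMB_PORTS | RPC_PORTS:
            # Weak evidence on its own; the criteria accept it OR proof of share use.
            out.append(Finding("T1021.002", ev["host"], f"SMB/RPC session: {where}"))
    elif ev["id"] == 5145:                      # Security: network share object accessed
        name = share_name(ev["share"])
        if is_admin_share(name):
            who = f"{ev['user']} from {ev['src_ip']}"
            out.append(Finding("T1021.002", ev["host"], f"{who} accessed {name}\\{ev['target']}"))
            # A write to ADMIN$/C$ is a file landing on the remote host (lateral tool transfer).
            # IPC$ is excluded: it carries named pipes (e.g. PsExec's svcctl), not files, and that
            # use is already captured by the T1021.002 finding above.
            if name != "IPC$" and ev["access_mask"] & WRITE_MASK:
                out.append(Finding("T1570", ev["host"], f"{who} wrote {ev['target']} to {name}"))
    return out


def detect(events: List[dict]) -> List[Finding]:
    return [f for ev in events for f in classify(ev)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.technique for f in findings))


# Constructed sample telemetry (not captured from the evaluation). Destinations reuse the hosts
# named on this page; the source host CLIENT1, users and process paths are invented.
SAMPLE_EVENTS = [
    {"id": 3, "host": "CLIENT1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "10.0.1.4", "dst_port": 5985},                                    # WinRM to Scranton
    {"id": 3, "host": "CLIENT1", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},                                 # benign HTTPS
    {"id": 3, "host": "CLIENT1", "image": "System",
     "dst_ip": "10.0.1.4", "dst_port": 445},                                     # SMB session to Scranton
    {"id": 5145, "host": "Scranton", "src_ip": "10.0.1.6", "user": r"DOMAIN\admin",
     "share": r"\\*\IPC$", "target": "svcctl", "access_mask": 0x12019F},         # PsExec service-control pipe
    {"id": 5145, "host": "Creeper", "src_ip": "10.0.0.5", "user": r"DOMAIN\admin",
     "share": r"\\*\ADMIN$", "target": "update.vbs", "access_mask": 0x12019F},   # file written to admin share
    {"id": 5145, "host": "Scranton", "src_ip": "10.0.1.6", "user": r"DOMAIN\user1",
     "share": r"\\*\SYSVOL", "target": r"Policies\gpt.ini", "access_mask": 0x120089},  # ordinary GPO read
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.host:10} {f.detail}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

On the constructed sample this yields one T1021.006 finding, three T1021.002 findings (the kernel SMB connection, the IPC$ svcctl access and the ADMIN$ access) and one T1570 finding for update.vbs; the 443 connection and the SYSVOL read produce nothing. The port-only SMB finding is deliberately kept separate from the share-access finding because the criteria treat either as sufficient, but in practice the 5145 record is what tells an analyst which share and which file were touched.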