Event Triggered Execution (T1546)

Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 19.B.5 | Tactic: Persistence (TA0003); Subtechnique: Event Triggered Execution: Application Shimming (T1546.011) |
| 20.A.1 | Tactic: Persistence (TA0003); Subtechnique: Event Triggered Execution: Application Shimming (T1546.011) |

APT29

| Step | ATT&CK Pattern |
|---|---|
| 3.B.1 | |
| 14.A.1 | |
| 15.A.2 | |
| 20.A.2 | |

Procedure
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Procedure
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Procedure
Established WMI event subscription persistence using PowerShell
Criteria
powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding created in root/subscription