Carbanak+FIN7 | The technique was not in scope.
APT29

Step | ATT&CK Pattern | Detection Type | Detection Note
20.B.3
|
|
|
A Technique alert detection (orange indicator) for "Account Operation" was generated for the addition of the new user Toby.
[1]
[2]
|
|
An MSSP detection for "Create Account" was received that described the attacker creating a new account on host Scranton (10.0.1.4) for persistence.
[1]
|
Technique
(Correlated, Alert)
|
A Technique alert detection (orange indicator) for "Create Account" was generated for net.exe with the command-line arguments to add the new user Toby. The detection was correlated to a parent alert for creation of a Windows Remote Management session.
[1]
|
|
Added a new user to the remote host Scranton (10.0.1.4) using net.exe
net.exe adding the user Toby
[1]
[2]