Carbanak+FIN7
The technique was not in scope.

APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 2.A.2 | Scripted search of filesystem for document and media files using PowerShell: powershell.exe executing (Get-)ChildItem | Telemetry (Correlated) | Telemetry showed powershell.exe executing ChildItem. The detection was correlated to a parent grouping of malicious activity. |
| 2.A.2 | Scripted search of filesystem for document and media files using PowerShell: powershell.exe executing (Get-)ChildItem | MSSP | An MSSP detection for "InteractivePSCommand" contained evidence of powershell.exe executing ChildItem. |
| 2.A.2 | Scripted search of filesystem for document and media files using PowerShell: powershell.exe executing (Get-)ChildItem | Technique (Delayed (Processing), Alert, Correlated) | A Technique alert detection for "Automated Collection" was generated on powershell.exe executing Get-ChildItem after a short delay. The detection was correlated to a parent grouping of malicious activity. |
| 9.B.3 | Scripted search of filesystem for document and media files using PowerShell: powershell.exe executing (Get-)ChildItem | Telemetry (Correlated, Configuration Change (UX)) | Telemetry showed PowerShell executing ChildItem. The detection was correlated to a parent grouping of malicious activity. Configuration change: a UX configuration change was made to bring PowerShell script block logs into the user interface. |
| 9.B.3 | Scripted search of filesystem for document and media files using PowerShell: powershell.exe executing (Get-)ChildItem | MSSP | An MSSP detection for "T1119" occurred containing evidence of enumerating directories in search of specific files. The function "ChildItem" is observed. |
| 9.B.3 | Scripted search of filesystem for document and media files using PowerShell: powershell.exe executing (Get-)ChildItem | Technique (Configuration Change (UX), Correlated, Alert) | A Technique alert detection called "Automated Collection" was generated when powershell.exe accessed multiple files when using ChildItem. The detection was correlated to a parent grouping of malicious activity. Configuration change: a UX configuration change was made to bring host file reads into the UI. |

APT3
The technique was not in scope.
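The detection logic the APT29 rows describe (telemetry on any ChildItem use, a technique-level "Automated Collection" alert when the call is a recursive search for document and media files, and correlation to the parent process grouping), as an added example that is not part of the evaluation results or any vendor's product. It runs over constructed event records whose fields mimic Windows Security 4688 (process creation, with the creator process) and PowerShell Operational 4104 (script block logging); the extension list and the alias handling are assumptions, not evaluation criteria.

```python
import re

# Constructed sample events (not evaluation data), carrying the fields a defender
# would take from Windows Security 4688 (process creation, "parent" = creator
# process) and PowerShell Operational 4104 (script block text) records.
EVENTS = [
    {"id": 4688, "pid": 4120, "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"id": 4104, "pid": 4120, "script": r"Get-ChildItem -Path C:\Users -Recurse "
                                        r"-Include *.docx,*.pdf,*.jpg -ErrorAction SilentlyContinue"},
    {"id": 4688, "pid": 5212, "parent": r"C:\Windows\explorer.exe"},
    {"id": 4104, "pid": 5212, "script": r"gci C:\Temp\old | Remove-Item"},
]

# Get-ChildItem or one of its built-in aliases at the start of a pipeline stage,
# so that a path component such as C:\dir\x does not match.
CHILDITEM = re.compile(r"(?:^|[|;{(]\s*)(?:Get-ChildItem|gci|ls|dir)\b", re.I)
RECURSE = re.compile(r"-Rec\w*\b", re.I)  # -Recurse and its abbreviated forms
DOC_MEDIA = re.compile(r"\*\.(?:docx?|xlsx?|pptx?|pdf|txt|jpe?g|png|mp4|mp3)\b", re.I)

def classify_script(script):
    """'telemetry' for any ChildItem use, 'technique' for a recursive search for
    document/media files (the 'Automated Collection' alert), None otherwise."""
    if not CHILDITEM.search(script):
        return None
    if RECURSE.search(script) and DOC_MEDIA.search(script):
        return "technique"
    return "telemetry"

def correlate(events):
    """Tie each flagged script block to the process that ran it and to that
    process's parent, the 'parent grouping' the detection notes refer to."""
    procs = {e["pid"]: e for e in events if e["id"] == 4688}
    findings = []
    for e in events:
        if e["id"] != 4104:
            continue
        level = classify_script(e["script"])
        if level is None:
            continue
        proc = procs.get(e["pid"], {})
        findings.append({"level": level, "pid": e["pid"], "script": e["script"],
                         "parent": proc.get("parent")})
    return findings

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['level']:9} pid={f['pid']} parent={f['parent']}\n    {f['script']}")
```

The first constructed script block is raised to technique level and tied to an unusual parent under a user's Temp directory; the second, a cleanup pipeline, stays at telemetry level.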