CrowdStrike: Execution (TA0002)

Carbanak+FIN7

Step | ATT&CK Pattern
1.A.1 | User Execution (T1204)
1.A.2 |
1.A.3 |
1.A.7 |
1.A.8 |
1.A.9 |
2.B.2 |
2.B.3 |
3.A.1 |
3.B.2 |
3.B.3 |
3.B.6 | Native API (T1106)
4.B.3 |
4.B.6 |
5.A.6 |
5.C.3 |
5.C.5 |
6.A.1 |
7.A.2 |
8.A.1 |
11.A.1 | User Execution (T1204)
11.A.3 | Signed Binary Proxy Execution (T1218): Mshta (T1218.005)
11.A.4 |
11.A.7 |
11.A.8 |
12.A.1 |
12.A.2 |
13.A.2 |
13.B.2 |
13.B.3 |
14.A.1 |
14.A.2 |
14.A.4 |
15.A.4 |
16.A.3 |
16.A.6 |
17.A.3 |
19.B.1 |
APT29

Step | ATT&CK Pattern
1.A.1 |
1.B.1 |
1.B.2 |
4.A.2 |
4.C.10 | Native API (T1106)
4.C.12 | Native API (T1106)
8.C.3 |
9.B.1 |
10.A.1 |
10.B.2 | Native API (T1106)
11.A.1 |
11.A.12 |
14.B.1 |
16.B.2 | Native API (T1106)
20.A.1 | Signed Binary Proxy Execution (T1218): Rundll32 (T1218.011)
20.A.3 |

Procedure
Executed persistent service (javamtsup) on system startup
Criteria
javamtsup.exe spawning from services.exe

Procedure
Executed PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe executing the CreateProcessWithToken API
APT3

Step | ATT&CK Pattern
1.A.1.1 |
1.A.1.2 | Signed Binary Proxy Execution (T1218): Rundll32 (T1218.011)
1.A.1.3 |
3.C.1 | Process Injection (T1055)
5.A.1.2 | Process Injection (T1055)
5.A.2.2 | Process Injection (T1055)
7.A.1.2 | Graphical User Interface (T1061)
7.C.1 |
8.D.1.2 | Process Injection (T1055)
10.A.2 |
11.A.1 |
12.E.1 |
16.F.1 |
16.L.1 |

Procedure
Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
Footnotes
- For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.

Procedure
Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32
Footnotes
- For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.

Procedure
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Footnotes
- For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.

Procedure
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Footnotes
- For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.