Masquerading (T1036)
ATT&CK Evaluations, Enterprise: participant FireEye
Carbanak+FIN7

Step | ATT&CK Pattern
---|---
11.A.6 |
17.A.2 | Tactic: Defense Evasion (TA0005); Subtechnique: Masquerading: Match Legitimate Name or Location (T1036.005)

APT29

Step | ATT&CK Pattern
---|---
1.A.2 |
6.A.3 | Tactic: Defense Evasion (TA0005); Subtechnique: Masquerading: Match Legitimate Name or Location (T1036.005)

Procedure: Masqueraded a Chrome password dump tool as accesscheck.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
Footnotes:
- The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.


APT3

Step | ATT&CK Pattern
---|---
16.I.1.2 |
19.A.1.1 | Tactic: Defense Evasion (TA0005)
19.B.1.3 | Tactic: Defense Evasion (TA0005)

Procedure: Empire: File dropped to disk is a renamed copy of the WinRAR binary
Procedure: Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
Footnotes (both procedures):
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
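The two detection conditions this page records are "the file named accesschk.exe is not the legitimate Sysinternals tool" (APT29, 6.A.3) and "the executed binary is a renamed copy of WinRAR" (APT3, recycler.exe). The following script is an added example, not part of the MITRE evaluation page and not FireEye's detection logic; it encodes both conditions as checks over process-creation records. The record layout is an assumption for the example: Sysmon Event ID 1 fields (Image, OriginalFileName, Company) combined with the signature fields Sysmon reports for loaded images (Signed, Signature, SignatureStatus), as an EDR pipeline that enriches process events with signature data might emit them. All sample events are constructed.

```python
"""Detect masquerading (T1036.005) in process-creation telemetry.

Two checks run over Sysmon-style event records:
  1. known_tool_signer_mismatch: the on-disk name is a well-known tool
     (here accesschk.exe) but the binary is unsigned or signed by a
     publisher other than the one expected for that tool.
  2. renamed_binary: the on-disk name differs from the OriginalFileName
     stored in the PE version resource (e.g. recycler.exe whose
     OriginalFileName is WinRAR.exe).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ntpath

# Expected publisher per well-known tool name. Assumption for this example:
# Sysinternals binaries carry a valid "Microsoft Corporation" signature.
EXPECTED_SIGNER: Dict[str, str] = {
    "accesschk.exe": "Microsoft Corporation",
}


@dataclass
class Finding:
    rule: str    # which check fired
    image: str   # full path of the process image
    detail: str  # human-readable explanation for the analyst


def _basename(path: str) -> str:
    """Windows basename, lower-cased for case-insensitive comparison."""
    return ntpath.basename(path).lower()


def check_expected_signer(event: dict) -> Optional[Finding]:
    """Flag a well-known tool name whose signature does not match expectations."""
    name = _basename(event["Image"])
    expected = EXPECTED_SIGNER.get(name)
    if expected is None:
        return None  # not a name we hold expectations for
    signed = event.get("Signed", "false").lower() == "true"
    signer = event.get("Signature", "")
    status = event.get("SignatureStatus", "")
    if not signed or signer != expected or status != "Valid":
        return Finding(
            "known_tool_signer_mismatch", event["Image"],
            f"{name}: expected valid signature by '{expected}', "
            f"got signed={signed} signer='{signer}' status='{status}'",
        )
    return None


def check_original_filename(event: dict) -> Optional[Finding]:
    """Flag a binary whose on-disk name differs from its PE OriginalFileName."""
    name = _basename(event["Image"])
    original = event.get("OriginalFileName", "").lower()
    if original in ("", "-", "?"):
        return None  # no version resource; nothing to compare against
    if original != name:
        return Finding(
            "renamed_binary", event["Image"],
            f"on-disk name '{name}' but OriginalFileName '{original}'",
        )
    return None


def scan(events: List[dict]) -> List[Finding]:
    """Run every check over every event and collect the findings."""
    findings: List[Finding] = []
    for event in events:
        for check in (check_expected_signer, check_original_filename):
            finding = check(event)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample events (not real telemetry from the evaluation).
SAMPLE_EVENTS: List[dict] = [
    {   # genuine Sysinternals accesschk: no finding expected
        "Image": r"C:\Tools\accesschk.exe", "OriginalFileName": "accesschk.exe",
        "Company": "Sysinternals - www.sysinternals.com",
        "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid",
    },
    {   # unsigned tool dropped under the accesschk.exe name: signer mismatch
        "Image": r"C:\Users\Public\accesschk.exe", "OriginalFileName": "-",
        "Company": "-", "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable",
    },
    {   # WinRAR renamed to recycler.exe: OriginalFileName disagrees with name
        "Image": r"C:\Windows\Temp\recycler.exe", "OriginalFileName": "WinRAR.exe",
        "Company": "Alexander Roshal", "Signed": "true",
        "Signature": "win.rar GmbH", "SignatureStatus": "Valid",
    },
    {   # ordinary Windows binary; OriginalFileName case differs only
        "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
        "Company": "Microsoft Corporation", "Signed": "true",
        "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

The second check is the more general one: it does not need a list of tool names, only a version resource to compare against, which is why it catches the renamed WinRAR without any WinRAR-specific rule. Its blind spot is a binary with no version resource at all (the "-" case above), which is exactly why the first check, keyed on names an adversary is likely to borrow, is kept alongside it.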