Carbanak+FIN7

The sub-technique was not in scope.
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 4.C.7 | Enumerated anti-virus software using PowerShell: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct | Technique | A Technique alert detection (high severity) was generated for PowerShell performing suspicious Security Software Discovery. [1] [2] |
| 4.C.7 | Enumerated anti-virus software using PowerShell: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct | MSSP | An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions. [1] |
| 4.C.7 | Enumerated anti-virus software using PowerShell: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct | Telemetry | Telemetry showed powershell.exe executing Get-WmiObject... -Class AntiVirusProduct. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from a users or temporary folder. [1] [2] |
| 4.C.8 | Enumerated firewall software using PowerShell: powershell.exe executing Get-WmiObject ... -Class FireWallProduct | MSSP | An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions. [1] |
| 4.C.8 | Enumerated firewall software using PowerShell: powershell.exe executing Get-WmiObject ... -Class FireWallProduct | Telemetry | Telemetry showed powershell.exe executing Get-WmiObject... -Class FireWallProduct. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from a users or temporary folder. [1] [2] |
| 12.B.1 | Enumerated registered AV products using PowerShell: powershell.exe executing a Get-WmiObject query for AntiVirusProduct | Telemetry | Telemetry showed a PowerShell gwmi query for AntiVirusProduct. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view. |
| 12.B.1 | Enumerated registered AV products using PowerShell: powershell.exe executing a Get-WmiObject query for AntiVirusProduct | MSSP | An MSSP detection occurred containing evidence of security software discovery attempts. [1] |
| 12.B.1 | Enumerated registered AV products using PowerShell: powershell.exe executing a Get-WmiObject query for AntiVirusProduct | Technique | A Technique alert detection (high severity) called "Security Software Discovery" was generated due to powershell executing a gwmi query for AntiVirusProduct. [1] [2] |
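As an added illustration of the detection logic the APT29 notes describe (example code, not part of the evaluation results or any vendor's product), the following Python flags PowerShell Get-WmiObject/gwmi queries for the AntiVirusProduct and FireWallProduct classes in constructed process-creation events and raises the severity when the parent image runs from a user or temporary folder, mirroring the parent-alert correlation in the notes. The event field layout, sample paths and severity labels are assumptions.

```python
import re
from dataclasses import dataclass

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample process-creation events (assumed field layout, not real
# evaluation telemetry): image, parent image, command line.
SAMPLE_EVENTS = [
    {"image": PS, "parent": r"C:\Users\pam\Desktop\rcs.3aka3.doc",
     "cmdline": "powershell.exe -c Get-WmiObject -Class AntiVirusProduct"},
    {"image": PS, "parent": r"C:\Users\pam\AppData\Local\Temp\rcs.3aka3.doc",
     "cmdline": "powershell.exe gwmi -Class FireWallProduct"},
    {"image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-WmiObject -Class AntiVirusProduct"},
    {"image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\"},
]

# Cmdlet name or its gwmi alias followed by a security-software WMI class.
WMI_SECSW = re.compile(
    r"\b(Get-WmiObject|gwmi)\b.*?-Class\s+(AntiVirusProduct|FireWallProduct)\b",
    re.IGNORECASE)
# Parent image running from a user profile or temp directory, the correlation
# the APT29 notes describe for the rcs.3aka3.doc screensaver parent.
SUSPICIOUS_PARENT_DIR = re.compile(r"\\(Users|Temp)\\", re.IGNORECASE)

@dataclass
class Detection:
    severity: str   # "telemetry" (query seen) or "high" (suspicious parent too)
    wmi_class: str  # AntiVirusProduct or FireWallProduct
    parent: str

def classify(event):
    """Return a Detection for a PowerShell security-software WMI query, else None."""
    if not event["image"].lower().endswith("powershell.exe"):
        return None
    m = WMI_SECSW.search(event["cmdline"])
    if not m:
        return None
    # The query alone is telemetry; escalate when the parent runs from a user
    # or temporary folder, as the parent-alert correlation in the notes does.
    sev = "high" if SUSPICIOUS_PARENT_DIR.search(event["parent"]) else "telemetry"
    return Detection(sev, m.group(2), event["parent"])

def scan(events):
    """Classify every event and keep only the hits."""
    return [d for d in map(classify, events) if d is not None]
```

Running scan(SAMPLE_EVENTS) yields two high-severity hits for the queries spawned from the user and temp folders and one telemetry-only hit for the query spawned by explorer.exe; the Get-ChildItem event produces nothing.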
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 12.E.1.10.1 | Empire: WinEnum module included enumeration of AV solutions [1] | Telemetry | Telemetry showed an event log for the WMI query of the system AV products. [1] |
| 12.E.1.10.2 | Empire: WinEnum module included enumeration of firewall rules [1] | Enrichment | The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Security Software Discovery). [1] |