Carbanak+FIN7: The subtechnique was not in scope.

APT29: The subtechnique was not in scope.

APT3

| Step | Procedure | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|---|
| 10.B.1.1 | RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse [1] | | | Telemetry showed the logon session for Jesse to Conficker (10.0.0.5) as a Remote Interactive Logon Type. [1] |
| 16.B.1.1 | Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick [1] | | | The capability enriched a logon attempt via net.exe, using the valid credentials of user Kmitnick, with a related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares), in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The data was tainted by a parent PowerShell alert. [1] |
| 16.B.1.1 | Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick [1] | | | Telemetry showed net.exe executing with command-line arguments. [1] |
- The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1]