Carbanak+FIN7

The subtechnique was not in scope.

APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 20.B.3 | | | Telemetry showed net.exe with the command-line arguments to add the new user Toby. The detection was correlated to a parent alert for the malicious use of powershell.exe. |
| | | Technique (Alert, Correlated) | A Technique alert detection called "net.exe is used to create a user or add a user to a group" was generated for net.exe with the command-line arguments to add the new user Toby. The detection was correlated to a parent alert for the malicious use of powershell.exe. |

Added a new user to the remote host Scranton (10.0.1.4) using net.exe
net.exe adding the user Toby
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 7.A.1.1 | | | Telemetry showed lsass.exe creating a Registry key for user Jesse, indicating that the user is new. |

Added user Jesse to Conficker (10.0.0.5) through RDP connection