Event Triggered Execution (T1546)

Carbanak+FIN7

Step | ATT&CK Pattern
19.B.5 | Tactic: Persistence (TA0003). Sub-technique: Event Triggered Execution: Application Shimming (T1546.011)
20.A.1 | Tactic: Persistence (TA0003). Sub-technique: Event Triggered Execution: Application Shimming (T1546.011)

APT29

Step | ATT&CK Pattern
3.B.1 |
14.A.1 |
15.A.2 |
20.A.2 |

Procedure
Executed WMI persistence on user login
Criteria
The WMI provider host process (wmiprvse.exe) executing powershell.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

APT3

Step | ATT&CK Pattern
17.C.1 | Tactic: Persistence (TA0003). Sub-technique: Event Triggered Execution: Accessibility Features (T1546.008)
20.A.1.1 | Tactic: Persistence (TA0003). Sub-technique: Event Triggered Execution: Accessibility Features (T1546.008)
17.C.1 Procedure
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

20.A.1.1 Procedure
magnify.exe, previously overwritten with cmd.exe, launched through an RDP connection made to Creeper (10.0.0.4)

Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.


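The two detection criteria on this page (a WMI provider host spawning PowerShell for the APT29 WMI persistence step, and an accessibility binary such as magnify.exe that has been replaced with cmd.exe for the APT3 steps) can be expressed as two small rules over process-creation telemetry. The following is an added example and is not part of the evaluation page or of FireEye's product. It assumes Sysmon Event ID 1 records with the standard Image, ParentImage, OriginalFileName and CommandLine fields; the records themselves are constructed samples, not telemetry captured during the evaluation. The WMI rule is labelled with T1546.003 (WMI Event Subscription), the ATT&CK ID for WMI-based persistence, which the page's own table cells do not show; it also matches pwsh.exe, which goes slightly beyond the page's powershell.exe criterion.

```python
"""Two T1546 detections over Sysmon Event ID 1 (process creation) records.

Rule 1 (T1546.003): wmiprvse.exe as parent of powershell.exe / pwsh.exe.
Rule 2 (T1546.008): an accessibility binary whose PE OriginalFileName does not
match its on-disk name (e.g. magnify.exe that is really Cmd.Exe).
"""
from __future__ import annotations

import ntpath

# Constructed sample records (assumption: Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {   # WMI provider host being started by svchost: benign
        "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "OriginalFileName": "Wmiprvse.exe",
        "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
    },
    {   # WMI event consumer firing PowerShell on logon: rule 1 hit
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -NoP -W Hidden -c Get-Date",
    },
    {   # User-launched PowerShell from Explorer: benign
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe",
    },
    {   # magnify.exe overwritten with cmd.exe, launched from the logon screen: rule 2 hit
        "Image": r"C:\Windows\System32\magnify.exe",
        "ParentImage": r"C:\Windows\System32\winlogon.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "magnify.exe",
    },
    {   # Genuine Magnifier: benign (name matches the PE's own OriginalFileName)
        "Image": r"C:\Windows\System32\magnify.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "OriginalFileName": "MAGNIFY.EXE",
        "CommandLine": "magnify.exe",
    },
]

# Binaries reachable from the logon screen via accessibility hotkeys/buttons.
ACCESSIBILITY_BINARIES = {
    "magnify.exe", "sethc.exe", "utilman.exe", "osk.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}
WMI_HOST = "wmiprvse.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def wmi_spawned_powershell(ev: dict) -> bool:
    """Rule 1: the page's APT29 criterion, wmiprvse.exe executing powershell.exe."""
    return (_base(ev.get("ParentImage", "")) == WMI_HOST
            and _base(ev.get("Image", "")) in SCRIPT_HOSTS)


def accessibility_binary_replaced(ev: dict) -> bool:
    """Rule 2: an accessibility binary whose version-resource name disagrees with
    its file name. A copy of cmd.exe placed at magnify.exe reports 'Cmd.Exe'.
    Caveat: an attacker who also patches the PE version resource evades this;
    pair it with file-hash or signature checks on the accessibility binaries."""
    name = _base(ev.get("Image", ""))
    orig = ev.get("OriginalFileName", "").lower()
    return name in ACCESSIBILITY_BINARIES and orig != "" and orig != name


def run_detections(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule label, evidence) pairs for every event that trips a rule."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        if wmi_spawned_powershell(ev):
            hits.append(("T1546.003 wmiprvse.exe -> PowerShell", ev["CommandLine"]))
        if accessibility_binary_replaced(ev):
            hits.append((f"T1546.008 {_base(ev['Image'])} is really "
                         f"{ev['OriginalFileName']}", ev["Image"]))
    return hits


if __name__ == "__main__":
    for label, evidence in run_detections(SAMPLE_EVENTS):
        print(f"{label}: {evidence}")
```

Rule 1 is deliberately as broad as the page's criterion, so in an enterprise where management tooling drives PowerShell through WMI it will need tuning on the command line or the consumer name; rule 2 is the cheap telemetry-side check and does not replace verifying the hashes or Authenticode signatures of the accessibility binaries on disk.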