Execution (TA0002)

Carbanak+FIN7

| Step | ATT&CK Pattern |
| --- | --- |
| 1.A.1 | Technique: User Execution (T1204) |
| 1.A.2 | |
| 1.A.3 | |
| 1.A.7 | |
| 1.A.8 | |
| 1.A.9 | |
| 2.B.2 | |
| 2.B.3 | |
| 3.A.1 | |
| 3.B.2 | |
| 3.B.3 | |
| 3.B.6 | Technique: Native API (T1106) |
| 4.B.3 | |
| 4.B.6 | |
| 5.A.6 | |
| 5.C.3 | |
| 5.C.5 | |
| 6.A.1 | |
| 7.A.2 | |
| 8.A.1 | |
| 11.A.1 | Technique: User Execution (T1204) |
| 11.A.3 | Technique: Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Mshta (T1218.005) |
| 11.A.4 | |
| 11.A.7 | |
| 11.A.8 | |
| 12.A.1 | |
| 12.A.2 | |
| 13.A.2 | |
| 13.B.2 | |
| 13.B.3 | |
| 14.A.1 | |
| 14.A.2 | |
| 14.A.4 | |
| 15.A.4 | |
| 16.A.3 | |
| 16.A.6 | |
| 17.A.3 | |
| 19.B.1 | |
APT29

| Step | ATT&CK Pattern |
| --- | --- |
| 1.A.1 | |
| 1.B.1 | |
| 1.B.2 | |
| 4.A.2 | |
| 4.C.10 | Technique: Native API (T1106) |
| 4.C.12 | Technique: Native API (T1106) |
| 8.C.3 | |
| 9.B.1 | |
| 10.A.1 | |
| 10.B.2 | Technique: Native API (T1106) |
| 11.A.1 | |
| 11.A.12 | |
| 14.B.1 | |
| 16.B.2 | Technique: Native API (T1106) |
| 20.A.1 | Technique: Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Rundll32 (T1218.011) |
| 20.A.3 | |
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll

Procedure: Executed persistent service (javamtsup) on system startup
Criteria: javamtsup.exe spawning from services.exe

Procedure: Executed PowerShell stager payload
Criteria: powershell.exe spawning from the schemas ADS (powershell.exe)
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
APT3

| Step | ATT&CK Pattern |
| --- | --- |
| 1.A.1.1 | |
| 1.A.1.2 | Technique: Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Rundll32 (T1218.011) |
| 1.A.1.3 | |
| 3.C.1 | Technique: Process Injection (T1055) |
| 5.A.1.2 | Technique: Process Injection (T1055) |
| 5.A.2.2 | Technique: Process Injection (T1055) |
| 7.A.1.2 | Technique: Graphical User Interface (T1061) |
| 7.C.1 | |
| 8.D.1.2 | Technique: Process Injection (T1055) |
| 10.A.2 | |
| 11.A.1 | |
| 12.E.1 | |
| 16.F.1 | |
| 16.L.1 | |