Carbanak+FIN7 | The subtechnique was not in scope.

APT29 | The subtechnique was not in scope.

APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 16.I.1.2 | Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4) [1] [2] | | Telemetry showed sc.exe executing with command-line arguments for a new service called AdobeUpdater with binPath pointed to cmd.exe with arguments to execute update.vbs and service description "Synchronize with Adobe for security updates." An analyst could use this information to determine it is not a legitimate service. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. [1] [2] |
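The detection note above rests on two pieces of telemetry: the sc.exe command line (a service whose binPath launches cmd.exe to run a .vbs file, plus a benign-sounding description set from the command line) and the process tree (sc.exe spawned by powershell.exe). The following Python is an added example, not part of the ATT&CK Evaluations page or any vendor's product, showing how an analyst could turn those observations into a rule over process-creation records. The field names (`image`, `parent_image`, `command_line`), the file paths, the benign `MyAgent` service and the `\\creeper` remote-target form are constructed for the example; only the AdobeUpdater service name, the update.vbs script, the description text and the host name come from the evaluation step.

```python
import re
from collections import defaultdict

# Interpreters that should not be the executable behind a Windows service;
# a binPath launching one of them is running a script, not a service binary.
INTERPRETER_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".js", ".ps1", ".bat", ".cmd", ".hta")
# Parent images that mean sc.exe was driven from a scripting host rather than
# an installer; this reproduces the "tainted by powershell.exe" signal.
SCRIPTED_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# sc.exe [\\server] <verb> <service> ...   (verb and service name captured)
SC_CMD_RE = re.compile(
    r'(?:^"?|\\)sc(?:\.exe)?"?\s+(?:\\\\\S+\s+)?(?P<verb>create|config|description)\s+(?P<svc>"[^"]+"|\S+)',
    re.IGNORECASE,
)
# sc.exe syntax is "binPath= value": note the space after the equals sign.
BINPATH_RE = re.compile(r'binpath=\s*(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows path or token, quotes stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _add(findings, svc, reason):
    """Append a reason for a service, ignoring duplicates across events."""
    if reason not in findings[svc]:
        findings[svc].append(reason)


def analyze_service_events(events):
    """Return {service_name: [reasons]} for services whose sc.exe command lines
    point binPath at an interpreter or script. Parent-process and description
    signals are attached as context but never trigger a finding on their own."""
    findings = defaultdict(list)
    for ev in events:
        if _basename(ev["image"]) != "sc.exe":
            continue
        m = SC_CMD_RE.search(ev["command_line"])
        if not m:
            continue
        svc = m.group("svc").strip('"')
        verb = m.group("verb").lower()
        if verb in ("create", "config"):
            bp = BINPATH_RE.search(ev["command_line"])
            if bp:
                tokens = (bp.group("quoted") or bp.group("bare")).split()
                if tokens and _basename(tokens[0]) in INTERPRETER_HOSTS:
                    _add(findings, svc, f"binPath launches interpreter {_basename(tokens[0])}")
                for tok in tokens:
                    if tok.lower().endswith(SCRIPT_EXTENSIONS):
                        _add(findings, svc, f"binPath references script {_basename(tok)}")
        elif verb == "description":
            _add(findings, svc, "description set via sc.exe (text is attacker-controlled)")
        parent = _basename(ev["parent_image"])
        if parent in SCRIPTED_PARENTS:
            _add(findings, svc, f"sc.exe spawned by {parent} (process tree tainted by a scripting host)")
    # Report only services with a binPath signal; a PowerShell parent or a
    # description on its own is routine administration.
    return {svc: reasons for svc, reasons in findings.items()
            if any(r.startswith("binPath") for r in reasons)}


# Constructed process-creation records (Sysmon Event ID 1 style field names).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\sc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'sc.exe \\creeper create AdobeUpdater binPath= "cmd.exe /c C:\Windows\Temp\update.vbs" start= auto'},
    {"image": r"C:\Windows\System32\sc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'sc.exe \\creeper description AdobeUpdater "Synchronize with Adobe for security updates."'},
    {"image": r"C:\Windows\System32\sc.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'"C:\Windows\System32\sc.exe" create MyAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for svc, reasons in analyze_service_events(SAMPLE_EVENTS).items():
        print(svc)
        for r in reasons:
            print("  -", r)
```

The rule deliberately keys on the binPath target rather than on the service name or description: the name and description are chosen by whoever runs sc.exe, so a legitimate-sounding "AdobeUpdater" is exactly what the detection must not trust, while a service whose executable is cmd.exe running a .vbs is anomalous regardless of how it is labelled. The parent-process and description signals are reported as supporting context so an analyst sees the same picture the evaluation note describes.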