Carbanak+FIN7

The subtechnique was not in scope.

APT29

The subtechnique was not in scope.

APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 10.B.1.1 | | | Telemetry showed a type 10 (interactive) UserLogon event for Jesse. [1] |
| 16.B.1.1 | | General Behavior (Tainted, Delayed) | OverWatch generated a General Behavior alert indicating the successful net use connection was suspicious. The alert was tainted by a parent powershell.exe detection. [1] [2] |
| 16.B.1.1 | | | Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a parent powershell.exe detection. [1] [2] |

Step descriptions and notes:

- Step 10.B.1.1: RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
- Step 16.B.1.1: Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
- OverWatch is the managed threat hunting service.