Carbanak+FIN7
|
The subtechnique was not in scope.
|
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
20.B.1
|
|
|
Telemetry showed the contents of the Invoke-Mimikatz script along with PowerShell executing Invoke-Mimikatz to create and inject a golden ticket into the current session. The detection was correlated to a parent alert for Windows Management Instrumentation.
[1]
[2]
|
|
An MSSP detection occurred containing evidence of PowerShell executing Invoke-Mimikatz to create and inject a golden ticket into the current session.
[1]
|
|
A General alert detection (red indicator) was generated for a Credential Theft Application Running.
[1]
|
|
A General alert detection (red indicator) was generated for PowerShell running Mimikatz.
[1]
|
|
Created Kerberos Golden Ticket using Invoke-Mimikatz
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
[1]
[2]
Created Kerberos Golden Ticket using Invoke-Mimikatz
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
[1]
Created Kerberos Golden Ticket using Invoke-Mimikatz
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
[1]
Created Kerberos Golden Ticket using Invoke-Mimikatz
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
[1]
APT3
|
The subtechnique was not in scope.
|