Carbanak+FIN7

The subtechnique was not in scope.
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 8.A.2 | Established WinRM connection to remote host Scranton (10.0.1.4); network connection to Scranton (10.0.1.4) over port 5985 [1] | MSSP | An MSSP detection occurred for the WinRM connection to remote host Scranton (10.0.1.4) over port 5985. [1] |
| 8.A.2 | Established WinRM connection to remote host Scranton (10.0.1.4); network connection to Scranton (10.0.1.4) over port 5985 [1] | Telemetry | Telemetry showed a connection to Scranton (10.0.1.4) over port 5985. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from a temporary folder. [1] |
| 16.C.1 | Established a WinRM connection to the domain controller host NewYork (10.0.0.4); network connection to NewYork (10.0.0.4) over port 5985 [1] | MSSP | An MSSP detection for Windows Remote Management occurred containing evidence of the connection to remote host NewYork (10.0.0.4) over port 5985. [1] |
| 16.C.1 | Established a WinRM connection to the domain controller host NewYork (10.0.0.4); network connection to NewYork (10.0.0.4) over port 5985 [1] | Telemetry | Telemetry showed powershell.exe making a network connection to remote host NewYork (10.0.0.4) over port 5985. The detection was correlated to a parent alert for a suspicious PowerShell process being spawned by explorer.exe. [1] |
| 20.B.2 | Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials; network connection to Scranton (10.0.1.4) over port 5985 [1] [2] | Telemetry | Telemetry showed PowerShell with an open network connection to the remote host Scranton (10.0.1.4) over port 5985. Telemetry also showed the WinRM process on Scranton (10.0.1.4) exchanging data with Utica (10.0.1.5). [1] [2] |
| 20.B.2 | Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials; network connection to Scranton (10.0.1.4) over port 5985 [1] | MSSP | An MSSP detection contained evidence of a WinRM session to remote host SchruteFarms (10.0.1.7). [1] |
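The correlation the APT29 notes describe (a connection to port 5985, joined to the source process and its parent, plus the second hop from the WinRM process on Scranton) written out as detection logic over sample events. This is an added example for this page, not ATT&CK Evaluations or vendor code. The event records are constructed; their field names follow Sysmon Event ID 1 (process create) and Event ID 3 (network connection); the host names and addresses come from the notes above, while the user name, process GUIDs, Temp path, second-hop port, and the name of the WinRM session host process (taken here to be wsmprovhost.exe) are assumptions.

```python
"""WinRM lateral-movement detection over constructed Sysmon-style events.

Added example for this page, not ATT&CK Evaluations or vendor code. Events are
constructed to mirror the APT29 notes for steps 8.A.2, 16.C.1 and 20.B.2.
Assumptions: user name, process GUIDs, Temp path, the second-hop port, and
wsmprovhost.exe as the process hosting a remote WinRM shell.
"""
from typing import Dict, List, Optional

WINRM_PORTS = {5985, 5986}              # WS-Management over HTTP / HTTPS
WINRM_HOST_PROCESS = "wsmprovhost.exe"  # assumption: process hosting the remote WinRM shell
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
SCR = "C:\\Users\\user\\AppData\\Local\\Temp\\rcs.3aka3.doc"  # Temp path is assumed

# Constructed telemetry, not real evaluation data.
EVENTS: List[dict] = [
    # 8.A.2: the rcs.3aka3.doc screensaver, running from Temp, opens WinRM to Scranton.
    {"EventID": 1, "Computer": "Workstation", "ProcessGuid": "P1", "Image": SCR, "ParentImage": EXPLORER},
    {"EventID": 3, "Computer": "Workstation", "ProcessGuid": "P1", "Image": SCR,
     "DestinationHostname": "Scranton", "DestinationIp": "10.0.1.4", "DestinationPort": 5985},
    # 16.C.1: explorer.exe spawns powershell.exe, which connects to the domain controller NewYork.
    {"EventID": 1, "Computer": "Workstation", "ProcessGuid": "P2", "Image": PS, "ParentImage": EXPLORER},
    {"EventID": 3, "Computer": "Workstation", "ProcessGuid": "P2", "Image": PS,
     "DestinationHostname": "NewYork", "DestinationIp": "10.0.0.4", "DestinationPort": 5985},
    # 20.B.2: PowerShell to Scranton over 5985 with no matching Event ID 1 collected, then the
    # WinRM session host on Scranton talks to Utica (the port 445 here is constructed).
    {"EventID": 3, "Computer": "Workstation", "ProcessGuid": "P3", "Image": PS,
     "DestinationHostname": "Scranton", "DestinationIp": "10.0.1.4", "DestinationPort": 5985},
    {"EventID": 3, "Computer": "Scranton", "ProcessGuid": "P4",
     "Image": "C:\\Windows\\System32\\wsmprovhost.exe",
     "DestinationHostname": "Utica", "DestinationIp": "10.0.1.5", "DestinationPort": 445},
    # Benign browser traffic: must not fire.
    {"EventID": 3, "Computer": "Workstation", "ProcessGuid": "P5",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def index_process_creates(events: List[dict]) -> Dict[str, dict]:
    """Map ProcessGuid -> Event ID 1 record so a network event can be joined to its parent."""
    return {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}


def detect_winrm(events: List[dict]) -> List[dict]:
    """Return one finding per network event matching a WinRM lateral-movement pattern.

    Each finding lists the evidence that fired, mirroring the correlation in the
    detection notes: WinRM port plus a suspicious source process or parent.
    """
    creates = index_process_creates(events)
    findings = []
    for e in events:
        if e["EventID"] != 3:
            continue
        image = basename(e["Image"])
        create = creates.get(e["ProcessGuid"])
        parent: Optional[str] = basename(create["ParentImage"]) if create else None
        reasons = []
        if e["DestinationPort"] in WINRM_PORTS:
            reasons.append("winrm_port")
            if image == "powershell.exe" and parent == "explorer.exe":
                reasons.append("powershell_spawned_by_explorer")
            if any(m in e["Image"].lower() for m in TEMP_MARKERS):
                reasons.append("source_in_temp_dir")
            if create is None:
                # The join failed: keep the port alert and record the gap rather than drop it.
                reasons.append("no_process_create_event")
        if image == WINRM_HOST_PROCESS:
            # Outbound traffic from the WinRM session host is the second hop (Scranton -> Utica).
            reasons.append("winrm_session_host_outbound")
        if reasons:
            findings.append({
                "host": e["Computer"], "image": image, "parent": parent,
                "dest": f"{e['DestinationHostname']} ({e['DestinationIp']})",
                "port": e["DestinationPort"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect_winrm(EVENTS):
        print(f"{f['host']}: {f['image']} (parent {f['parent']}) -> {f['dest']}:{f['port']} {f['reasons']}")
```

The port match on its own is the weakest part of this: a WinRM listener can be bound to a port other than 5985 or 5986, and on a host where administrators use PowerShell remoting routinely, port 5985 traffic is normal. What turns the telemetry into an alert in the notes above is the join to the source process and its parent (a screensaver in a Temp folder, or powershell.exe under explorer.exe), so the join has to survive a missing process-create event instead of silently dropping the connection, and the second hop has to be caught on the intermediate host by watching the WinRM session host process rather than the client.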
APT3

The subtechnique was not in scope.