APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 3.B.2 | | General | A General alert detection (red; high severity) for "Suspicious PowerShell" was generated due to execution of powershell.exe by control.exe. [1] [2] |
| 3.B.2 | | Telemetry | Telemetry showed PowerShell spawning from control.exe. [1] |
| 3.B.2 | | MSSP | An MSSP detection for "Possible UAC Bypass" contained evidence of a new high integrity PowerShell callback spawning from control.exe. [1] |
| 14.A.2 | | MSSP | An MSSP detection contained evidence of a High Integrity PowerShell process spawned from control.exe. [1] |
| 14.A.2 | | General | A General alert detection (red; high severity) for "Suspicious PowerShell" was generated due to execution of powershell.exe by control.exe. [1] |
Executed elevated PowerShell payload
High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe) [1] [2]
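As an added example (not code from the evaluation or from the vendor), the process-tree check behind these detections, run over constructed Sysmon-style process-creation events: a high-integrity powershell.exe whose parent is control.exe is flagged, and the chain is upgraded to "Possible UAC Bypass" when the grandparent is sdclt.exe. Field names and sample values are assumptions.

```python
"""Detection logic for the chain sdclt.exe -> control.exe -> high-integrity
powershell.exe. All events below are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # full image path, as a process-creation event would carry it
    integrity: str   # "Low", "Medium", "High" or "System" (assumed field)


# Constructed sample telemetry: one bypass chain, one benign admin session,
# and one high-integrity powershell.exe under control.exe with an unknown parent.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "Medium"),
    ProcEvent(200, 100, r"C:\Windows\System32\sdclt.exe", "High"),
    ProcEvent(300, 200, r"C:\Windows\System32\control.exe", "High"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "High"),
    ProcEvent(500, 100, r"C:\Windows\System32\control.exe", "Medium"),
    ProcEvent(600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Medium"),
    ProcEvent(700, 999, r"C:\Windows\System32\control.exe", "High"),
    ProcEvent(800, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "High"),
]


def image_name(path: str) -> str:
    """Lower-cased file name so that path and case differences do not hide a match."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_uac_bypass_chain(events):
    """Return (pid, severity, reason) for each high-integrity powershell.exe
    spawned by control.exe; severity is 'high' when sdclt.exe is the grandparent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if image_name(e.image) != "powershell.exe" or e.integrity != "High":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or image_name(parent.image) != "control.exe":
            continue
        grandparent = by_pid.get(parent.ppid)  # may be missing from the log window
        if grandparent is not None and image_name(grandparent.image) == "sdclt.exe":
            findings.append((e.pid, "high", "Possible UAC Bypass: sdclt.exe -> control.exe -> high-integrity powershell.exe"))
        else:
            findings.append((e.pid, "medium", "Suspicious PowerShell: high-integrity powershell.exe spawned by control.exe"))
    return findings
```

The medium-integrity powershell.exe under control.exe (pid 600) produces no finding, which keeps an ordinary admin session out of the alert queue while both elevated cases are still reported.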