APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 16.D.1 | | | Telemetry showed the creation of m.exe in the System32 directory by wsmprovhost.exe. [1] [2] |
| | | | An MSSP detection contained evidence of the write of m.exe to the System32 directory by wsmprovhost.exe. [1] |

Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection
File write of m.exe by the WinRM process (wsmprovhost.exe)
[1]
[2]