Carbanak+FIN7: The subtechnique was not in scope.

APT29: The subtechnique was not in scope.

APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 16.I.1.2 | | | Telemetry showed sc.exe executions to create the AdobeUpdater service and set the binPath to run cmd.exe with an argument to execute update.vbs, as well as set the description of the service. An analyst could use this information to determine that masquerading occurred. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [1] |

Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4) [1]
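Detection logic for the pattern in the Detection Note above (sc.exe creating a service whose binPath runs cmd.exe or a script, followed by 'sc description' on that same service), as an added Python example that is not part of the evaluation page or any vendor's product. The process-creation events are constructed, and the parent-process field is carried through so an analyst can correlate a hit with the PowerShell parent the note mentions.

```python
import re
import shlex
# Constructed process-creation events modelled on the page's step (not evaluation data).
EVENTS = [
    {"pid": 1, "parent": "powershell.exe",
     "cmd": r'sc.exe create AdobeUpdater binPath= "cmd.exe /c cscript.exe C:\Users\Public\update.vbs" start= auto'},
    {"pid": 2, "parent": "powershell.exe",
     "cmd": 'sc.exe description AdobeUpdater "Adobe Acrobat Updater Service"'},
    {"pid": 3, "parent": "services.exe",
     "cmd": r'sc.exe create Spooler2 binPath= "C:\Windows\System32\spoolsv.exe" start= auto'},
    {"pid": 4, "parent": "explorer.exe", "cmd": "sc.exe query Spooler"},
]
# Script hosts and script extensions a service binPath should rarely point at.
INTERPRETERS = re.compile(r"\b(cmd|cscript|wscript|powershell|mshta)\.exe\b", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|js|ps1|bat|cmd|hta)\b", re.I)

def parse_sc(cmd):
    """Return (verb, service, binpath) for an sc.exe command line, else None."""
    toks = shlex.split(cmd, posix=False)  # keep Windows backslashes and quotes intact
    if not toks or not re.search(r'(^|\\)sc(\.exe)?"?$', toks[0], re.I):
        return None
    toks = toks[1:]
    if toks and toks[0].startswith("\\\\"):  # optional \\server for remote administration
        toks = toks[1:]
    if len(toks) < 2:
        return None
    verb, service, binpath = toks[0].lower(), toks[1], None
    for i, tok in enumerate(toks[2:], start=2):
        if tok.lower().startswith("binpath="):  # sc accepts both "binPath= x" and "binPath=x"
            val = tok[8:] or (toks[i + 1] if i + 1 < len(toks) else "")
            binpath = val.strip('"')
    return verb, service, binpath

def analyze(events):
    """Flag create/config whose binPath runs a script host or script, then any later 'description' on it."""
    findings, interpreter_backed = [], set()
    for ev in events:
        parsed = parse_sc(ev["cmd"])
        if parsed is None:
            continue
        verb, service, binpath = parsed
        if verb in ("create", "config") and binpath and (INTERPRETERS.search(binpath) or SCRIPT_EXT.search(binpath)):
            interpreter_backed.add(service.lower())
            findings.append({"pid": ev["pid"], "parent": ev["parent"], "service": service, "verb": verb,
                             "reason": "binPath launches a script host or script"})
        elif verb == "description" and service.lower() in interpreter_backed:
            findings.append({"pid": ev["pid"], "parent": ev["parent"], "service": service, "verb": verb,
                             "reason": "description set on a script-backed service (possible masquerade)"})
    return findings
```

Running `analyze(EVENTS)` flags only the AdobeUpdater pair (pids 1 and 2); the legitimate-looking spoolsv.exe service and the `sc query` produce no findings.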