ATT&CK Evaluations (Enterprise), participant: Malwarebytes
Privilege Escalation (TA0004)
Carbanak+FIN7

| Step | ATT&CK Pattern | Criteria | Data Sources |
|---|---|---|---|
| 4.B.5 | | fodhelper.exe spawns cmd.exe as a high-integrity process (note: due to the configuration of the environment, the adversary's process was high by default; this sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass) | Process Monitoring |
| 15.A.5 | | fodhelper.exe spawns cmd.exe as a high-integrity process (note: due to the configuration of the environment, the adversary's process was high by default; this sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass) | Process Monitoring |
| 17.A.4 | Technique: Hijack Execution Flow (T1574); Sub-technique: Hijack Execution Flow: DLL Search Order Hijacking (T1574.001) | powershell.exe spawns samcat.exe as a high-integrity process (note: due to the configuration of the environment, the adversary's process was high by default; this sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass) | Script Logs; Process Monitoring; Windows Registry |

APT29

| Step | ATT&CK Pattern | Procedure | Criteria |
|---|---|---|---|
| 3.B.1 | | Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell | Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command |
| 3.B.2 | | Executed elevated PowerShell payload | High-integrity powershell.exe spawning from control.exe (spawned from sdclt.exe) |
| 14.A.1 | | Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell | Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command |
| 14.A.2 | | | |
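The detection criteria in both tables reduce to two telemetry checks: a High-integrity child spawned through an auto-elevating binary (fodhelper.exe directly, or powershell.exe under control.exe under sdclt.exe) and a write of DelegateExecute under HKCU\Software\Classes\Folder\shell\open\command. The following is an added example of that logic run over constructed Sysmon-like events; it is not code from the ATT&CK Evaluations page or from Malwarebytes, and the event field names, the process-chain rules and the sample data are assumptions.

```python
"""Detection logic for the UAC-bypass criteria in the tables above (added example, not from
the ATT&CK Evaluations page or Malwarebytes; constructed Sysmon-like events, assumed field names)."""
import ntpath
from typing import Optional

AUTO_ELEVATE = {"fodhelper.exe"}  # 4.B.5 / 15.A.5: fodhelper.exe spawning a High-integrity child
COM_KEY = r"hkcu\software\classes\folder\shell\open\command"  # 3.B.1 / 14.A.1: sdclt.exe COM hijack

def base(path: str) -> str:
    return ntpath.basename(path).lower()  # ntpath parses Windows paths on any host

def flag_process(ev: dict, by_pid: dict) -> Optional[str]:
    """Finding when a High-integrity child comes from one of the evaluated bypass chains."""
    if ev.get("IntegrityLevel") != "High":
        return None
    parent, child = base(ev["ParentImage"]), base(ev["Image"])
    if parent in AUTO_ELEVATE:
        return f"{parent} spawned High-integrity {child}"
    grand = by_pid.get(ev["ParentProcessId"])  # the parent's own ProcessCreate event, if seen
    if parent == "control.exe" and grand and base(grand["ParentImage"]) == "sdclt.exe":
        return f"sdclt.exe -> control.exe -> High-integrity {child}"
    return None

def flag_registry(ev: dict) -> Optional[str]:
    key, _, value = ev["TargetObject"].lower().rpartition("\\")  # split key path from value name
    if key == COM_KEY and value == "delegateexecute":
        return f"DelegateExecute set under {ev['TargetObject']}"
    return None

def scan(events: list) -> list:
    by_pid = {e["ProcessId"]: e for e in events if e["EventType"] == "ProcessCreate"}
    hits = [flag_process(e, by_pid) if e["EventType"] == "ProcessCreate" else flag_registry(e)
            for e in events]
    return [h for h in hits if h]

def proc(pid, ppid, image, parent, level):  # builds one constructed ProcessCreate event
    return {"EventType": "ProcessCreate", "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent, "IntegrityLevel": level}

S32 = r"C:\Windows\System32"
SAMPLE = [  # constructed: fodhelper chain, DelegateExecute write, sdclt chain, one benign Medium shell
    proc(100, 1, S32 + r"\fodhelper.exe", r"C:\Windows\explorer.exe", "High"),
    proc(101, 100, S32 + r"\cmd.exe", S32 + r"\fodhelper.exe", "High"),
    {"EventType": "RegistryValueSet", "TargetObject": r"HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute"},
    proc(200, 1, S32 + r"\sdclt.exe", r"C:\Windows\explorer.exe", "High"),
    proc(201, 200, S32 + r"\control.exe", S32 + r"\sdclt.exe", "High"),
    proc(202, 201, S32 + r"\WindowsPowerShell\v1.0\powershell.exe", S32 + r"\control.exe", "High"),
    proc(300, 1, S32 + r"\cmd.exe", r"C:\Windows\explorer.exe", "Medium"),
]
```

`scan(SAMPLE)` yields three findings (the fodhelper.exe child, the DelegateExecute write, and the sdclt.exe chain) and stays silent on the auto-elevating binaries themselves and on the Medium-integrity cmd.exe.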