APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
5.B.1
|
|
|
An MSSP detection for "Persistence - Registry Run Keys / Startup Folder" occurred for the creation of the hostui.lnk file in the Startup folder.
[1]
[2]
[3]
|
|
Telemetry showed the file write of hostui.lnk in the Startup folder.
[1]
[2]
[3]
[4]
|
|
10.B.1
|
|
|
Telemetry showed hostui.bat executing from a persistent Startup Menu shortcut.
[1]
|
|
11.A.11
|
|
|
An MSSP detection for "Persistence- Registry Run Keys / Startup Folder" occurred for PowerShell registering a Registry Run key.
[1]
[2]
[3]
|
|
A Technique alert detection (critical severity) called "Powerduke Persistence 2" was generated for a persistence event associated with a run key used by PowerDuke.
[1]
[2]
[3]
[4]
|
|
Telemetry showed powershell.exe adding Run key persistence into the Registry.
[1]
|
|
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
powershell.exe creating the file hostui.lnk in the Startup folder
[1]
[2]
[3]
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
powershell.exe creating the file hostui.lnk in the Startup folder
[1]
[2]
[3]
[4]
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
[1]
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[1]
[2]
[3]
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[1]
[2]
[3]
[4]
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[1]