Participant: Secureworks
Execution (TA0002)
APT29
| Step | ATT&CK Pattern |
|---|---|
| 1.A.1 | |
| 1.B.1 | |
| 1.B.2 | |
| 4.A.2 | |
| 4.C.10 | Technique Native API (T1106) |
| 4.C.12 | Technique Native API (T1106) |
| 8.C.3 | |
| 9.B.1 | |
| 10.A.1 | |
| 10.B.2 | Technique Native API (T1106) |
| 11.A.1 | |
| 11.A.12 | |
| 14.B.1 | |
| 16.B.2 | Technique Native API (T1106) |
| 20.A.1 | Technique Signed Binary Proxy Execution (T1218); Subtechnique Signed Binary Proxy Execution: Rundll32 (T1218.011) |
| 20.A.3 | |
Procedure
Executed PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe executing the CreateProcessWithToken API