APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
6.C.1
|
|
|
A Technique alert detection (critical severity) called "Credential Dumping T1003" was generated due to powershell.exe injecting into lsass.exe.
[1]
|
|
Telemetry showed powershell.exe injecting into lsass.exe
[1]
|
|
14.B.4
|
|
|
A Technique alert detection (critical severity) called "Credential Dumping" was generated for m.exe executing with command-line arguments indicative of Mimikatz credential dumping.
[1]
[2]
[3]
[4]
|
|
A Technique alert detection (critical severity) called "Credential Dumping" was generated for m.exe executing with command-line arguments indicative of Mimikatz credential dumping.
[1]
[2]
[3]
[4]
|
|
An MSSP detection occurred containing evidence of PowerShell executing Mimikatz to obtain login credentials.
[1]
|
|
16.D.2
|
|
|
A Technique alert detection (critical severity) called "Mimikatz Activity - lsadump" was generated for m.exe with command-line arguments indicative of Mimikatz credential dumping.
[1]
[2]
[3]
[4]
|
|
A Technique alert detection (critical severity) called "Mimikatz lsadump PowerShell Script Block" was generated due to a script block event associated with Mimikatz dumping local secrets.
[1]
[2]
[3]
|
|
Telemetry showed m.exe injecting a thread into lsass.exe.
[1]
[2]
|
|
A Technique alert detection (critical severity) called "Mimikatz Activity - privilege" was generated for m.exe with command-line arguments indicative of Mimikatz credential theft.
[1]
[2]
|
|
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
[1]
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
[1]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
[2]
[3]
[4]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
[2]
[3]
[4]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
[2]
[3]
[4]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
[2]
[3]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
[2]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
[2]