Native API (T1106)

Carbanak+FIN7

| Step  | ATT&CK Pattern              |
|-------|-----------------------------|
| 3.B.6 | Tactic Execution (TA0002)   |

APT29

| Step   | ATT&CK Pattern              |
|--------|-----------------------------|
| 4.C.10 | Tactic Execution (TA0002)   |
| 4.C.12 | Tactic Execution (TA0002)   |
| 10.B.2 | Tactic Execution (TA0002)   |
| 16.B.2 | Tactic Execution (TA0002)   |
Procedure
Executed API call by reflectively loading Netapi32.dll
Criteria
The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Footnotes
- [2] PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure
Executed API call by reflectively loading Netapi32.dll
Criteria
The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Footnotes
- [2] PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure
Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll
Criteria
powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll
Footnotes
- [2] PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.