Carbanak+FIN7

The technique was not in scope.

APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 2.A.2 | Scripted search of filesystem for document and media files using PowerShell: powershell.exe executing (Get-)ChildItem [1] | MSSP | An MSSP alert was generated when a portable executable file used a script to collect various filetypes found on the filesystem. [1] |
| 2.A.2 | Scripted search of filesystem for document and media files using PowerShell: powershell.exe executing (Get-)ChildItem [1] | Telemetry | Telemetry showed powershell.exe executing ChildItem. [1] |
| 2.A.2 | Scripted search of filesystem for document and media files using PowerShell: powershell.exe executing (Get-)ChildItem [1] | Technique (Alert, Correlated) | A Technique alert detection (purple hexagon) called "Automated Collection" was generated when powershell.exe executed an automated search routine with Get-ChildItem. The event was correlated to a parent general detection for user execution of rcs.3aka.doc. [1] |
| 9.B.3 | Scripted search of filesystem for document and media files using PowerShell: powershell.exe executing (Get-)ChildItem [1] | Telemetry | Telemetry showed powershell.exe executing ChildItem. [1] |
| 9.B.3 | Scripted search of filesystem for document and media files using PowerShell: powershell.exe executing (Get-)ChildItem [1] [2] | Technique (Alert, Correlated) | A Technique alert detection (yellow indicator) called "Automated Collection" was generated when powershell.exe executed Get-ChildItem. The event was correlated to a parent Technique detection for Windows Admin Shares. [1] [2] |

APT3

The technique was not in scope.
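The detection notes above describe one signal at two levels: raw telemetry of powershell.exe running Get-ChildItem, and a "Technique" alert for Automated Collection that is correlated to a parent detection (the user execution of rcs.3aka.doc in step 2.A.2). The following Python sketch is an added example, not part of the ATT&CK Evaluations page and not the evaluated vendor's logic; it runs that two-level rule over constructed process-creation events. The event field names, the regular expressions, the document/media extension list and the "user execution" heuristic are all assumptions made for the example.

```python
"""Added example: flag a scripted Get-ChildItem file sweep in powershell.exe and
correlate it to a parent detection, in the spirit of the detection notes above.
Not the evaluated product's logic; all field names and heuristics are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed process-creation events (the fields a Sysmon Event ID 1 or
# Windows 4688 record would supply). Not real telemetry from the evaluation.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 2200, "image": "explorer.exe", "user": "pam",
     "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 4101, "image": "rcs.3aka.doc", "user": "pam",
     "cmdline": '"C:\\Users\\pam\\Downloads\\rcs.3aka.doc"'},
    {"pid": 4133, "ppid": 4120, "image": "powershell.exe", "user": "pam",
     "cmdline": 'powershell.exe -c "Get-ChildItem C:\\Users -Recurse '
                '-Include *.doc,*.docx,*.pdf,*.jpg | '
                'Compress-Archive -DestinationPath $env:TEMP\\s.zip"'},
    # Plain directory listing: Get-ChildItem, but no recursive filetype sweep.
    {"pid": 4150, "ppid": 4101, "image": "powershell.exe", "user": "pam",
     "cmdline": 'powershell.exe -c "Get-ChildItem C:\\Windows\\Temp"'},
    # Same intent via cmd.exe; outside this rule, which keys on powershell.exe.
    {"pid": 4160, "ppid": 4101, "image": "cmd.exe", "user": "pam",
     "cmdline": "cmd.exe /c dir /s *.docx"},
]

# Assumed list of "document and media" extensions an automated sweep would target.
DOC_MEDIA_EXT = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt",
                 "rtf", "jpg", "jpeg", "png", "mp4", "mov"}
# Get-ChildItem plus its built-in PowerShell aliases (gci, ls, dir).
CHILDITEM = re.compile(r"(?<![\w-])(?:get-childitem|gci|ls|dir)(?![\w-])", re.I)
RECURSE = re.compile(r"-recurse\b", re.I)
EXT = re.compile(r"\*\.(\w+)")


@dataclass
class Detection:
    name: str
    level: str            # "General" or "Technique", as in the table's categories
    pid: int
    parent_detection: Optional["Detection"] = None


def is_automated_collection(cmdline: str) -> bool:
    """Recursive (Get-)ChildItem sweep filtered to document/media file types."""
    if not CHILDITEM.search(cmdline):
        return False
    exts = {m.lower() for m in EXT.findall(cmdline)}
    return bool(RECURSE.search(cmdline)) and bool(exts & DOC_MEDIA_EXT)


def is_user_execution(event: dict, parent: dict) -> bool:
    """Assumed general detection: an interactive shell (explorer.exe) launched a
    file whose name ends in a document-style extension (e.g. rcs.3aka.doc)."""
    return (parent["image"].lower() == "explorer.exe"
            and event["image"].lower().endswith((".doc", ".docx", ".pdf", ".scr")))


def detect(events: list) -> list:
    """Return Technique-level Automated Collection detections, each linked to the
    parent process's detection when one exists. Events must be in creation order."""
    by_pid = {e["pid"]: e for e in events}
    detections = {}   # pid -> Detection raised on that process
    alerts = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if parent and is_user_execution(ev, parent):
            detections[ev["pid"]] = Detection(
                "User Execution of " + ev["image"], "General", ev["pid"])
        if ev["image"].lower() == "powershell.exe" and is_automated_collection(ev["cmdline"]):
            alert = Detection("Automated Collection", "Technique", ev["pid"],
                              parent_detection=detections.get(ev["ppid"]))
            detections[ev["pid"]] = alert
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        parent = a.parent_detection.name if a.parent_detection else "none"
        print(f"{a.level} alert '{a.name}' on pid {a.pid}; correlated parent: {parent}")
```

Only the recursive, extension-filtered sweep from the process spawned by rcs.3aka.doc produces an alert; the plain listing and the cmd.exe variant stay at telemetry level. The correlation is nothing more than a lookup of the parent pid in the detections already raised, which is why the rule needs process events in creation order.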