Microsoft: Execution (TA0002)
Carbanak+FIN7

Step | ATT&CK Pattern
1.A.1 | User Execution (T1204)
1.A.2 |
1.A.3 |
1.A.7 |
1.A.8 |
1.A.9 |
2.B.2 |
2.B.3 |
3.A.1 |
3.B.2 |
3.B.3 |
3.B.6 | Native API (T1106)
4.B.3 |
4.B.6 |
5.A.6 |
5.C.3 |
5.C.5 |
6.A.1 |
7.A.2 |
8.A.1 |
11.A.1 | User Execution (T1204)
11.A.3 | Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Mshta (T1218.005)
11.A.4 |
11.A.7 |
11.A.8 |
12.A.1 |
12.A.2 |
13.A.2 |
13.B.2 |
13.B.3 |
14.A.1 |
14.A.2 |
14.A.4 |
15.A.4 |
16.A.3 |
16.A.6 |
17.A.3 |
19.B.1 |
APT29

Step | ATT&CK Pattern
1.A.1 |
1.B.1 |
1.B.2 |
4.A.2 |
4.C.10 | Native API (T1106)
4.C.12 | Native API (T1106)
8.C.3 |
9.B.1 |
10.A.1 |
10.B.2 | Native API (T1106)
11.A.1 |
11.A.12 |
14.B.1 |
16.B.2 | Native API (T1106)
20.A.1 | Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Rundll32 (T1218.011)
20.A.3 |

Procedure
Executed persistent service (javamtsup) on system startup
Criteria
javamtsup.exe spawning from services.exe
Footnotes
- This activity would have been blocked by Microsoft Defender.
APT3

Step | ATT&CK Pattern
1.A.1.1 |
1.A.1.2 | Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Rundll32 (T1218.011)
1.A.1.3 |
3.C.1 | Process Injection (T1055)
5.A.1.2 | Process Injection (T1055)
5.A.2.2 | Process Injection (T1055)
7.A.1.2 | Graphical User Interface (T1061)
7.C.1 |
8.D.1.2 | Process Injection (T1055)
10.A.2 |
11.A.1 |
12.E.1 |
16.F.1 |
16.L.1 |

Procedure
Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
Footnotes
- Resume Viewer.exe was audited by Exploit Guard and the vendor stated that the audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode.
Procedure
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Footnotes
- Process Injection attempt was audited by Exploit Guard. Vendor states that the Exploit Guard audit events demonstrate that execution would have been prevented if Export Address Table (EAF) was enabled in blocking mode.