Carbanak+FIN7
|
The subtechnique was not in scope.
|
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
4.C.7
|
|
|
Telemetry showed powershell.exe executing: Get-WmiObject ... -Class AntiVirusProduct
[1]
|
|
A Technique alert detection labeled wmi-enumeration-av was generated due to a WMI query for AntivirusProduct.
[1]
|
|
4.C.8
|
|
|
A Technique alert detection was generated for WMI being used to query information about firewall products.
[1]
|
|
Telemetry showed powershell.exe executing: Get-WmiObject ... -Class FireWallProduct
[1]
|
|
12.B.1
|
|
|
An MSSP detection occurred containing evidence of PowerShell gwmi query for AntiVirusProduct.
[1]
[2]
|
|
A Technique alert detection (informational severity) was generated for for WMI querying information about anti-virus products.
[1]
|
|
Telemetry showed PowerShell gwmi query for AntiVirusProduct
[1]
|
|
Enumerated anti-virus software using PowerShell
powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
[1]
Enumerated anti-virus software using PowerShell
powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
[1]
Enumerated firewall software using PowerShell
powershell.exe executing Get-WmiObject ... -Class FireWallProduct
[1]
Enumerated firewall software using PowerShell
powershell.exe executing Get-WmiObject ... -Class FireWallProduct
[1]
Enumerated registered AV products using PowerShell
powershell.exe executing a Get-WmiObject query for AntiVirusProduct
[1]
[2]
Enumerated registered AV products using PowerShell
powershell.exe executing a Get-WmiObject query for AntiVirusProduct
[1]
Enumerated registered AV products using PowerShell
powershell.exe executing a Get-WmiObject query for AntiVirusProduct
[1]
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
12.E.1.10.1
|
|
|
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of AV solutions.
[1]
|
|
12.E.1.10.2
|
|
|
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of firewall rules.
[1]
|
|
Empire: WinEnum module included enumeration of AV solutions
[1]
Empire: WinEnum module included enumeration of firewall rules
[1]