Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
Carbanak+FIN7
Step | ATT&CK Pattern
7.C.4 | Registry Run Keys / Startup Folder (T1547.001)
10.A.4 | Registry Run Keys / Startup Folder (T1547.001)
APT29
Step | ATT&CK Pattern
5.B.1 | Registry Run Keys / Startup Folder (T1547.001)
10.B.1 | Registry Run Keys / Startup Folder (T1547.001)
11.A.11 | Registry Run Keys / Startup Folder (T1547.001)
Procedure
Established Registry Run key persistence using PowerShell
Criteria
Addition of the Webcache value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (autostart entries under Run are registry values, not subkeys)
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
APT3
Step | ATT&CK Pattern
1.B.1 | Registry Run Keys / Startup Folder (T1547.001)
10.A.1 | Registry Run Keys / Startup Folder (T1547.001)
Procedure
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided the reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
- The alert mapped to two ATT&CK techniques (T1059 Command-Line Interface and T1105 Remote File Copy), neither of which is the Registry Run Keys / Startup Folder technique under test in this procedure.
Procedure
Batch file (autoupdate.bat) previously written to the Startup folder executed when user Debbie logged on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Footnotes
- Managed Defense Report (see the note on Managed Defense Reports above).
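The three procedures above (a Run value written by PowerShell, a batch file dropped into the Startup folder, and that batch file firing at logon to launch a DLL through rundll32) are exactly the events a detection for T1547.001 has to key on, and the footnote about the alert mapping only to T1059/T1105 shows what goes wrong when a rule looks at the command line but not at the autostart location. The following is an added example, not FireEye's or MITRE's code and not telemetry from the evaluation: detection logic run over constructed Sysmon-style events (real Sysmon event IDs 1, 11 and 13; the SID, payload paths, value data and rundll32 export name are assumed). It flags all three stages and leaves an unrelated registry write alone.

```python
"""Flag T1547.001 (Registry Run Keys / Startup Folder) from Sysmon-style events.

Added example; the events below are constructed for illustration and are not
telemetry from the FireEye evaluation. Sysmon event IDs used:
  1 = ProcessCreate, 11 = FileCreate, 13 = RegistryEvent (value set).
"""
import re

# Per-user hives show up in Sysmon as HKU\<SID>\..., machine-wide as HKLM\...,
# so match on the path suffix rather than the hive prefix.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)
# Per-user (%APPDATA%\...) and all-users (%ProgramData%\...) Startup folders
# share this suffix.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

TECHNIQUE = "T1547.001"


def classify_event(ev):
    """Return a finding for one event, or None if it is not an autostart artifact."""
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    # Stage 1: a value written under a Run/RunOnce key (APT29 5.B.1 criteria).
    if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return {"rule": "run_key_value_set", "technique": TECHNIQUE,
                "writer": image, "artifact": ev["TargetObject"]}
    # Stage 2: a file created (or moved) into a Startup folder (APT3 1.B.1).
    if eid == 11 and STARTUP_DIR_RE.search(ev.get("TargetFilename", "")):
        return {"rule": "startup_folder_file_created", "technique": TECHNIQUE,
                "writer": image, "artifact": ev["TargetFilename"]}
    # Stage 3: the persisted item firing at logon. The parent is the interpreter
    # running the Startup-folder script; the child is whatever it launched
    # (rundll32 here). Keying on the parent's Startup path ties the alert to
    # T1547.001 instead of only to generic command-line execution (T1059).
    if eid == 1 and STARTUP_DIR_RE.search(ev.get("ParentCommandLine", "")):
        return {"rule": "startup_item_executed", "technique": TECHNIQUE,
                "writer": image, "artifact": ev.get("CommandLine", "")}
    return None


def detect(events):
    """Run every event through classify_event and keep the hits, in order."""
    return [f for f in map(classify_event, events) if f is not None]


# ---- constructed sample telemetry (assumed SID, paths and command lines) ----
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
STARTUP = r"C:\Users\Debbie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

SAMPLE_EVENTS = [
    # PowerShell writes the Webcache value under the user's Run key.
    {"EventID": 13,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Webcache",
     "Details": r"C:\Users\Debbie\AppData\Local\webcache.exe"},  # assumed value data
    # cmd.exe (running pdfhelper.cmd) moves autoupdate.bat into the Startup folder.
    {"EventID": 11,
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": STARTUP + r"\autoupdate.bat"},
    # At logon the Startup item runs and launches update.dat via rundll32.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "C:\\Windows\\System32\\cmd.exe /c \"" + STARTUP + "\\autoupdate.bat\"",
     "CommandLine": r"rundll32.exe C:\Users\Debbie\update.dat,Start"},  # export name assumed
    # Unrelated per-user registry write: must not fire.
    {"EventID": 13,
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["rule"], "<-", finding["writer"], "|", finding["artifact"])
```

The three rules are deliberately keyed on the autostart location (the Run key path or the Startup folder path) rather than on the process name, so a rule that only sees `cmd.exe` moving a file or `rundll32.exe` loading a DLL would surface T1059/T1105 but miss the persistence mechanism, which is the gap the footnote above describes. In production the RegistryEvent rule would normally be extended to the Explorer `Run`/`Load` locations and to HKLM writers that are not installers, and the Startup-folder rule to the all-users path.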