Execution (TA0002)
Carbanak+FIN7

Step | ATT&CK Pattern
1.A.1 | Technique: User Execution (T1204)
1.A.2 |
1.A.3 |
1.A.7 |
1.A.8 |
1.A.9 |
2.B.2 |
2.B.3 |
3.A.1 |
3.B.2 |
3.B.3 |
3.B.6 | Technique: Native API (T1106)
4.B.3 |
4.B.6 |
5.A.6 |
5.C.3 |
5.C.5 |
6.A.1 |
7.A.2 |
8.A.1 |
11.A.1 | Technique: User Execution (T1204)
11.A.3 | Technique: Signed Binary Proxy Execution (T1218); Sub-technique: Signed Binary Proxy Execution: Mshta (T1218.005)
11.A.4 |
11.A.7 |
11.A.8 |
12.A.1 |
12.A.2 |
13.A.2 |
13.B.2 |
13.B.3 |
14.A.1 |
14.A.2 |
14.A.4 |
15.A.4 |
16.A.3 |
16.A.6 |
17.A.3 |
19.B.1 |
APT29

Step | ATT&CK Pattern
1.A.1 |
1.B.1 |
1.B.2 |
4.A.2 |
4.C.10 | Technique: Native API (T1106)
4.C.12 | Technique: Native API (T1106)
8.C.3 |
9.B.1 |
10.A.1 |
10.B.2 | Technique: Native API (T1106)
11.A.1 |
11.A.12 |
14.B.1 |
16.B.2 | Technique: Native API (T1106)
20.A.1 | Technique: Signed Binary Proxy Execution (T1218); Sub-technique: Signed Binary Proxy Execution: Rundll32 (T1218.011)
20.A.3 |
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Footnotes:
- PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Footnotes:
- PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure: Executed persistent service (javamtsup) on system startup
Criteria: javamtsup.exe spawning from services.exe

Procedure: Created and executed a WMI class using PowerShell
Criteria: WMI Process (WmiPrvSE.exe) executing powershell.exe
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll
Criteria: powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll
Footnotes:
- PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure: Executed Run key persistence payload on user login using RunDll32
Criteria: rundll32.exe executing kxwn.lock
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.