ReaQta: Execution (TA0002)
Carbanak+FIN7

Step | ATT&CK Pattern
1.A.1 | Technique: User Execution (T1204)
1.A.2 |
1.A.3 |
1.A.7 |
1.A.8 |
1.A.9 |
2.B.2 |
2.B.3 |
3.A.1 |
3.B.2 |
3.B.3 |
3.B.6 | Technique: Native API (T1106)
4.B.3 |
4.B.6 |
5.A.6 |
5.C.3 |
5.C.5 |
6.A.1 |
7.A.2 |
8.A.1 |
11.A.1 | Technique: User Execution (T1204)
11.A.3 | Technique: Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Mshta (T1218.005)
11.A.4 |
11.A.7 |
11.A.8 |
12.A.1 |
12.A.2 |
13.A.2 |
13.B.2 |
13.B.3 |
14.A.1 |
14.A.2 |
14.A.4 |
15.A.4 |
16.A.3 |
16.A.6 |
17.A.3 |
19.B.1 |
APT29

Step | ATT&CK Pattern
1.A.1 |
1.B.1 |
1.B.2 |
4.A.2 |
4.C.10 | Technique: Native API (T1106)
4.C.12 | Technique: Native API (T1106)
8.C.3 |
9.B.1 |
10.A.1 |
10.B.2 | Technique: Native API (T1106)
11.A.1 |
11.A.12 |
14.B.1 |
16.B.2 | Technique: Native API (T1106)
20.A.1 | Technique: Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Rundll32 (T1218.011)
20.A.3 |
Detection details

Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
Footnote: Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Footnote: PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Footnote: PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure: Executed PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe executing the CreateProcessWithToken API

Procedure: Created and executed a WMI class using PowerShell
Criteria: WMI Process (WmiPrvSE.exe) executing powershell.exe
Footnote: Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll
Criteria: powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll
Footnote: PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure: Executed Run key persistence payload on user login using RunDll32
Criteria: rundll32.exe executing kxwn.lock
Footnote: Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
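The criteria above are stated as parent/child process relationships, a rundll32 command line, and API functions that become visible once PowerShell script block logging is enabled (a reflectively loaded API shows up in the logged script as a P/Invoke declaration naming the DLL and the function). The following is an added example, not ReaQta's detection logic and not an artifact of the MITRE evaluation, that runs those criteria over constructed event records loosely modelled on Windows process-creation and script block logging telemetry. The Event fields, the sample paths and command lines, the rundll32 entry-point name, and the evaluate() function are all assumptions of this example. It deliberately omits the hostui.exe CreateProcessWithToken criterion, which needs in-process API telemetry rather than process or script logs.

```python
"""Evaluate the Execution-step detection criteria over constructed telemetry.

Added example, not ReaQta's detection logic and not part of the MITRE
evaluation. Event fields are assumptions of this example, loosely modelled
on Windows process-creation and PowerShell script block logging records.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str               # "ProcessCreate" or "ScriptBlock" (assumed schema)
    image: str = ""         # executable that produced the event
    parent_image: str = ""  # parent process image (ProcessCreate only)
    command_line: str = ""  # full command line (ProcessCreate only)
    script_text: str = ""   # logged script block body (ScriptBlock only)


def _basename(path: str) -> str:
    """Lower-cased image name without the directory part."""
    return path.rsplit("\\", 1)[-1].lower()


# Parent/child criteria from the steps above: (child image, parent image, label).
PARENT_CHILD_RULES = [
    ("powershell.exe", "cmd.exe", "powershell.exe spawning from cmd.exe"),
    ("powershell.exe", "wmiprvse.exe",
     "WMI Process (WmiPrvSE.exe) executing powershell.exe"),
]

# API functions reflectively loaded from PowerShell appear in script block
# logging as P/Invoke declarations; DLL -> functions named in the criteria.
REFLECTIVE_API_RULES = {
    "netapi32.dll": ("NetUserGetGroups", "NetUserGetLocalGroups"),
    "advapi32.dll": ("ConvertSidToStringSid",),
}
DLLIMPORT_RE = re.compile(r'DllImport\(\s*"([^"]+)"', re.IGNORECASE)


def evaluate(events):
    """Return the criteria labels satisfied by the events, in event order."""
    hits = []
    for ev in events:
        if ev.kind == "ProcessCreate":
            child, parent = _basename(ev.image), _basename(ev.parent_image)
            for rule_child, rule_parent, label in PARENT_CHILD_RULES:
                if child == rule_child and parent == rule_parent:
                    hits.append(label)
            # Run key persistence payload launched through rundll32.exe.
            if child == "rundll32.exe" and "kxwn.lock" in ev.command_line.lower():
                hits.append("rundll32.exe executing kxwn.lock")
        elif ev.kind == "ScriptBlock":
            imported = {d.lower() for d in DLLIMPORT_RE.findall(ev.script_text)}
            for dll, functions in REFLECTIVE_API_RULES.items():
                if dll not in imported:
                    continue
                for func in functions:
                    if re.search(rf"\b{func}\b", ev.script_text):
                        hits.append(f"{func} loaded into {_basename(ev.image)} from {dll}")
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample records: paths, command lines and the rundll32 entry-point
# name are made up for this example and are not taken from the evaluation.
SAMPLE_EVENTS = [
    Event("ProcessCreate", image=PS, parent_image=r"C:\Windows\System32\cmd.exe",
          command_line="powershell.exe"),
    Event("ScriptBlock", image=PS, script_text=(
        '[DllImport("netapi32.dll", CharSet = CharSet.Unicode)] '
        'public static extern int NetUserGetGroups(string server, string user, '
        'int level, out IntPtr buf, int prefMaxLen, out int read, out int total);')),
    Event("ScriptBlock", image=PS, script_text=(
        '[DllImport("advapi32.dll")] public static extern bool '
        'ConvertSidToStringSid(IntPtr sid, out IntPtr sidString);')),
    Event("ProcessCreate", image=PS,
          parent_image=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
          command_line="powershell.exe -NoP -W Hidden"),
    Event("ProcessCreate", image=r"C:\Windows\System32\rundll32.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r"rundll32.exe C:\Users\Public\kxwn.lock,ExportedEntry"),
    Event("ProcessCreate", image=r"C:\Windows\System32\notepad.exe",  # benign control
          parent_image=r"C:\Windows\explorer.exe", command_line="notepad.exe"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The script block rule is why the footnote about Detection Configuration Change matters: without script block logging, the P/Invoke text never reaches the log and the reflective-load criteria are only reachable through image-load or in-process API telemetry.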