Carbanak+FIN7
|
The technique was not in scope.
|
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
14.B.1
|
|
Technique
(Alert, Correlated)
|
A Technique alert detection (red indicator) was generated for a local process created using WMI. The detection was correlated to a parent alert identifying the powershell.exe process as malware.
[1]
[2]
|
Technique
(Alert, Correlated)
|
A Technique alert was generated for the creation of a new WMI class. The alert was correlated to a parent alert identifying the powershell.exe process as malware.
[1]
[2]
[3]
|
Technique
(Correlated, Alert)
|
A Technique alert detection was generated for PowerShell executed using WMI. The alert was correlated to a parent alert identifying the powershell.exe process as malware.
[1]
[2]
|
Technique
(Alert, Correlated)
|
A Technique alert detection (red indicator) was generated for a WMI action using a custom provider. The detection was correlated to a parent alert identifying the powershell.exe process as malware.
[1]
[2]
|
|
Telemetry showed WmiPrvSE.exe executing powershell.exe.
|
|
Created and executed a WMI class using PowerShell
WMI Process (WmiPrvSE.exe) executing powershell.exe
[1]
[2]
Created and executed a WMI class using PowerShell
WMI Process (WmiPrvSE.exe) executing powershell.exe
[1]
[2]
[3]
Created and executed a WMI class using PowerShell
WMI Process (WmiPrvSE.exe) executing powershell.exe
[1]
[2]
Created and executed a WMI class using PowerShell
WMI Process (WmiPrvSE.exe) executing powershell.exe
[1]
[2]
Created and executed a WMI class using PowerShell
WMI Process (WmiPrvSE.exe) executing powershell.exe
-
Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.