Carbanak+FIN7

The technique was not in scope.
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 20.B.3 | | | Telemetry showed the PowerShell command to add the new user Toby to the remote host Scranton (10.0.1.4). Telemetry also subsequently showed wsmprovhost.exe spawning net.exe with the command-line arguments. The detection was correlated to a parent alert for Windows Management Instrumentation. [1] [2] [3] |
| | | | An MSSP detection occurred containing evidence of PowerShell adding a new user to the remote host Scranton (10.0.1.4) using net.exe. [1] |
| | | | A Technique alert detection (red indicator) was generated for the creation of a local user with Net. [1] [2] |
| | | | A General alert detection (red indicator) was generated for a process spawned from PowerShell remoting (WinRM). [1] |

Screenshot captions for the numbered references above (each detection's screenshots carry the same two captions): "Added a new user to the remote host Scranton (10.0.1.4) using net.exe"; "net.exe adding the user Toby".
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 7.A.1.1 | | Enrichment (Configuration Change) | The capability enriched lsass.exe with the tag "Create Accounts using GUI". [1] [2] |
| | | | Telemetry showed Registry modification events related to the creation of the user account Jesse. [1] [2] |

Screenshot caption for the numbered references above: "Added user Jesse to Conficker (10.0.0.5) through RDP connection".

Note: The enrichment was added as a configuration change during the action and was not part of the original set of detections when the evaluation started.
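The two rounds above describe the same local-account-creation activity surfacing through two different evidence types: in APT29, net.exe spawned under the WinRM host process wsmprovhost.exe with "user ... /add" arguments; in APT3, Registry modification events tied to the new account. The following is an added example, not code from the evaluation or from the vendor whose results are shown, of detection logic that consumes both kinds of telemetry. The events are constructed Sysmon-like records written for this example, the parent-process list (wsmprovhost.exe, wmiprvse.exe) and the SAM key prefix `HKLM\SAM\SAM\Domains\Account\Users\Names\` are assumptions, and the `Finding` type and function names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample telemetry in a Sysmon-like shape (EventID 1 = process creation,
# EventID 12 = registry key create). Illustrative records only, not evaluation data.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "scranton", "Image": r"C:\Windows\System32\wsmprovhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "wsmprovhost.exe -Embedding"},
    {"EventID": 1, "Host": "scranton", "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": 'net user Toby "P@ssw0rd" /add'},
    {"EventID": 1, "Host": "scranton", "Image": r"C:\Windows\System32\net1.exe",
     "ParentImage": r"C:\Windows\System32\net.exe",
     "CommandLine": r'C:\Windows\system32\net1 user Toby "P@ssw0rd" /add'},
    {"EventID": 1, "Host": "conficker", "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "net user administrator"},
    {"EventID": 12, "Host": "conficker", "Image": r"C:\Windows\System32\lsass.exe",
     "EventType": "CreateKey",
     "TargetObject": r"HKLM\SAM\SAM\Domains\Account\Users\Names\Jesse"},
    {"EventID": 12, "Host": "conficker", "Image": r"C:\Windows\System32\svchost.exe",
     "EventType": "CreateKey",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

NET_BINARIES = {"net.exe", "net1.exe"}          # net.exe hands the real work to net1.exe
REMOTING_HOSTS = {"wsmprovhost.exe", "wmiprvse.exe"}  # assumed WinRM / WMI host processes
# Assumed: the SAM subkey under which a newly created local account's name key appears.
SAM_NAMES_PREFIX = "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\".lower()


@dataclass
class Finding:
    host: str
    account: str
    sources: set = field(default_factory=set)    # "process" and/or "registry"
    via_remoting: bool = False                   # net.exe spawned under a remoting host
    details: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_net_user_add(cmdline: str) -> Optional[dict]:
    """Return {"account", "scope"} for a 'net user <name> ... /add' command line, else None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    lowered = [t.lower() for t in tokens]
    if "user" not in lowered or "/add" not in lowered:
        return None
    i = lowered.index("user")
    if i + 1 >= len(tokens) or tokens[i + 1].startswith("/"):
        return None  # '/add' without an account name is not a creation
    scope = "domain" if "/domain" in lowered else "local"
    return {"account": tokens[i + 1], "scope": scope}


def _from_process(ev: dict) -> Optional[Finding]:
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) not in NET_BINARIES:
        return None
    parsed = parse_net_user_add(ev.get("CommandLine", ""))
    if parsed is None or parsed["scope"] != "local":
        return None
    parent = _basename(ev.get("ParentImage", ""))
    return Finding(ev["Host"], parsed["account"], {"process"}, parent in REMOTING_HOSTS,
                   [f"{parent} -> {_basename(ev['Image'])}: {ev['CommandLine']}"])


def _from_registry(ev: dict) -> Optional[Finding]:
    if ev.get("EventID") != 12 or ev.get("EventType") != "CreateKey":
        return None
    target = ev.get("TargetObject", "")
    if not target.lower().startswith(SAM_NAMES_PREFIX):
        return None
    name = target[len(SAM_NAMES_PREFIX):]
    if not name or "\\" in name:
        return None  # only the direct child key names an account
    return Finding(ev["Host"], name, {"registry"}, False, [f"SAM names key created: {target}"])


def detect_account_creation(events: Iterable[dict]) -> List[Finding]:
    """Merge process and registry evidence per (host, account) so net.exe/net1.exe pairs collapse."""
    merged: dict = {}
    for ev in events:
        hit = _from_process(ev) or _from_registry(ev)
        if hit is None:
            continue
        key = (hit.host, hit.account.lower())
        if key in merged:
            merged[key].sources |= hit.sources
            merged[key].via_remoting |= hit.via_remoting
            merged[key].details.extend(hit.details)
        else:
            merged[key] = hit
    return list(merged.values())


def severity(f: Finding) -> str:
    """Escalate when the creation arrived through remoting or two evidence sources agree."""
    return "high" if f.via_remoting or len(f.sources) > 1 else "medium"


if __name__ == "__main__":
    for f in detect_account_creation(SAMPLE_EVENTS):
        print(severity(f), f.host, f.account, sorted(f.sources), f.details)
```

The merge step matters in practice: net.exe re-launches itself as net1.exe with the same arguments, so a rule that alerts per process-creation event fires twice for one account, while keying on (host, account) yields one finding that still records the WinRM parent from the first event. The registry path is the corroborating signal for accounts created without net.exe at all, which is the APT3 case (account added through the GUI over RDP).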