Carbanak+FIN7
|
The technique was not in scope.
|
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
11.A.5
|
|
|
An MSSP detection for "T1120" occurred containing evidence of WMI query targeting Win32_PnPEntity.
[1]
|
|
A Technique alert detection for "SuspiciousWMIQuery" under "{T1120}" (Peripheral Device Discovery) was generated due to a suspicious WMI query for Win32_PnPEntity.
[1]
|
|
Telemetry showed the PowerShell gwmi query for Win32_PnPEntity.
|
|
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
[1]
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
[1]
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
-
Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
APT3
|
The technique was not in scope.
|