Carbanak+FIN7
|
The subtechnique was not in scope.
|
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
20.B.3
|
|
|
Telemetry showed the user Toby being created on the scranton host.
[1]
|
|
A Technique alert detection (high severity) for net_user_add was generated due to net.exe being used to add a user account.
[1]
|
|
An MSSP detection occurred containing evidence of new user "Toby" being created with net.exe.
[1]
[2]
|
|
Added a new user to the remote host Scranton (10.0.1.4) using net.exe
net.exe adding the user Toby
[1]
Added a new user to the remote host Scranton (10.0.1.4) using net.exe
net.exe adding the user Toby
[1]
Added a new user to the remote host Scranton (10.0.1.4) using net.exe
net.exe adding the user Toby
[1]
[2]
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.A.1.1
|
|
|
Telemetry showed the creation of the new user Jesse.
[1]
|
|
Added user Jesse to Conficker (10.0.0.5) through RDP connection
[1]