BlackBerry Cylance
Command and Scripting Interpreter (T1059)
Carbanak+FIN7

Step | ATT&CK Pattern
--- | ---
1.A.3 |
1.A.7 |
1.A.8 |
1.A.9 | Tactic: Execution (TA0002); Subtechnique: Command and Scripting Interpreter: JavaScript/JScript (T1059.007)
2.B.2 |
2.B.3 |
3.A.1 |
3.B.2 |
3.B.3 |
4.B.3 |
4.B.6 |
5.A.6 |
5.C.5 |
6.A.1 |
7.A.2 |
8.A.1 |
11.A.4 |
12.A.2 | Tactic: Execution (TA0002); Subtechnique: Command and Scripting Interpreter: JavaScript/JScript (T1059.007)
13.A.2 |
13.B.2 |
13.B.3 |
14.A.1 |
14.A.2 |
14.A.4 |
15.A.4 |
16.A.3 |
17.A.3 |
19.B.1 |

Criteria
Adb156.exe spawns cmd.exe
Footnotes
- MITRE confirmed detection without screenshots
- Remote Response/Host Interrogation
APT29

Step | ATT&CK Pattern
--- | ---
1.B.1 |
1.B.2 |
4.A.2 |
9.B.1 |
11.A.12 |
20.A.3 |

Procedure
Spawned interactive powershell.exe
Criteria
powershell.exe spawning from cmd.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Spawned interactive powershell.exe
Criteria
powershell.exe spawning from python.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Executed PowerShell stager payload
Criteria
powershell.exe spawning from the schemas ADS (powershell.exe)
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.