Carbanak+FIN7
The subtechnique was not in scope.
APT29

Step | ATT&CK Pattern | Detection Type | Detection Note
4.C.9 | Permission Groups Discovery | MSSP | An MSSP detection for "Permission Groups Discovery" was received. It included the PowerShell script and explained that the Invoke-NetUserGetGroups command was used to search for domain groups through Win32 API calls. [1]

Procedure: Enumerated user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API

Note: The MSSP analysis was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logging). In a normal engagement, CyCraft MDR would have requested this analysis when it had received insufficient information to analyze the adversary activity. [1]
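The detection above rests on PowerShell ScriptBlock Logging (Event ID 4104) showing NetUserGetGroups being reached from powershell.exe. One caveat a detection engineer hits immediately is that 4104 splits long script blocks into numbered fragments (MessageNumber of MessageTotal, sharing one ScriptBlockId), so an indicator such as the netapi32 export name can straddle two fragments and be missed by per-event matching. The following is an added example, not CyCraft's or MITRE's code: it parses 4104 events in the XML shape Windows emits, reassembles fragments by ScriptBlockId, and only then matches the indicators this step is about (the Invoke-NetUserGetGroups wrapper name from the MSSP note, a DllImport of netapi32, and the NetUserGetGroups call itself). The events, ScriptBlockIds and script text are constructed for the example; the regexes are illustrative, not a vendor rule set.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

# Windows event XML namespace used by Get-WinEvent's ToXml() output.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Illustrative indicators for step 4.C.9 (assumed patterns, not a vendor rule set).
INDICATORS = {
    "invoke_wrapper": re.compile(r"Invoke-NetUserGetGroups", re.I),
    "netapi_import": re.compile(r'DllImport\(\s*"netapi32(\.dll)?"', re.I),
    "api_call": re.compile(r"\bNetUserGetGroups\b", re.I),
}

# Constructed 4104 event template mirroring the real EventData field names.
EVENT_TMPL = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID></System>
  <EventData>
    <Data Name="MessageNumber">{num}</Data>
    <Data Name="MessageTotal">{total}</Data>
    <Data Name="ScriptBlockText">{text}</Data>
    <Data Name="ScriptBlockId">{sbid}</Data>
    <Data Name="Path">{path}</Data>
  </EventData>
</Event>"""

def make_event(sbid, num, total, text, path=""):
    """Build one constructed 4104 event as XML text."""
    return EVENT_TMPL.format(num=num, total=total, text=escape(text), sbid=sbid, path=path)

# Constructed sample: block-A is a two-fragment Add-Type P/Invoke definition whose
# "NetUserGetGroups" token is split across the fragment boundary; block-B is benign;
# block-C is a single-fragment call to the wrapper named in the MSSP note.
FRAG_A1 = ('Add-Type -TypeDefinition @"\nusing System.Runtime.InteropServices;\n'
           'public class NetApi {\n  [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]\n'
           '  public static extern int NetUserGet')
FRAG_A2 = ('Groups(string server, string user, int level, out System.IntPtr buf,\n'
           '    int prefmax, out int read, out int total);\n}\n"@')
SAMPLE_EVENTS = [
    make_event("block-A", 2, 2, FRAG_A2),            # fragments arrive out of order
    make_event("block-B", 1, 1, "Get-ChildItem C:\\Users | Select-Object Name"),
    make_event("block-A", 1, 2, FRAG_A1),
    make_event("block-C", 1, 1, "Invoke-NetUserGetGroups -UserName alice"),
]

def parse_4104(xml_text):
    """Extract the ScriptBlock fields from one 4104 event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {"id": data["ScriptBlockId"], "num": int(data["MessageNumber"]),
            "total": int(data["MessageTotal"]), "text": data["ScriptBlockText"],
            "path": data.get("Path", "")}

def reassemble(events):
    """Group fragments by ScriptBlockId, order by MessageNumber, and concatenate."""
    frags_by_id = defaultdict(list)
    for ev in events:
        frags_by_id[ev["id"]].append(ev)
    blocks = {}
    for sbid, frags in frags_by_id.items():
        frags.sort(key=lambda f: f["num"])
        complete = [f["num"] for f in frags] == list(range(1, frags[0]["total"] + 1))
        blocks[sbid] = {"text": "".join(f["text"] for f in frags),
                        "complete": complete, "path": frags[0]["path"]}
    return blocks

def detect(xml_events):
    """Match indicators against reassembled script blocks; return one alert per block."""
    alerts = []
    for sbid, blk in reassemble(parse_4104(x) for x in xml_events).items():
        hits = sorted(n for n, rx in INDICATORS.items() if rx.search(blk["text"]))
        if hits:
            alerts.append({"script_block_id": sbid, "indicators": hits,
                           "complete": blk["complete"], "path": blk["path"]})
    return alerts

def fragment_hits(xml_events):
    """Naive per-event matching, kept only to show what reassembly recovers."""
    hits = defaultdict(set)
    for ev in (parse_4104(x) for x in xml_events):
        hits[ev["id"]].update(n for n, rx in INDICATORS.items() if rx.search(ev["text"]))
    return dict(hits)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print("per-fragment only:", fragment_hits(SAMPLE_EVENTS))
```

Running it shows block-A and block-C alerting after reassembly, while per-fragment matching sees only the DllImport in block-A and never the NetUserGetGroups call. The `complete` flag matters in practice too: if a fragment was dropped or not yet forwarded, the concatenated text is partial and the absence of a match is not evidence of absence.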