Carbanak+FIN7

The subtechnique was not in scope.

APT29

The subtechnique was not in scope.

APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 7.A.1.3 | | | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information. |
| 12.G.1 | | General Behavior (Delayed) | The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used to capture information about local users. |
| | | | The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). |

Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information
Empire: 'net user' via PowerShell
Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.