FireEye: Execution (TA0002), Enterprise evaluation results
Carbanak+FIN7

Step | ATT&CK Pattern
1.A.1 | User Execution (T1204)
1.A.2 |
1.A.3 |
1.A.7 |
1.A.8 |
1.A.9 |
2.B.2 |
2.B.3 |
3.A.1 |
3.B.2 |
3.B.3 |
3.B.6 | Native API (T1106)
4.B.3 |
4.B.6 |
5.A.6 |
5.C.3 |
5.C.5 |
6.A.1 |
7.A.2 |
8.A.1 |
11.A.1 | User Execution (T1204)
11.A.3 | Signed Binary Proxy Execution (T1218): Mshta (T1218.005)
11.A.4 |
11.A.7 |
11.A.8 |
12.A.1 |
12.A.2 |
13.A.2 |
13.B.2 |
13.B.3 |
14.A.1 |
14.A.2 |
14.A.4 |
15.A.4 |
16.A.3 |
16.A.6 |
17.A.3 |
19.B.1 |
APT29

Step | ATT&CK Pattern
1.A.1 |
1.B.1 |
1.B.2 |
4.A.2 |
4.C.10 | Native API (T1106)
4.C.12 | Native API (T1106)
8.C.3 |
9.B.1 |
10.A.1 |
10.B.2 | Native API (T1106)
11.A.1 |
11.A.12 |
14.B.1 |
16.B.2 | Native API (T1106)
20.A.1 | Signed Binary Proxy Execution (T1218): Rundll32 (T1218.011)
20.A.3 |
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from powershell.exe
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Footnotes:
- The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Footnotes:
- The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure: Executed python.exe using PSExec
Criteria: python.exe spawned by PSEXESVC.exe
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Executed persistent service (javamtsup) on system startup
Criteria: javamtsup.exe spawning from services.exe

Procedure: Executed PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe executing the CreateProcessWithToken API

Procedure: Executed PowerShell stager payload
Criteria: powershell.exe spawning from the schemas ADS (powershell.exe)
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Created and executed a WMI class using PowerShell
Criteria: WMI Process (WmiPrvSE.exe) executing powershell.exe
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll
Criteria: powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll
Footnotes:
- The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure: Executed Run key persistence payload on user login using RunDll32
Criteria: rundll32.exe executing kxwn.lock
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
APT3

Step | ATT&CK Pattern
1.A.1.1 |
1.A.1.2 | Signed Binary Proxy Execution (T1218): Rundll32 (T1218.011)
1.A.1.3 |
3.C.1 | Process Injection (T1055)
5.A.1.2 | Process Injection (T1055)
5.A.2.2 | Process Injection (T1055)
7.A.1.2 | Graphical User Interface (T1061)
7.C.1 |
8.D.1.2 | Process Injection (T1055)
10.A.2 |
11.A.1 |
12.E.1 |
16.F.1 |
16.L.1 |
Procedure: Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
Footnotes:
- The scan type used to produce this alert is On-access, which means the scan occurs on file writes and executions.
- The vendor reported that this file would have been quarantined and prevented from executing.

Procedure: Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32
Footnotes:
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.

Procedure: Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Footnotes:
- Managed Defense Report (see the note above).
- The vendor stated the process injection detection capability is an HX plugin that is only available within the Managed Defense Service, and the data is reported to a separate cloud server which is not accessible to customers at this time.

Procedure: Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Footnotes:
- Managed Defense Report (see the note above).

Procedure: Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Footnotes:
- Managed Defense Report (see the note above).

Procedure: Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Footnotes:
- Managed Defense Report (see the note above).

Procedure: Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Footnotes:
- Managed Defense Report (see the note above).
- All five of the sc.exe events are rolled under the same SC Execution alert.


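The APT29 criteria above are parent/child and API-resolution relationships (powershell.exe spawned by cmd.exe, python.exe spawned by PSEXESVC.exe, NetUserGetGroups resolved from Netapi32.dll inside powershell.exe), and the last APT3 entry notes that five sc.exe events were rolled into one SC Execution alert. The Python below is an added example, not FireEye's or MITRE's code: it encodes those criteria as rules and runs them over constructed sample telemetry. The event shapes, host names, command lines and the service name svc1 are assumptions; the rule names quote the page's criteria.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One detection criterion, expressed as equality on event fields.

    kind names the telemetry class the criterion needs (assumed event shapes):
      "process"   process creation: image plus parent image, optionally cmdline
      "api"       an API function resolved from a DLL inside a process
      "imageload" a DLL mapped into a process (no rule below uses it: Advapi32.dll
                  and Netapi32.dll load into far too many processes to alert on)
    Fields left as None are not checked. rollup=True collapses repeated hits on
    one host into a single alert, as the page says happened for the sc.exe events.
    """
    name: str
    kind: str
    image: str
    parent: Optional[str] = None
    module: Optional[str] = None
    function: Optional[str] = None
    cmdline_contains: Optional[str] = None
    rollup: bool = False

    def matches(self, ev: dict) -> bool:
        if ev.get("kind") != self.kind:
            return False
        for attr in ("image", "parent", "module", "function"):
            want = getattr(self, attr)
            if want is not None and ev.get(attr, "").lower() != want.lower():
                return False
        if self.cmdline_contains is not None and \
                self.cmdline_contains.lower() not in ev.get("cmdline", "").lower():
            return False
        return True


# Rule names quote the criteria on this page; "SC Execution" is the rolled-up alert.
RULES = [
    Rule("powershell.exe spawning from cmd.exe", "process", "powershell.exe", parent="cmd.exe"),
    Rule("powershell.exe spawning from powershell.exe", "process", "powershell.exe",
         parent="powershell.exe"),
    Rule("NetUserGetGroups loaded into powershell.exe from Netapi32.dll", "api",
         "powershell.exe", module="Netapi32.dll", function="NetUserGetGroups"),
    Rule("NetUserGetLocalGroups loaded into powershell.exe from Netapi32.dll", "api",
         "powershell.exe", module="Netapi32.dll", function="NetUserGetLocalGroups"),
    Rule("python.exe spawned by PSEXESVC.exe", "process", "python.exe", parent="PSEXESVC.exe"),
    Rule("javamtsup.exe spawning from services.exe", "process", "javamtsup.exe",
         parent="services.exe"),
    Rule("WmiPrvSE.exe executing powershell.exe", "process", "powershell.exe",
         parent="WmiPrvSE.exe"),
    Rule("ConvertSidToStringSid loaded into powershell.exe from Advapi32.dll", "api",
         "powershell.exe", module="Advapi32.dll", function="ConvertSidToStringSid"),
    Rule("rundll32.exe executing kxwn.lock", "process", "rundll32.exe", cmdline_contains="kxwn.lock"),
    Rule("SC Execution", "process", "sc.exe", parent="powershell.exe",
         cmdline_contains="start", rollup=True),
]


def _proc(host, image, parent, cmdline=None):
    return {"kind": "process", "host": host, "image": image, "parent": parent,
            "cmdline": cmdline or image}


def _api(host, image, module, function):
    return {"kind": "api", "host": host, "image": image, "module": module, "function": function}


def _load(host, image, module):
    return {"kind": "imageload", "host": host, "image": image, "module": module}


# Constructed sample telemetry, not captured from the evaluation. Hosts ws1/ws2,
# the command lines and the service name svc1 are assumptions; 10.0.0.4 is from the page.
SAMPLE_EVENTS = [
    _proc("ws1", "powershell.exe", "explorer.exe"),            # benign user-launched shell
    _proc("ws1", "powershell.exe", "cmd.exe"),
    _proc("ws1", "powershell.exe", "powershell.exe"),
    _load("ws1", "powershell.exe", "Netapi32.dll"),             # load alone is not the criterion
    _api("ws1", "powershell.exe", "Netapi32.dll", "NetUserGetGroups"),
    _api("ws1", "powershell.exe", "Netapi32.dll", "NetUserGetLocalGroups"),
    _proc("ws2", "python.exe", "PSEXESVC.exe"),
    _proc("ws2", "javamtsup.exe", "services.exe"),
    _proc("ws1", "powershell.exe", "WmiPrvSE.exe"),
    _load("ws1", "powershell.exe", "Advapi32.dll"),             # loads in nearly every process
    _api("ws1", "powershell.exe", "Advapi32.dll", "ConvertSidToStringSid"),
    _proc("ws1", "rundll32.exe", "explorer.exe", "rundll32.exe kxwn.lock,#1"),
] + [_proc("ws1", "sc.exe", "powershell.exe", r"sc.exe \\10.0.0.4 start svc1") for _ in range(5)]


def detect(events, rules=RULES):
    """Apply every rule to every event. Non-rollup hits become one alert each;
    rollup hits are grouped into one alert per (rule, host) carrying all events."""
    alerts = []
    grouped = defaultdict(list)
    for ev in events:
        for rule in rules:
            if not rule.matches(ev):
                continue
            if rule.rollup:
                grouped[(rule.name, ev["host"])].append(ev)
            else:
                alerts.append({"rule": rule.name, "host": ev["host"], "events": [ev]})
    for (name, host), evs in grouped.items():
        alerts.append({"rule": name, "host": host, "events": evs})
    return alerts


def hits_by_rule(alerts):
    """Alert count per rule name."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['host']:4} {a['rule']} ({len(a['events'])} event(s))")
```

The "api" events stand in for the function-level telemetry the Netapi32.dll and Advapi32.dll criteria require; a plain image load of either DLL is deliberately not a rule, because both are mapped into nearly every process and the page's criteria name the resolved function, not the load. The rollup on the sc.exe rule reproduces the page's note that five sc.exe events surfaced as a single alert, which is the behaviour to keep in mind when counting detections per step.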