Home >
Enterprise >
Participants >
SentinelOne >
Execution (TA0002)
|
|
Carbanak+FIN7 |
||||||||
Step | ATT&CK Pattern |
|
||||||
1.A.1
|
Technique User Execution (T1204) |
|
||||||
1.A.2
|
|
|||||||
1.A.3
|
|
|||||||
1.A.7
|
|
|||||||
1.A.8
|
|
|||||||
1.A.9
|
|
|||||||
2.B.2
|
|
|||||||
2.B.3
|
|
|||||||
3.A.1
|
|
|||||||
3.B.2
|
|
|||||||
3.B.3
|
|
|||||||
3.B.6
|
Technique Native API (T1106) |
|
||||||
4.B.3
|
|
|||||||
4.B.6
|
|
|||||||
5.A.6
|
|
|||||||
5.C.3
|
|
|||||||
5.C.5
|
|
|||||||
6.A.1
|
|
|||||||
7.A.2
|
|
|||||||
8.A.1
|
|
|||||||
11.A.1
|
Technique User Execution (T1204) |
|
||||||
11.A.3
|
Technique Signed Binary Proxy Execution (T1218) Subtechnique Signed Binary Proxy Execution: Mshta (T1218.005) |
|
||||||
11.A.4
|
|
|||||||
11.A.7
|
|
|||||||
11.A.8
|
|
|||||||
12.A.1
|
|
|||||||
12.A.2
|
|
|||||||
13.A.2
|
|
|||||||
13.B.2
|
|
|||||||
13.B.3
|
|
|||||||
14.A.1
|
|
|||||||
14.A.2
|
|
|||||||
14.A.4
|
|
|||||||
15.A.4
|
|
|||||||
16.A.3
|
|
|||||||
16.A.6
|
|
|||||||
17.A.3
|
|
|||||||
19.B.1
|
|
APT29 |
||||||||||
Step | ATT&CK Pattern |
|
||||||||
1.A.1
|
|
|||||||||
1.B.1
|
|
|||||||||
1.B.2
|
|
|||||||||
4.A.2
|
|
|||||||||
4.C.10
|
Technique Native API (T1106) |
|
||||||||
4.C.12
|
Technique Native API (T1106) |
|
||||||||
8.C.3
|
|
|||||||||
9.B.1
|
|
|||||||||
10.A.1
|
|
|||||||||
10.B.2
|
Technique Native API (T1106) |
|
||||||||
11.A.1
|
|
|||||||||
11.A.12
|
|
|||||||||
14.B.1
|
|
|||||||||
16.B.2
|
Technique Native API (T1106) |
|
||||||||
20.A.1
|
Technique Signed Binary Proxy Execution (T1218) Subtechnique Signed Binary Proxy Execution: Rundll32 (T1218.011) |
|
||||||||
20.A.3
|
|
Procedure
Executed API call by reflectively loading Netapi32.dll
Criteria
The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Procedure
Executed API call by reflectively loading Netapi32.dll
Criteria
The NetUserGetLocalGroups API function loaded into powershelle.exe from Netapi32.dll
Procedure
Executed PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe executing the CreateProcessWithToken API
Procedure
Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll
Criteria
powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll
Footnotes
- A UX Configuration Change was made to bring PowerShell script block logs into the user interface.


[2]


APT3 |
||||||
Step | ATT&CK Pattern |
|
||||
1.A.1.1
|
|
|||||
1.A.1.2
|
Technique Signed Binary Proxy Execution (T1218) Subtechnique Signed Binary Proxy Execution: Rundll32 (T1218.011) |
|
||||
1.A.1.3
|
|
|||||
3.C.1
|
Technique Process Injection (T1055) |
|
||||
5.A.1.2
|
Technique Process Injection (T1055) |
|
||||
5.A.2.2
|
Technique Process Injection (T1055) |
|
||||
7.A.1.2
|
Technique Graphical User Interface (T1061) |
|
||||
7.C.1
|
|
|||||
8.D.1.2
|
Technique Process Injection (T1055) |
|
||||
10.A.2
|
|
|||||
11.A.1
|
|
|||||
12.E.1
|
|
|||||
16.F.1
|
|
|||||
16.L.1
|
|
Procedure
Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection