Carbanak+FIN7
|
The subtechnique was not in scope.
|
APT29
|
The subtechnique was not in scope.
|
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
16.C.1
|
|
Specific Behavior
(Delayed)
|
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker unmounted the share from CodeRed.
[1]
[2]
|
|
Telemetry showed net.exe executing with command-line arguments.
[1]
[2]
|
|
Empire: 'net use -delete' via PowerShell
-
Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
[1]
[2]
Empire: 'net use -delete' via PowerShell
[1]
[2]