FireEye
Remote Services: SMB/Windows Admin Shares (T1021.002)
See subtechnique results for:

Carbanak+FIN7
Steps: 5.C.2, 16.A.5

APT29
Step: 8.C.2

Procedure
Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria
SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

APT3
Steps: 16.A.1.2, 16.B.1.2, 16.D.1.1

Procedure
Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.




Procedure
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.



