FireEye (Enterprise participant): Persistence (TA0003)
Carbanak+FIN7

Step | ATT&CK Pattern
4.A.4 |
5.A.8 |
5.B.2 |
7.B.2 |
7.C.4 |
10.A.4 |
16.A.4 |
19.A.1 |
19.B.5 | Technique: Event Triggered Execution (T1546); Subtechnique: Application Shimming (T1546.011)
20.A.1 | Technique: Event Triggered Execution (T1546); Subtechnique: Application Shimming (T1546.011)

APT29

Step | ATT&CK Pattern
5.A.1 |
5.B.1 |
10.B.1 |
11.A.11 |
15.A.2 |
20.A.2 |
20.B.3 |

Procedure
Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria
powershell.exe creating the javamtsup service
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Established Registry Run key persistence using PowerShell
Criteria
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Executed WMI persistence on user login
Criteria
The WMI process (wmiprvse.exe) executing powershell.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Added a new user to the remote host Scranton (10.0.1.4) using net.exe
Criteria
net.exe adding the user Toby
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
APT3

Step | ATT&CK Pattern
1.B.1 |
7.A.1.1 |
10.A.1 |
10.B.1.1 |
17.C.1 | Technique: Event Triggered Execution (T1546); Subtechnique: Accessibility Features (T1546.008)
20.A.1.1 | Technique: Event Triggered Execution (T1546); Subtechnique: Accessibility Features (T1546.008)

Procedure
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Procedure
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Footnotes
- The alert mapped to two ATT&CK Techniques (T1059 - Command-Line Interface and T1105 - Remote File Copy), but they were not directly related to the Registry Run Keys / Startup Folder Technique under test in this procedure.
Procedure
Added user Jesse to Conficker (10.0.0.5) through RDP connection
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Procedure
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Procedure
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Procedure
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Procedure
magnify.exe, previously overwritten with cmd.exe, launched through an RDP connection made to Creeper (10.0.0.4)
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
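The criteria on this page are stated as observable conditions; the block below turns each of them into a rule and runs the rules over constructed telemetry. It is an added example, not MITRE's or FireEye's code and not the evaluation's captured data: the event schema (flat dicts with Sysmon-style field names image, parent, cmdline, parent_cmdline, target_object, target_filename, original_file_name) is an assumption, the sample events are constructed, and the names in them (javamtsup, Webcache, Toby, Debbie, autoupdate.bat, update.dat, magnify.exe) are taken from the APT29 and APT3 procedures above. Two rules go beyond what the page states: the OriginalFileName comparison for accessibility binaries is one way to catch magnify.exe overwritten with cmd.exe at launch time, and the sdbinst.exe / AppCompatFlags rule covers the Application Shimming technique (T1546.011) that the Carbanak+FIN7 table lists for steps 19.B.5 and 20.A.1 without a procedure description. Sysmon records HKCU under HKU\<SID>, so the Run key rule matches the key path rather than the hive prefix.

```python
"""Detection rules for the persistence criteria listed on this page, run over
constructed Sysmon-style events (added example, not MITRE's or FireEye's code).
Assumed schema: flat dicts with Sysmon-like field names (image, parent, cmdline,
parent_cmdline, target_object, target_filename, original_file_name)."""
import re

# Windows accessibility binaries that T1546.008 replaces or hijacks.
ACCESSIBILITY_BINARIES = {"magnify.exe", "sethc.exe", "utilman.exe", "osk.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}
# Sysmon reports HKCU as HKU\<SID>, so match on the key path rather than the hive.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
NET_ADD_RE = re.compile(r"\buser\b.*\s/add\b", re.I)
# Registry locations written when sdbinst.exe installs a shim database (T1546.011).
SHIM_KEY_RE = re.compile(r"\\AppCompatFlags\\(Custom|InstalledSDB)\\", re.I)


def basename(path):
    """Lower-cased final path component ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def is_proc(e, image=None, parent=None):
    """True for a process_create event whose image/parent basename is in the given sets."""
    if e.get("type") != "process_create":
        return False
    if image and basename(e.get("image", "")) not in image:
        return False
    if parent and basename(e.get("parent", "")) not in parent:
        return False
    return True


# (rule name, predicate), one rule per criterion described on this page.
RULES = [
    # APT29: powershell.exe creating the javamtsup service
    ("service_created_by_powershell", lambda e: e.get("type") == "service_install"
     and basename(e.get("image", "")) == "powershell.exe"),
    # APT29: new value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    ("hkcu_run_key_added", lambda e: e.get("type") == "registry_set"
     and RUN_KEY_RE.search(e.get("target_object", "")) is not None),
    # APT29: wmiprvse.exe executing powershell.exe
    ("wmi_spawned_powershell", lambda e:
     is_proc(e, image={"powershell.exe"}, parent={"wmiprvse.exe"})),
    # APT29: net.exe adding a user
    ("net_user_add", lambda e: is_proc(e, image={"net.exe", "net1.exe"})
     and NET_ADD_RE.search(e.get("cmdline", "")) is not None),
    # APT3: a file written into a Startup folder
    ("startup_folder_write", lambda e: e.get("type") == "file_create"
     and STARTUP_RE.search(e.get("target_filename", "")) is not None),
    # APT3: rundll32.exe launched by a script running out of the Startup folder
    ("rundll32_from_startup_script", lambda e: is_proc(e, image={"rundll32.exe"})
     and STARTUP_RE.search(e.get("parent_cmdline", "")) is not None),
    # APT3: an accessibility binary overwritten on disk
    ("accessibility_binary_overwritten", lambda e: e.get("type") == "file_create"
     and basename(e.get("target_filename", "")) in ACCESSIBILITY_BINARIES),
    # APT3: an accessibility binary whose PE OriginalFileName is not its own
    ("accessibility_binary_mismatch", lambda e: is_proc(e, image=ACCESSIBILITY_BINARIES)
     and e.get("original_file_name", "").lower() != basename(e.get("image", ""))),
    # Carbanak+FIN7 (T1546.011): shim database installed via sdbinst.exe
    ("application_shim_installed", lambda e: is_proc(e, image={"sdbinst.exe"})
     or (e.get("type") == "registry_set"
         and SHIM_KEY_RE.search(e.get("target_object", "")) is not None)),
]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
STARTUP = r"C:\Users\Debbie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed sample telemetry, not evaluation data; names echo this page's procedures.
SAMPLE_EVENTS = [
    {"id": 1, "type": "service_install", "image": PS, "service_name": "javamtsup"},
    {"id": 2, "type": "registry_set", "image": PS, "target_object":
     r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Webcache"},
    {"id": 3, "type": "process_create", "image": PS, "cmdline": "powershell.exe -NoProfile",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"id": 4, "type": "process_create", "image": r"C:\Windows\System32\net.exe", "parent": PS,
     "cmdline": "net user Toby Passw0rd! /add"},
    {"id": 5, "type": "file_create", "image": CMD, "target_filename": STARTUP + r"\autoupdate.bat"},
    {"id": 6, "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe", "parent": CMD,
     "parent_cmdline": CMD + ' /c "' + STARTUP + r'\autoupdate.bat"',
     "cmdline": r"rundll32.exe C:\Windows\update.dat,Start"},   # export name assumed
    {"id": 7, "type": "file_create", "image": PS, "target_filename": r"C:\Windows\System32\magnify.exe"},
    {"id": 8, "type": "process_create", "image": r"C:\Windows\System32\magnify.exe",
     "parent": r"C:\Windows\System32\winlogon.exe", "original_file_name": "Cmd.Exe"},
    {"id": 9, "type": "process_create", "image": r"C:\Windows\System32\sdbinst.exe", "parent": CMD,
     "cmdline": r"sdbinst.exe -q C:\Windows\Temp\shim.sdb"},
    # Benign controls that must not fire: the real magnifier, an unrelated HKCU write.
    {"id": 10, "type": "process_create", "image": r"C:\Windows\System32\magnify.exe",
     "parent": r"C:\Windows\explorer.exe", "original_file_name": "MAGNIFY.EXE"},
    {"id": 11, "type": "registry_set", "image": r"C:\Windows\explorer.exe", "target_object":
     r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]


def run_rules(events):
    """Return {event id: [matched rule names]} for the events that fired."""
    return {e["id"]: m for e in events if (m := [n for n, p in RULES if p(e)])}
```

Calling run_rules(SAMPLE_EVENTS) returns one rule per constructed event 1 through 9 and nothing for events 10 and 11. The negative cases are the point: the legitimate magnify.exe launch (OriginalFileName matches the image name) and the unrelated HKCU write do not fire, which is what separates a rule from a string search over the same telemetry.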