Carbanak+FIN7

The subtechnique was not in scope.

APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 8.A.2 | Established WinRM connection to remote host Scranton (10.0.1.4). Network connection to Scranton (10.0.1.4) over port 5985. | | A Technique alert detection for "WinRMSession" under "Lateral Movement {T1028}" was generated when a connection to remote host Scranton (10.0.1.4) from host Nashua (10.0.1.6) over port 5985 using the wsman protocol was issued. [1] [2] |
| 8.A.2 | Established WinRM connection to remote host Scranton (10.0.1.4). Network connection to Scranton (10.0.1.4) over port 5985. | | An MSSP detection for "T1028" occurred containing evidence of Lateral Movement via WinRM with a wsman network connection to host Scranton (10.0.1.4) over port 5985. [1] [2] |
| 16.C.1 | Established a WinRM connection to the domain controller host NewYork (10.0.0.4). Network connection to NewYork (10.0.0.4) over port 5985. | | Telemetry showed a connection to remote host NewYork (10.0.0.4) over port 5985 using the wsman protocol. The detection was correlated to a parent grouping of malicious activity. [1] [2] |
| 16.C.1 | Established a WinRM connection to the domain controller host NewYork (10.0.0.4). Network connection to NewYork (10.0.0.4) over port 5985. | Technique (Correlated, Alert) | A Technique alert detection for "WinRMSession" was generated for the creation of a WinRM session. The detection was correlated to a parent grouping of malicious activity. [1] |
| 16.C.1 | Established a WinRM connection to the domain controller host NewYork (10.0.0.4). Network connection to NewYork (10.0.0.4) over port 5985. | | An MSSP detection for "T1028" occurred containing evidence of a connection to remote host NewYork (10.0.0.4) over port 5985 using the wsman protocol, and a WinRM indicator for Lateral Movement. [1] |
| 20.B.2 | Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials. Network connection to Scranton (10.0.1.4) over port 5985. | | Telemetry showed PowerShell with an open network connection to remote host Scranton (10.0.1.4) over port 5985. The detection was correlated to a parent grouping of malicious activity. [1] |
| 20.B.2 | Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials. Network connection to Scranton (10.0.1.4) over port 5985. | | An MSSP detection for "T1028" occurred containing evidence of Enter-PSSession being used to create a WinRM session to remote host Scranton (10.0.1.4) over port 5985. [1] |

APT3

The subtechnique was not in scope.