Remote Services: Windows Remote Management (T1021.006)
See subtechnique results for:
Carbanak+FIN7: The subtechnique was not in scope.
APT29

| Step | ATT&CK Pattern |
|---|---|
| 8.A.2 | |
| 16.C.1 | |
| 20.B.2 | |

Procedure
Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials
Criteria
Network connection to Scranton (10.0.1.4) over port 5985
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.



