APT29

| Step | ATT&CK Pattern | Procedure | Criteria | Detection Type | Detection Note |
|---|---|---|---|---|---|
| 1.B.1 | | Spawned interactive cmd.exe | cmd.exe spawning from the rcs.3aka3.doc process [1] | Technique (Alert) | A Technique alert detection (yellow; medium severity) called "Command Line Interface" was generated due to cmd.exe spawning from rcs.3aka3.doc. [1] |
| 1.B.1 | | Spawned interactive cmd.exe | cmd.exe spawning from the rcs.3aka3.doc process [1] | MSSP | An MSSP detection contained evidence of rcs.3aka3.doc spawning cmd.exe. [1] |
| 1.B.1 | | Spawned interactive cmd.exe | cmd.exe spawning from the rcs.3aka3.doc process [1] | Telemetry | Telemetry showed cmd.exe spawning from rcs.3aka3.doc. [1] |
| 1.B.2 | | Spawned interactive powershell.exe | powershell.exe spawning from cmd.exe [1] | Technique (Correlated, Alert) | A Technique alert detection (yellow; medium severity) called "PowerShell" was generated due to the execution of powershell.exe by cmd.exe. The alert was correlated to a parent alert for command line execution. [1] |
| 1.B.2 | | Spawned interactive powershell.exe | powershell.exe spawning from cmd.exe [1] | MSSP | An MSSP detection contained evidence of cmd.exe spawning powershell.exe. [1] |
| 1.B.2 | | Spawned interactive powershell.exe | powershell.exe spawning from cmd.exe [1] | Telemetry | Telemetry showed powershell.exe spawning from cmd.exe. [1] |
| 4.A.2 | | Spawned interactive powershell.exe | powershell.exe spawning from powershell.exe [1] | Telemetry (Correlated) | Telemetry showed a new powershell.exe spawning from powershell.exe. The detection was correlated to a parent alert for suspicious PowerShell. [1] |
| 4.A.2 | | Spawned interactive powershell.exe | powershell.exe spawning from powershell.exe [1] [2] | MSSP | An MSSP detection contained evidence of powershell.exe spawning from powershell.exe and indicated that the new PowerShell process was a Meterpreter shell. [1] [2] |
| 4.A.2 | | Spawned interactive powershell.exe | powershell.exe spawning from powershell.exe [1] | Technique (Alert, Correlated) | A Technique alert detection (yellow; medium severity) called "PowerShell" was generated due to powershell.exe spawning a new powershell.exe. The detection was correlated to a parent alert for suspicious PowerShell. [1] |
| 9.B.1 | | Spawned interactive powershell.exe | powershell.exe spawning from python.exe [1] | Technique (Alert) | A Technique alert detection (yellow; medium severity) called "T1086_PowerShell" was generated due to python.exe spawning powershell.exe. [1] |
| 9.B.1 | | Spawned interactive powershell.exe | powershell.exe spawning from python.exe [1] | MSSP | An MSSP detection contained evidence of python.exe spawning powershell.exe. [1] |
| 9.B.1 | | Spawned interactive powershell.exe | powershell.exe spawning from python.exe [1] | Telemetry | Telemetry showed python.exe executing powershell.exe. [1] |
| 11.A.12 | | Executed PowerShell stager payload | powershell.exe spawning from the schemas ADS (powershell.exe) [1] [2] | Technique (Alert) | A Technique alert detection (yellow indicator) called "PowerShell" was generated for powershell.exe spawned from a PowerShell stager. [1] [2] |
| 11.A.12 | | Executed PowerShell stager payload | powershell.exe spawning from the schemas ADS (powershell.exe) [1] | MSSP | An MSSP detection contained evidence of PowerShell executing from the schemas ADS. [1] |
| 11.A.12 | | Executed PowerShell stager payload | powershell.exe spawning from the schemas ADS (powershell.exe) [1] [2] | Telemetry | Telemetry showed powershell.exe spawned from a PowerShell stager. [1] [2] |
| 11.A.12 | | Executed PowerShell stager payload | powershell.exe spawning from the schemas ADS (powershell.exe) [1] | General (Alert) | A General alert detection (high severity) called "PDM:Exploit.Win32.Generic" was generated for a potential threat. [1] |
| 20.A.3 | | Executed PowerShell payload from WMI event subscription persistence | SYSTEM-level powershell.exe spawned from powershell.exe [1] | Technique (Alert) | A Technique alert detection (red; high severity) called "PowerShell" was generated due to powershell.exe spawning a SYSTEM-level powershell.exe. [1] |
| 20.A.3 | | Executed PowerShell payload from WMI event subscription persistence | SYSTEM-level powershell.exe spawned from powershell.exe [1] | MSSP | An MSSP detection contained evidence of PowerShell spawned from a WMI event subscription. [1] |
| 20.A.3 | | Executed PowerShell payload from WMI event subscription persistence | SYSTEM-level powershell.exe spawned from powershell.exe [1] | Telemetry | Telemetry showed execution of SYSTEM-level PowerShell. [1] |
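Every row above reduces to the same primitive: a process-creation event whose parent/child pair (and, for 20.A.3, the user context; for 11.A.12, an alternate-data-stream reference on the command line) is anomalous, with child alerts correlated to an alert already raised on the parent. The following is an added example of that logic, not code from the vendor or from the evaluation: it runs a small rule set over constructed Sysmon-style process-creation records that mirror the chains in the table (rcs.3aka3.doc -> cmd.exe -> powershell.exe -> powershell.exe, python.exe -> powershell.exe, an ADS-backed stager, and a SYSTEM-level powershell.exe spawned by powershell.exe). The field names, GUIDs, user names, paths and command lines are invented for the example; the alert names and severities follow the table.

```python
"""Parent-child process detection with parent-alert correlation.

Added example. Events are constructed records modelled loosely on
Sysmon Event ID 1 fields (Image, ParentImage, User, CommandLine,
ProcessGuid, ParentProcessGuid); all values are made up.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    guid: str            # ProcessGuid
    parent_guid: str     # ParentProcessGuid
    image: str           # Image (full path of the new process)
    parent_image: str    # ParentImage
    user: str            # User (DOMAIN\name or NT AUTHORITY\SYSTEM)
    command_line: str    # CommandLine


@dataclass
class Alert:
    name: str
    severity: str
    guid: str            # process the alert was raised on
    evidence: str
    correlated_to: Optional[str] = None  # guid of the parent process whose alert this one links to


SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_HOSTS = SHELLS | {"python.exe"}
EXEC_EXTS = {".exe", ".com", ".scr"}
# "X:\dir\file:stream" reference, or PowerShell's Get-Content -Stream switch
ADS_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]*?:[^\s"\\:]+')
ADS_SWITCH_RE = re.compile(r'-stream\s+\S+', re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased final path component; also strips a DOMAIN\\ prefix from user names."""
    return ntpath.basename(path).lower()


def ads_reference(command_line: str) -> Optional[str]:
    """Return the alternate-data-stream reference found on a command line, if any."""
    m = ADS_PATH_RE.search(command_line) or ADS_SWITCH_RE.search(command_line)
    return m.group(0) if m else None


def classify(ev: ProcEvent) -> Optional[Tuple[str, str, str]]:
    """Return (alert name, severity, evidence) for one event, or None if benign."""
    child, parent = _base(ev.image), _base(ev.parent_image)
    if child not in SHELLS:
        return None
    parent_is_exe = ntpath.splitext(parent)[1] in EXEC_EXTS
    if child == "cmd.exe":
        # a process whose image is not an executable name (e.g. a .doc) spawning a shell
        if not parent_is_exe:
            return ("Command Line Interface", "medium", f"cmd.exe spawned by {parent}")
        return None
    # child is powershell.exe from here on
    if parent == "powershell.exe" and _base(ev.user) == "system":
        return ("PowerShell", "high", "SYSTEM-level powershell.exe spawned by powershell.exe")
    ads = ads_reference(ev.command_line)
    if ads:
        return ("PowerShell", "medium", f"powershell.exe reading an alternate data stream ({ads})")
    if parent in SCRIPT_HOSTS or not parent_is_exe:
        return ("PowerShell", "medium", f"powershell.exe spawned by {parent}")
    return None


def run(events: List[ProcEvent]) -> List[Alert]:
    """Evaluate events in arrival order; link each alert to an existing alert on its parent."""
    alerts_by_guid: Dict[str, Alert] = {}
    alerts: List[Alert] = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        name, severity, evidence = hit
        parent_alert = alerts_by_guid.get(ev.parent_guid)
        alert = Alert(name, severity, ev.guid, evidence,
                      correlated_to=parent_alert.guid if parent_alert else None)
        alerts_by_guid[ev.guid] = alert
        alerts.append(alert)
    return alerts


# Constructed sample events (invented values) mirroring the chains in the table.
SYS32 = r"C:\Windows\System32"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
CMD = SYS32 + r"\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"
DOC = r"C:\Users\user1\Downloads\rcs.3aka3.doc"
USER = r"CORP\user1"

SAMPLE_EVENTS = [
    ProcEvent("p0", "px", DOC, EXPLORER, USER, "rcs.3aka3.doc"),                       # 1.B.1 parent
    ProcEvent("p1", "p0", CMD, DOC, USER, "cmd.exe"),                                   # 1.B.1
    ProcEvent("p2", "p1", PS, CMD, USER, "powershell.exe"),                             # 1.B.2
    ProcEvent("p3", "p2", PS, PS, USER, 'powershell.exe -noni -ep bypass -c "Start-Sleep 1"'),  # 4.A.2
    ProcEvent("p4", "py", PS, r"C:\Python27\python.exe", USER, "powershell.exe -ep bypass"),    # 9.B.1
    ProcEvent("p5", "ps", PS, PS, USER,
              f'powershell.exe -ep bypass -c "IEX (Get-Content {SYS32}\\schemas -Stream schemas -Raw)"'),  # 11.A.12
    ProcEvent("p6", "pw", PS, PS, r"NT AUTHORITY\SYSTEM", "powershell.exe -NoP -NonI -W Hidden -ep bypass"),  # 20.A.3
    ProcEvent("p7", "pe", SYS32 + r"\notepad.exe", EXPLORER, USER, "notepad.exe"),      # benign
    ProcEvent("p8", "pe", CMD, EXPLORER, USER, "cmd.exe"),                              # benign: user opened a shell
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        link = f" (correlated to alert on {a.correlated_to})" if a.correlated_to else ""
        print(f"{a.guid}: {a.name} [{a.severity}] - {a.evidence}{link}")
```

Correlation here only works if the parent's event is processed before the child's, so a real pipeline must order by event time (or keep a short lookback buffer). The ADS check is deliberately broad; whether a given product surfaces that as its own alert or as a note on a generic "PowerShell" detection is exactly the difference between the Technique and MSSP rows for 11.A.12 above.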