Carbanak+FIN7
|
The technique was not in scope.
|
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
20.B.3
|
|
|
A Technique alert detection called "created account T1136" (high severity) was generated for net.exe with the command-line arguments to add the new user Toby.
[1]
[2]
|
|
An MSSP detection contained evidence of the creation of the user Toby on Scranton (10.0.1.4).
[1]
|
|
Telemetry showed wsmprovhost.exe spawning net.exe with the command-line arguments to add the new user Toby.
[1]
|
|
Added a new user to the remote host Scranton (10.0.1.4) using net.exe
net.exe adding the user Toby
[1]
[2]
Added a new user to the remote host Scranton (10.0.1.4) using net.exe
net.exe adding the user Toby
[1]
Added a new user to the remote host Scranton (10.0.1.4) using net.exe
net.exe adding the user Toby
[1]
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.A.1.1
|
|
|
The capability enriched the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Create Account).
[1]
[2]
|
|
Telemetry showed mmc.exe creating a Registry key for user Jesse, indicating that the user is new.
[1]
[2]
|
|
Added user Jesse to Conficker (10.0.0.5) through RDP connection
[1]
[2]
Added user Jesse to Conficker (10.0.0.5) through RDP connection
[1]
[2]