Lateral Movement (TA0008)
APT29

| Step | ATT&CK Pattern |
|---|---|
| 8.A.2 | Technique: Remote Services (T1021); Subtechnique: Remote Services: Windows Remote Management (T1021.006) |
| 8.C.2 | Technique: Remote Services (T1021); Subtechnique: Remote Services: SMB/Windows Admin Shares (T1021.002) |
| 16.C.1 | Technique: Remote Services (T1021); Subtechnique: Remote Services: Windows Remote Management (T1021.006) |
| 16.D.1 | Technique: Lateral Tool Transfer (T1570) |
| 20.B.1 | |
| 20.B.2 | Technique: Remote Services (T1021); Subtechnique: Remote Services: Windows Remote Management (T1021.006) |

Procedure
Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection
Criteria
File write of m.exe by the WinRM process (wsmprovhost.exe)