Carbanak+FIN7
|
The technique was not in scope.
|
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
14.B.1
|
|
|
Telemetry showed WmiPrvSE.exe executing powershell.exe. The detection was correlated to a parent grouping of malicious activity.
[1]
|
Technique
(Alert, Correlated)
|
A Technique alert detection for "WMI Operation" under "Execution {T1047}" was generated on Win32_AuditCode usage. The detection was correlated to a parent grouping of malicious activity.
[1]
|
|
An MSSP detection for "WMI Operation" occurred containing evidence of Win32_AuditCode usage. WmiPrvSE.exe executed powershell.exe with decoded payload.
[1]
[2]
[3]
|
|
Created and executed a WMI class using PowerShell
WMI Process (WmiPrvSE.exe) executing powershell.exe
[1]
Created and executed a WMI class using PowerShell
WMI Process (WmiPrvSE.exe) executing powershell.exe
[1]
Created and executed a WMI class using PowerShell
WMI Process (WmiPrvSE.exe) executing powershell.exe
[1]
[2]
[3]
APT3
|
The technique was not in scope.
|