Carbanak+FIN7
|
The technique was not in scope.
|
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
14.B.1
|
|
|
A General alert detection (red indicator) for Privilege Escalation was generated for suspicious PowerShell behavior.
[1]
|
|
A Technique alert detection (red indicator) for Windows Management Instrumentation was generated for WmiPrvSE.exe executing powershell.exe.
[1]
[2]
|
|
Telemetry showed WmiPrvSe.exe executing powershell.exe.
[1]
[2]
|
|
Created and executed a WMI class using PowerShell
WMI Process (WmiPrvSE.exe) executing powershell.exe
[1]
Created and executed a WMI class using PowerShell
WMI Process (WmiPrvSE.exe) executing powershell.exe
[1]
[2]
Created and executed a WMI class using PowerShell
WMI Process (WmiPrvSE.exe) executing powershell.exe
[1]
[2]
APT3
|
The technique was not in scope.
|