Carbanak+FIN7

The subtechnique was not in scope.

APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 4.C.9 | | | Telemetry showed powershell.exe executing the NetUserGetGroups API. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from the users or temporary folder. |
| 4.C.9 | | | An MSSP detection occurred for powershell.exe executing the NetUserGetGroups API. |

Enumerated user's domain group membership via the NetUserGetGroups API
powershell.exe executing the NetUserGetGroups API

APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 2.F.2 | | | The capability enriched net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery). |
| 2.F.3 | | | The capability enriched the execution of net.exe and net1.exe as the possible enumeration of administrator groups. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| 2.F.3 | | | The capability enriched the execution of net.exe as the execution of an enumeration command, and the execution of net1.exe as the execution of an enumeration command using net or net1. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| 2.F.3 | | | Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| 12.E.1.2 | | | Minimum detection criteria were not met for this procedure. |
| 12.F.1 | | | The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery). |
| 12.F.1 | | | The capability enriched the execution of net.exe and net1.exe as an enumeration command. The data was tainted by a parent alert on wscript.exe. |
| 12.F.1 | | | The capability enriched the execution of net.exe and net1.exe as the possible enumeration of administrator groups. The data was tainted by a parent alert on wscript.exe. |
| 12.F.1 | | | Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe. |

Cobalt Strike: 'net localgroup administrators -domain' via cmd
Empire: WinEnum module included enumeration of AD group memberships
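As an added illustration of the "enriched as group enumeration, tainted by a parent alert" pattern recorded in the APT3 notes above (example code written for this page, not the evaluation's or any vendor's capability): constructed process-creation events, a net.exe/net1.exe group-enumeration rule mapped to Permission Groups Discovery, and a walk up the parent chain that attaches any alert already raised on an ancestor (here on wscript.exe). The event fields, pids and alert text are assumptions.

```python
import re

# T1069 Permission Groups Discovery as the notes describe it: net.exe / net1.exe
# running a group enumeration command, enriched with any alert already raised
# on an ancestor process ("tainted by a parent alert").
GROUP_ENUM = re.compile(r"\b(local)?group\b", re.IGNORECASE)
ADMIN_GROUP = re.compile(r"\badministrators\b", re.IGNORECASE)

# Constructed process-creation events (assumed Sysmon-style fields, not data
# from the evaluation). pid/ppid link each child to its parent; net.exe
# spawns net1.exe, which is why both appear in the notes.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",  "cmdline": "wscript.exe dropper.js"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",      "cmdline": "cmd.exe /c net localgroup administrators /domain"},
    {"pid": 400, "ppid": 300, "image": "net.exe",      "cmdline": "net localgroup administrators /domain"},
    {"pid": 500, "ppid": 400, "image": "net1.exe",     "cmdline": "net1 localgroup administrators /domain"},
    {"pid": 600, "ppid": 100, "image": "cmd.exe",      "cmdline": "cmd.exe /c net use"},
    {"pid": 700, "ppid": 600, "image": "net.exe",      "cmdline": "net use"},
]

# Alerts already raised by other rules, keyed by pid (constructed).
PARENT_ALERTS = {200: "suspicious execution of the Windows Scripting Engine"}


def taint(pid, by_pid, alerts, max_depth=32):
    """Walk the parent chain from pid; return the first ancestor alert, if any."""
    depth = 0
    while pid in by_pid and depth < max_depth:
        pid = by_pid[pid]["ppid"]
        if pid in alerts:
            return alerts[pid]
        depth += 1
    return None


def detect(events, alerts):
    """Return one enriched detection per net/net1 group-enumeration event."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() not in ("net.exe", "net1.exe"):
            continue
        if not GROUP_ENUM.search(e["cmdline"]):
            continue  # e.g. "net use" is not group enumeration
        hits.append({
            "pid": e["pid"],
            "technique": "T1069 Permission Groups Discovery",
            "admin_group": bool(ADMIN_GROUP.search(e["cmdline"])),
            "parent": by_pid.get(e["ppid"], {}).get("image"),
            "tainted_by": taint(e["pid"], by_pid, alerts),
        })
    return hits
```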