GoSecure: Process Injection (T1055)
Carbanak+FIN7

| Step | ATT&CK Pattern |
| --- | --- |
| 9.A.3 | Tactic: Defense Evasion (TA0005) |
| 16.A.7 | |
| 18.A.1 | Tactic: Defense Evasion (TA0005) |
| 18.A.3 | Tactic: Defense Evasion (TA0005) |
| 20.A.2 | Tactic: Defense Evasion (TA0005) |

APT29

The technique was not in scope.

APT3

| Step | ATT&CK Pattern |
| --- | --- |
| 3.C.1 | Tactic: Execution (TA0002) |
| 5.A.1.2 | Tactic: Execution (TA0002) |
| 5.A.2.2 | Tactic: Execution (TA0002) |
| 8.D.1.2 | Tactic: Execution (TA0002) |

Procedure
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Footnotes
- The vendor noted all DLL injection conditions are labeled with Privilege Escalation. The vendor also noted Privilege Escalation is one of ten "Capabilities" that are part of the taxonomy.


Procedure
Cobalt Strike: Credential dump capability involved process injection into lsass

Footnotes
- According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does.
Procedure
Cobalt Strike: Hash dump capability involved process injection into lsass.exe

Footnotes
- According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does.