Carbanak+FIN7

The subtechnique was not in scope.
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 4.C.9 | Enumerated user's domain group membership via the NetUserGetGroups API (criteria: powershell.exe executing the NetUserGetGroups API [1]) | Telemetry | Telemetry showed powershell.exe executing Invoke-NetUserGetGroups. The event was correlated to a parent General detection for malicious file execution. [1] |
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 2.F.2 | | General Behavior (Configuration Change, Tainted, Delayed) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). [1] [2] [3] [4] |
| 2.F.2 | | Enrichment | The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] |
| 2.F.2 | | Telemetry | Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] |
| 2.F.3 | | General Behavior (Configuration Change, Tainted, Delayed) | A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). [1] [2] [3] [4] |
| 2.F.3 | | Enrichment | The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] |
| 2.F.3 | | Telemetry | Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] |
| 12.E.1.2 | | None | Minimum detection criteria were not met for this procedure. [1] |
| 12.F.1 | | Enrichment | An alert for Enumeration of Administrator Account provided enrichment to the net group command (tainted by parent PowerShell alerts). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] |
| 12.F.1 | | Enrichment (Tainted, Delayed) | The capability enriched net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. [1] [2] |
| 12.F.1 | | Telemetry | Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). [1] [2] |

Procedures and notes (as listed on the page, in order):

| Procedure | Note |
| --- | --- |
| Empire: WinEnum module included enumeration of AD group memberships | Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] |
| Empire: 'net group "Domain Admins" -domain' via PowerShell | [1] [2] |
| Empire: 'net group "Domain Admins" -domain' via PowerShell | Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] |
| Empire: 'net group "Domain Admins" -domain' via PowerShell | Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] |
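The detection chain described in these rows (process telemetry, enrichment of net.exe or powershell.exe with T1069, tainting from a parent alert, and a delayed General Behavior alert once several discovery procedures are seen) can be modelled over constructed process-creation events. This is an added illustration, not Endgame's or MITRE's code; the events, field names and the threshold of 2 are assumptions.

```python
import re

# Constructed sample process-creation events (not taken from the evaluation).
# Fields: pid, parent pid, image name, command line, and any alert already raised.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe", "alert": None},
    {"pid": 200, "ppid": 100, "image": "update.exe",     "cmd": "update.exe /q",
     "alert": "Malicious File Detection"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",
     "cmd": 'cmd.exe /c net group "Domain Admins" /domain', "alert": None},
    {"pid": 400, "ppid": 300, "image": "net.exe",
     "cmd": 'net group "Domain Admins" /domain', "alert": None},
    {"pid": 500, "ppid": 1,   "image": "powershell.exe",
     "cmd": "powershell.exe -c Invoke-NetUserGetGroups", "alert": None},
    {"pid": 600, "ppid": 1,   "image": "net.exe", "cmd": "net use", "alert": None},
]

GROUP_ARG = re.compile(r"\b(local)?group\b", re.I)

def classify(ev):
    """Return the T1069 procedure name this event matches, or None."""
    image = ev["image"].lower()
    if image in ("net.exe", "net1.exe") and GROUP_ARG.search(ev["cmd"]):
        return "Enumeration of Administrator Account"
    if image == "powershell.exe" and "netusergetgroups" in ev["cmd"].lower():
        return "NetUserGetGroups API"
    return None

def tainted_by(ev, by_pid):
    """Walk up the event tree; return the nearest ancestor's alert, if any."""
    parent = by_pid.get(ev["ppid"])
    while parent is not None:
        if parent["alert"]:
            return parent["alert"]
        parent = by_pid.get(parent["ppid"])
    return None

def enrich(events):
    """Tag matching events with technique and tactic, plus the tainting alert."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        out.append({"pid": ev["pid"], "procedure": label,
                    "technique": "T1069 - Permission Groups Discovery",
                    "tactic": "Discovery", "tainted_by": tainted_by(ev, by_pid)})
    return out

def general_behavior_alert(enrichments, threshold=2):
    """Delayed alert: fires once distinct discovery procedures reach the threshold."""
    return len({e["procedure"] for e in enrichments}) >= threshold
```

Only net.exe itself is enriched, while the cmd.exe parent stays plain telemetry, which mirrors the split between the Telemetry and Enrichment rows above.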