Modify Registry (T1112)

Carbanak+FIN7

Step | ATT&CK Pattern
3.A.2 | Tactic: Defense Evasion (TA0005)
4.B.4 | Tactic: Defense Evasion (TA0005)
10.A.5 | Tactic: Defense Evasion (TA0005)
10.A.6 | Tactic: Defense Evasion (TA0005)

APT29

Step | ATT&CK Pattern
3.C.1 | Tactic: Defense Evasion (TA0005)
14.A.3 | Tactic: Defense Evasion (TA0005)
Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Footnotes:
- The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual).


Procedure: Modified the Registry to remove artifacts of COM hijacking using PowerShell
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Footnotes:
- The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual).