Command and Scripting Interpreter (T1059)
Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 1.A.3 | |
| 1.A.7 | |
| 1.A.8 | |
| 1.A.9 | Tactic: Execution (TA0002); Subtechnique: Command and Scripting Interpreter: JavaScript/Jscript (T1059.007) |
| 2.B.2 | |
| 2.B.3 | |
| 3.A.1 | |
| 3.B.2 | |
| 3.B.3 | |
| 4.B.3 | |
| 4.B.6 | |
| 5.A.6 | |
| 5.C.5 | |
| 6.A.1 | |
| 7.A.2 | |
| 8.A.1 | |
| 11.A.4 | |
| 12.A.2 | Tactic: Execution (TA0002); Subtechnique: Command and Scripting Interpreter: JavaScript/Jscript (T1059.007) |
| 13.A.2 | |
| 13.B.2 | |
| 13.B.3 | |
| 14.A.1 | |
| 14.A.2 | |
| 14.A.4 | |
| 15.A.4 | |
| 16.A.3 | |
| 17.A.3 | |
| 19.B.1 | |

APT29

| Step | ATT&CK Pattern |
|---|---|
| 1.B.1 | |
| 1.B.2 | |
| 4.A.2 | |
| 9.B.1 | |
| 11.A.12 | |
| 20.A.3 | |

APT3

| Step | ATT&CK Pattern |
|---|---|
| 1.A.1.3 | |
| 11.A.1 | |
| 12.E.1 | |
| 15.A.1.1 | |
| 16.F.1 | Tactic: Execution (TA0002) |

Procedure
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Footnotes
- Vendor stated that Input Capture telemetry is captured but it was not immediately visible in the portal. Vendor made changes to the portal during the test to enable by default the visibility of these events.


