Malwarebytes: Lateral Movement (TA0008)
Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 5.A.7 | |
| 5.A.9 | Technique: Lateral Tool Transfer (T1570) |
| 5.A.10 | Technique: Lateral Tool Transfer (T1570) |
| 5.A.11 | Technique: Lateral Tool Transfer (T1570) |
| 5.B.1 | |
| 5.C.1 | |
| 5.C.2 | Technique: Remote Services (T1021); Sub-technique: Remote Services: SMB/Windows Admin Shares (T1021.002) |
| 5.C.4 | Technique: Lateral Tool Transfer (T1570) |
| 7.A.5 | |
| 7.B.3 | |
| 16.A.5 | Technique: Remote Services (T1021); Sub-technique: Remote Services: SMB/Windows Admin Shares (T1021.002) |
| 19.A.2 | |
APT29

| Step | ATT&CK Pattern |
|---|---|
| 8.A.2 | Technique: Remote Services (T1021); Sub-technique: Remote Services: Windows Remote Management (T1021.006) |
| 8.C.2 | Technique: Remote Services (T1021); Sub-technique: Remote Services: SMB/Windows Admin Shares (T1021.002) |
| 16.C.1 | Technique: Remote Services (T1021); Sub-technique: Remote Services: Windows Remote Management (T1021.006) |
| 16.D.1 | Technique: Lateral Tool Transfer (T1570) |
| 20.B.1 | |
| 20.B.2 | Technique: Remote Services (T1021); Sub-technique: Remote Services: Windows Remote Management (T1021.006) |
Step details

Procedure: Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria: Network connection to Scranton (10.0.1.4) over port 5985

Procedure: Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share

Footnotes
- Existing event details show correlation of detections.
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.

Procedure: Established a WinRM connection to the domain controller host NewYork (10.0.0.4)
Criteria: Network connection to NewYork (10.0.0.4) over port 5985

Procedure: Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection
Criteria: File write of m.exe by the WinRM process (wsmprovhost.exe)

Procedure: Created Kerberos Golden Ticket using Invoke-Mimikatz
Criteria: powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket