Carbanak+FIN7
|
The subtechnique was not in scope.
|
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
4.C.7
|
|
Telemetry
(Configuration Change (Detections))
|
Telemetry showed powershell executing Get-WmiObject ... -Class AntiVirusProduct.
[1]
|
|
4.C.8
|
|
Telemetry
(Configuration Change (Detections))
|
Telemetry showed powershell executing Get-WmiObject ... -Class FireWallProduct.
[1]
|
|
12.B.1
|
|
Telemetry
(Configuration Change (Detections))
|
Telemetry showed the PowerShell gwmi query for AntiVirusProduct.
[1]
|
|
Enumerated anti-virus software using PowerShell
powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
-
PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
[1]
Enumerated firewall software using PowerShell
powershell.exe executing Get-WmiObject ... -Class FireWallProduct
-
PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
[1]
Enumerated registered AV products using PowerShell
powershell.exe executing a Get-WmiObject query for AntiVirusProduct
-
PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
[1]