APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
8.C.2
|
|
|
An MSSP detection for "Lateral Movement - Windows Admin Shares" occurred containing evidence of an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 445.
[1]
|
|
Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 135.
[1]
|
|
Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
[1]
Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
[1]