APT29
| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 8.A.2 | Established WinRM connection to remote host Scranton (10.0.1.4); network connection to Scranton (10.0.1.4) over port 5985 | Technique | A Technique alert detection (info severity) called "Windows Remote Management - WinRM Usage" was generated due to a connection to remote host Scranton over port 5985. |
| 8.A.2 | Established WinRM connection to remote host Scranton (10.0.1.4); network connection to Scranton (10.0.1.4) over port 5985 | Telemetry | Telemetry showed a connection to Scranton (10.0.1.4) over TCP port 5985. |
| 16.C.1 | Established a WinRM connection to the domain controller host NewYork (10.0.0.4); network connection to NewYork (10.0.0.4) over port 5985 | Telemetry | Telemetry showed PowerShell executing the Invoke-Command WinRM cmdlet, then the subsequent connection to remote host NewYork (10.0.0.4) over port 5985. |
| 16.C.1 | Established a WinRM connection to the domain controller host NewYork (10.0.0.4); network connection to NewYork (10.0.0.4) over port 5985 | MSSP | An MSSP detection for "Execution - Windows Remote Management" occurred, containing evidence of PowerShell executing the Invoke-Command WinRM cmdlet and the subsequent connection to remote host NewYork (10.0.0.4). |
| 20.B.2 | Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials; network connection to Scranton (10.0.1.4) over port 5985 | Telemetry | Telemetry showed PowerShell execution of Enter-PSSession and the corresponding powershell.exe network connection to remote host Scranton (10.0.1.4) over port 5985. |
| 20.B.2 | Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials; network connection to Scranton (10.0.1.4) over port 5985 | MSSP | An MSSP detection for "Windows Remote Management" occurred, containing evidence of PowerShell using Enter-PSSession to create a WinRM session. |
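Detection logic of the kind these notes describe, written here as an added example that is not from the evaluation or from any vendor's product: it correlates constructed Sysmon-style process-creation and network-connection records by process, so a PowerShell process that ran Invoke-Command or Enter-PSSession and then connected to TCP 5985 is reported as a Technique-level finding, while a bare 5985 connection is reported as Telemetry. The field names, ProcessGuid values and sample events are assumptions constructed for the example; only the host names and addresses (Scranton 10.0.1.4, NewYork 10.0.0.4) come from the table above.

```python
import re
from dataclasses import dataclass

WINRM_PORTS = {5985, 5986}  # WinRM HTTP and HTTPS listener ports
WINRM_CMDLETS = re.compile(r"\b(Enter-PSSession|Invoke-Command|New-PSSession)\b", re.I)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

@dataclass(frozen=True)
class Detection:
    # kind is "Technique" when a WinRM cmdlet was seen on the command line before the
    # connection, or "Telemetry" when only the connection to a WinRM port was observed.
    kind: str
    process_guid: str
    dest_host: str
    dest_port: int
    command_line: str = ""

def detect_winrm(events):
    """Correlate Sysmon-style process-create (EventID 1) and network-connect (EventID 3)
    records on ProcessGuid; records are assumed to arrive in time order."""
    cmdlet_by_guid = {}  # ProcessGuid -> command line that invoked a WinRM cmdlet
    detections = []
    for ev in events:
        if ev["EventID"] == 1:
            image = ev["Image"].rsplit("\\", 1)[-1].lower()
            if image in POWERSHELL_IMAGES and WINRM_CMDLETS.search(ev["CommandLine"]):
                cmdlet_by_guid[ev["ProcessGuid"]] = ev["CommandLine"]
        elif ev["EventID"] == 3 and ev["DestinationPort"] in WINRM_PORTS:
            guid = ev["ProcessGuid"]
            kind = "Technique" if guid in cmdlet_by_guid else "Telemetry"
            detections.append(Detection(kind, guid, ev["DestinationHostname"],
                                        ev["DestinationPort"], cmdlet_by_guid.get(guid, "")))
    return detections

# Constructed telemetry using the evaluation's host names (Scranton 10.0.1.4, NewYork 10.0.0.4).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "P1", "Image": PS,
     "CommandLine": "powershell.exe Invoke-Command -ComputerName NewYork -ScriptBlock { hostname }"},
    {"EventID": 3, "ProcessGuid": "P1", "DestinationHostname": "NewYork",
     "DestinationIp": "10.0.0.4", "DestinationPort": 5985},
    {"EventID": 1, "ProcessGuid": "P2", "Image": PS,
     "CommandLine": "powershell.exe Enter-PSSession -ComputerName Scranton"},
    {"EventID": 3, "ProcessGuid": "P2", "DestinationHostname": "Scranton",
     "DestinationIp": "10.0.1.4", "DestinationPort": 5985},
    {"EventID": 3, "ProcessGuid": "P2", "DestinationHostname": "updates.example",
     "DestinationIp": "10.0.9.9", "DestinationPort": 443},  # not a WinRM port: ignored
    {"EventID": 3, "ProcessGuid": "P3", "DestinationHostname": "Scranton",
     "DestinationIp": "10.0.1.4", "DestinationPort": 5985},  # connection with no cmdlet evidence
]
```

Running `detect_winrm(SAMPLE_EVENTS)` yields two Technique findings (P1 to NewYork, P2 to Scranton) and one Telemetry finding (P3 to Scranton), matching the split between the Technique and Telemetry rows in the table.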