Privilege Escalation (TA0004)
Carbanak+FIN7

Step | ATT&CK Pattern
4.B.5 |
15.A.5 |
17.A.4 | Technique: Hijack Execution Flow (T1574); Subtechnique: Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)

Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Script Logs
- Process Monitoring


Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Windows Registry
- Process Monitoring
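As an added defensive example (not FireEye's or MITRE's code), the following Python evaluates the parent/child criteria listed above against a few constructed Sysmon-style process-creation lines; the log line format, the field names (ParentImage, Image, IntegrityLevel) and the file paths are assumptions made for the example. It also generalises the first criterion to any high-integrity child of fodhelper.exe, not only cmd.exe.

```python
"""Check the evaluation's parent/child criteria over constructed process events."""
import ntpath
from dataclasses import dataclass

# Constructed sample, Sysmon-style key=value lines (no spaces inside paths).
SAMPLE_LOG = r"""
ParentImage=C:\Windows\System32\fodhelper.exe Image=C:\Windows\System32\cmd.exe IntegrityLevel=High
ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Image=C:\Users\x\samcat.exe IntegrityLevel=High
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\cmd.exe IntegrityLevel=Medium
ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Image=C:\Users\x\samcat.exe IntegrityLevel=Medium
ParentImage=C:\Windows\System32\fodhelper.exe Image=C:\Windows\System32\notepad.exe IntegrityLevel=High
"""

ELEVATED = {"High", "System"}

# Parent/child pairs taken from the criteria on this page. samcat.exe is the
# evaluation's own tool name, so that pair is specific to the evaluation.
CRITERIA = {
    ("fodhelper.exe", "cmd.exe"): "fodhelper.exe spawned cmd.exe as a high-integrity process",
    ("powershell.exe", "samcat.exe"): "powershell.exe spawned samcat.exe as a high-integrity process",
}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # basename, lower-cased
    image: str          # basename, lower-cased
    integrity: str      # label as logged: Low / Medium / High / System


def parse_line(line: str) -> ProcessEvent:
    """Parse one 'Key=Value Key=Value' line into a ProcessEvent."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return ProcessEvent(
        parent_image=ntpath.basename(fields["ParentImage"]).lower(),
        image=ntpath.basename(fields["Image"]).lower(),
        integrity=fields["IntegrityLevel"],
    )


def evaluate(lines):
    """Return one (label, event) pair for every line that meets a criterion."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        # The page notes the adversary's process was already high integrity, so a
        # Medium->High transition is not what is checked; the rule keys on the
        # parent/child pair and requires the child itself to be elevated.
        if ev.integrity not in ELEVATED:
            continue
        key = (ev.parent_image, ev.image)
        if key in CRITERIA:
            alerts.append((CRITERIA[key], ev))
        elif ev.parent_image == "fodhelper.exe":
            # Generalisation: any elevated child of the auto-elevating fodhelper.exe
            alerts.append(("fodhelper.exe spawned an unexpected high-integrity child", ev))
    return alerts


if __name__ == "__main__":
    for label, ev in evaluate(SAMPLE_LOG.splitlines()):
        print(f"{label}: {ev.parent_image} -> {ev.image} [{ev.integrity}]")
```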


APT29

Step | ATT&CK Pattern
3.B.1 |
3.B.2 |
14.A.1 |
14.A.2 |

APT3

Step | ATT&CK Pattern
3.A.1.1 |
14.A.1.1 |
16.B.1.1 |
16.I.1.1 |

Procedure
Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
Footnotes
- A Configuration Change was made in order to collect Windows Event Logs for events 4627 (Group Membership Information) and 4673 (A privileged service was called).
Procedure
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
- All five of the sc.exe events are rolled under the same SC Execution alert.