Carbanak+FIN7
| The subtechnique was not in scope.

APT29
| The subtechnique was not in scope.
APT3

Step | ATT&CK Pattern | Detection Type | Detection Note
16.I.1.2 | Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4) [1] | Telemetry (Tainted) | Telemetry showed executions of sc.exe that created the AdobeUpdater service on Creeper with a binPath pointing to cmd.exe (which in turn executes update.vbs), as well as setting the service description. An analyst can use this information to determine that AdobeUpdater is a masquerading service. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1]
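The detection note above names the two observables an analyst needs: an sc.exe service creation whose binPath launches an interpreter (cmd.exe running update.vbs) and a follow-up sc.exe description call that dresses the service up, with the event tainted because an earlier event in the same story (Group ID) was already suspicious. The Python below is an added example and is not code from MITRE, the vendor, or the Empire project; it runs that logic over constructed Sysmon Event ID 1-style process-creation records. The command lines, the encoded PowerShell launch, the file paths and the "story-16"/"story-99" group values are assumed for illustration; the host and service names follow the page.

```python
"""Flag service masquerading via sc.exe over constructed process-creation telemetry."""
import ntpath
import shlex

# Script hosts and launchers that a legitimate service binPath rarely points at.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_EXTS = (".vbs", ".js", ".ps1", ".bat", ".cmd", ".hta")

# Constructed records in the shape of Sysmon Event ID 1 fields (not evaluation data).
# "group" stands in for the evaluation's story / Group ID that links events together.
EVENTS = [
    {"ts": 1, "host": "Creeper", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoP -W Hidden -Enc SQBFAFgA", "group": "story-16"},
    {"ts": 2, "host": "Creeper", "image": r"C:\Windows\System32\sc.exe",
     "cmd": r'sc.exe create AdobeUpdater binPath= "cmd.exe /c cscript.exe C:\Users\Public\update.vbs" start= auto',
     "group": "story-16"},
    {"ts": 3, "host": "Creeper", "image": r"C:\Windows\System32\sc.exe",
     "cmd": 'sc.exe description AdobeUpdater "Adobe Acrobat Updater Service"', "group": "story-16"},
    {"ts": 4, "host": "Creeper", "image": r"C:\Windows\System32\sc.exe",
     "cmd": r'sc.exe create Spooler2 binPath= "C:\Program Files\Vendor\svc.exe"', "group": "story-99"},
]


def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_sc(cmdline):
    """Parse an sc.exe command line into verb, service name and 'name= value' options.
    sc's own syntax requires the space after '=', so the value is the next token."""
    toks = [_unquote(t) for t in shlex.split(cmdline, posix=False)]  # keep Windows backslashes
    if not toks or ntpath.basename(toks[0]).lower() != "sc.exe":
        return None
    i, target = 1, None
    if i < len(toks) and toks[i].startswith("\\\\"):  # optional \\server for remote use
        target, i = toks[i], i + 1
    if len(toks) < i + 2:
        return None
    verb, service, rest, opts = toks[i].lower(), toks[i + 1], toks[i + 2:], {}
    j = 0
    while j < len(rest):
        t = rest[j]
        if t.endswith("=") and j + 1 < len(rest):
            opts[t[:-1].lower()] = rest[j + 1]
            j += 2
        else:  # positional text, e.g. the string given to 'sc description <svc> "text"'
            opts.setdefault("_args", []).append(t)
            j += 1
    return {"target": target, "verb": verb, "service": service, "opts": opts}


def binpath_risk(binpath):
    """Return a reason if the service binary is a script host or a script, else None."""
    try:
        parts = shlex.split(binpath, posix=False)
    except ValueError:
        return "unparseable binPath"
    if not parts:
        return None
    exe = ntpath.basename(_unquote(parts[0])).lower()
    if exe in INTERPRETERS:
        return f"binPath launches interpreter {exe}"
    if any(_unquote(p).lower().endswith(SCRIPT_EXTS) for p in parts):
        return "binPath references a script file"
    return None


def is_initial_compromise(ev):
    """Crude marker for the earlier part of the story: a hidden, encoded PowerShell launch."""
    c = ev["cmd"].lower()
    return ntpath.basename(ev["image"]).lower() == "powershell.exe" and "-enc" in c and "hidden" in c


def analyze(events):
    """Emit findings in time order; a finding is 'tainted' when an earlier finding shares its group."""
    findings, tainted_groups, suspicious_services = [], set(), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        reason, sc = None, None
        if is_initial_compromise(ev):
            reason = "hidden encoded PowerShell (initial access activity)"
        elif ntpath.basename(ev["image"]).lower() == "sc.exe":
            sc = parse_sc(ev["cmd"])
        if sc and sc["verb"] in ("create", "config") and "binpath" in sc["opts"]:
            reason = binpath_risk(sc["opts"]["binpath"])
            if reason:
                suspicious_services.add(sc["service"])
        elif sc and sc["verb"] == "description" and sc["service"] in suspicious_services:
            text = sc["opts"].get("_args", [""])[0]
            reason = f"description set on suspicious service (masquerading): {text!r}"
        if reason:
            findings.append({"ts": ev["ts"], "host": ev["host"], "service": sc["service"] if sc else None,
                             "reason": reason, "tainted": ev["group"] in tainted_groups})
            tainted_groups.add(ev["group"])
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

Only a description call that follows a suspicious creation of the same service is reported, so ordinary administrators setting descriptions on their own services stay quiet; the benign Spooler2 creation in the sample is not flagged because its binPath is a plain executable. The tainted flag comes purely from the shared group value, which mirrors how the evaluation tied this event back to the initial compromise step rather than from anything in the sc.exe command itself.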