Carbanak+FIN7
The subtechnique was not in scope.

APT29
The subtechnique was not in scope.

APT3

Step | ATT&CK Pattern | Detection Type | Detection Note
10.B.1.1 | | | Telemetry showed that the explorer.exe process was running as the user Jesse, indicating the account exists. [1]
16.B.1.1 | | | Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick. The telemetry was tainted by the parent "Powershell executed remote commands" alert. Telemetry also showed explorer.exe (as the user Bob) write a PIPE on Conficker, which could indicate to an analyst that the share had been successfully mounted. [1] [2]

RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse [1]
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
-
Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]