APT29

Step 20.B.3: Added a new user to the remote host Scranton (10.0.1.4) using net.exe (net.exe adding the user Toby).

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 20.B.3 | | General (low severity) | A General alert detection (low severity) called "Suspicious WinRM Remote PowerShell Net Process" was generated for wsmprovhost.exe spawning net.exe with the command-line arguments to add the new user Toby. [1] [2] |
| 20.B.3 | | Telemetry | Telemetry showed addition of the new user Toby based on Windows Event ID 4720. [1] |
| 20.B.3 | | Technique (info severity) | A Technique alert detection (info severity) was generated for an account creation. [1] [2] |
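As an added example (not part of the evaluation page or of any vendor's tooling), the following Python replays the two signals these rows describe over constructed sample events: wsmprovhost.exe spawning net.exe with a user-add command line, and a Windows Security Event ID 4720 for the same user on the same host. The event field names, timestamps and the process-creation record layout are assumptions.

```python
import re
from datetime import datetime, timedelta

# Matches "net user <name> ... /add" (net.exe or net1.exe), case-insensitive.
NET_USER_ADD = re.compile(r"\buser\s+(\S+)\b.*\s/add\b", re.IGNORECASE)

def is_winrm_net_user_add(evt):
    """General-style alert: WinRM host process spawning net.exe to add a user."""
    parent = evt.get("parent_image", "").lower()
    image = evt.get("image", "").lower()
    if not parent.endswith("\\wsmprovhost.exe"):
        return None
    if not (image.endswith("\\net.exe") or image.endswith("\\net1.exe")):
        return None
    m = NET_USER_ADD.search(evt.get("command_line", ""))
    return m.group(1) if m else None  # the user name being added, or None

def correlate(events, window=timedelta(minutes=5)):
    """Pair each suspicious net.exe spawn with a 4720 for the same user and host."""
    findings = []
    creations = [e for e in events if e.get("event_id") == 4720]
    for e in events:
        user = is_winrm_net_user_add(e)
        if user is None:
            continue
        finding = {"host": e["host"], "user": user, "general_alert": True,
                   "telemetry_4720": False}
        for c in creations:
            same = c["host"] == e["host"] and c["target_user"].lower() == user.lower()
            if same and 0 <= (c["time"] - e["time"]).total_seconds() <= window.total_seconds():
                finding["telemetry_4720"] = True  # account creation confirmed by telemetry
        findings.append(finding)
    return findings

# Constructed sample events modelled on step 20.B.3; field names and times are assumptions.
T0 = datetime(2020, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"host": "Scranton", "time": T0, "event_id": 1,
     "parent_image": "C:\\Windows\\System32\\wsmprovhost.exe",
     "image": "C:\\Windows\\System32\\net.exe",
     "command_line": "net user Toby Sample123 /add"},
    {"host": "Scranton", "time": T0 + timedelta(seconds=2), "event_id": 4720,
     "target_user": "Toby", "subject_user": "Administrator"},
    {"host": "Scranton", "time": T0, "event_id": 1,            # benign: local enumeration
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\net.exe",
     "command_line": "net user"},
]

FINDINGS = correlate(SAMPLE_EVENTS)  # one finding: Toby on Scranton, both signals present
```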