Symantec
Event Triggered Execution (T1546)
Carbanak+FIN7

Step   | ATT&CK Pattern
19.B.5 | Tactic: Persistence (TA0003); Subtechnique: Event Triggered Execution: Application Shimming (T1546.011)
20.A.1 | Tactic: Persistence (TA0003); Subtechnique: Event Triggered Execution: Application Shimming (T1546.011)
APT29

Step   | ATT&CK Pattern
3.B.1  |
14.A.1 |
15.A.2 |
20.A.2 |
Procedure
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Footnotes
- The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual).

