APT29

| Step | ATT&CK Pattern | Procedure | Criteria | Detection Type | Detection Note |
|---|---|---|---|---|---|
| 8.C.1 | Valid Accounts | Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam | Successful logon as user Pam on Scranton (10.0.1.4) | Telemetry | Telemetry showed a valid logon on Scranton (10.0.1.4) as user Pam. [1] |
| 16.C.2 | Valid Accounts | Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott | Successful logon as user MScott on NewYork (10.0.0.4) | Telemetry | Telemetry showed a successful logon on NewYork (10.0.0.4) as user MScott. [1] [2] |
| 16.C.2 | Valid Accounts | Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott | Successful logon as user MScott on NewYork (10.0.0.4) | MSSP | An MSSP detection for "Privilege Escalation - Valid Accounts" occurred containing evidence of PowerShell executing the PowerShell Invoke-Command WinRM cmdlet with valid credentials, then logging onto the remote host NewYork (10.0.0.4). [1] |
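The two detection types in the table differ in what they require from the logs: the Telemetry rows only need visibility of a successful network logon on the target host, while the MSSP detection for 16.C.2 ties a PowerShell Invoke-Command (WinRM) execution to the logon that follows it on NewYork. The script below is an added example, not code from the ATT&CK Evaluations results or from any evaluated vendor, showing both views over constructed sample events. Host names and IPs (Scranton 10.0.1.4, NewYork 10.0.0.4, users Pam and MScott) come from the table; the event records, timestamps, the source address 10.0.1.9, the script block text and the 30-second correlation window are assumptions made for the example.

```python
"""Added example: telemetry and correlation views of Valid Accounts logons.
Not part of the ATT&CK Evaluations page; sample events are constructed."""
import re
from datetime import datetime, timedelta

HOSTS = {"Scranton": "10.0.1.4", "NewYork": "10.0.0.4"}  # from the results table
DOMAIN_CONTROLLERS = {"NewYork"}  # the table calls NewYork the domain controller

# Constructed sample telemetry (not captured data).
# 4624 = successful logon; LogonType 3 = network logon, which WinRM produces.
# 4104 = PowerShell script block logging. 10.0.1.9 is a constructed source address.
SAMPLE_EVENTS = [
    {"ts": "2020-05-01T10:00:00", "host": "Scranton", "event_id": 4624,
     "user": "Pam", "logon_type": 3, "src_ip": "10.0.1.9"},
    {"ts": "2020-05-01T10:05:00", "host": "Scranton", "event_id": 4104,
     "user": "Pam",
     "script": "Invoke-Command -ComputerName NewYork -Credential $cred "
               "-ScriptBlock { whoami }"},
    {"ts": "2020-05-01T10:05:02", "host": "NewYork", "event_id": 4624,
     "user": "MScott", "logon_type": 3, "src_ip": "10.0.1.4"},
    {"ts": "2020-05-01T10:30:00", "host": "NewYork", "event_id": 4624,
     "user": "MScott", "logon_type": 2, "src_ip": "-"},  # local console logon
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def network_logons(events):
    """Telemetry view: every successful network logon (4624 / LogonType 3),
    annotated with whether the target is a domain controller. This is the
    visibility the 'Telemetry' rows in the table record."""
    return [
        {"ts": e["ts"], "host": e["host"], "ip": HOSTS.get(e["host"], "?"),
         "user": e["user"], "src_ip": e["src_ip"],
         "dc": e["host"] in DOMAIN_CONTROLLERS}
        for e in events
        if e["event_id"] == 4624 and e.get("logon_type") == 3
    ]


# Matches Invoke-Command with a -ComputerName argument in a script block.
INVOKE_RE = re.compile(r"Invoke-Command\b.*?-ComputerName\s+(\S+)", re.IGNORECASE)


def winrm_lateral_movement(events, window=timedelta(seconds=30)):
    """Correlation view: a 4104 script block invoking Invoke-Command against a
    target, followed within `window` by a network logon on that target.
    Mirrors the MSSP 'Valid Accounts' detection described for step 16.C.2."""
    alerts = []
    logons = [e for e in events
              if e["event_id"] == 4624 and e.get("logon_type") == 3]
    for sb in (e for e in events if e["event_id"] == 4104):
        match = INVOKE_RE.search(sb.get("script", ""))
        if not match:
            continue
        target = match.group(1).strip("'\"")
        t0 = parse_ts(sb["ts"])
        for lg in logons:
            t1 = parse_ts(lg["ts"])
            if lg["host"].lower() == target.lower() and t0 <= t1 <= t0 + window:
                alerts.append({
                    "technique": "Valid Accounts",
                    "source_host": sb["host"], "source_user": sb["user"],
                    "target_host": lg["host"],
                    "target_ip": HOSTS.get(lg["host"], "?"),
                    "logon_user": lg["user"], "script": sb["script"],
                })
    return alerts


if __name__ == "__main__":
    for logon in network_logons(SAMPLE_EVENTS):
        print("telemetry:", logon)
    for alert in winrm_lateral_movement(SAMPLE_EVENTS):
        print("correlated:", alert)
```

Run against the sample events, the telemetry view lists both network logons (Pam on Scranton, MScott on NewYork) with the NewYork entry flagged as a domain-controller logon, while the correlation view raises a single alert for the Invoke-Command execution followed by MScott's logon on NewYork; the later console logon on NewYork is neither a network logon nor within the window, so it is ignored by both views.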