Carbanak+FIN7
|
The technique was not in scope.
|
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
14.B.1
|
|
Telemetry
(Correlated, Configuration Change (UX))
|
Telemetry showed powershell.exe executed by WMI. The detection was correlated to a parent alert for a suspicious Powershell process being spawned by explorer.exe.
[1]
|
|
Created and executed a WMI class using PowerShell
WMI Process (WmiPrvSE.exe) executing powershell.exe
-
The way this data was presented was altered after the start of the evaluation so the detection is identified as a Detection Configuration Change.
[1]
APT3
|
The technique was not in scope.
|