VMware Carbon Black
Command and Scripting Interpreter (T1059)

Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 1.A.3 | |
| 1.A.7 | |
| 1.A.8 | |
| 1.A.9 | Tactic: Execution (TA0002); Subtechnique: Command and Scripting Interpreter: JavaScript/Jscript (T1059.007) |
| 2.B.2 | |
| 2.B.3 | |
| 3.A.1 | |
| 3.B.2 | |
| 3.B.3 | |
| 4.B.3 | |
| 4.B.6 | |
| 5.A.6 | |
| 5.C.5 | |
| 6.A.1 | |
| 7.A.2 | |
| 8.A.1 | |
| 11.A.4 | |
| 12.A.2 | Tactic: Execution (TA0002); Subtechnique: Command and Scripting Interpreter: JavaScript/Jscript (T1059.007) |
| 13.A.2 | |
| 13.B.2 | |
| 13.B.3 | |
| 14.A.1 | |
| 14.A.2 | |
| 14.A.4 | |
| 15.A.4 | |
| 16.A.3 | |
| 17.A.3 | |
| 19.B.1 | |

APT29

| Step | ATT&CK Pattern |
|---|---|
| 1.B.1 | |
| 1.B.2 | |
| 4.A.2 | |
| 9.B.1 | |
| 11.A.12 | |
| 20.A.3 | |

Procedure
Spawned interactive cmd.exe
Criteria
cmd.exe spawning from the rcs.3aka3.doc process
Footnotes
- According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking Office documents or untrusted applications spawning command interpreters.


Procedure
Spawned interactive powershell.exe
Criteria
powershell.exe spawning from cmd.exe
Footnotes
- According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking Office documents or untrusted applications spawning command interpreters.


Procedure
Spawned interactive powershell.exe
Criteria
powershell.exe spawning from powershell.exe
Footnotes
- According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking PowerShell or untrusted applications spawning command interpreters.


APT3

| Step | ATT&CK Pattern |
|---|---|
| 1.A.1.3 | |
| 11.A.1 | |
| 12.E.1 | |
| 15.A.1.1 | |
| 16.F.1 | Tactic: Execution (TA0002) |