VMware Carbon Black: Execution (TA0002)
Carbanak+FIN7

Step | ATT&CK Pattern
1.A.1 | Technique: User Execution (T1204)
1.A.2 |
1.A.3 |
1.A.7 |
1.A.8 |
1.A.9 |
2.B.2 |
2.B.3 |
3.A.1 |
3.B.2 |
3.B.3 |
3.B.6 | Technique: Native API (T1106)
4.B.3 |
4.B.6 |
5.A.6 |
5.C.3 |
5.C.5 |
6.A.1 |
7.A.2 |
8.A.1 |
11.A.1 | Technique: User Execution (T1204)
11.A.3 | Technique: Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Mshta (T1218.005)
11.A.4 |
11.A.7 |
11.A.8 |
12.A.1 |
12.A.2 |
13.A.2 |
13.B.2 |
13.B.3 |
14.A.1 |
14.A.2 |
14.A.4 |
15.A.4 |
16.A.3 |
16.A.6 |
17.A.3 |
19.B.1 |
APT29

Step | ATT&CK Pattern
1.A.1 |
1.B.1 |
1.B.2 |
4.A.2 |
4.C.10 | Technique: Native API (T1106)
4.C.12 | Technique: Native API (T1106)
8.C.3 |
9.B.1 |
10.A.1 |
10.B.2 | Technique: Native API (T1106)
11.A.1 |
11.A.12 |
14.B.1 |
16.B.2 | Technique: Native API (T1106)
20.A.1 | Technique: Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Rundll32 (T1218.011)
20.A.3 |
Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
Footnotes:
- According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking Office documents or untrusted applications spawning command interpreters.

Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
Footnotes:
- According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking Office documents or untrusted applications spawning command interpreters.

Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from powershell.exe
Footnotes:
- According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking PowerShell or untrusted applications spawning command interpreters.

APT3

Step | ATT&CK Pattern
1.A.1.1 |
1.A.1.2 | Technique: Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Rundll32 (T1218.011)
1.A.1.3 |
3.C.1 | Technique: Process Injection (T1055)
5.A.1.2 | Technique: Process Injection (T1055)
5.A.2.2 | Technique: Process Injection (T1055)
7.A.1.2 | Technique: Graphical User Interface (T1061)
7.C.1 |
8.D.1.2 | Technique: Process Injection (T1055)
10.A.2 |
11.A.1 |
12.E.1 |
16.F.1 |
16.L.1 |