HanSight: APT29 evaluation, Execution (TA0002)
Step | ATT&CK Pattern
1.A.1 |
1.B.1 |
1.B.2 |
4.A.2 |
4.C.10 | Technique: Native API (T1106)
4.C.12 | Technique: Native API (T1106)
8.C.3 |
9.B.1 |
10.A.1 |
10.B.2 | Technique: Native API (T1106)
11.A.1 |
11.A.12 |
14.B.1 |
16.B.2 | Technique: Native API (T1106)
20.A.1 | Technique: Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Rundll32 (T1218.011)
20.A.3 |
Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Executed persistent service (javamtsup) on system startup
Criteria: javamtsup.exe spawning from services.exe

Procedure: Executed PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe executing the CreateProcessWithToken API

Procedure: Executed PowerShell stager payload
Criteria:
powershell.exe spawning from the schemas ADS (powershell.exe)
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Created and executed a WMI class using PowerShell
Criteria: WMI Process (WmiPrvSE.exe) executing powershell.exe
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Executed Run key persistence payload on user login using RunDll32
Criteria: rundll32.exe executing kxwn.lock
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.