UNC2452 Coverage

Based on this ATT&CK Navigator layer.

T1560.001 : Archive via Utility

• CAR-2013-07-005 : Command Line Usage of Archiving Software

T1059.001 : PowerShell

• CAR-2014-11-004 : Remote PowerShell Sessions
• CAR-2014-04-003 : Powershell Execution
• CAR-2014-04-003 : Powershell Execution

T1059.003 : Windows Command Shell

• CAR-2013-02-003 : Processes Spawning cmd.exe
• CAR-2014-11-002 : Outlier Parents of Cmd

T1105 : Ingress Tool Transfer

• CAR-2013-07-001 : Suspicious Arguments

T1036 : Masquerading

• CAR-2013-05-002 : Suspicious Run Locations

T1036.005 : Match Legitimate Name or Location

• CAR-2021-04-001 : Common Windows Process Masquerading

T1069.002 : Domain Groups

• CAR-2013-04-002 : Quick execution of a series of suspicious commands
• CAR-2016-03-001 : Host Discovery Commands
• CAR-2020-11-006 : Local Permission Group Discovery

T1057 : Process Discovery

• CAR-2013-04-002 : Quick execution of a series of suspicious commands
• CAR-2016-03-001 : Host Discovery Commands

T1053.005 : Scheduled Task

• CAR-2015-04-002 : Remotely Scheduled Tasks via Schtasks
• CAR-2013-04-002 : Quick execution of a series of suspicious commands
• CAR-2020-09-001 : Scheduled Task - FileAccess
• CAR-2013-01-002 : Autorun Differences
• CAR-2013-08-001 : Execution with schtasks

T1218.011 : Rundll32

• CAR-2014-03-006 : RunDLL32.exe monitoring

T1059 : Command and Scripting Interpreter

• CAR-2021-01-002 : Unusually Long Command Line Strings

T1546.003 : Windows Management Instrumentation Event Subscription

• CAR-2013-01-002 : Autorun Differences

T1098 : Account Manipulation

• CAR-2013-04-002 : Quick execution of a series of suspicious commands

T1543.003 : Windows Service

• CAR-2014-02-001 : Service Binary Modifications
• CAR-2013-04-002 : Quick execution of a series of suspicious commands
• CAR-2013-09-005 : Service Outlier Executables
• CAR-2013-01-002 : Autorun Differences
• CAR-2014-05-002 : Services launching Cmd
• CAR-2014-03-005 : Remotely Launched Executables via Services

T1562.001 : Disable or Modify Tools

• CAR-2013-04-002 : Quick execution of a series of suspicious commands
• CAR-2016-04-003 : User Activity from Stopping Windows Defensive Services

T1112 : Modify Registry

• CAR-2013-04-002 : Quick execution of a series of suspicious commands
• CAR-2014-11-005 : Remote Registry
• CAR-2013-01-002 : Autorun Differences
• CAR-2020-05-003 : Rare LolBAS Command Lines
• CAR-2013-03-001 : Reg.exe called from Command Shell

T1012 : Query Registry

• CAR-2013-04-002 : Quick execution of a series of suspicious commands
• CAR-2020-05-003 : Rare LolBAS Command Lines
• CAR-2013-03-001 : Reg.exe called from Command Shell

T1518.001 : Security Software Discovery

• CAR-2013-04-002 : Quick execution of a series of suspicious commands

T1082 : System Information Discovery

• CAR-2013-04-002 : Quick execution of a series of suspicious commands
• CAR-2016-03-001 : Host Discovery Commands

T1016 : System Network Configuration Discovery

• CAR-2013-04-002 : Quick execution of a series of suspicious commands
• CAR-2016-03-001 : Host Discovery Commands

T1033 : System Owner/User Discovery

• CAR-2013-04-002 : Quick execution of a series of suspicious commands
• CAR-2016-03-001 : Host Discovery Commands

T1007 : System Service Discovery

• CAR-2013-04-002 : Quick execution of a series of suspicious commands
• CAR-2016-03-001 : Host Discovery Commands

T1047 : Windows Management Instrumentation

• CAR-2016-03-002 : Create Remote Process via WMIC
• CAR-2014-12-001 : Remotely Launched Executables via WMI
• CAR-2014-11-007 : Remote Windows Management Instrumentation (WMI) over RPC