Carbanak+FIN7 | The technique was not in scope. |
APT29 | The technique was not in scope. |
APT3 |
Step | ATT&CK Pattern | Detection Type | Detection Note |
6.B.1.3 | | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified C2 communication over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) in addition to the ongoing DNS C2. [1] [2] |
| Telemetry showed a combination of DNS requests and HTTP requests, which could indicate multiband communication. [1] [2] |
| Cobalt Strike: C2 channel modified to split communications between HTTP and DNS
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.