Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 7.C.4 | Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Data sources: Windows Registry, Process Monitoring. [1] [2] | Technique | A Technique detection named "RegistryAutorun" was generated when the Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. [1] |
| 10.A.4 | msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run. Data sources: Windows Registry, Process Monitoring. [1] | Technique | A Technique detection named "RegistryAutorun" was generated when the tvncontrol subkey was added to HKLM\Software\Microsoft\CurrentVersion\Run. [1] |
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 5.B.1 | Created a LNK file (hostui.lnk) in the Startup folder that executes on login: powershell.exe creating the file hostui.lnk in the Startup folder. [1] | Technique (Alert, Correlated) | A Technique alert detection for "StartupDirectory" under was generated due to the file write of hostui.lnk in the Startup folder. The detection was correlated to a parent grouping of malicious activity. [1] |
| 5.B.1 | Created a LNK file (hostui.lnk) in the Startup folder that executes on login: powershell.exe creating the file hostui.lnk in the Startup folder. [1] | Telemetry | Telemetry showed the creation of hostui.lnk in the Startup folder. The detection was correlated to a parent grouping of malicious activity. [1] |
| 5.B.1 | Created a LNK file (hostui.lnk) in the Startup folder that executes on login: powershell.exe creating the file hostui.lnk in the Startup folder. [1] [2] | MSSP | An MSSP detection for "T1060" occurred containing evidence of PowerShell placing a LNK in the Startup folder, gaining persistence to launch hostui.bat. [1] [2] |
| 10.B.1 | Executed LNK payload (hostui.lnk) in Startup Folder on user login: evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder. [1] | MSSP | An MSSP detection for "startup persistence" occurred containing evidence of hostui.lnk executing from the Startup Folder. [1] |
| 10.B.1 | Executed LNK payload (hostui.lnk) in Startup Folder on user login: evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder. | Technique (Alert, Configuration Change (Detections)) | A Technique alert detection for "StartedFromLnk" under "Registry Run Keys / Startup Folder {T1060}" was generated due to hostui.lnk triggering on login from the StartUp Folder. [1] A Detection Configuration Change was made to capture .lnk files triggering on login from the StartUp folder. Aligned usage with "StartedFromLnk" under "Registry Run Keys / Startup Folder {T1060}". [1] |
| 10.B.1 | Executed LNK payload (hostui.lnk) in Startup Folder on user login: evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder. [1] | Telemetry | Telemetry showed hostui.lnk executing from the Startup Folder. [1] |
| 11.A.11 | Established Registry Run key persistence using PowerShell: addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. [1] | MSSP | An MSSP detection for "T1060" occurred containing evidence of the Webcache subkey being added to the Registry. [1] |
| 11.A.11 | Established Registry Run key persistence using PowerShell: addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. [1] | Technique (Alert) | A Technique alert detection for "RegistryAutorun" under "Persistence {T1060}" was generated for powershell.exe adding Run key persistence into the Registry. [1] |
| 11.A.11 | Established Registry Run key persistence using PowerShell: addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. [1] | Telemetry | Telemetry showed powershell.exe adding Run key persistence into the Registry. [1] |
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 1.B.1 | Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder. [1] | Telemetry | Telemetry on actions performed from Resume Viewer.exe showed autoupdate.bat being written to the Startup Folder. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). [1] |
| 10.A.1 | Batch file (autoupdate.bat) previously written to the Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32. [1] [2] | Telemetry | Telemetry showed execution of autoupdate.bat from the Startup folder for persistence. The telemetry was associated with a new story (Group ID) but was not marked as malicious or tainted because it is not associated with an alert. [1] [2] |
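The three tables above record the same two behaviours being detected across evaluations: a value added under a Registry Run key (the "RegistryAutorun" detections) and a file written to, or launched from, a Startup folder (the "StartupDirectory" and "StartedFromLnk" detections). The following is an added example of that detection logic, not code from MITRE or from any evaluated vendor. It runs over a constructed, Sysmon-like list of event dictionaries (the `event`, `image`, `target` and `command_line` field names and every sample path are assumptions for the example), flags the two behaviours, and groups the resulting alerts by the process that produced them, mirroring the "parent grouping" and "story (Group ID)" correlation the notes describe.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Technique id as used on this page; current ATT&CK lists the same
# behaviour under T1547.001 (Registry Run Keys / Startup Folder).
TECHNIQUE = "T1060"

# Autorun Run/RunOnce values under either hive, including the 32-bit
# redirected view, matched case-insensitively. The final component is the
# value (subkey) name, e.g. "tvncontrol" or "Webcache" in the tables above.
RUN_KEY_RE = re.compile(
    r"^(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\"
    r"SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"Run(Once)?\\[^\\]+$",
    re.IGNORECASE,
)

# Per-user (%APPDATA%) and all-users (%PROGRAMDATA%) Startup folders share
# this path tail, so one pattern covers both.
STARTUP_DIR_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE
)


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert for one event, or None when it is not persistence-related."""
    kind = event.get("event")
    image = event.get("image", "")
    target = event.get("target", "")

    if kind == "RegistryValueSet" and RUN_KEY_RE.match(target):
        return {"name": "RegistryAutorun", "technique": TECHNIQUE,
                "process": image, "evidence": target}

    if kind == "FileCreate" and STARTUP_DIR_RE.search(target):
        return {"name": "StartupDirectory", "technique": TECHNIQUE,
                "process": image, "evidence": target}

    if kind == "ProcessCreate":
        # Something launched from the Startup folder on logon: either the
        # image itself lives there, or the script named on the command line does.
        cmd = event.get("command_line", "")
        if STARTUP_DIR_RE.search(image) or STARTUP_DIR_RE.search(cmd):
            return {"name": "StartedFromStartupFolder", "technique": TECHNIQUE,
                    "process": image, "evidence": cmd or image}

    return None


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over a stream of events and keep only the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


def group_by_process(alerts: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group alert names by originating process, a minimal 'story' correlation."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for alert in alerts:
        groups[alert["process"]].append(alert["name"])
    return dict(groups)


# Constructed sample events (assumed schema); the value names echo the
# evaluation rows, the user and paths are invented.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"event": "RegistryValueSet", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tvncontrol"},
    {"event": "RegistryValueSet", "image": PS,
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webcache"},
    {"event": "RegistryValueSet", "image": r"C:\Windows\explorer.exe",      # benign
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"event": "FileCreate", "image": PS, "target": STARTUP + r"\hostui.lnk"},
    {"event": "FileCreate", "image": r"C:\Program Files\Office\WINWORD.EXE",  # benign
     "target": r"C:\Users\alice\Documents\report.docx"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c "' + STARTUP + r'\autoupdate.bat"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\explorer.exe",          # benign
     "command_line": "explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["name"]:<26} {alert["technique"]}  {alert["process"]}  {alert["evidence"]}')
    print(group_by_process(detect(SAMPLE_EVENTS)))
```

The regexes deliberately anchor on the full Run key path and the Startup folder tail rather than on the value or file name, since names such as "Java-Update" or "Webcache" are chosen to look benign; the process grouping is what turns two individually weak signals from the same PowerShell process into the kind of correlated detection the APT29 rows describe.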