Carbanak+FIN7

Step | ATT&CK Pattern | Detection Type | Detection Note
4.A.3 | | Network Monitoring; Script Logs; Process Monitoring | powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access [1] [2] [3]
APT29

The subtechnique was not in scope.
APT3

Step | ATT&CK Pattern | Detection Type | Detection Note
16.A.1.1 | Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda | Specific Behavior | A Specific Behavior alert was generated for powershell.exe performing a potential brute force password hack via the net utility. [1] [2]
16.A.1.1 | Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda | Telemetry | Telemetry showed powershell.exe executing repeated logon attempts via net.exe. The telemetry was tainted by a trace detection on powershell.exe. [1] [2]
16.B.1.3 | Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying | Specific Behavior | A Specific Behavior alert was generated for powershell.exe performing a potential brute force password hack via the net utility. [1] [2]
16.B.1.3 | Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying | Telemetry | Telemetry showed a logon attempt via net.exe with command-line arguments to log in using the valid credentials of user Kmitnick. The telemetry was tainted by a trace detection on powershell.exe. [1] [2]
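The two behaviours the tables above describe (powershell.exe driving repeated 'net use' logon attempts across hosts and users in the APT3 rows, and powershell.exe probing TCP/135 on many hosts via Find-LocalAdminAccess in the Carbanak+FIN7 row) can both be caught from ordinary endpoint telemetry by counting distinct targets per parent process inside a time window. The following is an added example written for this page; it is not MITRE's or any vendor's detection logic. The sample events are constructed, their field names only loosely mirror Sysmon Event ID 1 and Event ID 3, and the hostnames, timestamps and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not evaluation data).
# Fields loosely mirror Sysmon Event ID 1 (process creation) and
# Event ID 3 (network connection).
EVENTS = [
    # 16.A.1.1-style spray: powershell.exe spawns net.exe per (host, user) pair.
    {"type": "process", "ts": "2019-06-01T10:00:01", "host": "WS1",
     "parent": "powershell.exe", "image": "net.exe",
     "cmdline": r"net use \\10.0.1.4\C$ /user:CORP\Kmitnick Passw0rd"},
    {"type": "process", "ts": "2019-06-01T10:00:03", "host": "WS1",
     "parent": "powershell.exe", "image": "net.exe",
     "cmdline": r"net use \\10.0.1.4\C$ /user:CORP\Bob Passw0rd"},
    {"type": "process", "ts": "2019-06-01T10:00:05", "host": "WS1",
     "parent": "powershell.exe", "image": "net.exe",
     "cmdline": r"net use \\10.0.1.4\C$ /user:CORP\Frieda Passw0rd"},
    {"type": "process", "ts": "2019-06-01T10:00:07", "host": "WS1",
     "parent": "powershell.exe", "image": "net.exe",
     "cmdline": r"net use \\10.0.1.6\C$ /user:CORP\Kmitnick Passw0rd"},
    {"type": "process", "ts": "2019-06-01T10:00:09", "host": "WS1",
     "parent": "powershell.exe", "image": "net.exe",
     "cmdline": r"net use \\10.0.1.6\C$ /user:CORP\Bob Passw0rd"},
    # Benign: a user mapping one drive from Explorer (assumed host/user).
    {"type": "process", "ts": "2019-06-01T10:02:00", "host": "WS2",
     "parent": "explorer.exe", "image": "net.exe",
     "cmdline": r"net use H: \\fileserver\home /user:CORP\alice *"},
    # 4.A.3-style sweep: powershell.exe opening TCP/135 to several hosts.
    {"type": "network", "ts": "2019-06-01T10:10:00", "host": "WS1",
     "image": "powershell.exe", "dst_ip": "10.0.0.5", "dst_port": 135},
    {"type": "network", "ts": "2019-06-01T10:10:01", "host": "WS1",
     "image": "powershell.exe", "dst_ip": "10.0.1.4", "dst_port": 135},
    {"type": "network", "ts": "2019-06-01T10:10:02", "host": "WS1",
     "image": "powershell.exe", "dst_ip": "10.0.1.6", "dst_port": 135},
    {"type": "network", "ts": "2019-06-01T10:10:03", "host": "WS1",
     "image": "powershell.exe", "dst_ip": "10.0.1.7", "dst_port": 135},
    # Benign: a single RPC connection from a service host.
    {"type": "network", "ts": "2019-06-01T10:10:04", "host": "WS2",
     "image": "svchost.exe", "dst_ip": "10.0.0.1", "dst_port": 135},
]

# 'net use [X:] \\host\share ... /user:DOMAIN\name ...': capture host and user.
NET_USE_RE = re.compile(
    r"\bnet(?:\.exe)?\s+use\s+(?:[A-Za-z]:\s+)?\\\\([^\\\s]+)\\\S*.*?/user:(\S+)",
    re.IGNORECASE)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_net_use_spray(events, window=timedelta(minutes=5), min_pairs=3):
    """Alert when one parent process on one host drives net.exe through at
    least `min_pairs` distinct (target, user) logon attempts inside `window`.
    A scripted spray produces many distinct pairs in seconds; an interactive
    'net use' produces one. Keying on the parent is what lets the alert on
    powershell.exe carry over to its net.exe children."""
    groups = defaultdict(list)
    for e in events:
        if e["type"] != "process" or e["image"].lower() != "net.exe":
            continue
        m = NET_USE_RE.search(e["cmdline"])
        if m:
            groups[(e["host"], e["parent"].lower())].append(
                (_ts(e), m.group(1), m.group(2)))
    alerts = []
    for (host, parent), attempts in groups.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):  # sliding window
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            pairs = {(t, u) for _, t, u in in_window}
            if len(pairs) >= min_pairs:
                alerts.append({"host": host, "parent": parent,
                               "attempts": len(pairs),
                               "targets": sorted({t for t, _ in pairs}),
                               "users": sorted({u for _, u in pairs})})
                break
    return alerts


def detect_rpc_sweep(events, window=timedelta(minutes=5), min_hosts=3):
    """Alert when one image on one host opens TCP/135 to at least `min_hosts`
    distinct destinations inside `window`: the Find-LocalAdminAccess pattern,
    an admin-access probe against every host in a list."""
    groups = defaultdict(list)
    for e in events:
        if e["type"] == "network" and e["dst_port"] == 135:
            groups[(e["host"], e["image"].lower())].append((_ts(e), e["dst_ip"]))
    alerts = []
    for (host, image), conns in groups.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            dsts = {ip for ts, ip in conns[i:] if ts - start <= window}
            if len(dsts) >= min_hosts:
                alerts.append({"host": host, "image": image,
                               "destinations": sorted(dsts)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_net_use_spray(EVENTS) + detect_rpc_sweep(EVENTS):
        print(alert)
```

On the sample data the spray detector fires once for WS1/powershell.exe with five distinct (target, user) pairs across 10.0.1.4 and 10.0.1.6, and the sweep detector fires once for the four-host TCP/135 burst; the single Explorer drive mapping and the lone svchost.exe connection stay below threshold. Both thresholds are guesses and need tuning against a real baseline, since logon scripts and inventory tools legitimately touch many hosts.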