Carbanak+FIN7
| Step | ATT&CK Pattern | Detection Type | Detection Note |
|
11.A.3
|
|
|
A Technique detection named "Microsoft Office application launched Mshta.exe via lnk file" (Red) was generated when winword.exe spawned mshta.exe via an lnk file.
|
|
A Technique detection named "Executed suspicious JavaScript or VBScript via mshta application" (Orange) was generated when a suspicious script was executed via mshta.exe.
|
|
|
|
A Technique detection named "Executed mshta application" (Blue) was generated when winword.exe spawned mshta.exe.
|
|
A Technique detection named "MSHTA acting as VBScript Interpreter" (Yellow) was generated when mshta.exe was used to execute in-line VBScript.
|
|
winword.exe spawns mshta.exe
-
File Monitoring
-
Process Monitoring
winword.exe spawns mshta.exe
winword.exe spawns mshta.exe
winword.exe spawns mshta.exe
winword.exe spawns mshta.exe
-
Process Monitoring
-
DLL Monitoring
APT29
|
The subtechnique was not in scope.
|
APT3
|
The subtechnique was not in scope.
|