Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 1.A.3 | | Technique | A Technique detection named "Scripting engine reads script from suspicious folder" (Low) was generated when wscript.exe executed unprotected.vbe from the TEMP folder. [1] [2] |
| | | General | A General detection named "Malware" was generated when unprotected.vbe was detected as malware. [1] |
| 1.A.7 | | Technique | A Technique detection named "YARA Malware Signature" (High) was generated when wscript.exe executed starter.vbs, which was detected as suspicious. [1] |
| 8.A.1 | | General | A General detection named "Memory Corruption Exploit" was generated when suspicious access to DLLs was attempted. [1] |
| | | Technique | A Technique detection named "YARA Malware Signature" (High) was generated when wscript.exe spawned Java-Update.exe. [1] |
| 11.A.4 | | General | A General detection named "Behavioral Threat" was generated when mshta.exe executed an embedded VBScript payload. [1] |
| | | Technique | A Technique detection named "VBScript or VBA Execution via vbscript/vbe7.dll" was generated when mshta.exe executed an embedded VBScript payload. [1] |
| Criteria | Data Sources |
| --- | --- |
| wscript.exe executes unprotected.vbe [1] [2] | |
| wscript.exe executes unprotected.vbe [1] | |
| wscript.exe executes unprotected.vbe [1] | |
| wscript.exe executes starter.vbs [1] [2] | Process Monitoring, Script Logs |
| wscript.exe executes starter.vbs [1] | File Monitoring, Sandbox, Process Monitoring |
| wscript.exe spawns Java-Update.exe [1] | |
| wscript.exe spawns Java-Update.exe [1] | File Monitoring, Process Monitoring |
| wscript.exe spawns Java-Update.exe [1] | |
| mshta.exe executes an embedded VBScript payload [1] | Process Monitoring, Script Logs |
| mshta.exe executes an embedded VBScript payload [1] [2] | Script Logs, Process Monitoring |
| mshta.exe executes an embedded VBScript payload [1] | DLL Monitoring, Process Monitoring |
APT29

The subtechnique was not in scope.
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 11.A.1 | | Specific Behavior | A Specific Behavior alert was generated for PowerShell execution. The alert was tagged with a related Technique (PowerShell). [1] [2] [3] [4] [5] [6] [7] [8] |
| | | Specific Behavior | A Specific Behavior alert was generated for PowerShell execution with base64-encoded commands. [1] [2] [3] [4] [5] [6] [7] [8] |
| | | Specific Behavior | A Specific Behavior alert was generated for the execution of the Windows script engine. The alert was tagged with the correct ATT&CK Technique (Scripting). [1] [2] [3] [4] [5] [6] [7] [8] |
| | | Telemetry | Telemetry showed wscript.exe executing autoupdate.vbs as well as the resulting powershell.exe execution. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] [5] [6] [7] [8] |