Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 5.C.3 | cmd.exe spawns from a service executable in C:\Windows\ | Technique | A Technique detection named "Execution of a Service Process" (Low) was generated when cmd.exe spawned from services.exe. |
| 5.C.3 | cmd.exe spawns from a service executable in C:\Windows\ | General | A General detection named "Malware Detection Alert" (Critical) was generated when the service executable that spawned cmd.exe was detected as malicious. |
| 16.A.6 | Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe | Technique | A Technique detection named "Execution of a Service Process" (Low) was generated when a Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executed hollow.exe. |

Data sources:
- File Monitoring
- Process Monitoring
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 8.C.3 | Executed python.exe using PSExec: python.exe spawned by PSEXESVC.exe | Technique (Alert, Correlated) | A Technique alert detection (low severity) for "Service Creation/Modification" was generated due to PsExec64.exe creating the psexesvc.exe service. |
| 8.C.3 | Executed python.exe using PSExec: python.exe spawned by PSEXESVC.exe | Telemetry (Correlated) | Telemetry showed PSEXESVC.exe executing python.exe. The detection was correlated to a parent alert for the "First Seen Process in an Environment". |
| 8.C.3 | Executed python.exe using PSExec: python.exe spawned by PSEXESVC.exe | Technique (Correlated, Alert) | A Technique alert detection (high severity) for "ATT&CK T1035 Service Execution" was generated for PsExec64.exe calling the CreateServiceW API. The detection was correlated to a parent alert for malicious file execution. |
| 10.A.1 | Executed persistent service (javamtsup) on system startup: javamtsup.exe spawning from services.exe | None | Minimum detection criteria were not met for this procedure. |
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 16.L.1 | Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) | Specific Behavior | A Specific Behavior alert named "Service Command Lateral Movement" was generated for the sc.exe command to start AdobeUpdater. The alert was also tagged with the correct ATT&CK Technique (T1035 - Service Execution) and Tactic (Execution). |
| 16.L.1 | Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) | Enrichment (Tainted, Delayed) | The capability enriched sc.exe with the correct ATT&CK Technique (T1035 - Service Execution) and Tactic (Execution). The event was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. |
| 16.L.1 | Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) | Telemetry (Tainted) | Telemetry showed sc.exe execution to start the AdobeUpdater service on Creeper. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. |

Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
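Added example (not from the evaluation or from any vendor's product): a small Python lineage check over constructed Sysmon-style process-creation events that flags the service-execution patterns the three tables describe, a non-allowlisted binary started by services.exe, a shell under a service executable, a child of PSEXESVC.exe or PAExec-{PID}-*.exe, and an `sc start` command issued from a shell. The event fields, pids, paths and the allowlist are assumptions made for the example.

```python
import re
from collections import namedtuple
# Constructed process-creation events (Sysmon EID 1 style); pids and paths are made up.
Proc = namedtuple("Proc", "pid ppid image cmdline")
SAMPLE = [
    Proc(600, 4, r"C:\Windows\System32\services.exe", "services.exe"),
    Proc(700, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),  # allowlisted
    Proc(801, 600, r"C:\Windows\upd_svc.exe", "upd_svc.exe"),            # unknown service binary
    Proc(802, 801, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),  # shell under it (5.C.3)
    Proc(900, 600, r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    Proc(901, 900, r"C:\Python38\python.exe", "python.exe -c pass"),     # 8.C.3
    Proc(950, 600, r"C:\Windows\PAExec-4242-HOTELMANAGER.exe", "PAExec-4242-HOTELMANAGER.exe"),
    Proc(951, 950, r"C:\Users\bob\hollow.exe", "hollow.exe"),           # 16.A.6
    Proc(1000, 600, r"C:\Windows\javamtsup.exe", "javamtsup.exe"),       # 10.A.1
    Proc(1050, 1040, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    Proc(1100, 1050, r"C:\Windows\System32\sc.exe", r"sc \\10.0.0.4 start AdobeUpdater"),  # 16.L.1
    Proc(1200, 1150, r"C:\Windows\System32\cmd.exe", "cmd.exe"),  # parent not in telemetry, no hit
]

SHELLS = {"cmd.exe", "powershell.exe"}
KNOWN_SCM_CHILDREN = {"svchost.exe", "spoolsv.exe", "searchindexer.exe"}  # illustrative allowlist
REMOTE_EXEC_SVC = re.compile(r"^(psexesvc\.exe|paexec-\d+-.+\.exe)$")  # PsExec / PAExec service names

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def lineage(by_pid, pid, depth):
    # Image basenames of up to `depth` ancestors of pid, nearest first.
    out, cur = [], by_pid.get(pid)
    while cur is not None and len(out) < depth:
        cur = by_pid.get(cur.ppid)
        if cur is not None:
            out.append(base(cur.image))
    return out

def evaluate(procs):
    # Return [(pid, rule)] for events matching the service-execution patterns in the tables above.
    by_pid, hits = {p.pid: p for p in procs}, []
    for p in procs:
        img, anc = base(p.image), lineage(by_pid, p.pid, 2)
        parent = anc[0] if anc else ""
        if parent == "services.exe" and img not in KNOWN_SCM_CHILDREN:
            hits.append((p.pid, "unknown_service_process"))  # javamtsup.exe under services.exe
        if img in SHELLS and "services.exe" in anc:
            hits.append((p.pid, "shell_from_service"))  # cmd.exe under a service executable
        if REMOTE_EXEC_SVC.match(parent):
            hits.append((p.pid, "remote_exec_service_child"))  # PSEXESVC.exe / PAExec-* child
        if img == "sc.exe" and re.search(r"\bstart\b", p.cmdline, re.I):
            hits.append((p.pid, "sc_start_from_shell" if parent in SHELLS else "sc_start"))
    return hits
```

Each hit carries the pid so it can be tied back to the event tree, and the PsExec and PAExec service binaries themselves surface through the services.exe rule before their children do.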