Carbanak+FIN7

| Step | Criteria | Data Sources | ATT&CK Pattern | Detection Type | Detection Note | Screenshots |
|---|---|---|---|---|---|---|
| 4.B.7 | smrs.exe opens and reads lsass.exe | Process Monitoring; System Calls/API Monitoring | | Technique | A Technique detection named "Potential Credential Dumping - Mimikatz" (Warning) was generated when smrs.exe accessed lsass.exe in a similar way to Mimikatz. | [1] [2] [3] |
| 4.B.7 | smrs.exe opens and reads lsass.exe | Process Monitoring; File Monitoring | | General | A General detection named "Win64/Riskware.Mimikatz.D" (Threat) was generated when smrs.exe was detected as Mimikatz. | [1] |
| 4.B.7 | smrs.exe opens and reads lsass.exe | Process Monitoring; File Monitoring | | General | A General detection named "Unpopular process has started from AppData\ProgramData" (Information) was generated when smrs.exe was launched from AppData\ProgramData. | [1] [2] |
| 4.B.7 | smrs.exe opens and reads lsass.exe | Process Monitoring; System Calls/API Monitoring | | | | [1] |
| 4.B.7 | smrs.exe opens and reads lsass.exe | System Calls/API Monitoring; Process Monitoring | | Technique | A Technique detection named "Potential Credential Dumping - Generic" (Warning) was generated when smrs.exe accessed lsass.exe. | [1] [2] |
| 15.A.6 | samcat.exe opens and reads the SAM via LSASS | File Monitoring; Process Monitoring | | General | A General detection named "Win64/RiskWare.Mimikatz.D" (Threat) was generated when samcat.exe was identified as Mimikatz. | [1] |
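The two behaviours the table's criteria and notes describe (a process opening and reading lsass.exe, and a process operating out of AppData\ProgramData) as a small detector replayed over constructed Sysmon-style ProcessAccess records. This is an added example, not code from the ATT&CK Evaluations page or from the vendor being evaluated; the event field names, sample paths and label strings are assumptions.

```python
# Added example: toy detector for the LSASS-access criteria in the table.
# Field names follow the shape of Sysmon Event ID 10 (ProcessAccess);
# the events below are constructed, not captured from the evaluation.
import re

# Windows process access rights that allow reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Directories the page's "Unpopular process" note calls out.
UNPOPULAR_DIRS = re.compile(r"\\(AppData|ProgramData)\\", re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed sample input
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\smrs.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": 0x1010},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": 0x1000},
    {"SourceImage": r"C:\ProgramData\samcat.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": 0x1410},
    {"SourceImage": r"C:\Program Files\Editor\editor.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": 0x1FFFFF},
]

def basename(path):
    """Last path component, lower-cased, for image-name comparisons."""
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return the detection labels that apply to one ProcessAccess record."""
    labels = []
    target_is_lsass = basename(event["TargetImage"]) == "lsass.exe"
    reads_memory = bool(event["GrantedAccess"] & PROCESS_VM_READ)
    if target_is_lsass and reads_memory:
        # Mirrors the page's generic criterion: a process opens and reads lsass.exe.
        labels.append("Potential Credential Dumping - Generic")
    if target_is_lsass and UNPOPULAR_DIRS.search(event["SourceImage"]):
        # Simplified stand-in for the page's AppData\ProgramData note (assumed label).
        labels.append("Unpopular process from AppData/ProgramData touching LSASS")
    return labels

def scan(events):
    """Map each flagged source image name to its labels; benign events are dropped."""
    hits = {}
    for event in events:
        labels = classify(event)
        if labels:
            hits[basename(event["SourceImage"])] = labels
    return hits
```

A 0x1000-only handle (PROCESS_QUERY_LIMITED_INFORMATION) such as the svchost.exe sample is deliberately not flagged, because it cannot read LSASS memory.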