Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 17.A.2 | | | Minimum detection criteria were not met for this procedure. |

srrstr.dll is not the legitimate Windows System Protection Configuration Library
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 6.A.3 | | Telemetry (Correlated, Configuration Change (Detections)) | Telemetry showed the hash of accesschk.exe, which can be used to verify it is not the legitimate Sysinternals tool. The event was correlated to a parent Technique detection for Masquerading for rcs.3aka3.doc. [1] |

Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Evidence that accesschk.exe is not the legitimate Sysinternals tool

[1] Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.