Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 5.C.3 | | | A General detection (5) was generated when a service executable in C:\Windows\ spawned cmd.exe. [1] |
| 16.A.6 | | | A Technique detection named "T1569.002 System Services (Service Execution)" (9) was generated when a Windows service started PAExec. [1] [2] |

cmd.exe spawns from a service executable in C:\Windows\
[1]
Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe
[1]
[2]
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 8.C.3 | | | A Technique alert detection (red indicator) for "Service Execution" was generated for the execution of python.exe by PSEXESVC.exe on host Scranton (10.0.1.4) as SYSTEM. [1] |
| 8.C.3 | | | An MSSP detection for "Service Execution" occurred containing evidence of PSEXESVC.exe executing python.exe. [1] [2] |
| 10.A.1 | | | A Technique alert detection (red indicator) for "Service Execution" was generated when services.exe spawned javamtsup.exe. [1] |

Executed python.exe using PSExec
python.exe spawned by PSEXESVC.exe
[1]
[2]
Executed persistent service (javamtsup) on system startup
javamtsup.exe spawning from services.exe
[1]