Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
11.A.8
|
|
|
A Technique detection named "Office process creates a scheduled task via file access" (Medium) was generated when mshta.exe created a scheduled task to execute in 5 minutes.
[1]
[2]
|
|
|
|
12.A.1
|
|
|
A Technique detection named "Remote Scheduled Task Executed" (Informational) was generated when svchost.exe spawned adb156.exe.
[1]
|
|
|
|
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
-
Process Monitoring
-
File Monitoring
[1]
[2]
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
-
DLL Monitoring
-
Process Monitoring
-
Named Pipes
-
RPC
[1]
[2]
svchost.exe (-s Schedule) spawns Adb156.exe
[1]
svchost.exe (-s Schedule) spawns Adb156.exe
[1]
APT29
|
The technique was not in scope.
|
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.C.1
|
|
Specific Behavior
(Tainted)
|
A Specific Behavior alert was generated for a commonly abused host process scheduling a task. The alert was tainted by a parent process injection alert on cmd.exe.
[1]
[2]
[3]
[4]
|
Specific Behavior
(Tainted)
|
A Specific Behavior alert was generated for the creation of a new scheduled task. The alert was tainted by a parent process injection alert on cmd.exe.
[1]
[2]
[3]
[4]
|
|
The capability enriched schtasks.exe creating the Resume Viewer Update Checker scheduled task with the correct ATT&CK Technique (Scheduled Task).
[1]
[2]
[3]
[4]
|
|
Telemetry showed schtasks.exe creating the Resume Viewer Update Checker scheduled task as reboot persistence and as SYSTEM. The telemetry was tainted by a parent process injection alert on cmd.exe.
[1]
[2]
[3]
[4]
|
|
10.A.2
|
|
|
Telemetry showed the execution sequence for rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments \"-k netsvcs -p -s Schedule\".
[1]
[2]
|
|
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
[1]
[2]