Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 4.A.4 | powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick | | Minimum detection criteria was not met for this procedure. |
| | User kmitnick logs on to bankfileserver (10.0.0.7) [1] | Technique | A Technique detection named "Valid Accounts \| Domain Accounts" was generated when kmitnick logged on to 10.0.0.7. [1] |
| | User kmitnick logs on to bankfileserver (10.0.0.7) [1] | Technique | A Technique detection named "Valid Accounts \| Domain Accounts" was generated when user kmitnick logged on to bankfileserver (10.0.0.7). [1] |
| 7.A.4 | User kmitnick logs on to bankdc (10.0.0.4) [1] | Technique | A Technique detection named "Valid Accounts \| Domain Accounts" was generated when user kmitnick logged on to bankdc (10.0.0.4). [1] |
| 7.B.2 | User kmitnick logs on to cfo (10.0.0.5) [1] | Technique | A Technique detection named "Valid Accounts \| Domain Accounts" was generated when user kmitnick logged on to cfo (10.0.0.5). [1] |
| 16.A.4 | User kmitnick logs on to itadmin (10.0.1.6) [1] | Technique | A Technique detection named "Valid Accounts (T1078) \| Domain Accounts (T1078.002)" was generated when kmitnick logged on to itadmin (10.0.1.6). [1] |
| 19.A.1 | User kmitnick logs on to accounting (10.0.1.7) [1] | Technique | A Technique detection named "Valid Accounts \| Local Accounts" was generated when user kmitnick logged on to accounting (10.0.1.7). [1] |
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 8.C.1 | Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam. Successful logon as user Pam on Scranton (10.0.1.4) [1] | Telemetry | Telemetry showed a valid logon on Scranton (10.0.1.4) as user Pam. The detection was correlated to a parent alert for malicious PowerShell. [1] |
| 16.C.2 | Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott. Successful logon as user MScott on NewYork (10.0.0.4) [1] | MSSP | An MSSP detection for Valid Accounts occurred containing evidence of the successful logon on NewYork as user MScott. [1] |
| 16.C.2 | Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott. Successful logon as user MScott on NewYork (10.0.0.4) [1] [2] | Telemetry | Telemetry showed a successful logon on NewYork (10.0.0.4) as user MScott. [1] [2] |
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 16.D.1.2 | Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick [1] | General Behavior (Tainted) | A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was tainted by a parent PowerShell alert. [1] |
| 16.D.1.2 | Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick | Telemetry | Telemetry showed net.exe executing with command-line arguments. [1] |

Note on the Telemetry row: for most alerts in the user interface, the telemetry behind the alert is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1]