Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
11.A.8
|
|
|
A Technique detection named "File(s) referenced in auto-start entry(ies) with suspicious indicators" was generated when the Micriosoft Update Service scheduled task was created.
[1]
|
|
|
|
12.A.1
|
|
|
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
[1]
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
[1]
[2]
svchost.exe (-s Schedule) spawns Adb156.exe
[1]
[2]
[3]
APT29
|
The subtechnique was not in scope.
|
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.C.1
|
|
|
A Specific Behavior alert was generated for a task being created that runs an executable (via rundll32) under system rights at Windows logon. The alert was tagged with the correct ATT&CK Tactics (Execution, Persistence, Privilege Escalation) and Technique (Scheduled Task).
[1]
[2]
|
|
Telemetry showed cmd.exe creating the \"Resume Viewer Update Checker\" scheduled task via schtasks.exe. The telemetry was tainted by a trace detection on cmd.exe.
[1]
[2]
|
|
10.A.2
|
|
|
Telemetry showed rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments \"-k netsvcs -p -s Schedule\".
[1]
|
|
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
[1]
[2]
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
[1]
[2]
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
[1]