Carbanak+FIN7

| Step | Procedure | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|---|
| 20.B.4 | 7za.exe creates C:\Users\Public\log.7z (data sources: Process Monitoring, File Monitoring) [1] | | | A Technique detection named "Compression utility executed" (Low) was generated when 7za.exe created C:\Users\Public\log.7z. [1] |
APT29

| Step | Procedure | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|---|
| 2.A.4 | Compressed and stored files into ZIP (Draft.zip) using PowerShell: powershell.exe executing Compress-Archive [1] | | | Telemetry showed powershell.exe compressing via Compress-Archive. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] |
| 2.A.4 | | | | An MSSP detection for Data Compressed (T1002) occurred containing evidence that the files C:\Users\pam\Links\Downloads.lnk, C:\Users\pam\Links\Desktop.lnk, C:\Users\pam\Favorites\Bing.url, and C:\Users\pam\Desktop\Microsoft Edge.lnk were compressed into a zip file draft.zip. [1] |
| 2.A.4 | | | Technique (Alert, Correlated) | A Technique alert detection (red indicator) called "Scripting engine creates compressed file under suspicious folder" was generated due to identifying Draft.zip as compressed. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] |
| 2.A.5 | Staged files for exfiltration into ZIP (Draft.zip) using PowerShell: powershell.exe creating the file draft.zip [1] | | | An MSSP detection for Data Staged (T1074) occurred containing evidence that a compressed zip file named Draft.zip was created. [1] |
| 2.A.5 | | | | Telemetry showed the creation of Draft.zip. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] |
| 7.B.2 | Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell: powershell.exe creating the file OfficeSupplies.7z [1] | | | An MSSP detection occurred containing evidence of the file creation of OfficeSupplies.7z. [1] |
| 7.B.2 | | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called "Scripting engine creates compressed file under suspicious location" was generated for the file creation event of a .7z file in %APPDATA%. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] |
| 7.B.2 | | | | Telemetry showed the file create event for OfficeSupplies.7z. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] |
| 7.B.3 | Encrypted data from the user's Downloads directory using PowerShell: powershell.exe executing Compress-7Zip with the password argument used for encryption | | | Minimum detection criteria were not met for this procedure. |
| 9.B.6 | Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe: powershell.exe executing rar.exe with the -a parameter for a password to use for encryption [1] | | | Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1] |
| 9.B.6 | | | | An MSSP detection contained evidence of execution of rar.exe with command-line arguments to encrypt working.zip. [1] |
| 9.B.7 | Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe: powershell.exe executing rar.exe [1] | | | Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1] |
| 9.B.7 | | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) for "Scripting engine creates compressed file under suspicious folder" was generated when rar.exe was used to create a compressed zip archive in %APPDATA%. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1] |
| 9.B.7 | | | | An MSSP detection contained evidence of execution of rar.exe with command-line arguments to compress working.zip. [1] |
| 17.C.1 | Compressed a staging directory using PowerShell: powershell.exe executing the ZipFile.CreateFromDirectory .NET method [1] [2] | | | A General alert detection for Data Staged was generated when the WindowsParentalControlMigration.tmp file was compressed. [1] [2] |
| 17.C.1 | | | | Telemetry showed PowerShell compressing collection via the ZipFile.CreateFromDirectory .NET method. The detection was correlated to a parent alert for a suspicious PowerShell process being spawned by explorer.exe. [1] |
| 17.C.1 | | | | An MSSP detection occurred containing evidence of data compression. [1] |
APT3

| Step | Procedure | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|---|
| 19.B.1.1 | Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file | | | Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent alert on wscript.exe. |
| 19.B.1.2 | Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file | | | Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |