Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 20.B.4 | 7za.exe creates C:\Users\Public\log.7z (Process Monitoring, File Monitoring) [1] | Technique | A Technique detection named "Data Compressed" was generated when 7za.exe created C:\Users\Public\log.7z. [1] |
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 2.A.4 | Compressed and stored files into ZIP (Draft.zip) using PowerShell: powershell.exe executing Compress-Archive [1] | MSSP | An MSSP detection for "Data Compressed" was received that included an explanation of the PowerShell script used to compress files and store the results in Draft.zip. [1] |
| 2.A.4 | Compressed and stored files into ZIP (Draft.zip) using PowerShell: powershell.exe executing Compress-Archive [1] | Telemetry | Telemetry showed powershell.exe compressing via Compress-Archive. [1] |
| 2.A.4 | Compressed and stored files into ZIP (Draft.zip) using PowerShell: powershell.exe executing Compress-Archive [1] | Technique | A Technique detection for "Data Compressed" was generated when Draft.zip was identified as compressed. The event was correlated to a parent detection of cod.3aka.scr as a malicious file. [1] |
| 2.A.5 | Staged files for exfiltration into ZIP (Draft.zip) using PowerShell: powershell.exe creating the file draft.zip [1] | Telemetry | Telemetry showed the creation of Draft.Zip. The telemetry was correlated to a parent detection of cod.3aka.scr as a suspicious file. [1] |
| 7.B.2 | Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell: powershell.exe creating the file OfficeSupplies.7z [1] | Telemetry | Telemetry showed the creation of OfficeSupplies.7z. [1] |
| 7.B.2 | Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell: powershell.exe creating the file OfficeSupplies.7z [1] | Technique | A Technique detection for "Data Compressed" was generated when powershell.exe created OfficeSupplies.7z. [1] |
| 7.B.2 | Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell: powershell.exe creating the file OfficeSupplies.7z [1] | MSSP | An MSSP detection occurred for "Data Compressed" containing evidence of the Invoke-Exfil function using 7-zip with password "lolol" to compress the Downloads directory into OfficeSupplies.7z. [1] |
| 7.B.3 | Encrypted data from the user's Downloads directory using PowerShell: powershell.exe executing Compress-7Zip with the password argument used for encryption [1] [2] [3] | MSSP | An MSSP detection occurred containing evidence that data was compressed and password encrypted for exfiltration. [1] [2] [3] |
| 9.B.6 | Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe: powershell.exe executing rar.exe with the -a parameter for a password to use for encryption [1] | Telemetry | Telemetry showed powershell.exe executing rar.exe with command-line arguments. [1] |
| 9.B.6 | Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe: powershell.exe executing rar.exe with the -a parameter for a password to use for encryption [1] [2] | MSSP | An MSSP detection for "Data Encrypted" was received that included the command used by the adversary to execute Rar.exe and explained that it was used to compress data into an encrypted ZIP file. [1] [2] |
| 9.B.6 | Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe: powershell.exe executing rar.exe with the -a parameter for a password to use for encryption [1] | Tactic | A Tactic detection for "Exfiltration" was generated when rar.exe executed with command-line arguments creating working.zip. [1] |
| 9.B.7 | Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe: powershell.exe executing rar.exe [1] | Technique | A Technique detection for "Data Compressed" was generated when rar.exe created working.zip. [1] |
| 9.B.7 | Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe: powershell.exe executing rar.exe [1] | Telemetry | Telemetry showed powershell.exe executing rar.exe with command-line arguments. [1] |
| 9.B.7 | Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe: powershell.exe executing rar.exe [1] [2] | MSSP | An MSSP detection for "Data Staged" was received that included the command used by the adversary to execute Rar.exe and explained that it was used to compress data into working.zip. [1] [2] |
| 17.C.1 | Compressed a staging directory using PowerShell: powershell.exe executing the ZipFile.CreateFromDirectory .NET method [1] | MSSP | An MSSP detection occurred containing evidence of commands used to copy and compress data. [1] |
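The rows above describe the same small set of observable behaviours: an archive utility (7za.exe, rar.exe) launched with a command line, PowerShell calling Compress-Archive, Compress-7Zip or ZipFile.CreateFromDirectory, an archive file being written, and a password switch turning "Data Compressed" into "Data Encrypted". The following Python checker is an added example, not code from the evaluation page or from MITRE, that applies those rules to a constructed stream of Sysmon-style process-creation and file-creation events. The event field names (`id`, `type`, `image`, `parent`, `cmdline`, `target`), the user name, paths and password value are assumptions; for the password check it keys on rar's `-p`/`-hp` and 7-Zip's `-p` command-line switches and on Compress-7Zip's `-Password` parameter, and it records the parent image so a hit can be pivoted to its parent the way the notes correlate to cod.3aka.scr.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Archive utilities named in the evaluation rows (7za.exe, rar.exe) plus their
# usual siblings; matched case-insensitively against the image basename.
ARCHIVE_TOOLS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
ARCHIVE_EXT = re.compile(r"\.(zip|7z|rar|cab|gz|tgz)$", re.IGNORECASE)
# PowerShell archiving primitives from the APT29 rows: the Compress-Archive and
# Compress-7Zip cmdlets and the ZipFile.CreateFromDirectory .NET call.
PS_COMPRESS = re.compile(
    r"\bCompress-(?:Archive|7Zip)\b|IO\.Compression\.ZipFile\]?::CreateFromDirectory",
    re.IGNORECASE,
)
# rar and 7-Zip take -p<pwd> (rar also -hp<pwd>) to encrypt an archive. Only
# checked on archive-tool command lines so unrelated "-p..." switches elsewhere
# (e.g. PowerShell's -Path) never count.
TOOL_PASSWORD = re.compile(r"(?:^|\s)-(?:hp|p)\S+")
# -Password parameter of the Compress-7Zip cmdlet (7Zip4Powershell module).
PS_PASSWORD = re.compile(r"\s-Password\b", re.IGNORECASE)


@dataclass
class Finding:
    event_id: int
    technique: str   # "Data Compressed" or "Data Encrypted"
    evidence: str
    parent: str      # parent image basename, kept for pivoting during triage


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: Iterable[dict]) -> list[Finding]:
    """Return one Finding per archive-related behaviour seen in the events.

    Assumed schema: "type" is "process" (with "cmdline") or "file" (with
    "target"); "image" and "parent" are full paths, as an EDR feed would carry
    for Sysmon Event ID 1 and 11.
    """
    findings: list[Finding] = []
    for ev in events:
        image = _basename(ev.get("image", ""))
        parent = _basename(ev.get("parent", ""))
        if ev["type"] == "process":
            cmd = ev.get("cmdline", "")
            if image in ARCHIVE_TOOLS:
                findings.append(Finding(ev["id"], "Data Compressed", f"{image} executed: {cmd}", parent))
                if TOOL_PASSWORD.search(cmd):
                    findings.append(Finding(ev["id"], "Data Encrypted", f"password switch on {image} command line", parent))
            elif image in SHELLS:
                m = PS_COMPRESS.search(cmd)
                if m:
                    findings.append(Finding(ev["id"], "Data Compressed", f"{image} archiving via {m.group(0)}", parent))
                    if PS_PASSWORD.search(cmd):
                        findings.append(Finding(ev["id"], "Data Encrypted", f"-Password supplied to {m.group(0)}", parent))
        elif ev["type"] == "file":
            target = ev.get("target", "")
            if ARCHIVE_EXT.search(target) and (image in ARCHIVE_TOOLS or image in SHELLS):
                findings.append(Finding(ev["id"], "Data Compressed", f"{image} created archive {target}", parent))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per technique name."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


# Constructed sample telemetry modelled on the rows above. User name, paths and
# the password value are placeholders, not data from the evaluation.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": PS, "parent": r"C:\Users\user1\Downloads\cod.3aka.scr",
     "cmdline": r"powershell.exe -c Compress-Archive -Path C:\Users\user1\Documents\* -DestinationPath C:\Users\user1\AppData\Roaming\Draft.zip"},
    {"id": 2, "type": "file", "image": PS, "parent": r"C:\Users\user1\Downloads\cod.3aka.scr",
     "target": r"C:\Users\user1\AppData\Roaming\Draft.zip"},
    {"id": 3, "type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -c Compress-7Zip -Path C:\Users\user1\Downloads -ArchiveFileName C:\Users\user1\Downloads\OfficeSupplies.7z -Password PLACEHOLDER"},
    {"id": 4, "type": "process", "image": r"C:\Users\user1\AppData\Roaming\rar.exe", "parent": PS,
     "cmdline": r"rar.exe a -hpPLACEHOLDER C:\Users\user1\Desktop\working.zip C:\Users\user1\AppData\Roaming\working.zip"},
    {"id": 5, "type": "file", "image": r"C:\Users\Public\7za.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\Public\log.7z"},
    {"id": 6, "type": "process", "image": r"C:\Users\Public\7za.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"7za.exe a C:\Users\Public\log.7z C:\Users\Public\*.log"},
    {"id": 7, "type": "process", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\user1\notes.txt"},
    {"id": 8, "type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -c Get-ChildItem -Path C:\Users\user1 -Recurse"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.technique} ({f.evidence}); parent={f.parent}")
    print(summarize(analyze(SAMPLE_EVENTS)))
```

Events 7 and 8 are the benign controls: an unrelated process, and a PowerShell command line that carries a `-Path` switch but no archiving primitive, which is why the password regex is scoped to archive tools rather than applied to every command line.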