Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
9.A.2
|
|
|
A Technique detection named "Uncommon process calls keylogging syscalls" (Low) was generated when DefenderUpgradeExec.exe called the SetWindowsHookEx API.
[1]
|
|
|
|
18.A.4
|
|
|
Minimum detection criteria was not met for this procedure.
|
|
DefenderUpgradeExec.exe calls the SetWindowsHookEx API
-
Process Monitoring
-
System Calls/API Monitoring
[1]
DefenderUpgradeExec.exe calls the SetWindowsHookEx API
-
Process Monitoring
-
System Calls/API Monitoring
[1]
mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.A.3
|
|
|
An MSSP detection occurred containing evidence of key logging.
[1]
|
|
A Technique alert detection called "Input Capture" was generated due to powershell.exe making the GetAsyncKeyState API call.
[1]
[2]
|
|
Telemetry showed PowerShell calling the GetAsyncKeyState API.
|
|
Captured user keystrokes using the GetAsyncKeyState API
powershell.exe executing the GetAsyncKeyState API
[1]
Captured user keystrokes using the GetAsyncKeyState API
powershell.exe executing the GetAsyncKeyState API
[1]
[2]
Captured user keystrokes using the GetAsyncKeyState API
powershell.exe executing the GetAsyncKeyState API
-
Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
8.C.1.1
|
|
|
The capability enriched the execution of a specific API call as keylogging and suspicious activity. Though it does not count as a detection, the capability also showed code and hook injections into explorer.exe.
[1]
[2]
[3]
|
|
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
[1]
[2]
[3]