Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 4.B.7 | smrs.exe opens and reads lsass.exe | General | A General detection was generated when smrs.exe was detected as mimikatz. Detection was generated by cloud sandbox. [1] |
| 4.B.7 | smrs.exe opens and reads lsass.exe | Technique | A Technique detection named "LSASS Access by smrs.exe detected" was generated when smrs.exe opened and read lsass.exe. [1] |
| 4.B.7 | smrs.exe opens and reads lsass.exe | General | A General detection named "Malicious Process" was generated when smrs.exe opened and read lsass.exe. [1] |
| 15.A.6 | samcat.exe opens and reads the SAM via LSASS | General | A General detection was generated when samcat.exe was detected as mimikatz. Detection was generated by cloud sandbox. [1] |
| 15.A.6 | samcat.exe opens and reads the SAM via LSASS | Technique | A Technique detection named "LSASS access by samcat.exe detected" was generated when smrs.exe opened and read lsass.exe. [1] |
| 15.A.6 | samcat.exe opens and reads the SAM via LSASS | General | A General detection named "Malicious Process" was generated when samcat.exe was executed. [1] |
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 6.C.1 | Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe (criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under `HKLM:\SAM\SAM\Domains\Account\Users\`) | MSSP | An MSSP detection identified PowerShell injecting into the LSASS process. This activity was labeled as credential harvesting. [1] |
| 6.C.1 | Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe (criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under `HKLM:\SAM\SAM\Domains\Account\Users\`) | General | A General detection in Process Guard Watcher was generated due to powershell.exe injecting into lsass.exe. [1] [2] |
| 14.B.4 | Dumped plaintext credentials using Mimikatz (m.exe) (criteria: m.exe injecting into lsass.exe to dump credentials) | Telemetry | Telemetry showed a process access into lsass.exe. [1] |
| 14.B.4 | Dumped plaintext credentials using Mimikatz (m.exe) (criteria: m.exe injecting into lsass.exe to dump credentials) | General | A General alert detection was generated for m.exe being Mimikatz malware. [1] |
| 14.B.4 | Dumped plaintext credentials using Mimikatz (m.exe) (criteria: m.exe injecting into lsass.exe to dump credentials) | Technique | A Technique alert detection called "MIMIKATZ SUSPICIOUS PROCESS ARGUMENTS A (METHODOLOGY)" was generated for m.exe executing with command-line arguments indicative of Mimikatz credential dumping. [1] |
| 14.B.4 | Dumped plaintext credentials using Mimikatz (m.exe) (criteria: m.exe injecting into lsass.exe to dump credentials) | General | A General alert detection called "Vaultcli.dll Load" was generated due to a non-standard process, m.exe, loading vaultcli.dll. [1] [2] |
| 14.B.4 | Dumped plaintext credentials using Mimikatz (m.exe) (criteria: m.exe injecting into lsass.exe to dump credentials) | MSSP | An MSSP detection contained evidence of Mimikatz dumping credentials. [1] [2] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe) (criteria: m.exe injecting into lsass.exe to dump credentials) | Technique | A Technique alert detection called "MIMIKATZ SUSPICIOUS PROCESS ARGUMENTS A (METHODOLOGY)" was generated due to command line arguments indicating the use of Mimikatz. [1] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe) (criteria: m.exe injecting into lsass.exe to dump credentials) | General | A General alert detection was generated for m.exe being identified as Mimikatz malware. [1] [2] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe) (criteria: m.exe injecting into lsass.exe to dump credentials) | Technique | A Technique alert detection called "Vaultcli.dll Load" was generated due to a non-standard process, m.exe, loading a Windows credential management library (vaultcli.dll). [1] [2] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe) (criteria: m.exe injecting into lsass.exe to dump credentials) | MSSP | An MSSP detection occurred for Mimikatz usage to dump credentials for the krbtgt account. [1] |
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 5.A.1.1 | Cobalt Strike: Built-in Mimikatz credential dump capability executed | None | Minimum detection criteria were not met for this procedure. |
| 5.A.2.1 | Cobalt Strike: Built-in hash dump capability executed | None | Minimum detection criteria were not met for this procedure. |