Carbanak+FIN7

Step | ATT&CK Pattern | Detection Type | Detection Note
--- | --- | --- | ---
4.B.7 | smrs.exe opens and reads lsass.exe | | A Technique detection named "Read Memory Process Critical - T1003 OS Credential Dumping" (Low) was generated when smrs.exe opened and read lsass.exe. [1]
4.B.7 | smrs.exe opens and reads lsass.exe | | A Technique detection named "LsassMemoryRead - T1003.001 LSASS Memory" (Low) was generated when smrs.exe opened and read lsass.exe. [1]
4.B.7 | smrs.exe opens and reads lsass.exe | | [1]
15.A.6 | samcat.exe opens and reads the SAM via LSASS (Process Monitoring, Windows Registry) | Telemetry (Configuration Change (Detection Logic)) | [1]
15.A.6 | samcat.exe opens and reads the SAM via LSASS (Process Monitoring, Windows Registry) | Tactic (Configuration Change (Detection Logic)) | A Tactic detection named "SecurityAccountManagerRegistryAccess" (Low) was generated when samcat.exe opened and read the SAM. [1] [2]
15.A.6 | samcat.exe opens and reads the SAM via LSASS (Process Monitoring, Windows Registry) | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Registry Credentials Accessed - T1003 OS Credential Dumping" (Low) was generated when samcat.exe opened and read the SAM. [1]
APT29

Step | ATT&CK Pattern | Detection Type | Detection Note
--- | --- | --- | ---
14.B.4 | Dumped plaintext credentials using Mimikatz (m.exe); m.exe injecting into lsass.exe to dump credentials | General (Correlated, Alert) | A General alert detection (red indicator) was generated identifying powershell.exe executing m.exe as Mimikatz malware. The detection was correlated to a parent alert identifying the powershell.exe process as malware. [1]
14.B.4 | Dumped plaintext credentials using Mimikatz (m.exe); m.exe injecting into lsass.exe to dump credentials | General (Alert, Correlated) | A General alert detection (red indicator) was generated for m.exe loading a credential-related DLL, identified as a possible attempt to dump credentials. The detection was correlated to a parent alert identifying the powershell.exe process as malware. [1] [2]
14.B.4 | Dumped plaintext credentials using Mimikatz (m.exe); m.exe injecting into lsass.exe to dump credentials | Technique (Alert, Correlated) | A Technique alert detection (red indicator) was generated for a process memory read. The detection was correlated to a parent alert identifying the powershell.exe process as malware. [1] [2] [3]
16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe); m.exe injecting into lsass.exe to dump credentials | General (Alert, Correlated) | A General alert detection (red indicator) was generated identifying m.exe as the Mimikatz malware. The detection was correlated to a parent alert identifying a remote PowerShell session to NewYork (10.0.0.4). [1]
16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe); m.exe injecting into lsass.exe to dump credentials | | A Technique alert detection was generated for injection into the lsass.exe process. [1]
16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe); m.exe injecting into lsass.exe to dump credentials | Technique (Alert, Correlated) | A Technique alert detection (red indicator) called "ReadProcessMemoryCritical" was generated for m.exe reading memory from a critical process. The alert was correlated to a parent alert identifying a remote PowerShell session to NewYork (10.0.0.4). [1] [2]
16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe); m.exe injecting into lsass.exe to dump credentials | | A General alert detection (red indicator) was generated for injection into a critical system process. [1]
16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe); m.exe injecting into lsass.exe to dump credentials | General (Correlated, Alert) | A General alert detection (red indicator) was generated for m.exe (Mimikatz) loading a credentials-related DLL (samlib.dll), identified as a possible attempt to dump credentials. The detection was correlated to a parent alert identifying a remote PowerShell session to NewYork (10.0.0.4). [1] [2]
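The three detection primitives behind the rows above (a process reading lsass.exe memory, a process touching the SAM hive, and a process loading a credential-related DLL such as samlib.dll), plus the "correlated to a parent alert" step in the APT29 rows, can be sketched as a small rule set run over host telemetry. The block below is an added example, not code from the evaluation or from the vendor being evaluated. Field names follow Sysmon (EID 1 ProcessCreate, EID 7 ImageLoad, EID 10 ProcessAccess) and Windows Security EID 4663, but the events, process IDs, the allow-list of legitimate lsass.exe readers, the extra DLL name (vaultcli.dll) and the parent-alert table are all constructed for the demo.

```python
"""Toy detection rules for the credential-dumping behaviours in the tables above.

Added example; all events and allow-lists below are constructed, not evaluation data.
"""
from dataclasses import dataclass
from typing import Optional

# Sysmon EID 10 GrantedAccess bit that lets the caller read another process's memory.
PROCESS_VM_READ = 0x0010
# samlib.dll is named in the APT29 table; vaultcli.dll is an assumed addition.
CREDENTIAL_DLLS = {"samlib.dll", "vaultcli.dll"}
# Constructed allow-list of images expected to open lsass.exe; tune per estate.
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
SAM_HIVE_PREFIX = "\\REGISTRY\\MACHINE\\SAM"


@dataclass
class Detection:
    level: str                           # "Technique", "Tactic" or "General", as in the tables
    name: str
    technique: str
    pid: int
    correlated_to: Optional[str] = None  # parent alert this detection was tied to, if any


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_lsass_memory_read(ev: dict) -> Optional[Detection]:
    """Sysmon EID 10: a non-allow-listed process opened lsass.exe with PROCESS_VM_READ."""
    if ev["id"] != 10 or basename(ev["TargetImage"]) != "lsass.exe":
        return None
    if basename(ev["SourceImage"]) in LSASS_READERS_ALLOWED:
        return None
    if not int(ev["GrantedAccess"], 16) & PROCESS_VM_READ:
        return None  # e.g. 0x1000 (QUERY_LIMITED_INFORMATION) alone cannot read memory
    return Detection("Technique", "LsassMemoryRead", "T1003.001", ev["SourceProcessId"])


def rule_sam_registry_read(ev: dict) -> Optional[Detection]:
    """Security EID 4663: a key under the SAM hive was read (the key needs a SACL for this to log)."""
    if ev["id"] != 4663 or ev["ObjectType"] != "Key":
        return None
    if not ev["ObjectName"].upper().startswith(SAM_HIVE_PREFIX):
        return None
    if basename(ev["ProcessName"]) == "lsass.exe":
        return None  # lsass.exe legitimately owns the hive
    return Detection("Technique", "Registry Credentials Accessed", "T1003.002", ev["ProcessId"])


def rule_credential_dll_load(ev: dict) -> Optional[Detection]:
    """Sysmon EID 7: a process other than lsass.exe loaded a credential-related DLL."""
    if ev["id"] != 7 or basename(ev["ImageLoaded"]) not in CREDENTIAL_DLLS:
        return None
    if basename(ev["Image"]) == "lsass.exe":
        return None
    return Detection("General", f"Credential DLL loaded: {basename(ev['ImageLoaded'])}",
                     "T1003", ev["ProcessId"])


RULES = (rule_lsass_memory_read, rule_sam_registry_read, rule_credential_dll_load)


def correlate(events: list, parent_alerts: dict) -> list:
    """Run all rules, then tie each detection to a parent alert on its process or any ancestor.

    parent_alerts maps pid -> alert name (e.g. an earlier alert on a powershell.exe process).
    Ancestry comes from Sysmon EID 1 ParentProcessId fields; a seen-set guards against pid reuse loops.
    """
    parent_of = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["id"] == 1}
    detections = []
    for ev in events:
        for rule in RULES:
            det = rule(ev)
            if det:
                detections.append(det)
    for det in detections:
        pid, seen = det.pid, set()
        while pid is not None and pid not in seen:
            seen.add(pid)
            if pid in parent_alerts:
                det.correlated_to = parent_alerts[pid]
                break
            pid = parent_of.get(pid)
    return detections


# Constructed sample events: an already-alerted remote PowerShell session spawns m.exe, which
# reads lsass.exe and loads samlib.dll; separately samcat.exe reads the SAM hive, and
# svchost.exe opens lsass.exe with a benign access mask.
SAMPLE_EVENTS = [
    {"id": 1, "ProcessId": 700, "ParentProcessId": 500, "Image": r"C:\Windows\System32\lsass.exe"},
    {"id": 1, "ProcessId": 4120, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "ProcessId": 4200, "ParentProcessId": 4120, "Image": r"C:\Windows\Temp\m.exe"},
    {"id": 1, "ProcessId": 4300, "ParentProcessId": 2200, "Image": r"C:\Users\Public\samcat.exe"},
    {"id": 10, "SourceProcessId": 4200, "SourceImage": r"C:\Windows\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"id": 10, "SourceProcessId": 900, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"id": 7, "ProcessId": 4200, "Image": r"C:\Windows\Temp\m.exe",
     "ImageLoaded": r"C:\Windows\System32\samlib.dll"},
    {"id": 4663, "ProcessId": 4300, "ProcessName": r"C:\Users\Public\samcat.exe",
     "ObjectType": "Key", "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users"},
]
PARENT_ALERTS = {4120: "Remote PowerShell session to NewYork (10.0.0.4)"}  # constructed

if __name__ == "__main__":
    for d in correlate(SAMPLE_EVENTS, PARENT_ALERTS):
        tag = f" (correlated to: {d.correlated_to})" if d.correlated_to else ""
        print(f"{d.level}: {d.name} [{d.technique}] pid={d.pid}{tag}")
```

Two points the rows above hinge on are visible here: the lsass.exe rule keys on the granted access mask rather than on the open alone, so routine handles with only QUERY_LIMITED_INFORMATION (0x1000) stay quiet, and the correlation step walks the process ancestry so that a detection on m.exe inherits the parent alert on the PowerShell session that launched it, while samcat.exe, with no alerted ancestor, is reported on its own.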