Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 11.A.8 | mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes | | File Monitoring; Windows Registry [1] [2] |
| 12.A.1 | svchost.exe (-s Schedule) spawns Adb156.exe | | [1] |
APT29

The subtechnique was not in scope.
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 7.C.1 | Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll) | Specific Behavior (Tainted) | A Specific Behavior alert for "Persistence-Scheduled Task Creation" was generated (tainted by parent Malicious File Detection alert). The alert was also mapped to the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence). [1] [2] [3] |
| 7.C.1 | Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll) | | The capability enriched data from a hunt for persistence via scheduled task, which showed the "Resume Viewer Update Checker" scheduled task. [1] [2] [3] |
| 7.C.1 | Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll). Note: telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. | Enrichment (Delayed, Tainted) | The capability enriched the event tree with the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence) (tainted by parent Malicious File Detection alert). [1] [2] [3] |
| 7.C.1 | Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll). Note: telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. | | Telemetry showing creation of the scheduled task was also visible in an event tree (tainted by parent Malicious File Detection alert). [1] [2] [3] |
| 10.A.2 | Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32 | | Telemetry within the event tree showed rundll32.exe executing updater.dll. The telemetry was tainted by a Malicious File Detection alert for updater.dll and a Process Injection alert. [1] [2] |