Carbanak+FIN7 | The subtechnique was not in scope.

APT29 | The subtechnique was not in scope.

APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 17.C.1 | Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe | Specific Behavior | A Specific Behavior alert was generated named "Persistence-Accessibility Features" based on magnify.exe being overwritten. The alert was tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence). [1] [2] |
| 17.C.1 | | Enrichment (Tainted, Delayed) | The capability enriched the magnify.exe overwrite with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence). [1] [2] |
| 17.C.1 | | Telemetry (Tainted) | Telemetry showed the overwrite of magnify.exe and was tainted by the parent PowerShell's "PowerShell with Unusual Arguments" and "PowerShell Network" alerts. [1] [2] |
| 20.A.1.1 | magnify.exe, previously overwritten by cmd.exe, launched through an RDP connection made to Creeper (10.0.0.4) | Specific Behavior | A Specific Behavior alert was generated on a Windows File Name Mismatch between magnify.exe and cmd.exe, with the description indicating this could be used for accessibility features. The alert is tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution). [1] [2] |
| 20.A.1.1 | | Enrichment (Delayed, Tainted) | The capability enriched magnify.exe with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution) (tainted by the Windows File Name Mismatch alert). [1] [2] |
| 20.A.1.1 | | Telemetry (Tainted) | Telemetry in the event tree showed the execution of magnify.exe by utilman.exe (tainted by the Windows File Name Mismatch alert). [1] [2] |

Note (applies to both steps): Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
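The three signals the detection notes describe (an accessibility binary under System32 being overwritten, a file name mismatch between the on-disk name magnify.exe and the PE's original file name cmd.exe, and magnify.exe being started by utilman.exe) can be expressed as a small rule set run over endpoint telemetry. The following is an added example written for this page, not the evaluated vendor's logic or anything from the ATT&CK Evaluations site; the event field names (`event_type`, `pid`, `ppid`, `image`, `original_filename`, `parent_image`, `command_line`, `target_filename`) and the sample events are constructed assumptions. It also reproduces the page's notion of "tainted" telemetry: a telemetry record inherits the names of alerts raised on its own process or any recorded ancestor in the event tree.

```python
"""Rule set for Accessibility Features abuse (T1015) over constructed telemetry.

Added example; not the evaluated product's logic. Field names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Windows accessibility helpers reachable from the logon screen.
ACCESSIBILITY_BINARIES = {
    "magnify.exe", "sethc.exe", "utilman.exe", "osk.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}
# Processes that legitimately start accessibility helpers (Ease of Access path).
ACCESSIBILITY_LAUNCHERS = {"utilman.exe", "winlogon.exe", "atbroker.exe"}
# Heuristic tokens behind a "PowerShell with Unusual Arguments" style alert.
UNUSUAL_PS_TOKENS = {"-nop", "-noprofile", "-enc", "-encodedcommand", "-ep", "bypass"}


@dataclass
class Finding:
    kind: str                 # "alert" (Specific Behavior) or "telemetry"
    name: str
    technique: str
    tactics: List[str]
    pid: int
    tainted_by: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: List[dict]) -> List[Finding]:
    """Walk telemetry in arrival order; raise alerts and taint related telemetry."""
    parent_of: Dict[int, int] = {}             # pid -> ppid seen in process_create
    alerts_on_pid: Dict[int, List[str]] = {}   # pid -> alert names raised on it
    findings: List[Finding] = []

    def taint(pid: Optional[int]) -> List[str]:
        """Alert names on this process and every recorded ancestor (event tree)."""
        names, seen = [], set()
        while pid is not None and pid not in seen:
            seen.add(pid)
            names.extend(alerts_on_pid.get(pid, []))
            pid = parent_of.get(pid)
        return names

    def alert(pid: int, name: str, tactics: List[str]) -> None:
        alerts_on_pid.setdefault(pid, []).append(name)
        findings.append(Finding("alert", name, "T1015", tactics, pid))

    for ev in events:
        pid = ev["pid"]
        if ev["event_type"] == "process_create":
            parent_of[pid] = ev["ppid"]
            image = basename(ev["image"])
            original = ev.get("original_filename", "").lower()
            parent = basename(ev.get("parent_image", ""))
            tokens = set(ev.get("command_line", "").lower().split())
            if image == "powershell.exe" and tokens & UNUSUAL_PS_TOKENS:
                alert(pid, "PowerShell with Unusual Arguments", ["Execution"])
            # Signal 2: on-disk name disagrees with the PE's OriginalFilename.
            if image in ACCESSIBILITY_BINARIES and original and original != image:
                alert(pid, "Windows File Name Mismatch", ["Defense Evasion", "Execution"])
            # Signal 3: helper started via the Ease of Access path. This is normal
            # on its own, so it is recorded as telemetry and only becomes
            # interesting through taint from alerts in the same tree.
            if image in ACCESSIBILITY_BINARIES and parent in ACCESSIBILITY_LAUNCHERS:
                findings.append(Finding("telemetry", f"{image} launched by {parent}",
                                        "T1015", ["Execution"], pid, taint(pid)))
        elif ev["event_type"] == "file_write":
            target = ev["target_filename"].lower()
            name = basename(target)
            # Signal 1: something overwrote an accessibility binary in System32.
            if name in ACCESSIBILITY_BINARIES and "\\system32\\" in target:
                alert(pid, "Persistence-Accessibility Features", ["Persistence"])
                findings.append(Finding("telemetry",
                                        f"{name} overwritten by {basename(ev['image'])}",
                                        "T1015", ["Persistence"], pid, taint(pid)))
    return findings


# Constructed sample telemetry mirroring steps 17.C.1 and 20.A.1.1.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"event_type": "process_create", "pid": 100, "ppid": 1, "image": PS,
     "original_filename": "PowerShell.EXE", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc <omitted>"},
    {"event_type": "file_write", "pid": 100, "image": PS,
     "target_filename": r"C:\Windows\System32\magnify.exe"},
    {"event_type": "process_create", "pid": 300, "ppid": 4,
     "image": r"C:\Windows\System32\utilman.exe", "original_filename": "utilman.exe",
     "parent_image": r"C:\Windows\System32\winlogon.exe", "command_line": "utilman.exe"},
    {"event_type": "process_create", "pid": 301, "ppid": 300,
     "image": r"C:\Windows\System32\magnify.exe", "original_filename": "cmd.exe",
     "parent_image": r"C:\Windows\System32\utilman.exe", "command_line": "magnify.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.kind:9} pid={f.pid:<4} {f.name:45} {f.technique} {f.tactics} tainted_by={f.tainted_by}")
```

Run as-is, the script yields three alerts (the unusual PowerShell arguments, the magnify.exe overwrite, and the file name mismatch) and three telemetry records; the overwrite telemetry is tainted by both PowerShell-side alerts, the utilman.exe start by winlogon.exe carries no taint, and the magnify.exe start by utilman.exe is tainted by the mismatch alert on that same process, which matches how the table above attributes its Telemetry rows.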