Malwarebytes: Defense Evasion (TA0005)
Carbanak+FIN7

Step    | ATT&CK Pattern
1.A.4   | Technique: Obfuscated Files or Information (T1027)
1.A.5   |
1.A.6   |
3.A.2   | Technique: Modify Registry (T1112)
3.A.3   | Technique: Obfuscated Files or Information (T1027)
3.B.5   |
4.B.4   | Technique: Modify Registry (T1112)
5.C.6   |
7.A.4   |
9.A.3   | Technique: Process Injection (T1055)
9.B.3   | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004)
10.A.3  | Technique: Impair Defenses (T1562); Subtechnique: Disable or Modify System Firewall (T1562.004)
10.A.5  | Technique: Modify Registry (T1112)
10.A.6  | Technique: Modify Registry (T1112)
11.A.2  | Technique: Obfuscated Files or Information (T1027)
11.A.5  |
11.A.6  |
13.A.4  | Technique: Virtualization/Sandbox Evasion (T1497); Subtechnique: System Checks (T1497.001)
14.A.3  |
14.A.5  |
16.A.7  |
17.A.2  | Technique: Masquerading (T1036); Subtechnique: Match Legitimate Name or Location (T1036.005)
18.A.1  | Technique: Process Injection (T1055)
18.A.3  | Technique: Process Injection (T1055)
19.B.2  | Technique: Obfuscated Files or Information (T1027)
20.A.2  | Technique: Process Injection (T1055)
APT29

Step    | ATT&CK Pattern
1.A.2   |
3.A.2   |
3.C.1   | Technique: Modify Registry (T1112)
4.A.3   |
4.B.2   | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004)
4.B.3   | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004)
4.B.4   | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004)
6.A.3   | Technique: Masquerading (T1036); Subtechnique: Match Legitimate Name or Location (T1036.005)
8.B.2   |
8.C.1   |
9.C.1   | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004)
9.C.2   | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004)
9.C.3   | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004)
9.C.4   | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004)
10.B.3  |
11.A.2  |
11.A.3  | Technique: Virtualization/Sandbox Evasion (T1497); Subtechnique: System Checks (T1497.001)
11.A.10 |
12.A.2  | Technique: Indicator Removal on Host (T1070); Subtechnique: Timestomp (T1070.006)
14.A.3  | Technique: Modify Registry (T1112)
14.B.5  | Technique: Obfuscated Files or Information (T1027)
14.B.6  |
17.C.2  | Technique: Obfuscated Files or Information (T1027)
Procedure and detection criteria

Procedure: Used the Unicode right-to-left override (RTLO) character to obfuscate the file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process OR the original filename (cod.3aka.scr)
Footnotes:
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.

Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

Procedure: Decompressed the ZIP file SysinternalsSuite.zip using PowerShell
Criteria: powershell.exe executing Expand-Archive
Footnotes:
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.
- Existing event details show correlation of detections.

Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
Footnotes:
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.
- Existing event details show correlation of detections.

Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file draft.zip
Footnotes:
- Existing event details show correlation of detections.
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.

Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
Footnotes:
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.
- Existing event details show correlation of detections.

Procedure: Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
Footnotes:
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.

Procedure: The python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed

Procedure: Logged on to the remote host Scranton (10.0.1.4) using valid credentials for the user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)

Procedure: Deleted working.zip (from the Desktop) on disk using SDelete
Criteria: sdelete64.exe deleting the file \Desktop\working.zip

Procedure: Deleted working.zip (from the AppData directory) on disk using SDelete
Criteria: sdelete64.exe deleting the file \AppData\Roaming\working.zip

Procedure: Deleted SDelete on disk using the cmd.exe del command
Criteria: cmd.exe deleting the file sdelete64.exe

Procedure: Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe

Procedure: Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_BIOS

Procedure: Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria: powershell.exe modifying the creation, last access, and last write times of kxwn.lock

Procedure: Modified the Registry to remove artifacts of COM hijacking using PowerShell
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

Procedure: Encoded and wrote Mimikatz output to a WMI class property using PowerShell
Criteria: powershell.exe executing Set-WmiInstance

Procedure: Read and decoded Mimikatz output from a WMI class property using PowerShell
Criteria: powershell.exe executing Get-WmiInstance