Carbanak+FIN7

| Step | Detection Type | Detection Note |
| --- | --- | --- |
| 4.A.4 | Technique | A Technique detection named "Valid Accounts" was generated when user kmitnick successfully logged into bankdc (10.0.0.4) and cfo (10.0.0.5). [1] [2] |
| | Technique | A Technique detection named "Valid Accounts" was generated when kmitnick successfully logged onto bankfileserver (10.0.0.7) from 10.0.0.6 (hrmanager). [1] |
| | Technique | A Technique detection named "Valid Accounts" was generated when kmitnick successfully logged onto bankfileserver from hrmanager. [1] |
| 7.A.4 | Technique | A Technique detection named "Successful Windows Logon" was generated when user kmitnick logged on to bankdc (10.0.0.4). [1] |
| 7.B.2 | Technique | A Technique detection named "Valid Accounts" was generated when user kmitnick logged on to cfo (10.0.0.5). [1] |
| 16.A.4 | Technique | A Technique detection named "Valid Accounts" was generated when user kmitnick logged on to itadmin. [1] |
| 19.A.1 | General | A General detection named "Remote Desktop Protocol" was generated when user kmitnick logged on to accounting (10.0.1.7), detected as RDP Login. [1] |
| 19.A.1 | Technique | A Technique detection named "Valid Accounts" was generated when user kmitnick logged on to accounting (10.0.1.7). [1] |

| ATT&CK Pattern | Detection Type |
| --- | --- |
| powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick [1] [2] | Detection came from a complete data dump |
| powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick [1] | |
| User kmitnick logs on to bankfileserver (10.0.0.7) [1] | |
| User kmitnick logs on to bankfileserver (10.0.0.7) [1] | |
| User kmitnick logs on to bankfileserver (10.0.0.7) [1] | |
| User kmitnick logs on to bankdc (10.0.0.4) [1] | |
| User kmitnick logs on to bankdc (10.0.0.4) [1] | |
| User kmitnick logs on to cfo (10.0.0.5) [1] | Detection came from a complete data dump |
| User kmitnick logs on to itadmin (10.0.1.6) [1] | Detection came from a complete data dump |
| User kmitnick logs on to accounting (10.0.1.7) [1] | |
| User kmitnick logs on to accounting (10.0.1.7) [1] | Detection came from a complete data dump |
| User kmitnick logs on to accounting (10.0.1.7) [1] [2] | |
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 8.C.1 | Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam. Criteria: Successful logon as user Pam on Scranton (10.0.1.4) | MSSP | An MSSP detection occurred containing evidence of a valid logon on Scranton (10.0.1.4) as user Pam. [1] |
| 8.C.1 | Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam. Criteria: Successful logon as user Pam on Scranton (10.0.1.4) | Telemetry | Telemetry showed PsExec64.exe executing python.exe with pam's login credentials on Scranton. A Kerberos ticket was generated on Scranton for pam. [1] |
| 16.C.2 | Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott. Criteria: Successful logon as user MScott on NewYork (10.0.0.4) | Telemetry | Telemetry showed wsmprovhost.exe successfully executing a program as user MScott, indicating that a valid user session was created through WinRM. [1] [2] |