Carbanak+FIN7: The technique was not in scope.

APT29:

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 3.B.3 | | General (Alert, Correlated) | A General alert (red indicator) was generated for powershell.exe execution, which included connecting to 192.168.0.5 on TCP 443. The event was correlated to a parent Technique detection for User Execution of rcs.3aka3.doc. [1] |
| 11.A.13 | | | An MSSP detection was received that included a PowerShell script and explained that it was used to download and execute another script from 192.168.0.4 over port 443. [1] [2] |
Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Established network channel over port 443 [1]

Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Established network channel over port 443 [1] [2]