Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.C.4
|
|
|
A Technique detection named "Registry Run Keys / Startup Folder" was generated when Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
[1]
|
|
|
|
10.A.4
|
|
|
|
|
A Technique detection named "Registry Run Keys / Startup Folder" was generated when tvncontrol subkey was added to HKLM\Software\Microsoft\CurrentVersion\Run.
[1]
|
|
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[1]
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[1]
msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run
-
Windows Registry
-
Process Monitoring
[1]
msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run
-
Process Monitoring
-
Windows Registry
[1]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
5.B.1
|
|
|
Telemetry showed creation of hostui.lnk in the Startup folder.
[1]
|
|
A Technique detection for "Registry Run Keys / Startup Folder" was generated due to powershell.exe creating the hostui.lnk file.
[1]
|
|
10.B.1
|
|
|
Minimum detection criteria was not met for this procedure.
[1]
|
|
11.A.11
|
|
|
An MSSP detection for "Registry Run Keys / Startup Folder" was received that included a PowerShell command executed by the adversary and explained that it was used to set a Registry Run Key. A detailed analysis of the malicious payload was also provided. [SE: see comment]
[1]
|
|
Telemetry showed powershell.exe adding Run key persistence into the Registry.
[1]
[2]
|
|
A Technique detection for "Registry Run Keys / Startup Folder" was generated for powershell.exe adding Run key persistence into the Registry.
[1]
[2]
|
|
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
powershell.exe creating the file hostui.lnk in the Startup folder
[1]
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
powershell.exe creating the file hostui.lnk in the Startup folder
[1]
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
[1]
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[1]
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[1]
[2]
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[1]
[2]