Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
1.A.9
|
|
|
|
|
A Technique detection named "Execution - AMSI - Suspicious Windows Script Host Execution" (10/10) was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js.
[1]
|
|
12.A.2
|
|
|
|
|
A Technique detection named "Defense Evasion - Wscript Execution from Non-Std Path" (9/10) was generated when Adb156.exe loaded scrobj.dll and executed sql-rat.js using Jscript.
[1]
|
|
A Technique detection named "Execution - AMSI - Suspicious Windows Script Host Execution" (10/10) was generated when Adb156.exe loaded scrobj.dll and executed sql-rat.js using Jscript.
[1]
|
|
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
[1]
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
-
Script Logs
-
Process Monitoring
[1]
Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript
-
Process Monitoring
-
DLL Monitoring
[1]
Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript
[1]
Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript
-
Script Logs
-
Process Monitoring
[1]
APT29
|
The subtechnique was not in scope.
|
APT3
|
The subtechnique was not in scope.
|