Carbanak+FIN7
|
The subtechnique was not in scope.
|
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
12.A.2
|
|
|
Telemetry showed the modification of the timestamp of kxwn.lock, as well as the contents of the timestomp function. The event was correlated to a parent General detection for a suspicious Windows script.
[1]
[2]
|
Technique
(Alert, Correlated)
|
A Technique alert detection (low severity) for "Timestomping" was generated for the modification of the timestamp of kxwn.lock. The event was correlated to a parent General detection for a suspicious Windows script.
[1]
|
Technique
(Correlated, Alert)
|
A Technique alert detection (medium severity) for "ATT&CK T1099 Timestomp" was generated for PowerShell calling the NtSetInformationFile API. The event was correlated to a parent General detection for a suspicious Windows script.
[1]
|
|
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
[1]
[2]
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
[1]
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
[1]
APT3
|
The subtechnique was not in scope.
|