Carbanak+FIN7

Columns: Step | ATT&CK Pattern | Detection Type | Detection Note

Detection notes by step (cells that the extraction did not preserve are omitted):

- A General detection was generated when pscp.exe was identified as acting like a reverse shell. [1]
- A Technique detection named "Lateral Movement - Remote Services" (1/10) was generated when Pscp.exe connected over SCP (port 22) to 10.0.0.7. [1]
- A Technique detection named "Lateral Movement - Remote Services" (1/10) was generated when plink.exe connected over SSH (port 22) to 10.0.0.7. [1]

Step 5.C.2
- A Technique detection named "llrules" was generated when SMB traffic matched a non-standard SMB client associated with red-teaming tools. [1] [2]

Step 7.A.5
- A Technique detection named "Lateral Movement - Remote Desktop Protocol" (1/10) was generated when an RDP session was created from localhost over port 3389. [1]
- A Technique detection named "Lateral Movement - Remote Services" (1/10) was generated when an RDP session was created from localhost over port 3389. [1]

Step 7.B.3
- A Technique detection named "llrules" was generated when a cookie was observed in an RDP connection request. [1]
- A Technique detection named "Lateral Movement - Remote Services" (1/10) was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. [1]
- A Technique detection named "Anomalous Network Interaction" (Low) was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. [1]
- A Technique detection named "Lateral Movement - Remote Desktop Protocol" (1/10) was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. [1]
- A Technique detection named "Lateral Movement - Successful RDP Connection" (1/10) was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. [1]

Step 16.A.5
- A Tactic detection named "Potential Metasploit Payload Transfer" (Medium) was generated when network signatures between 10.0.1.5 and 10.0.1.6 matched a threat hacking tool. [1]
- A Tactic detection named "Windows X64 VNCInject Reverse TCP" (Medium) was generated when network signatures between 10.0.1.5 and 10.0.1.6 matched a threat hacking tool. [1]

Step 19.A.2
- A Technique detection named "Lateral Movement - Remote Desktop Protocol" (1/10) was generated when an RDP session was created from itadmin (10.0.1.6) to accounting (10.0.1.7) over port 3389. [1]
- A Technique detection named "RDP Protocol" (14/100) was generated when an RDP session was created from itadmin (10.0.1.6) to accounting (10.0.1.7) over port 3389. [1] [2]
- A Technique detection named "Lateral Movement - Remote Services" (1/10) was generated when an RDP session was created from itadmin (10.0.1.6) to accounting (10.0.1.7) over port 3389. [1]

ATT&CK Pattern column (procedure, followed by the data sources listed with it):

- Pscp.exe connects over SCP (port 22) to 10.0.0.7 (Network Monitoring, Process Monitoring) [1] [2]
- Pscp.exe connects over SCP (port 22) to 10.0.0.7 (Network Monitoring, Process Monitoring) [1]
- Pscp.exe connects over SCP (port 22) to 10.0.0.7 (Network Monitoring, Process Monitoring) [1]
- plink.exe connects over SSH (port 22) to 10.0.0.7 (Process Monitoring, Network Monitoring) [1]
- plink.exe connects over SSH (port 22) to 10.0.0.7 (Process Monitoring, Network Monitoring) [1]
- psexec.py connects to SMB shares on 10.0.0.4 (File Monitoring, Process Monitoring, Network Monitoring) [1] [2] [3]
- psexec.py connects to SMB shares on 10.0.0.4 [1] [2]
- RDP session from the localhost over TCP port 3389 (Process Monitoring, Network Monitoring) [1]
- RDP session from the localhost over TCP port 3389 (Process Monitoring, Windows Event Logs, Network Monitoring) [1] [2]
- RDP session from the localhost over TCP port 3389 (Network Monitoring, Process Monitoring) [1]
- RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389 [1]
- RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389 (Network Monitoring, Process Monitoring) [1]
- RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389 (Process Monitoring, Network Monitoring) [1]
- RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389 [1]
- RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389 (Network Monitoring, Process Monitoring) [1]
- RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389 (Network Monitoring, Process Monitoring) [1]
- SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed [1]
- SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed (Process Monitoring, File Monitoring, Network Monitoring) [1] [2] [3]
- SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed [1]
- RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389 (Network Monitoring, Process Monitoring) [1]
- RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389 (Network Monitoring, Process Monitoring) [1] [2]
- RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389 [1] [2]
- RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389 (Network Monitoring, Process Monitoring) [1]
APT29

Columns: Step | ATT&CK Pattern | Detection Type | Detection Note

Detection notes by step (detection type given where the extraction preserved it):

Step 8.A.2
- Telemetry showed a network connection to remote host Scranton (10.0.1.4) over TCP port 5985. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
- A General alert detection (red indicator) was generated for suspicious fileless execution not originating from PowerShell. [1]
- Tactic (Alert, Correlated): A Tactic alert detection called "Remote Services" was generated for the use of powershell.exe with a destination port 5985. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
- Tactic (Correlated, Alert): A Tactic alert detection called "Remote powershell activity" was generated for the use of powershell.exe with a destination port 5985. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
- A Technique alert detection (red indicator) was generated for "Powershell or WinRM remoting activity" based on wsmprovhost.exe. [1]

Step 8.C.2
- Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 135. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]

Step 16.C.1
- Telemetry showed powershell.exe making a network connection to remote host NewYork (10.0.0.4) over port 5985. The detection was correlated to a parent alert for bypassing UAC with sdclt.exe. [1]
- A Technique alert detection (red indicator) was generated on NewYork (10.0.0.4) for a remote PowerShell session based on the identification of the WinRM process (wsmprovhost.exe). [1]
- Tactic (Correlated, Alert): A Tactic alert detection (yellow indicator) was generated for powershell.exe accessing the network. The detection was correlated to a parent alert for bypassing UAC with sdclt.exe. [1]

Step 20.B.2
- An MSSP detection occurred containing evidence of PowerShell creating a WinRM session to remote host Scranton (10.0.1.4). [1]
- Telemetry showed PowerShell executing the Enter-PSSession cmdlet to open a network connection to the remote host Scranton (10.0.1.4). The detection was correlated to a parent alert for Windows Management Instrumentation. [1] [2]
- A Technique alert detection (red indicator) called "Powershell or WinRM remoting activity" was generated for a PowerShell WinRM session on the remote host Scranton (10.0.1.4). [1]
- A Tactic alert detection (red indicator) for remote PowerShell activity was generated for a PowerShell WinRM session. [1]

ATT&CK Pattern column (procedure, followed by the detection criteria listed with it):

- Established WinRM connection to remote host Scranton (10.0.1.4). Network connection to Scranton (10.0.1.4) over port 5985. [1]
- Established WinRM connection to remote host Scranton (10.0.1.4). Network connection to Scranton (10.0.1.4) over port 5985. [1]
- Established WinRM connection to remote host Scranton (10.0.1.4). Network connection to Scranton (10.0.1.4) over port 5985. [1]
- Established WinRM connection to remote host Scranton (10.0.1.4). Network connection to Scranton (10.0.1.4) over port 5985. [1] [2]
- Established WinRM connection to remote host Scranton (10.0.1.4). Network connection to Scranton (10.0.1.4) over port 5985. [1]
- Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec. SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share. [1]
- Established a WinRM connection to the domain controller host NewYork (10.0.0.4). Network connection to NewYork (10.0.0.4) over port 5985. [1]
- Established a WinRM connection to the domain controller host NewYork (10.0.0.4). Network connection to NewYork (10.0.0.4) over port 5985. [1]
- Established a WinRM connection to the domain controller host NewYork (10.0.0.4). Network connection to NewYork (10.0.0.4) over port 5985. [1]
- Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials. Network connection to Scranton (10.0.1.4) over port 5985. [1]
- Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials. Network connection to Scranton (10.0.1.4) over port 5985. [1]
- Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials. Network connection to Scranton (10.0.1.4) over port 5985. [1] [2]
- Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials. Network connection to Scranton (10.0.1.4) over port 5985. [1]
- Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials. Network connection to Scranton (10.0.1.4) over port 5985. [1]
APT3

Columns: Step | ATT&CK Pattern | Detection Type | Detection Note

Detection notes by step:

Step 6.C.1
- The capability enriched the rdpclip.exe events with the correct ATT&CK Technique (Remote Desktop Protocol). [1] [2] [3]
- Telemetry showed a connection to 10.0.0.5 (Conficker) over TCP port 3389 as well as rdpclip.exe executing. [1] [2] [3]

Step 10.B.1.2
- The capability enriched rdpclip.exe with the correct ATT&CK Technique (Remote Desktop Protocol). [1] [2]
- Telemetry within the process tree showed rdpclip.exe execution by the user Jesse on the destination system of the RDP connection. [1] [2]

Step 16.A.1.2
- Specific Behavior alerts titled "Windows Admin Shares - Lateral Movement" were generated for credential accesses specifically targeting admin shares. [1] [2]
- Telemetry showed a process tree containing repeated logon attempts via net.exe targeting ADMIN$. [1] [2]

Step 16.B.1.2
- Specific Behavior alerts were generated mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons. [1] [2]
- Telemetry showed a process tree containing repeated logon attempts via net.exe targeting ADMIN$, eventually resulting in a successful logon. [1] [2]

Step 16.D.1.1
- Specific Behavior alerts were generated mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons. [1] [2]
- Telemetry showed a process tree containing a logon attempt via net.exe and command-line arguments targeting C$ using valid account credentials. [1] [2]

Step 20.A.1.2
- Minimum detection criteria were not met for this procedure.

ATT&CK Pattern column (procedure):

- Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5) [1] [2] [3]
- Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5) [1] [2] [3]
- RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism [1] [2]
- RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism [1] [2]
- Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6) [1] [2]
- Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6) [1] [2]
- Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5) [1] [2]
- Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5) [1] [2]
- Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5) [1] [2]
- Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5) [1] [2]
- RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism