Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 19.B.5 | sdbinst.exe installs sdbE376.tmp shim (Data sources: File Monitoring, Process Monitoring) | Technique | A Technique detection named "Possible Application Shimming PE Original File Name and Hash Indicator" (Medium) was generated when sdbinst.exe was executed with its original filename and hash. [1] |
| | | Technique | A Technique detection named "Possible Application Shimming Process Execution Indicator" (High) was generated when sdbinst.exe was executed to install the sdbE376.tmp shim. [1] |
| | | Technique | A Technique detection named "Possible Application Shimming Registry Indicator" (Medium) was generated when a registry value related to Application Shimming was set. [1] |
| | | Technique | A Technique detection named "Possible Application Shimming New Shim Database Indicator" (Medium) was generated when a new shim database (.sdb) file was created. [1] |
| 20.A.1 | AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll (Data sources: File Monitoring, Process Monitoring) | None | Minimum detection criteria was not met for this procedure. |
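The four 19.B.5 indicators above each key on a different host event (process creation, registry value set, .sdb file creation), while the 20.A.1 step only surfaces as the shimmed application loading a DLL. The matcher below is an added example, not code from the evaluated vendor or from the ATT&CK Evaluations page; it assumes Sysmon-style event IDs and field names (1 process create, 11 file create, 13 registry value set, 7 image load), and the sample events, paths and GUID-like names are constructed.

```python
import re

# sdbinst.exe records an installed database under the AppCompatFlags\Custom and
# AppCompatFlags\InstalledSDB subkeys; InstalledSDB is the key named in step 20.A.1.
SHIM_REG_KEY = re.compile(r"\\AppCompatFlags\\(Custom|InstalledSDB)\\", re.IGNORECASE)

def classify(event):
    """Return (indicator name, severity) pairs that a single event matches."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:  # process creation
        # OriginalFileName comes from the PE header, so it survives a renamed binary on disk
        if event.get("OriginalFileName", "").lower() == "sdbinst.exe":
            hits.append(("Possible Application Shimming PE Original File Name and Hash Indicator", "Medium"))
        # sdbinst.exe invoked with an argument (the shim database it is asked to install)
        if event.get("Image", "").lower().endswith("\\sdbinst.exe") and len(event.get("CommandLine", "").split()) > 1:
            hits.append(("Possible Application Shimming Process Execution Indicator", "High"))
    elif eid == 13 and SHIM_REG_KEY.search(event.get("TargetObject", "")):  # registry value set
        hits.append(("Possible Application Shimming Registry Indicator", "Medium"))
    elif eid == 11 and event.get("TargetFilename", "").lower().endswith(".sdb"):  # file created
        hits.append(("Possible Application Shimming New Shim Database Indicator", "Medium"))
    return hits

def scan(events):
    """Map each matched indicator name to the number of events that triggered it."""
    counts = {}
    for ev in events:
        for name, _severity in classify(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed events modelled on steps 19.B.5 and 20.A.1 (all paths and values made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\sdbinst.exe", "OriginalFileName": "sdbinst.exe",
     "CommandLine": r"sdbinst.exe C:\Users\Public\sdbE376.tmp"},
    {"EventID": 11, "Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetFilename": r"C:\Windows\AppPatch\Custom\{E376-constructed}.sdb"},
    {"EventID": 13, "Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{E376-constructed}\DatabasePath"},
    # Step 20.A.1: the shimmed application loading the DLL only yields an image-load event,
    # which none of the four indicators cover, so this event produces no hit (the miss above).
    {"EventID": 7, "Image": r"C:\Program Files\AccountingIQ\AccountingIQ.exe",
     "ImageLoaded": r"C:\Windows\Temp\dll329.dll"},
]

if __name__ == "__main__":
    for name, n in scan(SAMPLE_EVENTS).items():
        print(f"{n}x {name}")
```

Covering the 20.A.1 gap would need a rule on the image-load (or registry-query) side, for example an unsigned DLL loaded by a process whose executable has an entry under InstalledSDB.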