Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.A.5
|
|
|
|
|
A Technique detection named "Remote Services: Remote Desktop Protocol, T1201.001" was generated when an RDP session was established from the localhost over TCP port 3389.
[1]
|
|
7.B.3
|
|
|
|
|
A Technique detection named "Remote Services: Remote Desktop Protocol, T1021.001" was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389.
[1]
|
|
19.A.2
|
|
|
|
|
A General detection (malicious) was generated when rundll32.exe connected to accounting (10.0.1.7).
[1]
|
|
A Technique detection named "Remote Services: Remote Desktop Protocol, T1021.001" was generated when an RDP session was created from itadmin (10.0.1.6) to accounting (10.0.1.7) over port 3389.
[1]
|
|
RDP session from the localhost over TCP port 3389
[1]
RDP session from the localhost over TCP port 3389
[1]
RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389
-
Network Monitoring
-
Process Monitoring
[1]
RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389
[1]
RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389
-
Process Monitoring
-
Network Monitoring
[1]
RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389
-
Network Monitoring
-
Process Monitoring
[1]
RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389
-
Network Monitoring
-
Process Monitoring
[1]