Carbanak+FIN7

| Step | ATT&CK Pattern | Data Sources | Detection Type | Detection Note |
|---|---|---|---|---|
| 9.A.2 | DefenderUpgradeExec.exe calls the SetWindowsHookEx API | System Calls/API Monitoring, Process Monitoring | Tactic | A Tactic detection named "HookingViaSetHookAPI + KeyloggerInstallation" was generated when DefenderUpgradeExec.exe called the SetWindowsHookEx API. Tagged with Collection. [1] |
| 9.A.2 | DefenderUpgradeExec.exe calls the SetWindowsHookEx API | Process Monitoring, System Calls/API Monitoring | Technique | A Technique detection named "HookingViaSetHookAPI + KeyloggerInstallation" was generated when DefenderUpgradeExec.exe called the SetWindowsHookEx API. Key Logger Installation. [1] |
| 18.A.4 | mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState | Process Monitoring, System Calls/API Monitoring | Technique | A Technique detection named "KeyloggerRegistered" was generated when mstsc.exe called the GetAsyncKeyState or GetKeyState API. Note: the process name is inherited from the original process. [1] |
APT29

| Step | Procedure | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|---|
| 7.A.3 | Captured user keystrokes using the GetAsyncKeyState API | powershell.exe executing the GetAsyncKeyState API | Technique (Correlated, Alert, Configuration Change (Detections)) | A Technique alert detection for "SuspiciousKeylogging" was generated due to GetAsyncKeyState execution. The detection was correlated to a parent grouping of malicious activity. A Detection Configuration Change was made to align GetAsyncKeyState usage with "SuspiciousKeylogging" under "Collection {T1056}". [1] |
| 7.A.3 | Captured user keystrokes using the GetAsyncKeyState API | powershell.exe executing the GetAsyncKeyState API | Telemetry (Correlated, Configuration Change (UX)) | Telemetry showed PowerShell calling the GetAsyncKeyState API. The detection was correlated to a parent grouping of malicious activity. A UX Configuration Change was made to bring PowerShell script block logs into the user interface. [1] |
| 7.A.3 | Captured user keystrokes using the GetAsyncKeyState API | powershell.exe executing the GetAsyncKeyState API | MSSP | An MSSP detection for "T1056" occurred containing evidence of GetAsyncKeyState API calls and a Get-Keystrokes function call. [1] [2] |
APT3

| Step | Procedure | Detection Type | Detection Note |
|---|---|---|---|
| 8.C.1.1 | Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie | Telemetry | Telemetry showed GetAsyncKeyStateApi, which was indicative of keylogging. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID). Vendor stated log files indicate the powershell process was using the SSL cache folder. [1] [2] |