Carbanak+FIN7
Step | ATT&CK Pattern | Detection Type | Detection Note
9.B.2 | | Technique | A Technique detection named "queried a unique vault credential from the Credential Manager" was generated when infosMin48.exe accessed a stored GitHub web credential from the Credential Manager. [1]
9.B.2 | | Technique | A Technique detection named "enumerated vault credentials from the Credential Manager." was generated when infosMin48.exe accessed the Credential Manager. [1]
9.B.2 | | | infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll (data sources: System Calls/API Monitoring, Process Monitoring) [1]
9.B.2 | | | infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll (data sources: Process Monitoring, DLL Monitoring) [1]
9.B.2 | | | infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll (data sources: Process Monitoring, System Calls/API Monitoring) [1]
APT29
Step | ATT&CK Pattern | Detection Type | Detection Note
6.A.2 (Executed the CryptUnprotectData API call to decrypt Chrome passwords) | | MSSP | An MSSP detection for Credential Access was generated containing evidence that the CryptUnprotectData API was invoked to decrypt password data. [1]
6.A.2 | | | accesschk.exe executing the CryptUnprotectData API [1]
APT3
The subtechnique was not in scope.
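The two detection patterns in the Carbanak+FIN7 and APT29 rows above (a process calling VaultEnumerateItems exported by vaultcli.dll, and a process calling the DPAPI function CryptUnprotectData to unwrap protected password blobs) can be expressed as a small detection pass over API-monitoring and image-load telemetry. The following is an added example written for this page; it is not code from MITRE, from the evaluation, or from any participating vendor. The JSON-lines event shape, the field names, the pid values, the EXPECTED_VAULT_LOADERS allowlist and the sample telemetry are all constructed assumptions for the example; real EDR or Sysmon output differs and the rule would be adapted to it.

```python
"""
Added example (not MITRE's, the evaluation's, or any vendor's code): a minimal
detection pass over constructed API-monitoring and image-load telemetry.

Patterns mirrored from the tables above:
  * a process calling a vaultcli.dll Vault* API (VaultEnumerateItems in the
    Carbanak+FIN7 step)          -> T1555.004 Windows Credential Manager
  * a process calling CryptUnprotectData (DPAPI, exported by crypt32.dll),
    used in the APT29 step to decrypt Chrome passwords -> T1555 (DPAPI decryption)

Event shape, field names, pids and the allowlist are assumptions for this
example; real EDR/Sysmon telemetry will differ.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Vault APIs exported by vaultcli.dll that a credential stealer walks to read
# stored credentials (VaultEnumerateItems is the one named in the tables).
VAULT_APIS = {"VaultOpenVault", "VaultEnumerateVaults", "VaultEnumerateItems", "VaultGetItem"}

# DPAPI decryption entry point used to unwrap protected blobs such as
# Chrome's encrypted passwords.
DPAPI_APIS = {"CryptUnprotectData"}

# Processes expected to load vaultcli.dll in a normal desktop session
# (assumed allowlist for the example; tune per environment). Process names
# are spoofable, so this only lowers noise on image loads and never
# suppresses an actual Vault* API-call hit.
EXPECTED_VAULT_LOADERS = {"explorer.exe", "vaultcmd.exe", "lsass.exe", "svchost.exe"}


@dataclass(frozen=True)
class Alert:
    technique: str
    process: str
    pid: int
    confidence: str
    detail: str


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip, do not lose the rest of the batch
    return events


def _basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path (or a bare module name)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: Iterable[Dict]) -> List[Alert]:
    """Return one Alert per event matching the Credential Manager / DPAPI patterns."""
    alerts: List[Alert] = []
    for ev in events:
        kind = ev.get("type")
        proc = ev.get("process", "")
        pid = int(ev.get("pid", -1))
        if kind == "api_call":
            api = ev.get("api", "")
            module = _basename(ev.get("module", ""))
            if api in VAULT_APIS and module == "vaultcli.dll":
                # Direct evidence of reading the vault: the System Calls/API Monitoring source.
                alerts.append(Alert("T1555.004 Windows Credential Manager", proc, pid, "high",
                                    f"{proc} called {api} in vaultcli.dll"))
            elif api in DPAPI_APIS:
                # DPAPI decryption is broader than credential theft, hence medium confidence.
                alerts.append(Alert("T1555 DPAPI decryption (CryptUnprotectData)", proc, pid, "medium",
                                    f"{proc} called {api} in {module or 'unknown module'}"))
        elif kind == "image_load":
            # The DLL Monitoring source: vaultcli.dll loaded by an unexpected process.
            if _basename(ev.get("image", "")) == "vaultcli.dll" and proc.lower() not in EXPECTED_VAULT_LOADERS:
                alerts.append(Alert("T1555.004 Windows Credential Manager", proc, pid, "low",
                                    f"{proc} loaded vaultcli.dll (unexpected loader)"))
    return alerts


# Constructed sample telemetry (not captured from the evaluation): one benign
# vaultcli.dll load, the Carbanak+FIN7-style Vault enumeration, an unrelated
# API call, the APT29-style DPAPI call, and one malformed line.
SAMPLE_TELEMETRY = r"""
{"type":"image_load","process":"explorer.exe","pid":1200,"image":"C:\\Windows\\System32\\vaultcli.dll"}
{"type":"image_load","process":"infosMin48.exe","pid":4120,"image":"C:\\Windows\\System32\\vaultcli.dll"}
{"type":"api_call","process":"infosMin48.exe","pid":4120,"module":"vaultcli.dll","api":"VaultEnumerateItems"}
{"type":"api_call","process":"infosMin48.exe","pid":4120,"module":"kernel32.dll","api":"CreateFileW"}
{"type":"api_call","process":"accesschk.exe","pid":5032,"module":"crypt32.dll","api":"CryptUnprotectData"}
not json at all
"""


def run_sample() -> List[Alert]:
    """Run the detection over the constructed sample; expected: 3 alerts (low, high, medium)."""
    return detect(parse_events(SAMPLE_TELEMETRY.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.confidence:6}] {alert.technique}: {alert.detail} (pid {alert.pid})")
```

The API-call rule keys on both the export name and the owning module, because a Vault* symbol name alone is cheap to forge; the image-load rule is kept separate and at low confidence so that the DLL Monitoring source still produces a signal on hosts where API monitoring is unavailable.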