Command and Control (TA0011)

Carbanak+FIN7

Step | Technique | Sub-technique
1.A.10 | Application Layer Protocol (T1071) | Web Protocols (T1071.001)
1.A.11 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002)
2.B.1 | Ingress Tool Transfer (T1105) |
3.B.1 | Ingress Tool Transfer (T1105) |
3.B.7 | Non-Application Layer Protocol (T1095) |
4.B.1 | Ingress Tool Transfer (T1105) |
4.B.2 | Ingress Tool Transfer (T1105) |
5.A.1 | Ingress Tool Transfer (T1105) |
5.A.2 | Ingress Tool Transfer (T1105) |
5.A.3 | Ingress Tool Transfer (T1105) |
5.A.4 | Ingress Tool Transfer (T1105) |
5.A.5 | Ingress Tool Transfer (T1105) |
7.A.1 | Ingress Tool Transfer (T1105) |
7.A.3 | Application Layer Protocol (T1071) |
7.C.1 | Ingress Tool Transfer (T1105) |
7.C.3 | Ingress Tool Transfer (T1105) |
8.A.2 | Application Layer Protocol (T1071) | Web Protocols (T1071.001)
8.A.3 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002)
9.A.1 | Ingress Tool Transfer (T1105) |
9.B.1 | Ingress Tool Transfer (T1105) |
10.A.1 | Ingress Tool Transfer (T1105) |
10.A.2 | Ingress Tool Transfer (T1105) |
10.B.1 | Remote Access Software (T1219) |
12.A.3 | Application Layer Protocol (T1071) |
12.B.1 | Ingress Tool Transfer (T1105) |
13.B.1 | Ingress Tool Transfer (T1105) |
14.A.6 | Application Layer Protocol (T1071) | Web Protocols (T1071.001)
14.A.7 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002)
15.A.2 | Ingress Tool Transfer (T1105) |
15.A.3 | Ingress Tool Transfer (T1105) |
16.A.1 | Ingress Tool Transfer (T1105) |
16.A.2 | Ingress Tool Transfer (T1105) |
16.A.8 | Application Layer Protocol (T1071) | Web Protocols (T1071.001)
16.A.9 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002)
17.A.1 | Ingress Tool Transfer (T1105) |
17.A.5 | Application Layer Protocol (T1071) | Web Protocols (T1071.001)
17.A.6 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002)
19.A.3 | Proxy (T1090) |
19.B.3 | Ingress Tool Transfer (T1105) |
19.B.4 | Ingress Tool Transfer (T1105) |
20.A.3 | Application Layer Protocol (T1071) | Web Protocols (T1071.001)
20.A.4 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002)
20.B.1 | Ingress Tool Transfer (T1105) |
20.B.3 | Ingress Tool Transfer (T1105) |

APT29

Step | Technique | Sub-technique
1.A.3 | Non-Application Layer Protocol (T1095) |
1.A.4 | Encrypted Channel (T1573) | Symmetric Cryptography (T1573.001)
3.A.1 | Ingress Tool Transfer (T1105) |
3.B.3 | Commonly Used Port (T1043) |
3.B.4 | Application Layer Protocol (T1071) | Web Protocols (T1071.001)
3.B.5 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002)
4.A.1 | Ingress Tool Transfer (T1105) |
8.B.1 | Ingress Tool Transfer (T1105) |
9.A.1 | Ingress Tool Transfer (T1105) |
9.A.2 | Ingress Tool Transfer (T1105) |
9.B.8 | |
11.A.13 | Commonly Used Port (T1043) |
11.A.14 | Application Layer Protocol (T1071) | Web Protocols (T1071.001)
11.A.15 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002)
14.B.3 | Ingress Tool Transfer (T1105) |
18.A.1 | Web Service (T1102) |

Procedure: Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234
Footnotes:
- Network data collection was not active at the time of the evaluation due to ongoing product enhancements.

Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Footnotes:
- Network data collection was not active at the time of the evaluation due to ongoing product enhancements.

Procedure: Dropped stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png
Footnotes:
- Expanding technique detection for Masquerading for rcs.3aka3.doc shows file write of monkey.png.
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.

Procedure: Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria: Established network channel over port 443
Footnotes:
- Network data collection was not active at the time of the evaluation due to ongoing product enhancements.

Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS
Footnotes:
- Network data collection was not active at the time of the evaluation due to ongoing product enhancements.

Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Footnotes:
- Network data collection was not active at the time of the evaluation due to ongoing product enhancements.

Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip
Footnotes:
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.
- Existing event details show correlation of detections.

Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip
Footnotes:
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.

Procedure: Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria: The file python.exe created on Scranton (10.0.1.4)
Footnotes:
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.

Procedure: Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file rar.exe

Procedure: Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file sdelete64.exe

Procedure: Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria: python.exe reading the file working.zip while connected to the C2 channel
Footnotes:
- Network data collection was not active at the time of the evaluation due to ongoing product enhancements.

Procedure: Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Criteria: Established network channel over port 443
Footnotes:
- Network data collection was not active at the time of the evaluation due to ongoing product enhancements.

Procedure: Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria: Established network channel over the HTTPS protocol
Footnotes:
- Network data collection was not active at the time of the evaluation due to ongoing product enhancements.

Procedure: Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Footnotes:
- Network data collection was not active at the time of the evaluation due to ongoing product enhancements.

Procedure: Downloaded and dropped Mimikatz (m.exe) to disk
Criteria: powershell.exe downloading and/or the file write of m.exe

Procedure: Mapped a network drive to an online OneDrive account using PowerShell
Criteria: net.exe with command-line arguments then making a network connection to a public IP over port 443
Footnotes:
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.