VMware Carbon Black: Defense Evasion (TA0005)
Carbanak+FIN7

Step | ATT&CK Pattern
--- | ---
1.A.4 | Technique: Obfuscated Files or Information (T1027)
1.A.5 |
1.A.6 |
3.A.2 | Technique: Modify Registry (T1112)
3.A.3 | Technique: Obfuscated Files or Information (T1027)
3.B.5 |
4.B.4 | Technique: Modify Registry (T1112)
5.C.6 |
7.A.4 |
9.A.3 | Technique: Process Injection (T1055)
9.B.3 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
10.A.3 | Technique: Impair Defenses (T1562); Subtechnique: Impair Defenses: Disable or Modify System Firewall (T1562.004)
10.A.5 | Technique: Modify Registry (T1112)
10.A.6 | Technique: Modify Registry (T1112)
11.A.2 | Technique: Obfuscated Files or Information (T1027)
11.A.5 |
11.A.6 |
13.A.4 | Technique: Virtualization/Sandbox Evasion (T1497); Subtechnique: Virtualization/Sandbox Evasion: System Checks (T1497.001)
14.A.3 |
14.A.5 |
16.A.7 |
17.A.2 | Technique: Masquerading (T1036); Subtechnique: Masquerading: Match Legitimate Name or Location (T1036.005)
18.A.1 | Technique: Process Injection (T1055)
18.A.3 | Technique: Process Injection (T1055)
19.B.2 | Technique: Obfuscated Files or Information (T1027)
20.A.2 | Technique: Process Injection (T1055)
APT29

Step | ATT&CK Pattern
--- | ---
1.A.2 |
3.A.2 |
3.C.1 | Technique: Modify Registry (T1112)
4.A.3 |
4.B.2 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
4.B.3 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
4.B.4 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
6.A.3 | Technique: Masquerading (T1036); Subtechnique: Masquerading: Match Legitimate Name or Location (T1036.005)
8.B.2 |
8.C.1 |
9.C.1 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
9.C.2 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
9.C.3 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
9.C.4 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
10.B.3 |
11.A.2 |
11.A.3 | Technique: Virtualization/Sandbox Evasion (T1497); Subtechnique: Virtualization/Sandbox Evasion: System Checks (T1497.001)
11.A.10 |
12.A.2 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: Timestomp (T1070.006)
14.A.3 | Technique: Modify Registry (T1112)
14.B.5 | Technique: Obfuscated Files or Information (T1027)
14.B.6 |
17.C.2 | Technique: Obfuscated Files or Information (T1027)

Step detail (procedure and criteria):

Procedure: python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed

Procedure: Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
APT3

Step | ATT&CK Pattern
--- | ---
3.A.1.2 |
5.B.1 |
16.C.1 |
16.I.1.2 |
17.B.1 |
17.B.2 |
19.A.1.1 | Technique: Masquerading (T1036)
19.B.1.3 | Technique: Masquerading (T1036)
19.D.1 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
19.D.2 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)