Command and Control (TA0011)

Carbanak+FIN7

| Step | Technique | Sub-technique |
| --- | --- | --- |
| 1.A.10 | Application Layer Protocol (T1071) | Web Protocols (T1071.001) |
| 1.A.11 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002) |
| 2.B.1 | Ingress Tool Transfer (T1105) | |
| 3.B.1 | Ingress Tool Transfer (T1105) | |
| 3.B.7 | Non-Application Layer Protocol (T1095) | |
| 4.B.1 | Ingress Tool Transfer (T1105) | |
| 4.B.2 | Ingress Tool Transfer (T1105) | |
| 5.A.1 | Ingress Tool Transfer (T1105) | |
| 5.A.2 | Ingress Tool Transfer (T1105) | |
| 5.A.3 | Ingress Tool Transfer (T1105) | |
| 5.A.4 | Ingress Tool Transfer (T1105) | |
| 5.A.5 | Ingress Tool Transfer (T1105) | |
| 7.A.1 | Ingress Tool Transfer (T1105) | |
| 7.A.3 | Application Layer Protocol (T1071) | |
| 7.C.1 | Ingress Tool Transfer (T1105) | |
| 7.C.3 | Ingress Tool Transfer (T1105) | |
| 8.A.2 | Application Layer Protocol (T1071) | Web Protocols (T1071.001) |
| 8.A.3 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002) |
| 9.A.1 | Ingress Tool Transfer (T1105) | |
| 9.B.1 | Ingress Tool Transfer (T1105) | |
| 10.A.1 | Ingress Tool Transfer (T1105) | |
| 10.A.2 | Ingress Tool Transfer (T1105) | |
| 10.B.1 | Remote Access Software (T1219) | |
| 12.A.3 | Application Layer Protocol (T1071) | |
| 12.B.1 | Ingress Tool Transfer (T1105) | |
| 13.B.1 | Ingress Tool Transfer (T1105) | |
| 14.A.6 | Application Layer Protocol (T1071) | Web Protocols (T1071.001) |
| 14.A.7 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002) |
| 15.A.2 | Ingress Tool Transfer (T1105) | |
| 15.A.3 | Ingress Tool Transfer (T1105) | |
| 16.A.1 | Ingress Tool Transfer (T1105) | |
| 16.A.2 | Ingress Tool Transfer (T1105) | |
| 16.A.8 | Application Layer Protocol (T1071) | Web Protocols (T1071.001) |
| 16.A.9 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002) |
| 17.A.1 | Ingress Tool Transfer (T1105) | |
| 17.A.5 | Application Layer Protocol (T1071) | Web Protocols (T1071.001) |
| 17.A.6 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002) |
| 19.A.3 | Proxy (T1090) | |
| 19.B.3 | Ingress Tool Transfer (T1105) | |
| 19.B.4 | Ingress Tool Transfer (T1105) | |
| 20.A.3 | Application Layer Protocol (T1071) | Web Protocols (T1071.001) |
| 20.A.4 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002) |
| 20.B.1 | Ingress Tool Transfer (T1105) | |
| 20.B.3 | Ingress Tool Transfer (T1105) | |

Criteria
itadmin (10.0.1.6) is relaying RDP traffic from attacker infrastructure
Data Sources
- Network Monitoring

APT29

| Step | Technique | Sub-technique |
| --- | --- | --- |
| 1.A.3 | Non-Application Layer Protocol (T1095) | |
| 1.A.4 | Encrypted Channel (T1573) | Symmetric Cryptography (T1573.001) |
| 3.A.1 | Ingress Tool Transfer (T1105) | |
| 3.B.3 | Commonly Used Port (T1043) | |
| 3.B.4 | Application Layer Protocol (T1071) | Web Protocols (T1071.001) |
| 3.B.5 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002) |
| 4.A.1 | Ingress Tool Transfer (T1105) | |
| 8.B.1 | Ingress Tool Transfer (T1105) | |
| 9.A.1 | Ingress Tool Transfer (T1105) | |
| 9.A.2 | Ingress Tool Transfer (T1105) | |
| 9.B.8 | | |
| 11.A.13 | Commonly Used Port (T1043) | |
| 11.A.14 | Application Layer Protocol (T1071) | Web Protocols (T1071.001) |
| 11.A.15 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002) |
| 14.B.3 | Ingress Tool Transfer (T1105) | |
| 18.A.1 | Web Service (T1102) | |

Procedure
Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria
Established network channel over port 1234
Footnotes
- According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking Office documents from making network connections.

Procedure
Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria
Established network channel over port 443
Footnotes
- According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking PowerShell from making network connections.

Procedure
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria
python.exe reading the file working.zip while connected to the C2 channel

Procedure
Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Criteria
Established network channel over port 443
Footnotes
- According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking PowerShell from making network connections.

Procedure
Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria
Established network channel over the HTTPS protocol

APT3

| Step | Technique | Sub-technique |
| --- | --- | --- |
| 1.C.1.1 | Commonly Used Port (T1043) | |
| 1.C.1.2 | Application Layer Protocol (T1071) | DNS (T1071.004) |
| 1.C.1.3 | | |
| 6.B.1.1 | Commonly Used Port (T1043) | |
| 6.B.1.2 | Application Layer Protocol (T1071) | Web Protocols (T1071.001) |
| 6.B.1.3 | Multiband Communication (T1026) | |
| 7.B.1 | Ingress Tool Transfer (T1105) | |
| 11.B.1.1 | Commonly Used Port (T1043) | |
| 11.B.1.2 | Application Layer Protocol (T1071) | Web Protocols (T1071.001) |
| 11.B.1.3 | Encrypted Channel (T1573) | Asymmetric Cryptography (T1573.002) |
| 14.A.1.2 | Ingress Tool Transfer (T1105) | |
| 14.A.1.3 | Application Layer Protocol (T1071) | Web Protocols (T1071.001) |
| 14.A.1.4 | Commonly Used Port (T1043) | |
| 16.E.1 | Ingress Tool Transfer (T1105) | |
| 19.A.1.2 | Ingress Tool Transfer (T1105) | |