Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
9.B.2
|
|
Technique
(Configuration Change (Detection Logic), Configuration Change (Data Sources))
|
A Technique detection named "Potential credentials theft from Windows Credential Vault" (Warning) was generated when infosMin48.exe loaded vaultcli.dll.
[1]
[2]
|
Telemetry
(Configuration Change (Data Sources))
|
|
|
infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll
-
Process Monitoring
-
DLL Monitoring
-
Increased collection of module load activity
[1]
[2]
infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll
-
Process Monitoring
-
DLL Monitoring
-
Increased collection of module load activity
[1]