Carbanak+FIN7

| Step | ATT&CK Pattern | Data Sources | Detection Type | Detection Note | Refs |
|---|---|---|---|---|---|
| 1.A.3 | wscript.exe executes unprotected.vbe | Script Logs, File Monitoring, Process Monitoring | General | A General detection named "ASR - Block Office applications from creating executable content" was generated when wscript.exe executed unprotected.vbe. | [1] |
| 1.A.3 | wscript.exe executes unprotected.vbe | | Technique | A Technique detection named "wscript.exe process was observed using 'Command and Scripting Interpreter' technique" (Low) was generated when wscript.exe spawned unprotected.vbe. | [1] [2] |
| 1.A.3 | wscript.exe executes unprotected.vbe | | | | [1] |
| 1.A.3 | wscript.exe executes unprotected.vbe | Process Monitoring, Script Logs | Technique | A Technique detection named "suspicious patterns in AMSI content" was generated when patterns in AMSI content indicated suspicious script activity when wscript.exe executed unprotected.vbe. | [1] |
| 1.A.7 | wscript.exe executes starter.vbs | | | | [1] |
| 1.A.7 | wscript.exe executes starter.vbs | | Technique | A Technique detection named "Suspicious VB activity" (Low) was generated when suspicious behavior was identified during execution of starter.vbs. | [1] |
| 8.A.1 | wscript.exe spawns Java-Update.exe | | Technique | A Technique detection named "Suspicious VB activity" (Low) was generated when wscript.exe spawned Java-Update.exe. | [1] |
| 8.A.1 | wscript.exe spawns Java-Update.exe | | | | [1] |
| 8.A.1 | wscript.exe spawns Java-Update.exe | Windows Registry, Process Monitoring | General | A General detection named "Suspicious file or command launched from registry run keys" (Low) was generated when a Registry run key caused wscript.exe to execute Java-Update.vbs, which then spawned Java-Update.exe. | [1] |
| 11.A.4 | mshta.exe executes an embedded VBScript payload | | Technique | A Technique detection named "Suspicious VB activity" (Low) was generated when the Visual Basic interpreter was invoked by mshta.exe. | [1] [2] |
| 11.A.4 | mshta.exe executes an embedded VBScript payload | Process Monitoring, Script Logs | | | [1] |
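The Carbanak+FIN7 rows above describe four observable behaviours: a script host (wscript.exe) executing a .vbs/.vbe file, a script host spawning an executable, mshta.exe invoking the VBScript interpreter, and a Registry Run key launching a script host. The Python below is an added example written for this page, not code from the evaluation or from the vendor's product. It expresses those four behaviours as detection logic over process-creation and registry telemetry; the event shape (pid, ppid, image path, command line; registry key and value data), the sample events and the rule names are all constructed for the example, and checking for both the `vbscript:` handler and an .hta argument on the mshta.exe command line is an assumption about how "an embedded VBScript payload" would surface in telemetry.

```python
"""Detection logic for the Visual Basic (T1059.005) behaviours in the evaluation
notes above. All events below are constructed sample telemetry, not data from the
evaluation; the rule names are this example's own, not the product's alert names."""
import ntpath
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
VB_EXTENSIONS = (".vbs", ".vbe")
# Matches the tail of HKCU/HKLM ...\CurrentVersion\Run and \RunOnce keys.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line as recorded by the sensor


@dataclass
class RegistryEvent:
    key: str          # registry key that was written
    value_data: str   # data written to the value


def image_name(path):
    # ntpath handles Windows paths regardless of the host OS.
    return ntpath.basename(path).lower()


def cmdline_tokens(cmdline):
    # Split a Windows command line, keeping quoted paths together.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def names_vb_script(text):
    return any(t.lower().endswith(VB_EXTENSIONS) for t in cmdline_tokens(text))


def detect(process_events, registry_events):
    """Return (rule name, pid or registry key) for every matching event."""
    by_pid = {ev.pid: ev for ev in process_events}
    findings = []
    for ev in process_events:
        name = image_name(ev.image)
        parent = by_pid.get(ev.ppid)
        parent_name = image_name(parent.image) if parent else ""
        tokens = cmdline_tokens(ev.cmdline)
        # 1.A.3 / 1.A.7: wscript.exe executes a .vbe/.vbs file.
        if name in SCRIPT_HOSTS and names_vb_script(ev.cmdline):
            findings.append(("script host executes VBScript", ev.pid))
        # 8.A.1: wscript.exe spawns an executable (Java-Update.exe in the notes).
        if parent_name in SCRIPT_HOSTS and name.endswith(".exe") and name not in SCRIPT_HOSTS:
            findings.append(("script host spawns executable", ev.pid))
        # 11.A.4: mshta.exe invokes the VBScript interpreter (assumption: via the
        # vbscript: handler on the command line or an .hta file argument).
        if name == "mshta.exe" and (
            "vbscript:" in ev.cmdline.lower() or any(t.lower().endswith(".hta") for t in tokens)
        ):
            findings.append(("mshta.exe invokes VBScript", ev.pid))
    for rev in registry_events:
        # 8.A.1: a Run key value that launches a script host or names a VB script.
        tokens = cmdline_tokens(rev.value_data)
        launcher = image_name(tokens[0]) if tokens else ""
        if RUN_KEY.search(rev.key) and (launcher in SCRIPT_HOSTS or names_vb_script(rev.value_data)):
            findings.append(("Run key launches script host", rev.key))
    return findings


# Constructed sample telemetry: one benign process and one benign registry write
# are included so the rules can be seen not firing.
SAMPLE_PROCESSES = [
    ProcessEvent(100, 50, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(101, 100, r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\user\Desktop\unprotected.vbe"'),
    ProcessEvent(102, 101, r"C:\Users\user\AppData\Roaming\Java-Update.exe",
                 r"C:\Users\user\AppData\Roaming\Java-Update.exe"),
    ProcessEvent(103, 100, r"C:\Windows\System32\mshta.exe",
                 'mshta.exe vbscript:MsgBox("constructed sample")'),
    ProcessEvent(104, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
]
SAMPLE_REGISTRY = [
    RegistryEvent(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                  r'wscript.exe "C:\Users\user\AppData\Roaming\Java-Update.vbs"'),
    RegistryEvent(r"HKLM\SOFTWARE\Vendor\Agent", r"C:\Program Files\Vendor\agent.exe"),
]


def run_sample():
    return detect(SAMPLE_PROCESSES, SAMPLE_REGISTRY)


if __name__ == "__main__":
    for rule, subject in run_sample():
        print(f"{rule}: {subject}")
```

Each rule corresponds to one data source the table lists (Process Monitoring for the parent/child and command-line checks, Windows Registry for the Run key check); Script Logs and AMSI content are not modelled here because the sample events carry no script body. The parent lookup is by pid within the supplied batch only, so a real deployment would key on a process GUID or creation time to survive pid reuse.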
APT29

The subtechnique was not in scope.
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note | Refs |
|---|---|---|---|---|
| 11.A.1 | | Specific Behavior (Delayed) | A delayed Specific Behavior alert was generated for suspicious PowerShell command-line arguments. | [1] [2] [3] [4] [5] [6] [7] [8] |
| 11.A.1 | | Specific Behavior | A Specific Behavior alert was generated for PowerShell script with malicious cmdlets related to Empire. | [1] [2] [3] [4] [5] [6] [7] [8] |
| 11.A.1 | | Specific Behavior (Delayed) | A Specific Behavior alert was generated for PowerShell script with suspicious content detected through Antimalware Scan Interface extracted content. | [1] [2] [3] [4] [5] [6] [7] [8] |
| 11.A.1 | | Telemetry | Telemetry showed explorer.exe running autoupdate.vbs through wscript.exe and subsequent execution of PowerShell script and cmdlets. | [1] [2] [3] [4] [5] [6] [7] [8] |