Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
19.B.5
|
|
|
|
Technique
(Configuration Change (Data Sources))
|
A Technique detection named "Suspicious sdbinst execution" (Medium ) was generated when sdbinst.exe installed sdbE376.tmp shim database.
[1]
|
Technique
(Configuration Change (Data Sources))
|
A Technique detection named "Shim registry entries" (Medium) was generated when sdbinst.exe installed sdbE376.tmp shim database.
[1]
[2]
[3]
|
|
20.A.1
|
|
|
Minimum detection criteria was not met for this procedure.
[1]
[2]
|
|
sdbinst.exe installs sdbE376.tmp shim
-
Process Monitoring
-
Windows Registry
[1]
[2]
sdbinst.exe installs sdbE376.tmp shim
-
Due to human error, RDR sensor was not initially deployed to the Accounting host.
[1]
sdbinst.exe installs sdbE376.tmp shim
-
Windows Registry
-
Process Monitoring
-
Due to human error, RDR sensor was not initially deployed to the Accounting host.
[1]
[2]
[3]
AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll
[1]
[2]
APT29
|
The subtechnique was not in scope.
|
APT3
|
The subtechnique was not in scope.
|