Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
1.A.3
|
|
|
A General detection named "Spear-phishing Attachment (Suspicious Process from Office)" was generated when wscript.exe spawned unprotected.vbe.
[1]
|
|
|
General
(Configuration Change (Detection Logic))
|
A General detection named "Deobfuscate/Decode Files or Information (WSH Access or Runs Suspicious File)" was generated when wscript.exe spawned unprotected.vbe.
[1]
|
|
A Tactic detection named "Dynamic Data Exchange" was generated when wscript.exe spawned unprotected.vbe.
[1]
|
|
A Technique detection named "Scripting" was generated when wscript.exe spawned unprotected.vbe.
[1]
|
|
1.A.7
|
|
General
(Configuration Change (Detection Logic))
|
A General detection named "Living Off The Land Binaries (LOLBAS)" was generated when wscript.exe executed starter.vbs.
[1]
|
|
|
|
A Technique detection named "Scripting" was generated when wscript.exe executed starter.vbs.
[1]
|
|
8.A.1
|
|
General
(Configuration Change (Detection Logic))
|
A General detection named "Living Off The Land Binaries (LOLBAS)" was generated when Java-Update.exe spawned from wscript.exe.
[1]
|
|
A Technique detection named "Scripting" was generated when Java-Update.exe spawned from wscript.exe.
[1]
[2]
|
|
|
|
11.A.4
|
|
|
|
Technique
(Configuration Change (Detection Logic))
|
A Technique detection named "Scripting (DLL)" was generated when mshta.exe loaded a VBS related DLL inorder to execute an embedded VBScript payload.
[1]
|
|
wscript.exe executes unprotected.vbe
[1]
wscript.exe executes unprotected.vbe
[1]
[2]
wscript.exe executes unprotected.vbe
[1]
wscript.exe executes unprotected.vbe
[1]
wscript.exe executes unprotected.vbe
[1]
wscript.exe executes starter.vbs
[1]
wscript.exe executes starter.vbs
[1]
[2]
wscript.exe executes starter.vbs
[1]
wscript.exe spawns Java-Update.exe
[1]
wscript.exe spawns Java-Update.exe
[1]
[2]
wscript.exe spawns Java-Update.exe
[1]
[2]
mshta.exe executes an embedded VBScript payload
[1]
mshta.exe executes an embedded VBScript payload
-
Process Monitoring
-
DLL Monitoring
[1]