Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
11.A.8
|
|
|
A Technique detection named "An anomalous scheduled task was created" (Medium) was generated when an anomalous scheduled task was created for execution of sql-rat.js.
[1]
|
|
A Technique detection named "mshta.exe process created a scheduled task" was generated when mshta.exe was observed creating a new scheduled task (Micriosoft Update Service).
[1]
|
|
|
|
12.A.1
|
|
|
A Technique detection named "Suspicious Scheduled Task Process Launched" (Medium) was generated when a scheduled task was launched that pointed at a file previously identified as malicious.
[1]
|
|
|
|
A Technique detection named "Suspicious Task Scheduler activity" was generated when a scheduled task process was created that was involved in earlier malicious activity.
[1]
|
|
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
-
Windows Event Logs
-
Process Monitoring
[1]
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
-
Process Monitoring
-
Windows Event Logs
[1]
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
-
Windows Event Logs
-
Process Monitoring
[1]
svchost.exe (-s Schedule) spawns Adb156.exe
-
Process Monitoring
-
File Monitoring
[1]
svchost.exe (-s Schedule) spawns Adb156.exe
[1]
svchost.exe (-s Schedule) spawns Adb156.exe
[1]
APT29
|
The technique was not in scope.
|
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.C.1
|
|
Specific Behavior
(Delayed)
|
A delayed Specific Behavior alert was generated on a low-reputation DLL persisting through a scheduled task.
[1]
[2]
|
|
Telemetry showed cmd.exe registering the \"Resume Viewer Update Checker\" scheduled task.
[1]
[2]
|
|
10.A.2
|
|
|
Telemetry showed the execution sequence for rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments \\"-k netsvcs -p -s Schedule\\".
[1]
|
|
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
[1]
[2]
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
[1]
[2]
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
[1]