Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 5.C.3 | cmd.exe spawns from a service executable in C:\Windows\ | General (Informational) | A General detection named "Remote Windows Service Creation" (Informational) was generated when the service executable was created. [1] |
| 5.C.3 | cmd.exe spawns from a service executable in C:\Windows\ | Technique (Low) | A Technique detection named "Uncommon Process Execution from Services.exe" (Low) was generated when cmd.exe spawned from a service executable in C:\Windows\. [1] |
| 16.A.6 | Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe | Technique (Low) | A Technique detection named "Service Execution" (Low) was generated when a Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executed hollow.exe. [1] |
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 8.C.3 | Executed python.exe using PSExec; python.exe spawned by PSEXESVC.exe | MSSP | An MSSP detection occurred containing evidence of python.exe being spawned by PSEXESVC.exe. [1] |
| 8.C.3 | Executed python.exe using PSExec; python.exe spawned by PSEXESVC.exe | Technique (Alert) | A Technique alert detection called "Service Execution Start service T1050" was generated due to psexec.exe spawning python.exe. [1] |
| 8.C.3 | Executed python.exe using PSExec; python.exe spawned by PSEXESVC.exe | General (Alert) | A General alert detection (low severity) was generated due to an unsigned process running from a temporary directory. [1] |
| 8.C.3 | Executed python.exe using PSExec; python.exe spawned by PSEXESVC.exe | Telemetry | Telemetry showed python.exe spawned by PSEXESVC.exe, originating from an RPC call made from the remote host Nashua (10.0.1.6). [1] [2] |
| 8.C.3 | Executed python.exe using PSExec; python.exe spawned by PSEXESVC.exe | General (Alert, Correlated) | A General alert detection was generated for PSEXESVC.exe being copied to a remote host. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from the users or temporary folder. [1] |
| 8.C.3 | Executed python.exe using PSExec; python.exe spawned by PSEXESVC.exe | General (Alert, Correlated) | A General alert detection (red indicator) for "Lateral Movement" was generated due to PSEXE64.exe execution with plain-text credentials from Nashua as the user Pam. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from the users or temporary folder. [1] |
| 10.A.1 | Executed persistent service (javamtsup) on system startup; javamtsup.exe spawning from services.exe | None | Minimum detection criteria were not met for this procedure. |
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 16.L.1 | Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) | Enrichment | The capability enriched sc.exe executing with command-line arguments with the correct ATT&CK Technique (Service Execution). [1] [2] [3] |
| 16.L.1 | Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) | Telemetry (Tainted) | Telemetry showed powershell.exe executing sc with command-line arguments. As part of the service, telemetry also showed cmd.exe executing update.vbs on 10.0.0.4 (Creeper). The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] |
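The detection notes across the three tables (cmd.exe spawned from a service executable in C:\Windows\, python.exe spawned by PSEXESVC.exe, and sc start launched from PowerShell) all come down to process-lineage checks over process-creation telemetry. The Python below is an added example, not part of the evaluation results and not any vendor's detection logic: it encodes those three checks as rules over a constructed set of Sysmon-style process-creation events with an assumed schema (pid, ppid, image, command_line). Every PID, the PAExec-1234-HOTELMANAGER.exe file name and the ExampleSvc service name are constructed placeholders. It goes slightly beyond the notes by requiring services.exe as the grandparent for the first rule (matching the detection's name) and by ignoring sc verbs other than start, so a benign cmd.exe from explorer.exe and an sc query are shown not to fire.

```python
"""Process-lineage rules modelled on the detection notes in the tables above.

Added example; not the evaluation's or any vendor's detection logic. The event
schema (pid, ppid, image, command_line) is an assumed Sysmon-style process
creation record, and every PID, the PAExec-1234-HOTELMANAGER.exe file name and
the ExampleSvc service name are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
import ntpath


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str


class ProcessTree:
    """Index of events by PID so a rule can walk parent -> grandparent."""

    def __init__(self, events: List[ProcessEvent]) -> None:
        self.by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}

    def parent(self, event: ProcessEvent) -> Optional[ProcessEvent]:
        return self.by_pid.get(event.ppid)


def image_name(image: str) -> str:
    return ntpath.basename(image).lower()


def directly_under_windows(image: str) -> bool:
    # Service binaries pushed for remote execution (PAExec/PSEXESVC style)
    # are written straight into C:\Windows\, not into a subdirectory.
    return ntpath.dirname(image).lower() == r"c:\windows"


def cmd_from_service_exe(tree: ProcessTree, e: ProcessEvent) -> bool:
    """cmd.exe whose parent lives directly in C:\\Windows\\ and was started by services.exe."""
    if image_name(e.image) != "cmd.exe":
        return False
    parent = tree.parent(e)
    if parent is None or not directly_under_windows(parent.image):
        return False
    grandparent = tree.parent(parent)
    return grandparent is not None and image_name(grandparent.image) == "services.exe"


def python_from_psexesvc(tree: ProcessTree, e: ProcessEvent) -> bool:
    """python.exe spawned by the PsExec service binary."""
    parent = tree.parent(e)
    return (image_name(e.image) == "python.exe"
            and parent is not None
            and image_name(parent.image) == "psexesvc.exe")


def sc_start_from_powershell(tree: ProcessTree, e: ProcessEvent) -> bool:
    """sc.exe carrying a 'start' verb, launched from powershell.exe."""
    if image_name(e.image) != "sc.exe":
        return False
    parent = tree.parent(e)
    if parent is None or image_name(parent.image) != "powershell.exe":
        return False
    # Token 0 is the sc binary itself; a remote target (\\host) may precede the verb.
    return "start" in e.command_line.lower().split()[1:]


RULES: Dict[str, Callable[[ProcessTree, ProcessEvent], bool]] = {
    "Uncommon Process Execution from Services.exe": cmd_from_service_exe,
    "Service Execution: python.exe spawned by PSEXESVC.exe": python_from_psexesvc,
    "Service Execution: sc start via PowerShell": sc_start_from_powershell,
}


def detect(events: List[ProcessEvent]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event matching a rule, in event order."""
    tree = ProcessTree(events)
    return [(name, e.pid) for e in events for name, rule in RULES.items() if rule(tree, e)]


# Constructed sample: three malicious lineages plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent(600, 480, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcessEvent(3300, 600, r"C:\Windows\PAExec-1234-HOTELMANAGER.exe", "PAExec-1234-HOTELMANAGER.exe"),
    ProcessEvent(3310, 3300, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(4000, 600, r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ProcessEvent(4010, 4000, r"C:\Python\python.exe", "python.exe"),
    ProcessEvent(4400, 480, r"C:\Windows\System32\userinit.exe", "userinit.exe"),
    ProcessEvent(4500, 4400, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(5000, 4500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcessEvent(5010, 5000, r"C:\Windows\System32\sc.exe", r"sc.exe \\10.0.0.4 start ExampleSvc"),
    ProcessEvent(5020, 5000, r"C:\Windows\System32\sc.exe", "sc.exe query ExampleSvc"),  # benign: no start verb
    ProcessEvent(6000, 4500, r"C:\Windows\System32\cmd.exe", "cmd.exe"),                  # benign: explorer parent
]

if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

The grandparent check in the first rule is what keeps a cmd.exe launched from explorer.exe (which also lives directly in C:\Windows\) from firing; real telemetry would also carry the service's image signature and creation time, which the "Remote Windows Service Creation" note above leans on.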