Enterprise evaluation participant: GoSecure

Defense Evasion (TA0005)
Carbanak+FIN7

| Step | ATT&CK Pattern |
|------|----------------|
| 1.A.4 | Technique: Obfuscated Files or Information (T1027) |
| 1.A.5 | |
| 1.A.6 | |
| 3.A.2 | Technique: Modify Registry (T1112) |
| 3.A.3 | Technique: Obfuscated Files or Information (T1027) |
| 3.B.5 | |
| 4.B.4 | Technique: Modify Registry (T1112) |
| 5.C.6 | |
| 7.A.4 | |
| 9.A.3 | Technique: Process Injection (T1055) |
| 9.B.3 | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004) |
| 10.A.3 | Technique: Impair Defenses (T1562); Subtechnique: Disable or Modify System Firewall (T1562.004) |
| 10.A.5 | Technique: Modify Registry (T1112) |
| 10.A.6 | Technique: Modify Registry (T1112) |
| 11.A.2 | Technique: Obfuscated Files or Information (T1027) |
| 11.A.5 | |
| 11.A.6 | |
| 13.A.4 | Technique: Virtualization/Sandbox Evasion (T1497); Subtechnique: System Checks (T1497.001) |
| 14.A.3 | |
| 14.A.5 | |
| 16.A.7 | |
| 17.A.2 | Technique: Masquerading (T1036); Subtechnique: Match Legitimate Name or Location (T1036.005) |
| 18.A.1 | Technique: Process Injection (T1055) |
| 18.A.3 | Technique: Process Injection (T1055) |
| 19.B.2 | Technique: Obfuscated Files or Information (T1027) |
| 20.A.2 | Technique: Process Injection (T1055) |

Criteria: powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode
APT29

| Step | ATT&CK Pattern |
|------|----------------|
| 1.A.2 | |
| 3.A.2 | |
| 3.C.1 | Technique: Modify Registry (T1112) |
| 4.A.3 | |
| 4.B.2 | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004) |
| 4.B.3 | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004) |
| 4.B.4 | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004) |
| 6.A.3 | Technique: Masquerading (T1036); Subtechnique: Match Legitimate Name or Location (T1036.005) |
| 8.B.2 | |
| 8.C.1 | |
| 9.C.1 | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004) |
| 9.C.2 | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004) |
| 9.C.3 | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004) |
| 9.C.4 | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004) |
| 10.B.3 | |
| 11.A.2 | |
| 11.A.3 | Technique: Virtualization/Sandbox Evasion (T1497); Subtechnique: System Checks (T1497.001) |
| 11.A.10 | |
| 12.A.2 | Technique: Indicator Removal on Host (T1070); Subtechnique: Timestomp (T1070.006) |
| 14.A.3 | Technique: Modify Registry (T1112) |
| 14.B.5 | Technique: Obfuscated Files or Information (T1027) |
| 14.B.6 | |
| 17.C.2 | Technique: Obfuscated Files or Information (T1027) |

Procedure: python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed

Procedure: Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe

Procedure: Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_BIOS

Procedure: Read and decoded Mimikatz output from a WMI class property using PowerShell
Criteria: powershell.exe executing Get-WmiInstance
APT3

| Step | ATT&CK Pattern |
|------|----------------|
| 3.A.1.2 | |
| 5.B.1 | |
| 16.C.1 | |
| 16.I.1.2 | |
| 17.B.1 | |
| 17.B.2 | |
| 19.A.1.1 | Technique: Masquerading (T1036) |
| 19.B.1.3 | Technique: Masquerading (T1036) |
| 19.D.1 | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004) |
| 19.D.2 | Technique: Indicator Removal on Host (T1070); Subtechnique: File Deletion (T1070.004) |

Procedure: Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)
Footnotes:
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.

Procedure: Empire: File dropped to disk is a renamed copy of the WinRAR binary
Footnotes:
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.

Procedure: Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
Footnotes:
- The conditions contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.