Carbanak+FIN7

| Step | ATT&CK Pattern | Criteria | Detection Type | Detection Note | Screenshots |
| --- | --- | --- | --- | --- | --- |
| 5.C.3 | Service Execution (T1569.002) | cmd.exe spawns from a service executable in C:\Windows\ | Technique | A Technique detection named "ServiceStarted + ProcessCreation" was generated when cmd.exe spawned from a service executable in C:\Windows\. | [1] [2] |
| 5.C.3 | Service Execution (T1569.002) | cmd.exe spawns from a service executable in C:\Windows\ | General | A General detection named "ServiceStarted + ProcessCreation" (labelled Malicious) was generated when cmd.exe spawned from a service executable in C:\Windows\. The detection keys on a service spawning cmd.exe combined with the service executable running from the specified location. | [1] [2] [3] |
| 16.A.6 | Service Execution (T1569.002) | Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe | Technique | A Technique detection named "ServiceStarted + ProcessCreation" was generated when a Windows service started PAExec-7928-HOTELMANAGER.exe, which in turn executed hollow.exe. | [1] [2] [3] [4] |
APT29

| Step | ATT&CK Pattern | Procedure | Criteria | Detection Type | Detection Note | Screenshots |
| --- | --- | --- | --- | --- | --- | --- |
| 8.C.3 | Service Execution (T1035) | Executed python.exe using PsExec | python.exe spawned by PSEXESVC.exe | Telemetry | Telemetry showed python.exe spawned by PSEXESVC.exe. | [1] |
| 8.C.3 | Service Execution (T1035) | Executed python.exe using PsExec | python.exe spawned by PSEXESVC.exe | Tactic | A Tactic alert detection called "ProcessCreationExtra" was generated when PSEXESVC.exe executed python.exe. | [1] |
| 8.C.3 | Service Execution (T1035) | Executed python.exe using PsExec | python.exe spawned by PSEXESVC.exe | MSSP | An MSSP detection for "T1035" occurred, containing evidence of PsExec executing python.exe. | [1] |
| 10.A.1 | Service Execution (T1035) | Executed persistent service (javamtsup) on system startup | javamtsup.exe spawning from services.exe | Telemetry | Telemetry showed javamtsup.exe with parent process services.exe. | [1] |
| 10.A.1 | Service Execution (T1035) | Executed persistent service (javamtsup) on system startup | javamtsup.exe spawning from services.exe | MSSP | An MSSP detection for "T1035" occurred, containing evidence of javamtsup.exe with parent process services.exe. | [1] |
| 10.A.1 | Service Execution (T1035) | Executed persistent service (javamtsup) on system startup | javamtsup.exe spawning from services.exe | Tactic | A Tactic alert detection called "ProcessCreationExtra" was generated when services.exe executed javamtsup.exe. | [1] |
APT3

| Step | ATT&CK Pattern | Procedure | Detection Type | Detection Note | Screenshots |
| --- | --- | --- | --- | --- | --- |
| 16.L.1 | Service Execution (T1035) | Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) | General Behavior | A General Behavior alert was generated for the lateral movement activity. A new story grouping was created for the event on Creeper so that subsequent activity could be associated with it. | [1] [2] |
| 16.L.1 | Service Execution (T1035) | Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) | Telemetry | Telemetry showed execution of sc.exe to start the AdobeUpdater service on Creeper. The event was tainted (flagged as related to earlier malicious activity) because it belonged to the same story (Group ID) as the initial compromise step. | [1] [2] |
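Across the three rounds the detection criteria reduce to one correlation: a service start followed by a process creation whose parent (or whose own image) is the just-started service binary, with PsExec-family service names (PSEXESVC.exe, PAExec-{PID}-{HOST}.exe) and an `sc start` command line as special cases. The script below is an added example, not the evaluated vendor's detection logic and not code from MITRE; it replays that correlation over constructed events whose fields mimic System-log service-state records and Sysmon process-creation records. The service name ExampleSvc, all file paths, the timestamps and the 60-second correlation window are assumptions chosen for the example.

```python
"""Added example: "ServiceStarted + ProcessCreation" correlation for Service Execution.
Not the evaluated vendor's logic. Events are constructed; fields follow System-log
service-state records (service, binary path) and Sysmon Event ID 1 (image, parent, cmdline)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(seconds=60)  # assumption: spawn within 60 s of the service start counts
# PsExec-family service binaries: PSEXESVC.exe and PAExec-<PID>-<HOST>.exe
PSEXEC_LIKE = re.compile(r"(?:^|\\)(PSEXESVC\.exe|PAExec-\d+-[^\\]+\.exe)$", re.IGNORECASE)
BENIGN_SERVICE_HOSTS = {"svchost.exe"}  # tuning assumption for the services.exe rule


@dataclass
class Event:
    ts: datetime
    kind: str            # "ServiceStarted" or "ProcessCreation"
    image: str           # service binary path, or the created process image
    parent: str = ""     # parent image (ProcessCreation only)
    cmdline: str = ""    # command line (ProcessCreation only)
    service: str = ""    # service name (ServiceStarted only)


@dataclass
class Alert:
    rule: str
    image: str
    parent: str
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Alert]:
    """Replay events in time order and alert on the four patterns described on this page."""
    alerts: List[Alert] = []
    recent: Dict[str, Event] = {}  # lower-cased service binary path -> its ServiceStarted event
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "ServiceStarted":
            recent[ev.image.lower()] = ev
            continue
        if ev.kind != "ProcessCreation":
            continue
        recent = {k: s for k, s in recent.items() if ev.ts - s.ts <= WINDOW}  # expire old starts
        parent_svc = recent.get(ev.parent.lower())  # parent is a service binary just started
        self_svc = recent.get(ev.image.lower())     # the new process is itself a service binary
        if PSEXEC_LIKE.search(ev.parent):
            # APT29 8.C.3 and FIN7 16.A.6: PSEXESVC.exe / PAExec-*.exe spawning a process
            alerts.append(Alert("RemoteServiceExecution", ev.image, ev.parent,
                                "PsExec-family service binary spawned a process"))
        elif _base(ev.image) == "cmd.exe" and parent_svc and ev.parent.lower().startswith("c:\\windows\\"):
            # Carbanak 5.C.3: cmd.exe spawned by a freshly started service executable in C:\Windows\
            alerts.append(Alert("ServiceStarted+ProcessCreation", ev.image, ev.parent,
                                f"service {parent_svc.service} spawned cmd.exe"))
        elif _base(ev.parent) == "services.exe" and self_svc and _base(ev.image) not in BENIGN_SERVICE_HOSTS:
            # APT29 10.A.1: services.exe launching a service binary (javamtsup) at startup
            alerts.append(Alert("ServiceBinaryStart", ev.image, ev.parent,
                                f"service {self_svc.service} launched by services.exe"))
        elif _base(ev.image) == "sc.exe" and re.search(r"\bstart\b", ev.cmdline, re.IGNORECASE):
            # APT3 16.L.1: sc.exe used to start a service
            alerts.append(Alert("ScStart", ev.image, ev.parent, ev.cmdline))
    return alerts


def rule_names(events: List[Event]) -> List[str]:
    return [a.rule for a in detect(events)]


T0 = datetime(2021, 1, 1, 12, 0, 0)  # constructed timestamps
S = timedelta

# Constructed sample: one event group per evaluation step, plus one benign spawn.
SAMPLE_EVENTS = [
    # Carbanak 5.C.3 (service name and path are placeholders, not from the evaluation)
    Event(T0, "ServiceStarted", r"C:\Windows\examplesvc.exe", service="ExampleSvc"),
    Event(T0 + S(seconds=2), "ProcessCreation", r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\examplesvc.exe", cmdline="cmd.exe /c whoami"),
    # APT29 8.C.3 (python.exe path is a placeholder)
    Event(T0 + S(minutes=5), "ProcessCreation", r"C:\Python\python.exe",
          parent=r"C:\Windows\PSEXESVC.exe", cmdline="python.exe"),
    # APT29 10.A.1 (javamtsup.exe path is a placeholder)
    Event(T0 + S(minutes=10), "ServiceStarted", r"C:\Windows\javamtsup.exe", service="javamtsup"),
    Event(T0 + S(minutes=10, seconds=1), "ProcessCreation", r"C:\Windows\javamtsup.exe",
          parent=r"C:\Windows\System32\services.exe", cmdline="javamtsup.exe"),
    # FIN7 16.A.6 (hollow.exe path is a placeholder)
    Event(T0 + S(minutes=15), "ServiceStarted", r"C:\Windows\PAExec-7928-HOTELMANAGER.exe",
          service="PAExec-7928-HOTELMANAGER"),
    Event(T0 + S(minutes=15, seconds=1), "ProcessCreation", r"C:\Windows\Temp\hollow.exe",
          parent=r"C:\Windows\PAExec-7928-HOTELMANAGER.exe", cmdline="hollow.exe"),
    # APT3 16.L.1
    Event(T0 + S(minutes=20), "ProcessCreation", r"C:\Windows\System32\sc.exe",
          parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="sc start AdobeUpdater"),
    # Benign: svchost.exe from services.exe with no matching service start -> no alert
    Event(T0 + S(minutes=30), "ProcessCreation", r"C:\Windows\System32\svchost.exe",
          parent=r"C:\Windows\System32\services.exe", cmdline="svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule:32} {a.parent} -> {a.image}  ({a.detail})")
```

The services.exe rule is the noisy one in practice: every service start on a Windows host produces a services.exe child, so the correlation with a recent ServiceStarted record and the BENIGN_SERVICE_HOSTS allowlist are what keep it from alerting on routine service hosts; a deployment would extend that allowlist and add binary-path checks (signed, under System32) rather than relying on the file name alone. The PsExec-family rule deliberately fires on the parent name without correlation, because PSEXESVC.exe and PAExec-{PID}-{HOST}.exe are installed and started in the same operation and the service-start record may arrive on a different host than the spawn.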