Carbanak+FIN7

Step | ATT&CK Pattern | Detection Type | Detection Note
11.A.3 | Mshta | Technique | A Technique detection named "Mshta.exe launched with suspicious arguments" (Medium) was generated when winword.exe spawned mshta.exe. [1]

[1] winword.exe spawns mshta.exe
APT29

Step | ATT&CK Pattern | Detection Type | Detection Note
20.A.1 | Rundll32 | Telemetry | Telemetry showed rundll32.exe executing kxwn.lock. [1] [2]
20.A.1 | Rundll32 | MSSP | An MSSP detection was generated containing evidence of rundll32.exe executing kxwn.lock. [1]

[1] [2]
Executed Run key persistence payload on user login using RunDll32
rundll32.exe executing kxwn.lock
APT3

Step | ATT&CK Pattern | Detection Type | Detection Note
1.A.1.2 | Rundll32 | Specific Behavior (Tainted) | Specific Behavior alerts were generated for rundll32. The alerts were tagged with the correct ATT&CK Technique (Rundll32) and were tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4]
1.A.1.2 | Rundll32 | General Behavior (Tainted) | A General Behavior alert was generated based on rundll32.exe executing update.dat, identified as a suspicious DLL and malware. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4]
1.A.1.2 | Rundll32 | Telemetry (Tainted) | Telemetry showed rundll32.exe executing update.dat with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4]
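The three evaluations above report two process-creation signals: an Office process (winword.exe) spawning mshta.exe, and rundll32.exe being handed a module that is not a DLL (kxwn.lock, update.dat). The following Python is an added example, not code from the evaluation page or from any evaluated vendor. It runs those two checks over a constructed stream of process-creation events and also propagates the page's notion of a "tainted" result: once a process trips a rule, every later event from it or its descendants is marked tainted. The PIDs, file paths, the .hta name, the rundll32 entry-point names and the chain of parents are assumptions made up for the sample; only the image names and the two payload file names come from the tables.

```python
"""Detection logic for the behaviours reported in the tables above.
Added example; not part of the evaluation page or any vendor product.
All events below are constructed, not real telemetry."""
import ntpath
import shlex
from dataclasses import dataclass

# Office hosts whose children should not be script/proxy-execution binaries.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Extensions rundll32.exe is normally asked to load.
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    pid: int
    rules: list
    tainted: bool


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes stripped."""
    return ntpath.basename(path.strip('"')).lower()


def rundll32_module(command_line: str):
    """Return the module rundll32.exe was told to load, or None.
    Syntax is `rundll32.exe <module>,<entrypoint> [args]`; the module may
    be quoted. shlex in non-POSIX mode keeps backslashes literal."""
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:            # unbalanced quotes: fall back to whitespace
        tokens = command_line.split()
    if len(tokens) < 2:
        return None
    return tokens[1].strip('"').split(",", 1)[0]


def rule_office_spawns_mshta(ev: ProcessEvent) -> bool:
    """Carbanak+FIN7 11.A.3: winword.exe -> mshta.exe."""
    return _base(ev.image) == "mshta.exe" and _base(ev.parent_image) in OFFICE_PARENTS


def rule_rundll32_non_dll(ev: ProcessEvent) -> bool:
    """APT29 20.A.1 / APT3 1.A.1.2: rundll32.exe loading kxwn.lock / update.dat."""
    if _base(ev.image) != "rundll32.exe":
        return False
    module = rundll32_module(ev.command_line)
    if module is None:
        return False
    return ntpath.splitext(module)[1].lower() not in DLL_EXTENSIONS


RULES = {
    "Office process spawned mshta.exe": rule_office_spawns_mshta,
    "rundll32.exe loaded a non-DLL module": rule_rundll32_non_dll,
}


def evaluate(events):
    """Run every rule over an ordered event stream. A process that fired a
    rule, and every descendant of it, taints later events (the tables'
    "tainted by a parent alert")."""
    tainted_pids = set()
    findings = []
    for ev in events:
        tainted = ev.ppid in tainted_pids
        if tainted:
            tainted_pids.add(ev.pid)
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            tainted_pids.add(ev.pid)
            findings.append(Finding(ev.pid, fired, tainted))
    return findings


# Constructed sample chain (PIDs, paths, launch.hta and entry points assumed).
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'),
    ProcessEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Users\user\AppData\Local\Temp\launch.hta"),
    ProcessEvent(300, 200, r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\user\AppData\Local\Temp\update.dat,Start"),
    ProcessEvent(400, 1, r"C:\Windows\explorer.exe",       # Run-key payload at logon
                 r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\user\AppData\Roaming\kxwn.lock,#1"),
    ProcessEvent(500, 1, r"C:\Windows\explorer.exe",       # benign control-panel launch
                 r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {', '.join(f.rules)} (tainted={f.tainted})")
```

The extension check is deliberately a whitelist of what rundll32 legitimately loads rather than a blocklist of odd names: both kxwn.lock and update.dat fail it, and a renamed DLL with any other extension would too. The taint flag is the part a triage analyst cares about in the APT3 rows: it tells them the rundll32 event is a continuation of an earlier alert rather than an isolated finding.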