Carbanak+FIN7

| Step | Detection Type | Detection Note | Criteria | Data Sources |
|---|---|---|---|---|
| 5.C.2 | General | A General detection named "Remotely creating or modifying files or folders" (Critical) was generated when a service binary was remotely created on 10.0.0.4. [1] | psexec.py connects to SMB shares on 10.0.0.4 | Process Monitoring, File Monitoring [1] |
| 5.C.2 | | | psexec.py connects to SMB shares on 10.0.0.4 | Process Monitoring, Windows Event Logs, Network Monitoring [1] [2] |
| 16.A.5 | Technique | A Technique detection named "Detected remote execution attempt using Paexec tool" (Orange) was generated when paexec.exe was executed to access 10.0.1.6. [1] [2] | SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed | Process Monitoring, File Monitoring [1] [2] |
| 16.A.5 | Technique | A Technique detection named "A file was copied on the administrative share of a remote endpoint" was generated when paexec.exe was used to remotely copy a file to an admin share on 10.0.1.6. [1] | SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed | Process Monitoring, Network Monitoring, File Monitoring, Named Pipes [1] |
| 16.A.5 | Technique | A Technique detection named "Paexec has been used to execute a process from a remote endpoint" (Orange) was generated when paexec.exe was used to execute a service executable process from 10.0.1.5 to 10.0.1.6. [1] | SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed | Process Monitoring, File Monitoring, Network Monitoring [1] |
APT29

| Step | Detection Type | Detection Note | Procedure | Criteria |
|---|---|---|---|---|
| 8.C.2 | Telemetry | Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 135. The detection was correlated to a parent alert for PowerShell. [1] | Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec | SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share [1] |
APT3

| Step | Detection Type | Detection Note | Procedure |
|---|---|---|---|
| 16.A.1.2 | Telemetry | Telemetry showed powershell.exe executing repeated logon attempts targeting ADMIN$ via net.exe. The telemetry was tainted by a trace detection on powershell.exe. [1] | Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6) [1] |
| 16.B.1.2 | Specific Behavior | A Specific Behavior alert was generated for the net utility executed to authenticate to a remote admin share with valid accounts. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares). [1] [2] | Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5) [1] [2] |
| 16.B.1.2 | Telemetry | Telemetry showed a logon attempt via net.exe to ADMIN$ with command-line arguments to log on using the valid credentials of user Kmitnick. The telemetry was tainted by a trace detection on powershell.exe. [1] [2] | Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5) [1] [2] |
| 16.D.1.1 | Specific Behavior | A Specific Behavior alert was generated for the net utility executed to authenticate to a remote admin share with valid accounts. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares). [1] [2] | Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5) [1] [2] |
| 16.D.1.1 | Telemetry | Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on powershell.exe. [1] [2] | Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5) [1] [2] |
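The criteria in the three tables above (an SMB session on TCP 135/445 with an admin share accessed, a PsExec/PAExec service push, net.exe authenticating to ADMIN$ with valid credentials, and a burst of ADMIN$ logon attempts) can be expressed as a small set of host-log rules plus one correlation step. The following Python is an added example written for this page; it is not the evaluated vendor's detection logic nor MITRE's evaluation tooling. The event records are constructed inline and use a simplified dictionary shape for Sysmon events 1 (process create), 3 (network connect), 17/18 (named pipe) and Windows Security event 5140 (network share object accessed); the field names, hosts and users are assumptions, with the IPs chosen to mirror the tables.

```python
"""Admin-share lateral movement detector (T1021.002). Added example, not from the page."""
import re
from collections import defaultdict
from dataclasses import dataclass

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
REMOTE_EXEC_TOOLS = {"psexec.exe", "paexec.exe"}   # service-push tools named in the tables
SMB_PORTS = {135, 445}                              # ports the criteria rows name
# \\host\ADMIN$ style UNC path on a command line (net use, copy, ...)
SHARE_RE = re.compile(r"\\\\([^\\\s]+)\\(ADMIN\$|C\$|IPC\$)", re.I)
# Pipes opened by PsExec/PAExec service stubs: \PSEXESVC..., \PAExec-<pid>-<host>...
PIPE_RE = re.compile(r"^\\(psexesvc|paexec-\d+-)", re.I)

# Constructed sample events (assumed simplified shape, not real log exports).
SAMPLE_EVENTS = [
    # 16.A.5 shape: PAExec on 10.0.1.5 pushes a service binary to 10.0.1.6
    {"src": "sysmon", "id": 1, "host": "10.0.1.5", "image": "C:\\Tools\\paexec.exe",
     "parent": "cmd.exe", "cmdline": "paexec.exe \\\\10.0.1.6 -s -c svc.exe"},
    {"src": "sysmon", "id": 3, "host": "10.0.1.5", "image": "C:\\Tools\\paexec.exe",
     "dst_ip": "10.0.1.6", "dst_port": 445},
    {"src": "security", "id": 5140, "host": "10.0.1.6", "share": "\\\\*\\ADMIN$",
     "src_ip": "10.0.1.5", "user": "DOMAIN\\svc_admin"},
    {"src": "sysmon", "id": 17, "host": "10.0.1.6",
     "image": "C:\\Windows\\PAExec-1234-HOST5.exe", "pipe": "\\PAExec-1234-HOST5"},
    # 16.A.1.2 / 16.B.1.2 shape: PowerShell drives net.exe through repeated ADMIN$ logons
    {"src": "sysmon", "id": 1, "host": "10.0.0.3", "image": "C:\\Windows\\System32\\net.exe",
     "parent": "powershell.exe", "cmdline": "net use \\\\10.0.1.4\\ADMIN$ /user:DOMAIN\\kmitnick Pass1"},
    {"src": "sysmon", "id": 1, "host": "10.0.0.3", "image": "C:\\Windows\\System32\\net.exe",
     "parent": "powershell.exe", "cmdline": "net use \\\\10.0.1.6\\ADMIN$ /user:DOMAIN\\kmitnick Pass2"},
    {"src": "sysmon", "id": 1, "host": "10.0.0.3", "image": "C:\\Windows\\System32\\net.exe",
     "parent": "powershell.exe", "cmdline": "net use \\\\10.0.0.5\\ADMIN$ /user:DOMAIN\\kmitnick Pass3"},
    # Benign: a browser over HTTPS to the same target must not match anything
    {"src": "sysmon", "id": 3, "host": "10.0.0.3", "image": "C:\\Program Files\\chrome.exe",
     "dst_ip": "10.0.1.6", "dst_port": 443},
]


@dataclass(frozen=True)
class Finding:
    kind: str    # rule that fired
    host: str    # endpoint whose log produced the evidence
    detail: str


def _image_name(event):
    return event.get("image", "").rsplit("\\", 1)[-1].lower()


def match_event(event):
    """Apply the per-event rules; returns a Finding or None."""
    src, eid, img = event["src"], event["id"], _image_name(event)
    if src == "sysmon" and eid == 1:                      # process creation
        share = SHARE_RE.search(event["cmdline"])
        if img == "net.exe" and share:
            creds = "/user:" in event["cmdline"].lower()
            return Finding("net_admin_share_logon", event["host"],
                           f"{share.group(2).upper()} on {share.group(1)}"
                           + (" with explicit credentials" if creds else ""))
        if img in REMOTE_EXEC_TOOLS:
            return Finding("remote_exec_tool", event["host"], event["cmdline"])
    if src == "sysmon" and eid == 3:                      # network connection
        if event["dst_port"] in SMB_PORTS and img in REMOTE_EXEC_TOOLS:
            return Finding("smb_session_by_exec_tool", event["host"],
                           f"{img} -> {event['dst_ip']}:{event['dst_port']}")
    if src == "security" and eid == 5140:                 # network share object accessed
        share = event["share"].rsplit("\\", 1)[-1].upper()
        if share in ADMIN_SHARES:
            return Finding("admin_share_access", event["host"],
                           f"{share} from {event['src_ip']} as {event['user']}")
    if src == "sysmon" and eid in (17, 18):               # pipe created / connected
        if PIPE_RE.match(event["pipe"]):
            return Finding("psexec_style_pipe", event["host"], event["pipe"])
    return None


def detect(events):
    """Per-event rules, then per-host correlation for the Technique-level verdicts."""
    findings = [f for f in map(match_event, events) if f is not None]
    kinds_by_host = defaultdict(list)
    for f in findings:
        kinds_by_host[f.host].append(f.kind)
    for host, kinds in kinds_by_host.items():
        # admin share written plus a PsExec-style pipe on the same target: remote service execution
        if {"admin_share_access", "psexec_style_pipe"} <= set(kinds):
            findings.append(Finding("remote_service_execution", host,
                                    "admin share access followed by PsExec/PAExec service pipe"))
        # several net.exe ADMIN$ logons from one source host: spraying, not administration
        n = kinds.count("net_admin_share_logon")
        if n >= 3:
            findings.append(Finding("admin_share_logon_burst", host, f"{n} admin share logons via net.exe"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.kind:26} {f.host:10} {f.detail}")
```

The per-event rules map onto the data sources listed in the Carbanak+FIN7 rows (process, network, file share and named-pipe telemetry), while the correlation step is what turns them into the "Technique" verdicts those rows describe; the HTTPS connection to the same target is included to show that port and process identity, not the destination alone, drive the SMB rule.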