Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 4.B.7 | smrs.exe opens and reads lsass.exe [1] | Technique | A Technique detection named "LsassRead Event" was generated when smrs.exe opened and read lsass.exe. [1] |
| 15.A.6 | samcat.exe opens and reads the SAM via LSASS | | Minimum detection criteria was not met for this procedure. |

APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 14.B.4 | Dumped plaintext credentials using Mimikatz (m.exe): m.exe injecting into lsass.exe to dump credentials [1] | Technique (alert, high severity) | A Technique alert detection (high severity) called "GUARD: Possible Mimikatz" was generated when command-line arguments contained "sekurlsa". [1] |
| 14.B.4 | Dumped plaintext credentials using Mimikatz (m.exe): m.exe injecting into lsass.exe to dump credentials [1] | General (alert, medium severity) | A General alert detection (medium severity) called "Win_Process_Dump_MITRET1005" was generated based on the detection of the dumping of process memory. [1] |
| - | - | - | According to the vendor, this would have been prevented due to sekurlsa usage. [1] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe): m.exe injecting into lsass.exe to dump credentials [1] | Technique (alert, high severity) | A Technique alert detection (high severity) called "GUARD: Possible Mimikatz" was generated for m.exe with command-line arguments indicative of Mimikatz credential dumping. [1] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe): m.exe injecting into lsass.exe to dump credentials [1] | MSSP | An MSSP detection for "Data Theft and Exfiltration" occurred containing evidence of "lsadump" with command-line arguments identified as Possible Mimikatz usage. [1] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe): m.exe injecting into lsass.exe to dump credentials [1] | General (alert) | A General alert detection was generated identifying an exploit attempt when m.exe attempted to create a remote thread. [1] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe): m.exe injecting into lsass.exe to dump credentials [1] | Telemetry | Telemetry showed m.exe injecting a thread into lsass.exe. [1] |