Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
1.A.11
|
|
|
A Technique detection named "StandardCryptographicProtocol - T1573 Encrypted Channel" (Info) was generated when wscript.exe connected to 192.168.0.4 over HTTPS (port 443).
[1]
[2]
|
|
8.A.3
|
|
|
A Technique detection named "StandardCryptographicProtocol - T1573 Encrypted Channel" (Info) was generated when Java-Update.exe exchanged data with 192.168.0.4 over HTTPS protocol (port 80).
[1]
|
|
|
|
14.A.7
|
|
|
A Technique detection named "CryptographicProtocolUsage - T1573 Encrypted Channel" was generated when powershell.exe connected to 192.168.0.4 over HTTPS (port 443).
[1]
[2]
|
|
A General detection named "PowershellSslConnection" (Low) was generated when powershell.exe connected to 192.168.0.4 over HTTPS (port 443).
[1]
|
|
|
|
16.A.9
|
|
|
A Technique detection named "StandardCryptographicProtocol - T1573 Encrypted Channel" (Info) was generated when svchost.exe exchanged data with 192.168.0.4 over HTTPS protocol (port 443).
[1]
|
|
A General detection named "SslConnection" (Info) was generated when svchost.exe exchanged data with 192.168.0.4 over HTTPS protocol (port 443).
[1]
|
|
|
|
17.A.6
|
|
|
|
|
A Technique detection named "StandardCryptographicProtocol - T1573 Encrypted Channel" (Info) was generated when rundll32.exe exchanged data with 192.168.0.4 over HTTPS protocol (port 8080).
[1]
[2]
|
|
20.A.4
|
|
|
|
|
A Technique detection named "StandardCryptographicProtocol - T1573 Encrypted Channel" was generated when rundll32.exe exchanged TLS/SSL encrypted data with 192.168.0.4.
[1]
|
|
wscript.exe transmits data to 192.168.0.4 over HTTPS protocol
-
Process Monitoring
-
Network Monitoring
[1]
[2]
Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol
-
Network Monitoring
-
Process Monitoring
[1]
Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol
-
Network Monitoring
-
Process Monitoring
[1]
[2]
powershell.exe transmits data to 192.168.0.4 over HTTPS protocol
-
Process Monitoring
-
Network Monitoring
[1]
[2]
powershell.exe transmits data to 192.168.0.4 over HTTPS protocol
-
Network Monitoring
-
Process Monitoring
[1]
powershell.exe transmits data to 192.168.0.4 over HTTPS protocol
-
Process Monitoring
-
Network Monitoring
[1]
svchost.exe transmits data to 192.168.0.4 over HTTPS protocol
-
Process Monitoring
-
Network Monitoring
[1]
svchost.exe transmits data to 192.168.0.4 over HTTPS protocol
-
Process Monitoring
-
Network Monitoring
[1]
svchost.exe transmits data to 192.168.0.4 over HTTPS protocol
-
Network Monitoring
-
Process Monitoring
[1]
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
-
Process Monitoring
-
Network Monitoring
[1]
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
-
Process Monitoring
-
Network Monitoring
[1]
[2]
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
-
Process Monitoring
-
Network Monitoring
[1]
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
-
Process Monitoring
-
Network Monitoring
[1]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
3.B.5
|
|
Telemetry
(Configuration Change (Detections))
|
Telemetry showed a SSL connection to to 192.168.0.5 on port 443.
[1]
[2]
|
|
11.A.15
|
|
Telemetry
(Configuration Change (Detections))
|
Telemetry showed powershell.exe making an network connection to C2 (192.168.0.4) over port 443, which was identified as using the SSL protocol.
[1]
|
|
Used HTTPS to encrypt C2 (192.168.0.5) traffic
Evidence that the network data sent over the C2 channel is encrypted
-
The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
[1]
[2]
Used HTTPS to encrypt C2 (192.168.0.4) traffic
Evidence that the network data sent over the C2 channel is encrypted
-
The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
[1]