Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
1.A.8
|
|
|
A Tactic detection named "Suspicious Script Execution" (malicious) was generated when wscript.exe spawned cmd.exe via the execution of a suspicious script.
[1]
|
|
|
|
2.B.2
|
|
|
A Technique detection named "Command and Scripting Interpreter: Windows Command Shell" was generated when wscript.exe spawned cmd.exe.
[1]
|
|
|
|
3.A.1
|
|
|
|
|
A Technique detection named "Command and Scripting Interface: Windows Command Shell, T1059.003" was generated when wscript.exe spawned cmd.exe.
[1]
|
|
3.B.2
|
|
|
A Technique detection named "Command and Scripting Interpreter: Windows Command Shell" was generated when wscript.exe spawned cmd.exe.
[1]
|
|
|
|
4.B.6
|
|
|
|
|
A General detection named "File Execution Attempt" (malicious) was generated when cmd.exe executed smrs.exe.
[1]
|
|
5.A.6
|
|
|
A Technique detection named "Command and Scripting Interpreter: Windows Command Shell, T1059.003" was generated when powershell.exe spawned cmd.exe.
[1]
|
|
|
|
A Tactic detection named "Suspicious Script Execution" (malicious) was generated when powershell.exe spawned cmd.exe.
[1]
|
|
5.C.5
|
|
|
7.A.2
|
|
|
|
|
A Technique detection named "Command and Scripting Interpreter: Windows Command Shell, T1059.003" was generated when tiny.exe spawned cmd.exe.
[1]
|
|
13.A.2
|
|
|
A Technique detection named "Command and Scripting Interpreter: Windows Command Shell, T1059.003" was generated when Adb156.exe spawned cmd.exe.
[1]
|
|
|
|
13.B.2
|
|
|
A Technique detection named "Command and Scripting Interpreter: Windows Command Shell, T1059.003" was generated when Adb156.exe spawned cmd.exe.
[1]
[2]
|
|
|
|
14.A.1
|
|
|
A Technique detection named "Command and Scripting Interpreter: Windows Command Shell, T1059.003" was generated when Adb156.exe spawned cmd.exe.
[1]
|
|
|
|
16.A.3
|
|
|
|
|
A Technique detection named "Command and Scripting Interpreter: Windows Command Shell, T1059.003" was generated when powershell.exe spawned cmd.exe.
[1]
|
|
17.A.3
|
|
|
A Technique detection named "Command and Scripting Interface: Windows Command Shell, T1059.003" was generated when svchost.exe spawned cmd.exe.
[1]
|
|
|
|
A General detection named "Create Process Hollowing" (malicious) was generated when svchost.exe spawned cmd.exe due to process hollowing of an unmapped executable.
[1]
|
|