Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
1.A.9
|
|
|
|
|
A Technique detection named "T1059: Command-line Interface (Windows command prompt invoked)" (15) was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js.
[1]
|
|
A General detection named "Malicious Process Identified" (Red) was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js.
[1]
|
|
12.A.2
|
|
Technique
(Configuration Change (Detection Logic))
|
A Technique detection named "T1059 - Command and Scripting Interpreter Invoked (DLL Load)" was generated when Adb156.exe loaded scrobj.dll.
[1]
|
|
A General detection named "Malicious Process Identified" (Red) was generated when Adb156.exe loaded scrobj.dll and executed sql-rat.js using Jscript.
[1]
|
|
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
[1]
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
[1]
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
[1]
Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript
-
DLL Monitoring
-
Process Monitoring
[1]
Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript
[1]
APT29
|
The subtechnique was not in scope.
|
APT3
|
The subtechnique was not in scope.
|