Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
4.B.7
|
|
|
|
|
A General detection (10) was generated when smrs.exe is identified as Mimikatz.
[1]
|
|
15.A.6
|
|
|
A General detection named "S0002 Mimikatz" (9) was generated when samcat.exe was identified as Mimikatz.
[1]
|
|
smrs.exe opens and reads lsass.exe
-
Process Monitoring
-
File Monitoring
[1]
smrs.exe opens and reads lsass.exe
-
File Monitoring
-
Process Monitoring
[1]
samcat.exe opens and reads the SAM via LSASS
[1]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
6.C.1
|
|
Technique
(Alert, Correlated)
|
A Technique alert detection (yellow indicator) for "Credential Dumping" was generated when powershell.exe attempted to read the lsass.exe process memory. The event was correlated to a parent Technique detection for User Execution on rcs.3aka3.doc.
[1]
|
|
An MSSP detection for "Credential Dumping" was received that described PowerShell dumping credentials from LSASS process memory.
[1]
|
|
14.B.4
|
|
|
A Technique alert detection (yellow indicator) of "Credential Dumping" was generated for dumping credentials/keys from Lsass process memory
[1]
|
|
A Technique alert detection (red indicator) of "Credential Dumping" was generated for command-line arguments indicative of Mimikatz credential dumping.
[1]
|
|
An MSSP detection for "Credential Dumping" was received that described the adversary executing m.exe to access LSASS process memory.
[1]
|
|
16.D.2
|
|
|
A Technique alert detection (red indicator) for "Credential Dumping" was generated for m.exe with command-line arguments indicative of Mimikatz credential dumping.
[1]
|
|
A General alert detection (yellow indicator) was generated identifying m.exe as threat activity.
[1]
|
|
An MSSP detection for "Credential Dumping" was received that described the adversary remotely executing m.exe to dump the krbtgt hash.
[1]
[2]
[3]
|
|
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
[1]
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
[1]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
[2]
[3]