Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
17.A.4
|
|
|
|
|
A General detection named "Defense Evasion via Process Injection" (High) was generated when a userspace process (SystemPropertiesAdvanced.exe) spawned a new process (rundll32.exe) and used it to execute shellcode in srrstr.dll.
[1]
[2]
|
Technique
(Configuration Change (Detection Logic))
|
A Technique detection named "DLL Search Order Hijacking" was generated when SystemPropertiesAdvanced.exe loaded the illegitimate srrstr.dll.
[1]
|
|
SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll
-
DLL Monitoring
-
Process Monitoring
-
System Calls/API Monitoring
[1]
SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll
[1]
[2]
SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll
[1]
APT29
|
The technique was not in scope.
|
APT3
|
The technique was not in scope.
|