Carbanak+FIN7
| Step | ATT&CK Pattern | Detection Type | Detection Note |
|------|----------------|----------------|----------------|
| 1.A.8 | | | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when cmd.exe spawned a suspicious child process. [1] |
| 1.A.8 | | | A Tactic detection named "Execution" was generated when wscript.exe spawned cmd.exe. [1] |
| 2.B.2 | | | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when wscript.exe spawned cmd.exe. [1] |
| 3.A.1 | | | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when wscript.exe spawned cmd.exe. [1] |
| 3.B.2 | | | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when wscript.exe spawned cmd.exe. [1] |
| 4.B.6 | | | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when cmd.exe executed smrs.exe. [1] |
| 5.A.6 | | | A Technique detection named "A malicious PowerShell cmdlet was invoked on the machine" (Medium) was generated when powershell.exe executed cmd.exe with a named pipe as stdin. [1] |
| 5.A.6 | | | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when powershell.exe spawned cmd.exe. [1] |
| 5.C.5 | | | A Tactic detection named "Execution" was generated when cmd.exe spawned tiny.exe. [1] |
| 5.C.5 | | | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when cmd.exe spawned tiny.exe. [1] |
| 7.A.2 | | | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when tiny.exe spawned cmd.exe. [1] |
| 7.A.2 | | | A Tactic detection named "Execution" was generated when tiny.exe spawned cmd.exe. [1] |
| 7.A.2 | | | A Technique detection named "A malicious PowerShell cmdlet was invoked on the machine" (Medium) was generated when tiny.exe spawned cmd.exe with a named pipe as stdin. [1] |
| 13.A.2 | | | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when Adb156.exe spawned cmd.exe. [1] |
| 13.B.2 | | | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when Adb156.exe spawned cmd.exe. [1] |
| 14.A.1 | | | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when Adb156.exe spawned cmd.exe. [1] |
| 14.A.1 | | | A Tactic detection named "Execution" was generated when Adb156.exe spawned cmd.exe. [1] |
| 16.A.3 | | | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when powershell.exe spawned cmd.exe. [1] |
| 16.A.3 | | | A Tactic detection named "powershell.exe created process cmd.exe" was generated when powershell.exe spawned cmd.exe. [1] |
| 17.A.3 | | | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when svchost.exe spawned cmd.exe. [1] |