Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
4.B.7
|
|
|
A Technique detection named "Sync.Mimikatz_RPM" (High) was generated when smrs.exe opened and read lsass.exe.
[1]
|
|
A Technique detection named "MiniDumper" (High) was generated when smrs.exe opened and read lsass.exe.
[1]
|
|
A General detection named "Yara Malware Signature" (High) was generated when smrs.exe was detected as a credential dumper.
[1]
|
|
|
|
15.A.6
|
|
|
A Technique detection named "Behavioral Threat" was generated when a suspicious handle to lsass was detected.
[1]
[2]
|
|
A Technique detection named "Behavioral Threat" (Informational) was generated when a registry query for the SAM hive occured.
[1]
[2]
|
|
A General detection named "YARA Malware Signature" was generated when samcat.exe was identified as a credential dumper.
[1]
|
|
A Technique detection named "Mimikatz LSA Dump" (High) was generated when samcat.exe opened and read lsass.exe.
[1]
|
|
smrs.exe opens and reads lsass.exe
-
System Calls/API Monitoring
-
Process Monitoring
[1]
smrs.exe opens and reads lsass.exe
-
System Calls/API Monitoring
-
Process Monitoring
[1]
smrs.exe opens and reads lsass.exe
[1]
smrs.exe opens and reads lsass.exe
-
System Calls/API Monitoring
-
Process Monitoring
[1]
samcat.exe opens and reads the SAM via LSASS
[1]
[2]
samcat.exe opens and reads the SAM via LSASS
-
Process Monitoring
-
Windows Registry
[1]
[2]
samcat.exe opens and reads the SAM via LSASS
-
File Monitoring
-
Process Monitoring
[1]
samcat.exe opens and reads the SAM via LSASS
[1]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
6.C.1
|
|
|
An MSSP detection for "Mimikatz" was received that described PowerShell dumping credentials from LSASS process memory.
[1]
[2]
|
Technique
(Delayed (Processing), Alert)
|
A Technique alert detection (red indicator) called "Credentials in Registry" was generated due to a group owner child process querying the User SAM registry keys. Detection incurred a delay based on additional data processing to generate the behavioral threat.
[1]
[2]
|
|
14.B.4
|
|
|
A General alert was generated identifying m.exe as malware.
[1]
|
|
A Technique alert detection (high severity) for Credential Dumping was generated for PowerShell reading credentials from Lsass memory.
[1]
[2]
[3]
|
|
An MSSP detection contained evidence of the creation of m.exe in the System32 folder.
[1]
[2]
|
Technique
(Alert, Correlated)
|
A Technique alert detection (red indicator) called "Command line arguments matching Mimikatz execution" was generated for m.exe with command-line arguments indicative of Mimikatz credential dumping. The detection was correlated to a parent alert for a suspicious Powershell process being spawned by explorer.exe.
[1]
|
|
16.D.2
|
|
|
Telemetry showed m.exe injecting a thread into lsass.exe.
[1]
|
|
A Technique alert detection (red indicator) called "Credential Dumping" was generated for m.exe reading lsass.exe process memory.
[1]
[2]
[3]
|
|
A Technique alert detection (red indicator) called "Command line arguments matching Mimikatz execution" was generated for m.exe with command-line arguments indicative of Mimikatz credential dumping.
[1]
|
|
A General alert detection called "heuristic.b.mimikatz_lsadump_inject" was generated for possible Mimikatz activity.
[1]
|
|
An MSSP detection contained evidence of Mimikatz command-line arguments to dump credentials.
[1]
|
|
A General alert detection (red indicator) was generated for a rare child process spawned from wsmprovhost.exe.
[1]
|
|
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
[1]
[2]
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
[1]
[2]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
[2]
[3]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
[2]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
-
According to the vendor, payload execution would have been prevented as Wildfire labeled the payload as malicious/malware.
[1]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
-
According to the vendor, payload execution would have been prevented as Wildfire labeled the payload as malicious/malware.
[1]
[2]
[3]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
-
According to the vendor, payload execution would have been prevented as Wildfire labeled the payload as malicious/malware.
[1]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
5.A.1.1
|
|
|
A Specific Behavior alert was generated for a suspicious handle being opened to lsass.exe to dump passwords. The alert was tagged with the correct ATT&CK Technique (Credential Dumping).
[1]
|
|
5.A.2.1
|
|
|
A Specific Behavior alert was generated for svchost dumping credentials via the Registry. The alert was tagged with the correct ATT&CK Technique (Credential Dumping).
[1]
[2]
|
|
Telemetry showed a code injection into lsass.exe. The telemetry was tainted by a parent process injection alert on cmd.exe.
[1]
[2]
|
|
Cobalt Strike: Built-in Mimikatz credential dump capability executed
-
Vendor stated the capability would have prevented this behavior.
[1]
Cobalt Strike: Built-in hash dump capability executed
[1]
[2]
Cobalt Strike: Built-in hash dump capability executed
[1]
[2]