Carbanak+FIN7

| Step | ATT&CK Pattern | Procedure | Criteria | Data Sources | Detection Type | Detection Note |
| --- | --- | --- | --- | --- | --- | --- |
| 5.C.3 | Service Execution | | | | Technique | A Technique detection named "Service execution using PSExec" was generated when a service was executed using a method similar to PSExec. [1] |
| 5.C.3 | Service Execution | | | | Technique | A Technique detection named "Service Execution" was generated when a service executable was spawned by services.exe. [1] |
| 16.A.6 | Service Execution | Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe [1] | cmd.exe spawns from a service executable in C:\Windows\ [1] | Named Pipes; Process Monitoring [1] | | |
APT29

| Step | ATT&CK Pattern | Procedure | Criteria | Detection Type | Detection Note |
| --- | --- | --- | --- | --- | --- |
| 8.C.3 | Service Execution | Executed python.exe using PSExec | python.exe spawned by PSEXESVC.exe | Telemetry | Telemetry showed python.exe spawned by PSEXESVC.exe. [1] |
| 8.C.3 | Service Execution | Executed python.exe using PSExec | python.exe spawned by PSEXESVC.exe | | The malicious Python process would have been blocked by MVISION Endpoint by a Real Protect machine learning model based on process behavior. [1] |
| 10.A.1 | Service Execution | Executed persistent service (javamtsup) on system startup | javamtsup.exe spawning from services.exe | None | Minimum detection criteria were not met for this procedure. |
APT3

| Step | ATT&CK Pattern | Procedure | Detection Type | Detection Note |
| --- | --- | --- | --- | --- |
| 16.L.1 | Service Execution | Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) [1] [2] | Enrichment | The capability enriched sc.exe with a relevant ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via sc.exe/net.exe tool. [1] [2] |
| 16.L.1 | Service Execution | Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) [1] [2] | Telemetry (Tainted) | Telemetry showed powershell.exe executing sc.exe. The telemetry was tainted by a trace detection on cmd.exe. [1] [2] |
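The criteria quoted in the three tables above are all parent/child lineage checks: a service executable spawned by services.exe, cmd.exe spawned by a service executable under C:\Windows\, a child of PSEXESVC.exe or PAExec-{PID}-*.exe, and a shell running `sc start`. The following Python is an added example that is not part of the evaluation results or of the evaluated product; it builds a process tree from constructed Sysmon-style process-creation events and applies those rules. The event field names (pid, ppid, image, cmdline), the sample paths, the benign control events and the service name `DemoSvc` are assumptions, not telemetry from the evaluation.

```python
"""Service Execution lineage rules over constructed process-creation events.

Added example (not MITRE's or the vendor's code). Each rule mirrors a
criterion from the results tables; field names and sample data are assumed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str                       # full image path of the created process
    cmdline: str = ""
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def build_tree(events: List[dict]) -> Dict[int, Proc]:
    """Link events into a parent/child tree keyed by pid (assumed schema)."""
    procs = {e["pid"]: Proc(e["pid"], e["ppid"], e["image"], e.get("cmdline", ""))
             for e in events}
    for p in procs.values():
        p.parent = procs.get(p.ppid)
        if p.parent is not None:
            p.parent.children.append(p)
    return procs


PSEXEC_SERVICE = {"psexesvc.exe"}
PAEXEC_RE = re.compile(r"^paexec-\d+-[^\\]+\.exe$")           # PAExec-{PID}-{HOST}.exe
SC_START_RE = re.compile(r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?start\b", re.IGNORECASE)
SHELLS = {"powershell.exe", "cmd.exe"}


def is_service_binary(p: Proc) -> bool:
    """Service executables are started directly by services.exe."""
    return p.parent is not None and p.parent.name == "services.exe"


def in_windows_dir(p: Proc) -> bool:
    return p.image.lower().startswith("c:\\windows\\")


def detect(procs: Dict[int, Proc]) -> List[Tuple[str, int]]:
    findings = []
    for p in procs.values():
        par = p.parent
        # 5.C.3 / 10.A.1: service executable spawned by services.exe
        if is_service_binary(p):
            findings.append(("service_spawned_by_services_exe", p.pid))
        # 16.A.6: cmd.exe spawned by a service executable under C:\Windows\
        if par is not None and p.name == "cmd.exe" and is_service_binary(par) and in_windows_dir(par):
            findings.append(("cmd_from_service_binary_in_windows_dir", p.pid))
        # 5.C.3 / 8.C.3 / 16.A.6: child of a PsExec- or PAExec-style service
        if par is not None and (par.name in PSEXEC_SERVICE or PAEXEC_RE.match(par.name)):
            findings.append(("child_of_psexec_style_service", p.pid))
        # 16.L.1: shell (PowerShell/cmd) launching a service via `sc start`
        if p.name == "sc.exe" and par is not None and par.name in SHELLS and SC_START_RE.search(p.cmdline):
            findings.append(("sc_start_from_shell", p.pid))
    return findings


# Constructed sample events; pids, paths and the DemoSvc name are made up.
SAMPLE_EVENTS = [
    {"pid": 600,  "ppid": 500,  "image": r"C:\Windows\System32\services.exe"},
    {"pid": 2900, "ppid": 500,  "image": r"C:\Windows\explorer.exe"},
    # 8.C.3: PsExec service runs python.exe
    {"pid": 1500, "ppid": 600,  "image": r"C:\Windows\PSEXESVC.exe"},
    {"pid": 1510, "ppid": 1500, "image": r"C:\Python\python.exe"},
    # 16.A.6: PAExec service runs cmd.exe, which runs hollow.exe
    {"pid": 2000, "ppid": 600,  "image": r"C:\Windows\PAExec-2000-HOTELMANAGER.exe"},
    {"pid": 2010, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 2020, "ppid": 2010, "image": r"C:\Windows\Temp\hollow.exe"},
    # 10.A.1: persistent service started at boot
    {"pid": 4000, "ppid": 600,  "image": r"C:\Users\Public\javamtsup.exe"},
    # 16.L.1: PowerShell remotely starting a service with sc
    {"pid": 3000, "ppid": 2900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 3010, "ppid": 3000, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc \\10.0.0.4 start DemoSvc"},
    # Benign controls: interactive cmd.exe and a read-only sc query
    {"pid": 3500, "ppid": 2900, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 3020, "ppid": 3000, "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc query"},
]


def run_demo() -> List[Tuple[str, int]]:
    return detect(build_tree(SAMPLE_EVENTS))


if __name__ == "__main__":
    for rule, pid in run_demo():
        print(f"{rule}: pid {pid}")
```

The 16.A.6 rule fires on cmd.exe (pid 2010), not on hollow.exe beneath it, matching the criterion's wording; the two benign controls produce no findings, and the `sc query` case shows why the rule keys on the `start` verb rather than on sc.exe alone.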