Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
9.A.2
|
|
Technique
(Configuration Change (Detection Logic))
|
A Technique detection named "POTENTIAL KEYLOGGER OUTPUT" was generated when DefenderUpgradeExec.exe wrote to klog2.txt which contained "[ENTER]".
[1]
|
|
18.A.4
|
|
|
Minimum detection criteria was not met for this procedure.
|
|
DefenderUpgradeExec.exe calls the SetWindowsHookEx API
-
File Monitoring
-
Process Monitoring
[1]
mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.A.3
|
|
|
Telemetry showed PowerShell calling the GetAsyncKeyState API.
[1]
|
General
(Alert, Configuration Change (Detections))
|
A General alert detection called "PowerShell Loading User32.dll" was generated due to powershell.exe loading user32.dll, indicating possible Input Capture.
[1]
|
|
An MSSP detection occurred containing evidence of keylogging.
[1]
|
|
Captured user keystrokes using the GetAsyncKeyState API
powershell.exe executing the GetAsyncKeyState API
[1]
Captured user keystrokes using the GetAsyncKeyState API
powershell.exe executing the GetAsyncKeyState API
-
The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
[1]
Captured user keystrokes using the GetAsyncKeyState API
powershell.exe executing the GetAsyncKeyState API
[1]
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
8.C.1.1
|
|
|
Minimum detection criteria was not met for this procedure.
|
|
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie