Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 5.C.3 | | General | A General detection named "W32.File.MalParent" (Medium) was generated when a service executable in C:\Windows\ was detected as W32.File.MalParent. [1] |
| 5.C.3 | | General | A General detection named "W32.RemoteAdmin:SPR.22lu.1201" (Medium) was generated when a service executable in C:\Windows\ was detected as W32.RemoteAdmin:SPR.22lu.1201. [1] |
| 16.A.6 | | General | A General detection named "Generic.Exploit.Metasploit" (Medium) was generated when PAExec_Move0.dat and hollow.exe were detected as Metasploit. [1] [2] |
| 16.A.6 | | | cmd.exe spawns from a service executable in C:\Windows\ [1] |
| 16.A.6 | | | cmd.exe spawns from a service executable in C:\Windows\ [1] |
| 16.A.6 | | | cmd.exe spawns from a service executable in C:\Windows\ [1] |
| 16.A.6 | | | Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe [1] [2] |
| 16.A.6 | | | Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe [1] [2] |