BlackBerry Cylance: Defense Evasion (TA0005)
Carbanak+FIN7

Step | ATT&CK Pattern
--- | ---
1.A.4 | Technique: Obfuscated Files or Information (T1027)
1.A.5 |
1.A.6 |
3.A.2 | Technique: Modify Registry (T1112)
3.A.3 | Technique: Obfuscated Files or Information (T1027)
3.B.5 |
4.B.4 | Technique: Modify Registry (T1112)
5.C.6 |
7.A.4 |
9.A.3 | Technique: Process Injection (T1055)
9.B.3 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
10.A.3 | Technique: Impair Defenses (T1562); Subtechnique: Impair Defenses: Disable or Modify System Firewall (T1562.004)
10.A.5 | Technique: Modify Registry (T1112)
10.A.6 | Technique: Modify Registry (T1112)
11.A.2 | Technique: Obfuscated Files or Information (T1027)
11.A.5 |
11.A.6 |
13.A.4 | Technique: Virtualization/Sandbox Evasion (T1497); Subtechnique: Virtualization/Sandbox Evasion: System Checks (T1497.001)
14.A.3 |
14.A.5 |
16.A.7 |
17.A.2 | Technique: Masquerading (T1036); Subtechnique: Masquerading: Match Legitimate Name or Location (T1036.005)
18.A.1 | Technique: Process Injection (T1055)
18.A.3 | Technique: Process Injection (T1055)
19.B.2 | Technique: Obfuscated Files or Information (T1027)
20.A.2 | Technique: Process Injection (T1055)
APT29

Step | ATT&CK Pattern
--- | ---
1.A.2 |
3.A.2 |
3.C.1 | Technique: Modify Registry (T1112)
4.A.3 |
4.B.2 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
4.B.3 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
4.B.4 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
6.A.3 | Technique: Masquerading (T1036); Subtechnique: Masquerading: Match Legitimate Name or Location (T1036.005)
8.B.2 |
8.C.1 |
9.C.1 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
9.C.2 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
9.C.3 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
9.C.4 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
10.B.3 |
11.A.2 |
11.A.3 | Technique: Virtualization/Sandbox Evasion (T1497); Subtechnique: Virtualization/Sandbox Evasion: System Checks (T1497.001)
11.A.10 |
12.A.2 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: Timestomp (T1070.006)
14.A.3 | Technique: Modify Registry (T1112)
14.B.5 | Technique: Obfuscated Files or Information (T1027)
14.B.6 |
17.C.2 | Technique: Obfuscated Files or Information (T1027)
Procedure: Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe

Procedure: Executed an alternate data stream (ADS) using PowerShell
Criteria: powershell.exe executing the schemas ADS via Get-Content and IEX
Footnote: Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_BIOS
Footnote: Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Decoded an embedded DLL payload to disk using certutil.exe
Criteria: certutil.exe decoding kxwn.lock
Footnote: Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Encoded and wrote Mimikatz output to a WMI class property using PowerShell
Criteria: powershell.exe executing Set-WmiInstance
Footnote: Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.