Carbanak+FIN7

Step | ATT&CK Pattern | Detection Type | Detection Note | Data Sources (recorded per step)
1.A.3 | wscript.exe executes unprotected.vbe | Technique | A Technique detection named "Execution - AMSI - Suspicious Windows Script Host Execution" (10/10) was generated when wscript.exe spawned unprotected.vbe. [1] | Script Logs; Process Monitoring
1.A.3 | wscript.exe executes unprotected.vbe | General | A General detection named "Initial Access - Spearphishing Attachment - Word" (7/10) was generated when wscript.exe spawned unprotected.vbe from winword.exe. [1] | Script Logs; Process Monitoring
1.A.3 | wscript.exe executes unprotected.vbe | Technique | A Technique detection named "Execution - Command and Scripting Interpreter Execution" (1/10) was generated when wscript.exe spawned unprotected.vbe. [1] | Script Logs; Process Monitoring
1.A.3 | wscript.exe executes unprotected.vbe | Technique | A Technique detection named "Initial Access - Word Executing WScript" (9/10) was generated when wscript.exe spawned unprotected.vbe from winword.exe. [1] | Script Logs; Process Monitoring
1.A.7 | wscript.exe executes starter.vbs | Technique | A Technique detection named "Execution - AMSI - Suspicious Windows Script Host Execution" (10/10) was generated when wscript.exe executed starter.vbs. [1] [2] | Process Monitoring; Script Logs
1.A.7 | wscript.exe executes starter.vbs | Technique | A Technique detection named "Execution - Command and Scripting Interpreter Execution" (1/10) was generated when wscript.exe executed starter.vbs. [1] | Process Monitoring; Script Logs
8.A.1 | wscript.exe spawns Java-Update.exe | Technique | A Technique detection named "Execution - Command and Scripting Interpreter Execution" (1/10) was generated when wscript.exe spawned Java-Update.exe. [1] | Process Monitoring; Script Logs
8.A.1 | wscript.exe spawns Java-Update.exe | Technique | A Technique detection named "Execution - AMSI - Suspicious Windows Script Host Execution" (10/10) was generated when wscript.exe spawned Java-Update.exe. [1] | Process Monitoring; Script Logs
11.A.4 | mshta.exe executes an embedded VBScript payload | Technique | A Technique detection named "Defense Evasion - AMSI - Suspicious MSHTA File Write and Execute Behaviors Detected" (10/10) was generated when mshta.exe executed an embedded VBScript payload. [1] | Script Logs; Process Monitoring
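The detection notes above all rest on the same observable: the parent/child relationship and command line of a process-creation event (an Office application launching a script host, a script host launching a script file or an executable, mshta.exe running an inline script). The following is an added example, not MITRE's evaluation code and not the evaluated vendor's detection logic; it runs a handful of parent/child rules over constructed process-creation events modelled on the table's steps. The event fields, rule names, severity numbers and the hypothetical `evaluate`/`run` functions are all assumptions chosen for the example, and the sample events are constructed, not captured telemetry.

```python
# Added example (not MITRE's or the evaluated vendor's code): a minimal
# detection pass over constructed Windows process-creation events that
# reproduces the parent/child relationships the Detection Notes describe.
# Event shape, rule names and severity values are assumptions for this example.
import os

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # Windows Script Host binaries
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}   # script files WSH will run

# Constructed sample events (not real telemetry), modelled on steps 1.A.3,
# 8.A.1 and 11.A.4 in the table plus a benign-looking logon script for contrast.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "winword.exe", "cmdline": "winword.exe invoice.docx"},
    {"parent": "winword.exe", "image": "wscript.exe", "cmdline": "wscript.exe unprotected.vbe"},
    {"parent": "wscript.exe", "image": "Java-Update.exe", "cmdline": "Java-Update.exe"},
    {"parent": "explorer.exe", "image": "mshta.exe", "cmdline": 'mshta.exe vbscript:Execute("...")'},
    {"parent": "explorer.exe", "image": "wscript.exe", "cmdline": "wscript.exe logon.vbs"},
]


def _basename(path):
    """Normalise an image path to a lower-case file name."""
    return os.path.basename(path).lower()


def _script_args(cmdline):
    """Return command-line arguments that look like script files."""
    parts = cmdline.split()
    return [p for p in parts[1:] if os.path.splitext(p.lower())[1] in SCRIPT_EXTS]


def evaluate(event):
    """Return the (rule name, severity) pairs that match one process-creation event.

    Severity is an assumed 1-10 scale: a bare script-host execution is low
    signal on its own, and the parent process is what raises it.
    """
    hits = []
    parent = _basename(event["parent"])
    image = _basename(event["image"])
    cmdline = event["cmdline"]

    # A script host running a script file: common, so low severity by itself.
    if image in SCRIPT_HOSTS and _script_args(cmdline):
        hits.append(("Command and Scripting Interpreter Execution", 1))
        # The same event launched by an Office application is much stronger.
        if parent in OFFICE_APPS:
            hits.append(("Office Application Executing WScript", 9))

    # A script host launching a new executable (the Java-Update.exe step).
    if parent in SCRIPT_HOSTS and image.endswith(".exe") and image not in SCRIPT_HOSTS:
        hits.append(("Script Host Spawning Executable", 7))

    # mshta.exe handed an inline script rather than an .hta file.
    lowered = cmdline.lower()
    if image == "mshta.exe" and ("vbscript:" in lowered or "javascript:" in lowered):
        hits.append(("MSHTA Inline Script Execution", 10))

    return hits


def run(events):
    """Evaluate every event and keep only those that matched at least one rule."""
    results = []
    for event in events:
        hits = evaluate(event)
        if hits:
            results.append((event["image"], hits))
    return results


if __name__ == "__main__":
    for image, hits in run(SAMPLE_EVENTS):
        print(image, "->", ", ".join(f"{name} ({sev}/10)" for name, sev in hits))
```

The point the table makes, and the example mirrors, is that the same wscript.exe execution scores 1/10 on its own and 9/10 once the parent is winword.exe: the parent/child context, not the script host itself, carries the signal.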
APT29

The sub-technique was not in scope.
APT3

Step | ATT&CK Pattern | Detection Type | Detection Note
11.A.1 | Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed) | Specific Behavior | A Specific Behavior alert was generated indicating that powershell.exe was a suspicious child process of wscript.exe. [1] [2] [3]
11.A.1 | Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed) | Specific Behavior | A Specific Behavior alert was generated indicating that powershell.exe was executed with encoded command-line arguments. [1] [2] [3]
11.A.1 | Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed) | Enrichment | The capability enriched wscript.exe and powershell.exe with the correct ATT&CK Techniques (T1063 - Scripting, T1086 - PowerShell). [1] [2] [3]
11.A.1 | Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed) | Telemetry | Telemetry of a process tree showed powershell.exe execution, including full command-line arguments. [1] [2] [3]