Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 20.B.4 | Criteria: 7za.exe creates C:\Users\Public\log.7z (File Monitoring, Process Monitoring) | Tactic | A Tactic detection named "DataFromLocalFileSystemOpen" was generated when 7za.exe created C:\Users\Public\log.7z. |
| | Criteria: 7za.exe creates C:\Users\Public\log.7z (Process Monitoring, File Monitoring) | | |
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 2.A.4 | Compressed and stored files into ZIP (Draft.zip) using PowerShell. Criteria: powershell.exe executing Compress-Archive | Technique (Alert, Correlated) | A Technique alert detection for "Data Compressed. MITRE Exfiltration {T1002}" was generated on powershell.exe compressing via Compress-Archive. The detection was correlated to a parent grouping of malicious activity. |
| | | Telemetry (Correlated, Configuration Change (UX)) | Telemetry showed powershell.exe compressing via Compress-Archive. A UX configuration change was made to bring PowerShell script block logs into the user interface. |
| | | MSSP | An MSSP detection occurred for powershell.exe compressing via Compress-Archive. |
| 2.A.5 | Staged files for exfiltration into ZIP (Draft.zip) using PowerShell. Criteria: powershell.exe creating the file Draft.zip | MSSP | An MSSP detection for the file creation of Draft.zip was received. The alert stated that the file "C:\Users\pam\AppData\Roaming\Draft.zip" was created. |
| | | Telemetry (Correlated) | Telemetry showed the creation of Draft.zip. The detection was correlated to a parent grouping of malicious activity. |
| 7.B.2 | Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell. Criteria: powershell.exe creating the file OfficeSupplies.7z | Telemetry (Correlated) | Telemetry showed the file create event for OfficeSupplies.7z. The detection was correlated to a parent grouping of malicious activity. |
| | | MSSP | An MSSP detection for "exfiltrate" occurred containing evidence of OfficeSupplies.7z being created. |
| 7.B.3 | Encrypted data from the user's Downloads directory using PowerShell. Criteria: powershell.exe executing Compress-7Zip with the password argument used for encryption | Telemetry (Configuration Change (UX), Correlated) | Telemetry showed powershell.exe executing Compress-7Zip with arguments for encryption. The detection was correlated to a parent grouping of malicious activity. A UX configuration change was made to bring PowerShell script block logs into the user interface. |
| | | MSSP | An MSSP detection for "Exfiltrate" occurred containing evidence of Compress-7Zip compressing and encrypting the Downloads directory with 7z using the password "lolol". |
| 9.B.6 | Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe. Criteria: powershell.exe executing rar.exe with the -a parameter for a password to use for encryption | Telemetry (Correlated) | Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent grouping of malicious activity. |
| | | MSSP | An MSSP detection for "T1022" occurred containing evidence of rar.exe being executed with an encryption password parameter passed. |
| 9.B.7 | Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe. Criteria: powershell.exe executing rar.exe | Telemetry (Correlated) | Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent grouping of malicious activity. |
| | | MSSP | An MSSP detection for "T1002" occurred containing evidence of powershell.exe executing rar.exe. |
| | | Technique (Alert, Correlated) | A Technique alert detection called "Compression" was generated due to powershell.exe executing rar.exe with command-line arguments indicative of compression. The detection was correlated to a parent grouping of malicious activity. |
| 17.C.1 | Compressed a staging directory using PowerShell. Criteria: powershell.exe executing the ZipFile.CreateFromDirectory .NET method | Technique (Alert, Correlated) | A Technique alert detection for "Data Compressed" was generated due to an entropy calculation of WindowsParentalControlMigration.tmp. The detection was correlated to a parent grouping of malicious activity. |
| | | Telemetry (Correlated, Configuration Change (UX)) | Telemetry showed PowerShell compressing collection via the ZipFile.CreateFromDirectory .NET method. The detection was correlated to a parent grouping of malicious activity. A UX configuration change was made to bring PowerShell script block logs into the user interface. |
| | | MSSP | An MSSP detection for "T1002" occurred containing evidence of a "zip" function compressing collection via the ZipFile.CreateFromDirectory .NET method. |
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 19.B.1.1 | Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file | Telemetry (Tainted) | Telemetry showed execution of recycler.exe with command-line arguments, including the -hp flag, indicating use of encryption and compression with a WinRAR utility. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). |
| 19.B.1.2 | Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file | Telemetry (Tainted) | Telemetry showed execution of recycler.exe with command-line arguments, including the -hp flag, indicating use of encryption and compression with a WinRAR utility. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID). |
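The criteria in the three tables above describe the same small family of observables: a PowerShell compression cmdlet or the ZipFile.CreateFromDirectory .NET method in script block logs, rar.exe or a renamed WinRAR (recycler.exe) launched with the -hp password switch, 7za.exe writing an archive under C:\Users\Public, an archive being created in a staging directory such as AppData\Roaming or the Desktop, and, in 17.C.1, an entropy calculation over the resulting file. The following is an added example that turns those criteria into runnable detection logic; it is not evaluation data or any vendor's detection code. The telemetry record layout (`source|image|payload`), the sample records, the rule names and the 7.5 bits-per-byte entropy floor are constructed here. The 7-Zip/RAR `-p<password>` switch and the Compress-7Zip `-Password` parameter are included as well-known forms of the same behaviour; the table only mentions `-hp` and "the password argument".

```python
"""Archive-and-encrypt detection logic modelled on the criteria in the tables
above.  Added example, not evaluation data or any vendor's detection code:
the telemetry format, field names and rule names are constructed here."""
import math
import random
import re
from collections import Counter
from typing import Dict, List

# Constructed records, "<source>|<image>|<payload>": source is process (command
# line), file (path created) or script_block (PowerShell script block text).
SAMPLE_TELEMETRY = [
    "process|powershell.exe|Compress-Archive -Path C:\\Users\\pam\\Documents "
    "-DestinationPath C:\\Users\\pam\\AppData\\Roaming\\Draft.zip",
    "file|powershell.exe|C:\\Users\\pam\\AppData\\Roaming\\Draft.zip",
    "script_block|powershell.exe|Compress-7Zip -Path $env:USERPROFILE\\Downloads "
    "-ArchiveFileName OfficeSupplies.7z -Password lolol",
    "process|powershell.exe|rar.exe a -hpSecret C:\\Users\\pam\\Desktop\\working.zip "
    "C:\\Users\\pam\\AppData\\Roaming\\working.zip",
    "process|cmd.exe|recycler.exe a -hpExample old.rar C:\\Users\\pam\\old.txt",
    "process|7za.exe|7za.exe a C:\\Users\\Public\\log.7z C:\\Users\\pam\\Documents",
    "script_block|powershell.exe|[IO.Compression.ZipFile]::CreateFromDirectory("
    "'C:\\staging', 'C:\\Users\\pam\\WindowsParentalControlMigration.tmp')",
    "process|explorer.exe|notepad.exe C:\\Users\\pam\\notes.txt",  # benign control
]

ARCHIVE_IMAGES = {"7za.exe", "7z.exe", "rar.exe", "winrar.exe"}
ARCHIVE_EXT = re.compile(r"\.(zip|7z|rar)$", re.I)
# Staging locations seen in the tables: C:\Users\Public, AppData\Roaming, Desktop.
STAGING_DIRS = re.compile(r"\\Users\\(Public|[^\\]+\\(AppData\\Roaming|Desktop))\\", re.I)


def first_token(cmd: str) -> str:
    """Image name of the launched program, without path, lower-cased."""
    tokens = cmd.split()
    return tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""


def compress_cmdlet(src, image, payload):
    # 2.A.4 / 7.B.3: Compress-Archive or Compress-7Zip in a command line or script block.
    return src in ("process", "script_block") and bool(
        re.search(r"\bCompress-(Archive|7Zip)\b", payload, re.I))

def powershell_password(src, image, payload):
    # 7.B.3: Compress-7Zip called with -Password, i.e. compress and encrypt in one step.
    return bool(re.search(r"Compress-7Zip\b.*-Password\b", payload, re.I))

def archiver_encrypt(src, image, payload):
    # 9.B.6 / 19.B.1: RAR -hp<pw> encrypts data and headers; match the switch rather
    # than the image name so a renamed WinRAR (recycler.exe) is still caught.
    # -p<pw> is only trusted when the image is a known archiver (avoids -Path etc.).
    if src != "process":
        return False
    if re.search(r"(?:^|\s)-hp\S*", payload):
        return True
    return first_token(payload) in ARCHIVE_IMAGES and bool(
        re.search(r"(?:^|\s)-p\S+", payload))

def dotnet_zipfile(src, image, payload):
    # 17.C.1: compression through the .NET API, visible only in script block logs.
    return bool(re.search(r"ZipFile\]?::CreateFromDirectory", payload))

def archive_staged(src, image, payload):
    # 2.A.5 / 7.B.2: a file-create event for an archive in a staging directory.
    return src == "file" and bool(ARCHIVE_EXT.search(payload)) and bool(STAGING_DIRS.search(payload))

def archiver_writes_public(src, image, payload):
    # 20.B.4: an archive utility writing its output under C:\Users\Public.
    return (src == "process" and first_token(payload) in ARCHIVE_IMAGES
            and bool(re.search(r"C:\\Users\\Public\\\S+\.(7z|zip|rar)\b", payload, re.I)))

RULES = [(f.__name__, f) for f in (compress_cmdlet, powershell_password, archiver_encrypt,
                                   dotnet_zipfile, archive_staged, archiver_writes_public)]

def scan_telemetry(lines: List[str]) -> List[Dict[str, str]]:
    """Run every rule over every record; one hit per (record, rule) pair."""
    hits = []
    for line in lines:
        src, image, payload = line.split("|", 2)
        for name, rule in RULES:
            if rule(src, image, payload):
                hits.append({"rule": name, "image": image, "payload": payload})
    return hits

# 17.C.1 alerted on an entropy calculation: compressed or encrypted output has
# near-uniform byte frequencies, so its Shannon entropy approaches 8 bits per byte.
COMPRESSED_ENTROPY_FLOOR = 7.5  # constructed threshold, bits per byte

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_compressed_or_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= COMPRESSED_ENTROPY_FLOOR

# Constructed file contents: repetitive text versus seeded pseudo-random bytes
# standing in for an archive's output (deterministic, so the result is repeatable).
PLAINTEXT_SAMPLE = ("Quarterly report, draft 3. " * 200).encode()
_rng = random.Random(1234)
HIGH_ENTROPY_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for hit in scan_telemetry(SAMPLE_TELEMETRY):
        print(f"{hit['rule']:<24} {hit['image']:<16} {hit['payload'][:60]}")
    for label, blob in (("plaintext", PLAINTEXT_SAMPLE), ("archive-like", HIGH_ENTROPY_SAMPLE)):
        print(f"{label}: {shannon_entropy(blob):.2f} bits/byte, "
              f"flagged={looks_compressed_or_encrypted(blob)}")
```

Two design points follow from the tables. The `-hp` match is deliberately independent of the image name, because in 19.B.1 the archiver ran as recycler.exe and only the switch gave it away; conversely `-p` is trusted only for known archiver images so that PowerShell's `-Path` does not fire it. The .NET and cmdlet rules only see anything if script block logging reaches the console, which is exactly the Configuration Change (UX) modifier recorded against those APT29 rows.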