Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 9.A.2 | | Technique | A Technique detection named "Possible keylogging activity" (High) was generated when DefenderUpgradeExec.exe called the SetWindowsHookEx API. [1] |
| | | Tactic | A Tactic detection named "Collection" was generated when DefenderUpgradeExec.exe created a system hook. [1] |
| 18.A.4 | | | Minimum detection criteria was not met for this procedure. |

Procedures and data sources:
DefenderUpgradeExec.exe calls the SetWindowsHookEx API
- Process Monitoring
- System Calls/API Monitoring
[1]
mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 7.A.3 | | Technique | A Technique alert detection for Input Capture (high severity) was generated due to powershell.exe using APIs that are commonly abused by malicious applications to log keystrokes. [1] |
| | | Telemetry | Telemetry showed API calls for GetAsyncKeyState. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view. |

Procedure: Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API
[1]
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 8.C.1.1 | | Specific Behavior (Delayed) | A delayed Specific Behavior alert was generated on "Possible keylogging activity" against explorer.exe. [1] [2] [3] |
| | | Telemetry (Configuration Change) | Telemetry showed events indicating "explorer.exe is reading user keystrokes." [1] [2] [3] |

Procedure: Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie [1] [2] [3]

Notes:
- The vendor stated that Input Capture telemetry is captured but it was not immediately visible in the user portal. The vendor made changes to the portal during the test to enable the visibility of these events.
- Telemetry also showed cmd.exe injecting into explorer.exe to facilitate the keylogging, but this did not identify input capture specifically so was not counted as a detection.
[1] [2] [3]
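All three evaluations above score the same two signals: a process installing a keyboard hook through SetWindowsHookEx, and a process polling GetAsyncKeyState, GetKeyState or GetKeyboardState. The following is an added example of detection logic over API-call telemetry; it is not the evaluated vendor's code nor MITRE's, and the ApiEvent record layout, the constructed sample events and the polling thresholds are assumptions. Process names in the sample are taken from the detection notes. The Technique/Tactic labels mirror the evaluation's categories: a keyboard hook yields a "Possible keylogging activity" Technique detection plus a "Collection" Tactic detection, and a burst of keyboard-state polling yields a Technique detection.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Win32 hook identifiers whose hook procedure receives keystrokes.
KEYBOARD_HOOK_IDS = {2: "WH_KEYBOARD", 13: "WH_KEYBOARD_LL"}
# Polling APIs named in the evaluation notes.
POLLING_APIS = {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"}
# Constructed thresholds (assumption): a keystroke-polling loop calls these
# many times per second, an interactive app only a few times per user action.
POLL_THRESHOLD = 50
POLL_WINDOW_SECONDS = 1.0


@dataclass
class ApiEvent:
    """One API-call telemetry record (assumed schema)."""
    ts: float          # seconds since epoch
    pid: int
    image: str         # process image name
    api: str           # API name reported by the call-monitoring sensor
    args: dict = field(default_factory=dict)


@dataclass
class Detection:
    level: str         # "Technique" or "Tactic"
    name: str
    image: str
    pid: int
    reason: str


def _max_calls_in_window(stamps, window):
    """Largest number of sorted timestamps falling inside any `window` seconds."""
    best, start = 0, 0
    for end, t in enumerate(stamps):
        while t - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_keylogging(events):
    """Return Technique/Tactic detections for hook-based and polling-based keylogging."""
    detections = []
    poll_times = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.api == "SetWindowsHookEx":
            hook_name = KEYBOARD_HOOK_IDS.get(e.args.get("idHook"))
            if hook_name is None:
                continue  # WH_MOUSE, WH_CBT and similar hooks are common in benign software
            detections.append(Detection("Technique", "Possible keylogging activity",
                                        e.image, e.pid,
                                        f"SetWindowsHookEx installed a {hook_name} hook"))
            detections.append(Detection("Tactic", "Collection", e.image, e.pid,
                                        "process created a system-wide keyboard hook"))
        elif e.api in POLLING_APIS:
            poll_times[(e.pid, e.image)].append(e.ts)
    for (pid, image), stamps in poll_times.items():
        if _max_calls_in_window(stamps, POLL_WINDOW_SECONDS) >= POLL_THRESHOLD:
            detections.append(Detection("Technique", "Possible keylogging activity",
                                        image, pid,
                                        f"{POLL_THRESHOLD}+ keyboard-state polls within "
                                        f"{POLL_WINDOW_SECONDS}s"))
    return detections


def sample_events():
    """Constructed telemetry: one hook installer, one polling loop, two benign processes."""
    ev = [
        ApiEvent(1000.0, 4120, "DefenderUpgradeExec.exe", "SetWindowsHookEx", {"idHook": 13}),
        ApiEvent(1000.5, 5210, "chrome.exe", "SetWindowsHookEx", {"idHook": 7}),  # WH_MOUSE
        ApiEvent(1001.0, 6300, "notepad.exe", "GetKeyState", {"vKey": 0x10}),
        ApiEvent(1001.2, 6300, "notepad.exe", "GetKeyState", {"vKey": 0x11}),
    ]
    # 80 GetAsyncKeyState calls in 0.8 s from powershell.exe, as in the APT29 step.
    ev += [ApiEvent(1002.0 + i * 0.01, 7444, "powershell.exe", "GetAsyncKeyState",
                    {"vKey": 0x41 + (i % 26)}) for i in range(80)]
    return ev


if __name__ == "__main__":
    for d in detect_keylogging(sample_events()):
        print(f"[{d.level}] {d.name}: {d.image} (pid {d.pid}) - {d.reason}")
```

The hook rule keys on the hook type rather than on the API alone, because SetWindowsHookEx with a mouse or CBT hook is routine in desktop software; the polling rule uses a sliding window so a handful of GetKeyState calls from an editor does not trip it.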