Carbanak+FIN7
| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 3.B.7 | | | A Technique detection named "DataExfiltration" was generated when powershell connected to 192.168.0.4 over TCP. (tactic named but correct TID is present). |

powershell.exe transmits data to 192.168.0.4 over TCP
APT29
| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 1.A.3 | | | Telemetry showed rcs.3aka3.doc connected to 192.168.0.5 on TCP port 1234. |
| 1.A.3 | | | An MSSP detection was generated for rcs.3aka3.doc connecting to 192.168.0.5 on port 1234. |
| 1.A.3 | | | A Technique alert detection for "T1065 - Uncommonly Used Port" was generated for rcs.3aka3.doc due to TCP port 1234 being used. |

Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Established network channel over port 1234
APT3
The technique was not in scope.