Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
4.B.7
|
|
|
Minimum detection criteria was not met for this procedure.
|
|
15.A.6
|
|
|
A General detection named "File executed in malware only location" (High) was generated when samcat.exe was executed from a folder commonly used by malware.
[1]
|
|
A Technique detection named "Lsass handle opened" (Info) was generated when smrs.exe opened and read lsass.exe.
[1]
|
|
smrs.exe opens and reads lsass.exe
samcat.exe opens and reads the SAM via LSASS
[1]
samcat.exe opens and reads the SAM via LSASS
[1]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
14.B.4
|
|
|
An MSSP detection occurred containing evidence of Mimikatz execution.
[1]
[2]
|
Technique
(Alert, Correlated)
|
A Technique alert detection (medium severity) called "Password Dumper Executed" was generated due to a known password hash dumper running. This detection was correlated to a parent alert for privilege escalation.
[1]
|
Technique
(Correlated, Alert)
|
A Technique alert detection (high severity) called "Mimikatz command line parameters" was generated due to m.exe executing with command-line arguments indicative of Mimikatz credential dumping. This detection was correlated to a parent alert for privilege escalation.
[1]
|
|
16.D.2
|
|
|
An MSSP detection occurred containing evidence of Mimikatz dumping the KRBTGT hash.
[1]
[2]
|
|
Telemetry showed m.exe injecting a thread into lsass.exe.
[1]
|
Technique
(Correlated, Alert)
|
A Technique alert detection (high severity) for "Credential Dumping" was generated due to Mimikatz command-line parameters being executed. This event was correlated to a parent detection for privilege escalation.
[1]
|
Technique
(Alert, Correlated)
|
A Technique alert detection (high severity) for Credential Dumping was generated due to a known password dumper being executed. This event was correlated to a parent detection for privilege escalation.
[1]
|
Technique
(Correlated, Alert)
|
A Technique alert detection (high severity) for "Credential Dumping" was generated due to lsass memory dump. This detection was correlated to a parent detection for privilege escalation.
[1]
|
|
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
[2]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
[2]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
5.A.1.1
|
|
|
Minimum detection criteria was not met for this procedure.
|
|
Cobalt Strike: Built-in Mimikatz credential dump capability executed