Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 1.A.2 | | Tactic (Configuration Change (Detection Logic), Configuration Change (Data Sources)) | A Tactic detection named "Malicious Macro - Execution" was generated when winword.exe loaded VBE7.DLL and spawned 1-list.rtf, which was identified as possible Execution. [1] |
| 11.A.7 | | Tactic (Configuration Change (Detection Logic)) | A Tactic detection named "MaliciousMacro - Execution" was generated when a process launched that was related to a malicious macro in a document. [1] |

winword.exe loads VBE7.DLL
- System Calls/API Monitoring
- Process Monitoring
- DLL Monitoring
- Increased collection of module load activity
[1]

winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL
[1]

winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL
- Process Monitoring
- DLL Monitoring
- System Calls/API Monitoring
[1]

APT29

The subtechnique was not in scope.

APT3

The subtechnique was not in scope.