Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
9.B.3
|
|
|
A Technique detection named "FileDelete" was generated when powershell.exe deleted files from C:\Users\jsmith\AppData\Local\Temp\.
[1]
|
|
|
|
powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\
-
Process Monitoring
-
File Monitoring
[1]
powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\
-
Process Monitoring
-
File Monitoring
[1]
[2]
[3]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
4.B.2
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent grouping of malicious activity.
[1]
[2]
|
|
An MSSP detection for "T1107" occurred containing evidence of Sdelete (Secure Deletion) being used to remove the original *.3aka3.* RAT, Draft.zip, and SysinternalSuite.zip).
[1]
[2]
[3]
|
|
4.B.3
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent grouping of malicious activity.
[1]
[2]
|
|
An MSSP detection for "T1107" occurred containing evidence of Sdelete (Secure Deletion) being used to remove the original *.3aka3.* RAT, Draft.zip, and SysinternalSuite.zip).
[1]
[2]
[3]
|
|
4.B.4
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent grouping of malicious activity.
[1]
[2]
|
|
An MSSP detection for "T1107" occurred containing evidence of Sdelete (Secure Deletion) being used to remove the original *.3aka3.* RAT, Draft.zip, and SysinternalSuite.zip).
[1]
[2]
[3]
|
|
9.C.1
|
|
|
Telemetry showed a file deletion event for secure file delete deleting rar.exe. The detection was correlated to a parent grouping of malicious activity.
[1]
|
|
An MSSP detection for "sdelete" occurred containing evidence of sdelete being run to delete rar.exe, and working.zip.
[1]
|
|
9.C.2
|
|
|
Telemetry showed sdelete64.exe with command-line arguments to Desktop\working.zip. The detection was correlated to a parent grouping of malicious activity.
[1]
|
|
An MSSP detection for "sdelete" occurred containing evidence of sdelete being run to delete rar.exe, and working.zip.
[1]
|
|
9.C.3
|
|
|
An MSSP detection for "sdelete" occurred containing evidence of sdelete being run to delete rar.exe, and working.zip.
[1]
|
|
Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. The detection was correlated to a parent grouping of malicious activity.
[1]
|
|
9.C.4
|
|
|
Telemetry showed a file deletion event on "Windows Command Processor" deleting sdelete64.exe. The detection was correlated to a parent grouping of malicious activity.
[1]
|
|
An MSSP detection for "executing a deletion" occurred containing evidence of cmd.exe being run to delete sdelete64.exe.
[1]
|
|
Deleted rcs.3aka3.doc on disk using SDelete
sdelete64.exe deleting the file rcs.3aka3.doc
[1]
[2]
Deleted rcs.3aka3.doc on disk using SDelete
sdelete64.exe deleting the file rcs.3aka3.doc
[1]
[2]
[3]
Deleted Draft.zip on disk using SDelete
sdelete64.exe deleting the file draft.zip
[1]
[2]
Deleted Draft.zip on disk using SDelete
sdelete64.exe deleting the file draft.zip
[1]
[2]
[3]
Deleted SysinternalsSuite.zip on disk using SDelete
sdelete64.exe deleting the file SysinternalsSuite.zip
[1]
[2]
Deleted SysinternalsSuite.zip on disk using SDelete
sdelete64.exe deleting the file SysinternalsSuite.zip
[1]
[2]
[3]
Deleted rar.exe on disk using SDelete
sdelete64.exe deleting the file rar.exe
[1]
Deleted rar.exe on disk using SDelete
sdelete64.exe deleting the file rar.exe
[1]
Deleted working.zip (from Desktop) on disk using SDelete
sdelete64.exe deleting the file \Desktop\working.zip
[1]
Deleted working.zip (from Desktop) on disk using SDelete
sdelete64.exe deleting the file \Desktop\working.zip
[1]
Deleted working.zip (from AppData directory) on disk using SDelete
sdelete64.exe deleting the file \AppData\Roaming\working.zip
[1]
Deleted working.zip (from AppData directory) on disk using SDelete
sdelete64.exe deleting the file \AppData\Roaming\working.zip
[1]
Deleted SDelete on disk using cmd.exe del command
cmd.exe deleting the file sdelete64.exe
[1]
Deleted SDelete on disk using cmd.exe del command
cmd.exe deleting the file sdelete64.exe
[1]
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
19.D.1
|
|
|
Telemetry showed the file deletion of old.rar. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
[1]
|
|
19.D.2
|
|
|
Telemetry showed the file deletion of recycler.exe. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
[1]
|
|
Empire: 'del C:\\"$\"Recycle.bin\old.rar'
[1]
Empire: 'del recycler.exe'
[1]