Carbanak+FIN7

Step | ATT&CK Pattern | Detection Type | Detection Note
5.C.3 | | General | A General detection named "Malicious Process Identified" was generated when cmd.exe spawned from a service executable in C:\Windows\. [1]
16.A.6 | | |

Procedure and criteria per step:
5.C.3 | Criteria: cmd.exe spawns from a service executable in C:\Windows\ [1]
16.A.6 | Procedure: Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe [1] | Criteria: cmd.exe spawns from a service executable in C:\Windows\ [1]
APT29

Step | ATT&CK Pattern | Detection Type | Detection Note
8.C.3 | | Telemetry | Telemetry showed python.exe spawned by PSEXESVC.exe. The event was correlated to a parent General detection for a suspicious process. [1] [2]
8.C.3 | | Tactic | A Tactic detection was generated for the process created by the PsExec tool, labeled "Lateral Movement with Remote Execution." The event was correlated to a parent detection for "Bypass User Account Control". [1]
10.A.1 | | None | Minimum detection criteria were not met for this procedure.

Procedure and criteria per step:
8.C.3 | Procedure: Executed python.exe using PSExec | Criteria: python.exe spawned by PSEXESVC.exe [1] [2]
8.C.3 | Procedure: Executed python.exe using PSExec | Criteria: python.exe spawned by PSEXESVC.exe [1]
10.A.1 | Procedure: Executed persistent service (javamtsup) on system startup | Criteria: javamtsup.exe spawning from services.exe
APT3

Step | ATT&CK Pattern | Detection Type | Detection Note
16.L.1 | | Telemetry | Telemetry showed powershell.exe executing sc.exe to start the AdobeUpdater service on Creeper. The telemetry was tainted by the parent "Powershell executed remote commands" alert. Telemetry from Creeper also showed services.exe creating cmd.exe, which executed the update.vbs file (showing the AdobeUpdater service starting). [1] [2]

Procedure and criteria per step:
16.L.1 | Procedure: Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) | Criteria: -

Note: Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details. [1] [2]
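The detection criteria listed across the three evaluations above are all parent/child relationships in process-creation telemetry: cmd.exe under a service binary in C:\Windows\ (Carbanak+FIN7 5.C.3 and 16.A.6), python.exe under PSEXESVC.exe (APT29 8.C.3), a service binary started by services.exe (APT29 10.A.1), and powershell.exe running 'sc start' (APT3 16.L.1). The block below, an added example that is not MITRE's or any evaluated vendor's code, runs those checks over constructed Sysmon Event ID 1 / 4688-style records. It goes beyond the page in two places, both assumptions: the "service executable" part of the cmd.exe criterion is enforced through lineage (the parent must itself be a child of services.exe), which keeps an interactive cmd.exe under explorer.exe, also in C:\Windows\, from matching; and the javamtsup criterion is generalised to "services.exe starting anything outside a known-service allowlist", which also catches the PsExec/PAExec service binaries themselves. The host name, PIDs, paths, command lines and allowlist are all constructed for the example.

```python
"""Process-lineage checks for the service-execution detection criteria on this page.

Added example, not MITRE's or a vendor's code. Events mimic Sysmon Event ID 1 /
Windows 4688 fields; host name, PIDs, paths and the allowlist are assumptions.
"""
from pathlib import PureWindowsPath

HOST = "victim"  # constructed single-host telemetry; events are keyed by (host, pid)


def ev(pid, ppid, image, parent_image, cmdline=""):
    return {"host": HOST, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent_image, "CommandLine": cmdline}


# Constructed sample telemetry (not vendor or evaluation data).
SAMPLE_EVENTS = [
    ev(600, 400, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\wininit.exe"),
    ev(610, 600, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
    # Carbanak+FIN7 16.A.6: PAExec service binary started by the SCM, then cmd.exe
    ev(700, 600, r"C:\Windows\PAExec-1234-HOTELMANAGER.exe", r"C:\Windows\System32\services.exe"),
    ev(710, 700, r"C:\Windows\System32\cmd.exe", r"C:\Windows\PAExec-1234-HOTELMANAGER.exe", "cmd.exe /c hollow.exe"),
    # APT29 8.C.3: PsExec service binary, then python.exe
    ev(800, 600, r"C:\Windows\PSEXESVC.exe", r"C:\Windows\System32\services.exe"),
    ev(810, 800, r"C:\Python38\python.exe", r"C:\Windows\PSEXESVC.exe", "python.exe stage.py"),
    # APT29 10.A.1: persistent service started by services.exe at boot
    ev(900, 600, r"C:\Windows\System32\javamtsup.exe", r"C:\Windows\System32\services.exe"),
    # Benign: interactive cmd.exe from explorer.exe (explorer.exe also lives in C:\Windows\)
    ev(300, 250, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ev(310, 300, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe"),
    # APT3 16.L.1: PowerShell running 'sc start'
    ev(1000, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe"),
    ev(1010, 1000, r"C:\Windows\System32\sc.exe",
       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "sc start AdobeUpdater"),
]

# Service binaries that normally run under services.exe (assumed allowlist; tune per environment).
KNOWN_SERVICE_CHILDREN = {"svchost.exe", "spoolsv.exe", "lsass.exe", "msiexec.exe", "searchindexer.exe"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def _dirname(path):
    return str(PureWindowsPath(path).parent).lower()


def cmd_from_service_exe_in_windows(e, by_key):
    """Carbanak+FIN7 5.C.3 / 16.A.6: cmd.exe spawned by a service executable in C:\\Windows\\.
    'Service executable' is checked via lineage: the parent must be a child of services.exe."""
    parent = by_key.get((e["host"], e["ParentProcessId"]))
    return (_name(e["Image"]) == "cmd.exe"
            and _dirname(e["ParentImage"]) == r"c:\windows"
            and parent is not None
            and _name(parent["ParentImage"]) == "services.exe")


def python_from_psexesvc(e, by_key):
    """APT29 8.C.3: python.exe spawned by PSEXESVC.exe."""
    return _name(e["Image"]) == "python.exe" and _name(e["ParentImage"]) == "psexesvc.exe"


def unknown_service_child(e, by_key):
    """APT29 10.A.1 generalised: services.exe starting a binary outside the allowlist
    (the PsExec/PAExec service binaries themselves also trip this)."""
    return (_name(e["ParentImage"]) == "services.exe"
            and _name(e["Image"]) not in KNOWN_SERVICE_CHILDREN)


def sc_start_from_powershell(e, by_key):
    """APT3 16.L.1: powershell.exe running 'sc start <svc>' ('sc \\\\host start <svc>' also matches)."""
    args = e.get("CommandLine", "").lower().split()
    return (_name(e["Image"]) == "sc.exe"
            and _name(e["ParentImage"]) == "powershell.exe"
            and "start" in args[1:])


RULES = [cmd_from_service_exe_in_windows, python_from_psexesvc,
         unknown_service_child, sc_start_from_powershell]


def evaluate(events):
    """Run every rule over every event; returns one hit dict per (event, rule) match."""
    by_key = {(e["host"], e["ProcessId"]): e for e in events}
    hits = []
    for e in events:
        for rule in RULES:
            if rule(e, by_key):
                hits.append({"rule": rule.__name__, "host": e["host"], "pid": e["ProcessId"],
                             "child": _name(e["Image"]), "parent": _name(e["ParentImage"])})
    return hits


if __name__ == "__main__":
    for h in evaluate(SAMPLE_EVENTS):
        print(f'{h["rule"]:32} pid={h["pid"]:<5} {h["parent"]} -> {h["child"]}')
```

Run against the sample, the rules fire on the PAExec, PSEXESVC and javamtsup service starts, on cmd.exe under PAExec, on python.exe under PSEXESVC and on the 'sc start' from PowerShell, and stay quiet on svchost.exe and on the cmd.exe launched from explorer.exe. The lineage check is what separates "service executable in C:\Windows\" from "any executable in C:\Windows\"; without the grandparent lookup the explorer.exe case would be a false positive on every interactive shell.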