Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|------|----------------|----------------|----------------|
| 19.B.5 | | Tactic | A Tactic detection named "Persistence" was generated when powershell.exe executed sdbinst.exe. |
| 19.B.5 | | Tactic | A Tactic detection named "Persistence" was generated when sdbinst.exe created a new shim database file (.sdb). |
| 19.B.5 | | Technique | A Technique detection named "An abnormal installation of a Shim Database (SDB) has been observed" (Medium) was generated when sdbinst.exe installed a custom application shim database file. |
| 19.B.5 | | Technique | A Technique detection named “"ApplicationShimming" malware was detected” was generated when a custom application shim file was identified as malware. |
| 19.B.5 | | Technique | A Technique detection named "Anomaly detected in ASEP registry" (Medium) was generated when an Autostart Extensibility Point (ASEP) was set in the Registry, identified as the application shimming value name DatabasePath. |
| 20.A.1 | | Technique | A Technique detection named "File associated with possible attack activity" (Low) was generated when AccountingIQ.exe accessed a custom .sdb file that was previously tied to suspicious attack activity. |
| Procedure | Data Sources |
|-----------|--------------|
| sdbinst.exe installs sdbE376.tmp shim | |
| sdbinst.exe installs sdbE376.tmp shim | File Monitoring, Process Monitoring |
| sdbinst.exe installs sdbE376.tmp shim | Process Monitoring, Windows Registry |
| sdbinst.exe installs sdbE376.tmp shim | |
| sdbinst.exe installs sdbE376.tmp shim | |
| sdbinst.exe installs sdbE376.tmp shim | Windows Registry, Script Logs, Process Monitoring |
| AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll | File Monitoring, Process Monitoring |
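The detection notes above describe a chain of observable events: a script host launching sdbinst.exe, sdbinst.exe writing a new .sdb file, the DatabasePath value being set under the AppCompatFlags\InstalledSDB key, and a later process (AccountingIQ.exe) touching a shim database already tied to that install. The following is an added example, not part of the evaluation results or any vendor's product, of how those four checks can be expressed as correlation logic over normalized endpoint telemetry. The event dictionaries, the GUID, the AppPatch\Custom path and the set of script-host parents are constructed assumptions for the example; only sdbinst.exe, the .sdb extension, the InstalledSDB key and the DatabasePath value name come from the page.

```python
"""Correlate process, file and registry events into the application-shimming
detections listed on the page.  Added example; all sample data is constructed."""
import ntpath
import re
from typing import Dict, Iterable, List, Set, Tuple

# Parents treated as script hosts (assumption: the page only shows powershell.exe).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Registry location where sdbinst registers a custom shim database (from the page).
INSTALLED_SDB_RE = re.compile(r"\\AppCompatFlags\\InstalledSDB\\", re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect_shimming(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_id, summary) alerts for the shimming chain in event order.

    A .sdb path becomes 'tainted' once sdbinst.exe creates it or registers it
    as DatabasePath; any other process that later accesses a tainted path is
    reported, mirroring the 20.A.1 detection."""
    alerts: List[Tuple[str, str]] = []
    tainted_sdb: Set[str] = set()
    for ev in events:
        kind = ev["type"]
        proc = _base(ev.get("process", ""))
        if kind == "process_create" and _base(ev["image"]) == "sdbinst.exe":
            parent = _base(ev.get("parent", ""))
            if parent in SCRIPT_HOSTS:
                alerts.append(("PERSISTENCE_SDBINST_FROM_SCRIPT_HOST",
                               f"{parent} -> sdbinst.exe {ev.get('cmdline', '')}"))
        elif kind == "file_create" and proc == "sdbinst.exe" \
                and ev["path"].lower().endswith(".sdb"):
            tainted_sdb.add(ev["path"].lower())
            alerts.append(("PERSISTENCE_NEW_SHIM_DB", ev["path"]))
        elif kind == "registry_set" and INSTALLED_SDB_RE.search(ev["key"]) \
                and ev.get("value", "").lower() == "databasepath":
            tainted_sdb.add(ev.get("data", "").lower())
            alerts.append(("ASEP_INSTALLEDSDB_DATABASEPATH",
                           f"{proc} set {ev['key']}\\DatabasePath = {ev.get('data', '')}"))
        elif kind == "file_access" and proc != "sdbinst.exe" \
                and ev["path"].lower() in tainted_sdb:
            alerts.append(("SUSPICIOUS_SDB_ACCESSED", f"{proc} accessed {ev['path']}"))
    return alerts


# Constructed sample telemetry following the 19.B.5 / 20.A.1 sequence.
_GUID = "{11111111-2222-3333-4444-555555555555}"  # placeholder, not a real install
_SDB = rf"C:\Windows\AppPatch\Custom\{_GUID}.sdb"   # assumed install location
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\sdbinst.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"sdbinst.exe -q C:\Users\user\AppData\Local\Temp\sdbE376.tmp"},
    {"type": "file_create", "process": "sdbinst.exe", "path": _SDB},
    {"type": "registry_set", "process": "sdbinst.exe",
     "key": rf"HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{_GUID}",
     "value": "DatabasePath", "data": _SDB},
    {"type": "file_access", "process": "AccountingIQ.exe", "path": _SDB},
    # Benign access to the stock system database: must not alert.
    {"type": "file_access", "process": "notepad.exe", "path": r"C:\Windows\AppPatch\sysmain.sdb"},
]

if __name__ == "__main__":
    for rule, summary in detect_shimming(SAMPLE_EVENTS):
        print(f"{rule}: {summary}")
```

Tainting the .sdb path on both the file-create and the DatabasePath write is deliberate: the two signals come from different data sources (File Monitoring and Windows Registry in the table above), so the 20.A.1 correlation still fires if only one of them was collected.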
APT29

The subtechnique was not in scope.

APT3

The subtechnique was not in scope.