Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 5.C.3 | cmd.exe spawns from a service executable in C:\Windows\ | General | A General detection named "Execution of Unrecognized Software Allowed" was generated when the service executable was executed. [1] |
| 5.C.3 | cmd.exe spawns from a service executable in C:\Windows\ | General | A General detection named "Suspicious Files Detected in Windows Folder" (Low) was generated when the service executable was deemed suspicious. [1] |
| 5.C.3 | cmd.exe spawns from a service executable in C:\Windows\ | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Execution of CMD from a Service" (Informational) was generated when cmd.exe spawned from a service executable in C:\Windows\. New detection logic was applied for mapping specific techniques. [1] |
| 5.C.3 | cmd.exe spawns from a service executable in C:\Windows\ | General | A General detection named "New Created Service Found in Event Log" (Low) was generated when the service executable was created. [1] |
| 16.A.6 | Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe | General | A General detection named "SHELMA - SMB1" (High) was generated when hollow.exe was detected as malicious. [1] |
| 16.A.6 | Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe | General | A General detection named "New Service Creation via Registry" (Informational) was generated when PAExec-{10732}-HOTELMANAGER.exe was added as a new service. [1] |
| 16.A.6 | Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe | Technique | A Technique detection named "PAEXEC - SMB2" (Low) was generated when the connection generated from PAExec was used for service execution. [1] |
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 8.C.3 | Executed python.exe using PSExec (criteria: python.exe spawned by PSEXESVC.exe) | Technique | A Technique alert detection (high severity) for "Service Execution" was generated due to PSEXESVC.exe executing python.exe. [1] |
| 8.C.3 | Executed python.exe using PSExec (criteria: python.exe spawned by PSEXESVC.exe) | Telemetry | Telemetry showed python.exe spawned by PSEXESVC.exe. [1] |
| 10.A.1 | Executed persistent service (javamtsup) on system startup (criteria: javamtsup.exe spawning from services.exe) | Telemetry | Telemetry showed javamtsup.exe with parent process services.exe. [1] |
| 10.A.1 | Executed persistent service (javamtsup) on system startup (criteria: javamtsup.exe spawning from services.exe) | MSSP | An MSSP detection occurred for services.exe accessing javamtsup.exe. [1] |
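The detection criteria in both tables reduce to a handful of parent/child and service-install relationships. The block below is an added worked example, not code from the ATT&CK Evaluations page or from any evaluated vendor; it implements those criteria as stateful detection logic and runs it over a constructed event stream mirroring steps 5.C.3, 16.A.6, 8.C.3 and 10.A.1. Event classes and field names are assumptions standing in for Sysmon Event ID 1 / Security 4688 (process creation) and System Event ID 7045 or a registry write under the Services key (service install); the rule names, severities, service names and paths other than the executables named on the page are made up for illustration.

```python
"""Service-execution detection logic over constructed Windows events (added example)."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple, Union


@dataclass(frozen=True)
class ServiceInstall:
    """Constructed analog of System Event ID 7045 / a new key under HKLM\\...\\Services."""
    name: str
    image_path: str


@dataclass(frozen=True)
class ProcessCreate:
    """Constructed analog of Sysmon Event ID 1 / Security Event ID 4688."""
    image: str
    parent_image: str


Event = Union[ServiceInstall, ProcessCreate]
Finding = Tuple[str, str, str]  # (severity, rule name, detail)

# Service binaries that PsExec and PAExec drop on the target and start through the SCM.
# PAExec names its copy PAExec-<pid>-<source host>.exe; the page shows the PID in braces,
# so the pattern tolerates both spellings.
REMOTE_EXEC_SVC = re.compile(r"^(psexesvc\.exe|paexec-\{?\d+\}?-[^\\]+\.exe)$", re.IGNORECASE)
SHELLS = {"cmd.exe"}  # the page's criterion is cmd.exe; add powershell.exe etc. to generalise
WINDIR = "c:\\windows\\"


def _norm(path: str) -> str:
    return path.strip('"').lower()


def _base(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


class ServiceExecDetector:
    """Stateful detector: service installs seen earlier inform later process checks."""

    def __init__(self) -> None:
        self.service_images: Set[str] = set()  # normalised image paths installed in the window

    def process(self, ev: Event) -> List[Finding]:
        out: List[Finding] = []
        if isinstance(ev, ServiceInstall):
            img = _norm(ev.image_path)
            self.service_images.add(img)
            out.append(("Low", "New service created", f"{ev.name} -> {ev.image_path}"))
            if REMOTE_EXEC_SVC.match(_base(img)):
                out.append(("Informational", "PsExec/PAExec service installed", ev.image_path))
            return out

        parent, child = _norm(ev.parent_image), _norm(ev.image)
        detail = f"{ev.parent_image} -> {ev.image}"
        # 5.C.3 criterion: cmd.exe spawned by a registered service executable under C:\Windows\
        if _base(child) in SHELLS and parent.startswith(WINDIR) and parent in self.service_images:
            out.append(("Informational", "Execution of CMD from a service", detail))
        # 8.C.3 / 16.A.6 criterion: PSEXESVC.exe or PAExec-*.exe is the parent of the payload
        if REMOTE_EXEC_SVC.match(_base(parent)):
            out.append(("High", "Service execution via PsExec/PAExec", detail))
        # 10.A.1 criterion: services.exe starts a binary that was installed as a service in the window
        if _base(parent) == "services.exe" and child in self.service_images:
            out.append(("Low", "Newly installed service started by services.exe", detail))
        return out


def run(events: List[Event]) -> List[Finding]:
    det = ServiceExecDetector()
    findings: List[Finding] = []
    for ev in events:
        findings.extend(det.process(ev))
    return findings


# Constructed sample stream. Only cmd.exe, PSEXESVC.exe, python.exe, PAExec-*.exe,
# hollow.exe and javamtsup.exe come from the page; every other name and path is made up.
SAMPLE_EVENTS: List[Event] = [
    ServiceInstall("UpdateSvc", r"C:\Windows\updsvc.exe"),                                   # 5.C.3
    ProcessCreate(r"C:\Windows\System32\cmd.exe", r"C:\Windows\updsvc.exe"),
    ServiceInstall("PSEXESVC", r"C:\Windows\PSEXESVC.exe"),                                  # 8.C.3
    ProcessCreate(r"C:\Python\python.exe", r"C:\Windows\PSEXESVC.exe"),
    ServiceInstall("PAExec-10732-HOTELMANAGER", r"C:\Windows\PAExec-10732-HOTELMANAGER.exe"),  # 16.A.6
    ProcessCreate(r"C:\Windows\Temp\hollow.exe", r"C:\Windows\PAExec-10732-HOTELMANAGER.exe"),
    ServiceInstall("javamtsup", r"C:\ProgramData\javamtsup.exe"),                            # 10.A.1
    ProcessCreate(r"C:\ProgramData\javamtsup.exe", r"C:\Windows\System32\services.exe"),
    ProcessCreate(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),  # benign
]

if __name__ == "__main__":
    for sev, rule, detail in run(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {detail}")
```

The detector keeps state on purpose: the "CMD from a service" and "newly installed service started" rules only fire when the parent or child image was registered as a service earlier in the window, which is what separates the page's criteria from a plain "cmd.exe under C:\Windows\" match that would fire on legitimate service hosts. The benign svchost.exe event at the end produces no finding for that reason.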