Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 4.A.3 | powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access (Process Monitoring, Script Logs) [1] | General | A General detection named "Powerview cmdlet usage" (High) was generated when powershell.exe executed Find-LocalAdminAccess, which connected to multiple hosts over port 135 to check for access. [1] |
| 4.A.3 | powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access (Process Monitoring, Network Monitoring, Script Logs) [1] [2] | General | A General detection named "Suspicious network connection from detected process" (Low) was generated when powershell.exe executed Find-LocalAdminAccess, which connected to multiple hosts over port 135 to check for access. [1] |
| 4.A.3 | powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access (Process Monitoring, Network Monitoring) [1] | | |
APT29

The subtechnique was not in scope.
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 16.A.1.1 | Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda (screenshot is not available due to sensitivity of rule logic) [1] | Enrichment | The capability enriched multiple occurrences of net.exe usage as indicative of brute forcing a remote system as well as the correct ATT&CK Technique ID (Brute Force). [1] |
| 16.A.1.1 | Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda [1] | Telemetry | Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying. [1] |
| 16.B.1.3 | Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying (screenshot is not available due to sensitivity of rule logic) [1] | Enrichment | The capability enriched multiple occurrences of net.exe usage as indicative of brute forcing a remote system as well as the correct ATT&CK Technique ID (Brute Force). [1] |
| 16.B.1.3 | Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying [1] | Telemetry | Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick. [1] |
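As an added example, not part of the evaluation results and not any vendor's rule logic, the Python below sketches detection logic for the two behaviours recorded above: a process fanning out over TCP/135 to several hosts as Find-LocalAdminAccess does (Carbanak+FIN7 step 4.A.3), and net.exe logon attempts rotating across users and hosts as in the password spraying of APT3 step 16.A.1.1. The event schema (Sysmon-like process-create and network-connect records) and every sample record are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry, not taken from the evaluation page: Sysmon-style
# process-create and network-connect records from one workstation, with benign noise.
EVENTS = [
    {"ts": "2021-03-01T09:00:00", "type": "process", "pid": 412, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -c Find-LocalAdminAccess"},
    *({"ts": f"2021-03-01T09:00:0{i}", "type": "network", "pid": 412, "dst": f"10.0.1.{3 + i}", "dport": 135}
      for i in (1, 2, 3)),                                   # three hosts probed on TCP/135 within 3 s
    {"ts": "2021-03-01T09:00:09", "type": "network", "pid": 77, "dst": "10.0.1.4", "dport": 135},  # lone RPC call
    {"ts": "2021-03-01T09:10:00", "type": "process", "pid": 600, "image": "net.exe",
     "cmdline": r"net use Z: \\fileserver\share /persistent:no"},  # ordinary drive mapping, no /user:
    *({"ts": f"2021-03-01T09:12:{i:02d}", "type": "process", "pid": 700 + i, "image": "net.exe",
       "cmdline": rf"net use \\{h}\IPC$ /user:{u}"}
      for i, (h, u) in enumerate([("Morris", "Kmitnick"), ("Morris", "Bob"), ("Nimda", "Kmitnick"),
                                  ("Nimda", "Frieda"), ("Morris", "Frieda"), ("Nimda", "Bob")])),
]

_t = lambda e: datetime.fromisoformat(e["ts"])  # event timestamp as datetime

def rpc_fanout(events, min_hosts=3, window=timedelta(minutes=5)):
    """Processes that reach >= min_hosts distinct hosts on TCP/135 within `window` (step 4.A.3 pattern)."""
    image = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    by_pid = {}
    for e in sorted(events, key=_t):
        if e["type"] == "network" and e["dport"] == 135:
            by_pid.setdefault(e["pid"], []).append(e)
    alerts = []
    for pid, conns in by_pid.items():
        for i, first in enumerate(conns):  # slide the window over this process's connections
            hosts = {c["dst"] for c in conns[i:] if _t(c) - _t(first) <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"pid": pid, "image": image.get(pid), "hosts": sorted(hosts)})
                break
    return alerts

NET_USE = re.compile(r"net(?:\.exe)?\s+use\s+\\\\([^\\\s]+)\S*\s.*?/user:(\S+)", re.I)

def net_use_spray(events, min_pairs=3, window=timedelta(minutes=10)):
    """`net use \\host ... /user:name` logons rotating across >= min_pairs (host, user) pairs in `window`."""
    tries = sorted((_t(e), m.group(1), m.group(2)) for e in events
                   if e["type"] == "process" and e["image"].lower() == "net.exe"
                   and (m := NET_USE.search(e["cmdline"])))
    for i, (t0, _, _) in enumerate(tries):
        burst = [(h, u) for t, h, u in tries[i:] if t - t0 <= window]
        if len(set(burst)) >= min_pairs:
            return {"hosts": sorted({h for h, _ in burst}),
                    "users": sorted({u for _, u in burst}), "attempts": len(burst)}
    return None
```

Thresholds are deliberately conservative placeholders; tune `min_hosts` and `min_pairs` against baseline administrative activity so that a single legitimate `net use` or RPC call does not fire.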