Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
3.B.7
|
|
|
A Technique detection named "Metasploit (Payload) - RC4 Encrypted Reverse TCP" (Medium) was generated when powershell.exe connected to 192.168.0.4 over TCP port 8080.
[1]
|
|
|
|
powershell.exe transmits data to 192.168.0.4 over TCP
[1]
powershell.exe transmits data to 192.168.0.4 over TCP
[1]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
1.A.3
|
|
|
Telemetry showed the rcs.3aka3.doc process connecting to 192.168.0.5 on port 1234.
[1]
|
|
An MSSP detection occurred for rcs.3aka3.doc process connecting to 192.168.0.5 on TCP port 1234.
[1]
|
|
Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Established network channel over port 1234
[1]
Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Established network channel over port 1234
[1]