Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 4.A.3 | powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access | Technique (data sources: Script Logs, Process Monitoring) [1] | A Technique detection named "Powersploit Password Spray" was generated when powershell.exe executed Find-LocalAdminAccess, which connected to multiple hosts over port 135 to check for access. [1] |
| 4.A.3 | powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access | Data sources: Network Monitoring, Process Monitoring [1] [2] | |

APT29

The subtechnique was not in scope.

APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 16.A.1.1 | | General Behavior | A General Behavior alert was generated for sensitive administrative shares mapping with unexpected parent. [1] [2] [3] [4] |
| 16.A.1.1 | | Telemetry | Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] |
| 16.B.1.3 | Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying | Telemetry | Telemetry showed a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as local user Kmitnick followed by an event for the credentials being validated by the DC. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] |
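The two telemetry patterns the notes above rely on are both "many distinct values from one source in a short window": one process (powershell.exe running Find-LocalAdminAccess) reaching many hosts on port 135, and one source host failing logons against many accounts, followed by a success. The following is an added example, not code from the evaluation or from any vendor; it runs one generic sliding-window counter over constructed sample events whose field names (`time`, `host`, `image`, `dst_ip`, `dst_port`, `source`, `user`, `target`, `status`) are assumptions modelled on Sysmon network-connection and Windows logon records, and it goes slightly beyond the notes by also pairing a spray alert with the later successful logon from the same source.

```python
"""Sliding-window detectors for RPC fan-out and password spraying.

Added example; the events below are constructed, not evaluation data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

_T0 = datetime(2024, 1, 1, 10, 0, 0)


def _ts(seconds):
    """ISO timestamp `seconds` after the constructed base time."""
    return (_T0 + timedelta(seconds=seconds)).isoformat()


# Constructed network-connection events (assumed Sysmon-like field names):
# powershell.exe touches 12 hosts on 135, svchost.exe touches one, and one
# powershell.exe connection goes to 445 and must be ignored.
NETWORK_EVENTS = [
    {"time": _ts(i), "host": "WS1", "image": "powershell.exe",
     "dst_ip": f"10.0.0.{10 + i}", "dst_port": 135}
    for i in range(12)
] + [
    {"time": _ts(5), "host": "WS1", "image": "svchost.exe",
     "dst_ip": "10.0.0.3", "dst_port": 135},
    {"time": _ts(6), "host": "WS1", "image": "powershell.exe",
     "dst_ip": "10.0.0.9", "dst_port": 445},
]

# Constructed logon events: WS1 fails six different accounts against
# 10.0.0.5 ten seconds apart, then succeeds as Kmitnick; WS2 fails once.
LOGON_EVENTS = [
    {"time": _ts(60 + 10 * i), "source": "WS1", "target": "10.0.0.5",
     "user": u, "status": "FAILED"}
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + [
    {"time": _ts(120), "source": "WS1", "target": "10.0.0.5",
     "user": "Kmitnick", "status": "SUCCESS"},
    {"time": _ts(60), "source": "WS2", "target": "10.0.0.5",
     "user": "alice", "status": "FAILED"},
]


def _distinct_in_window(events, key_fn, value_fn, min_distinct, window_s):
    """For each key, count distinct values seen within `window_s` seconds
    and report keys that reach `min_distinct`; key_fn returns None to skip."""
    alerts = {}
    seen = defaultdict(deque)  # key -> deque of (time, value)
    for ev in sorted(events, key=lambda e: e["time"]):
        key = key_fn(ev)
        if key is None:
            continue
        t = datetime.fromisoformat(ev["time"])
        q = seen[key]
        q.append((t, value_fn(ev)))
        while (t - q[0][0]).total_seconds() > window_s:  # drop stale entries
            q.popleft()
        distinct = {v for _, v in q}
        if len(distinct) >= min_distinct:
            prev = alerts.get(key)
            if prev is None or len(distinct) > prev["distinct"]:
                alerts[key] = {"distinct": len(distinct),
                               "window_start": q[0][0].isoformat(),
                               "window_end": t.isoformat()}
    return alerts


def detect_rpc_fanout(events, min_hosts=8, window_s=60):
    """Process that connects to >= min_hosts distinct hosts on 135 in window_s."""
    return _distinct_in_window(
        events,
        key_fn=lambda e: (e["host"], e["image"]) if e["dst_port"] == 135 else None,
        value_fn=lambda e: e["dst_ip"],
        min_distinct=min_hosts, window_s=window_s)


def detect_password_spray(events, min_users=5, window_s=300):
    """Source that fails logons for >= min_users distinct accounts in window_s."""
    return _distinct_in_window(
        events,
        key_fn=lambda e: e["source"] if e["status"] == "FAILED" else None,
        value_fn=lambda e: e["user"].lower(),
        min_distinct=min_users, window_s=window_s)


def successes_after_spray(logon_events, spray_alerts):
    """Successful logons from a sprayed source at or after the spray window began."""
    hits = []
    for ev in sorted(logon_events, key=lambda e: e["time"]):
        a = spray_alerts.get(ev["source"])
        if a and ev["status"] == "SUCCESS" and ev["time"] >= a["window_start"]:
            hits.append((ev["source"], ev["user"], ev["target"]))
    return hits


if __name__ == "__main__":
    fanout = detect_rpc_fanout(NETWORK_EVENTS)
    spray = detect_password_spray(LOGON_EVENTS)
    print("RPC fan-out:", fanout)
    print("Password spray:", spray)
    print("Success after spray:", successes_after_spray(LOGON_EVENTS, spray))
```

Thresholds and window sizes are illustrative; in practice they are tuned against the baseline of the environment (administrative tooling that legitimately enumerates hosts over 135 will otherwise fire the first rule), and the spray rule is usually keyed on the source address rather than the target account so that one-attempt-per-account sprays are not missed.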