Carbanak+FIN7

The technique was not in scope.

APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 17.A.1 | | | Telemetry showed outlook.exe spawning from svchost.exe, which is indicative of programmatic access to Outlook emails. [1] |
| | | General (Configuration Change (Detections), Alert) | A General alert detection called "Unusual Outlook Parent Process" was generated due to Outlook being launched by a process other than explorer.exe. [1] |
| | | | An MSSP detection contained evidence that PowerShell collected email information from Outlook. [1] |

Dumped messages from the local Outlook inbox using PowerShell
outlook.exe spawning from svchost.exe or powershell.exe
[1]
The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
[1]

APT3

The technique was not in scope.