Carbanak+FIN7
| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 11.A.8 | | Technique (Configuration Change (Data Sources), Configuration Change (Detection Logic)) | A Technique detection named "Potential task scheduling using Mshta" (Threat) was generated when mshta.exe loaded taskschd.dll and created a scheduled task. |
| 12.A.1 | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious system process executed from a Scheduled Task" (Warning) was generated when a previously scheduled task executed an unpopular process (Adb156.exe). |
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
- Windows Registry
- Process Monitoring
- File Monitoring
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
- Process Monitoring
- DLL Monitoring
- Increased collection of module load activity
svchost.exe (-s Schedule) spawns Adb156.exe