FireEye: Defense Evasion (TA0005)

Carbanak+FIN7

Step | ATT&CK Pattern
1.A.4 | Obfuscated Files or Information (T1027)
1.A.5 |
1.A.6 |
3.A.2 | Modify Registry (T1112)
3.A.3 | Obfuscated Files or Information (T1027)
3.B.5 |
4.B.4 | Modify Registry (T1112)
5.C.6 |
7.A.4 |
9.A.3 | Process Injection (T1055)
9.B.3 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
10.A.3 | Impair Defenses (T1562): Disable or Modify System Firewall (T1562.004)
10.A.5 | Modify Registry (T1112)
10.A.6 | Modify Registry (T1112)
11.A.2 | Obfuscated Files or Information (T1027)
11.A.5 |
11.A.6 |
13.A.4 | Virtualization/Sandbox Evasion (T1497): System Checks (T1497.001)
14.A.3 |
14.A.5 |
16.A.7 |
17.A.2 | Masquerading (T1036): Match Legitimate Name or Location (T1036.005)
18.A.1 | Process Injection (T1055)
18.A.3 | Process Injection (T1055)
19.B.2 | Obfuscated Files or Information (T1027)
20.A.2 | Process Injection (T1055)
APT29

Step | ATT&CK Pattern
1.A.2 |
3.A.2 |
3.C.1 | Modify Registry (T1112)
4.A.3 |
4.B.2 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
4.B.3 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
4.B.4 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
6.A.3 | Masquerading (T1036): Match Legitimate Name or Location (T1036.005)
8.B.2 |
8.C.1 |
9.C.1 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
9.C.2 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
9.C.3 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
9.C.4 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
10.B.3 |
11.A.2 |
11.A.3 | Virtualization/Sandbox Evasion (T1497): System Checks (T1497.001)
11.A.10 |
12.A.2 | Indicator Removal on Host (T1070): Timestomp (T1070.006)
14.A.3 | Modify Registry (T1112)
14.B.5 | Obfuscated Files or Information (T1027)
14.B.6 |
17.C.2 | Obfuscated Files or Information (T1027)
Procedure
Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria
Evidence that accesschk.exe is not the legitimate Sysinternals tool
Footnotes
- The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.
Procedure
Deleted rar.exe on disk using SDelete
Criteria
sdelete64.exe deleting the file rar.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted working.zip (from Desktop) on disk using SDelete
Criteria
sdelete64.exe deleting the file \Desktop\working.zip
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted SDelete on disk using cmd.exe del command
Criteria
cmd.exe deleting the file sdelete64.exe
Procedure
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Procedure
Decoded an embedded DLL payload to disk using certutil.exe
Criteria
certutil.exe decoding kxwn.lock
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
APT3

Step | ATT&CK Pattern
3.A.1.2 |
5.B.1 |
16.C.1 |
16.I.1.2 |
17.B.1 |
17.B.2 |
19.A.1.1 | Masquerading (T1036)
19.B.1.3 | Masquerading (T1036)
19.D.1 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
19.D.2 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
Procedure
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Procedure
Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
Footnotes
- Managed Defense Report (see the note on Managed Defense Reports under the previous entry).
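The criteria above (SDelete wiping rar.exe and working.zip, cmd.exe deleting sdelete64.exe, hostui.exe starting powershell.exe through CreateProcessWithToken, certutil.exe decoding kxwn.lock, a non-Sysinternals accesschk.exe) and the two APT3 entries (a renamed WinRAR binary executed as recycler.exe) all reduce to checks a detection engineer can run over endpoint telemetry. The block below is an added example written for this page; it is not code from MITRE, FireEye or the evaluation. The Event fields mimic Sysmon-style process-creation, file-delete and API-monitoring records, the SAMPLE_EVENTS are constructed rather than captured, the certutil output name and the user path are made up, and the OriginalFileName value for the renamed WinRAR copy is assumed.

```python
"""Detection rules for the Defense Evasion procedures on this page (added
example; not MITRE's or FireEye's code). Telemetry fields and sample events
are constructed to resemble Sysmon output, not captured from the evaluation."""
import re
from dataclasses import dataclass

MS_SIGNER = "Microsoft Corporation"
# Assumption: a binary carrying one of these Sysinternals names must be
# Microsoft-signed; anything else is treated as a masquerade.
SYSINTERNALS_NAMES = {"accesschk.exe", "sdelete.exe", "sdelete64.exe"}


@dataclass
class Event:
    image: str                    # path of the acting process
    cmdline: str = ""             # logged command line
    signer: str = ""              # Authenticode signer subject, "" if unsigned
    original_file_name: str = ""  # OriginalFileName from the PE version resource
    target_file: str = ""         # file touched (file-delete events)
    api: str = ""                 # API name (API-monitoring events)
    target_image: str = ""        # process affected by the API call


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Each rule returns an alert message, or None when the event is clean.
def rule_sdelete_wipe(e: Event):
    """SDelete securely deleting a file (File Deletion, T1070.004)."""
    if basename(e.image).startswith("sdelete") and e.target_file:
        return f"SDelete wiped {e.target_file}"


def rule_tool_cleanup(e: Event):
    """cmd.exe 'del' removing the wiping tool itself (T1070.004)."""
    if (basename(e.image) == "cmd.exe" and re.search(r"\bdel\b", e.cmdline, re.I)
            and "sdelete" in (e.cmdline + e.target_file).lower()):
        return f"cmd.exe deleted the wiper: {e.cmdline}"


def rule_certutil_decode(e: Event):
    """certutil -decode writing an embedded payload to disk (T1027)."""
    if basename(e.image) == "certutil.exe" and re.search(r"-decode(hex)?\b", e.cmdline, re.I):
        return f"certutil decoded a payload: {e.cmdline}"


def rule_token_theft(e: Event):
    """CreateProcessWithToken used to launch PowerShell under another token."""
    if e.api.startswith("CreateProcessWithToken") and basename(e.target_image) == "powershell.exe":
        return f"{basename(e.image)} launched powershell.exe via {e.api}"


def rule_masquerade(e: Event):
    """File name does not match what the binary actually is (T1036)."""
    name = basename(e.image)
    if name in SYSINTERNALS_NAMES and e.signer != MS_SIGNER:
        return f"{name} is not Microsoft-signed (signer: {e.signer or 'none'})"
    # Renamed copy of a legitimate tool: on-disk name differs from OriginalFileName.
    if e.original_file_name and basename(e.original_file_name) != name:
        return f"{name} is really {e.original_file_name}"


RULES = [rule_sdelete_wipe, rule_tool_cleanup, rule_certutil_decode,
         rule_token_theft, rule_masquerade]


def run_rules(events):
    """Apply every rule to every event; returns [(rule name, message), ...]."""
    alerts = []
    for e in events:
        for rule in RULES:
            msg = rule(e)
            if msg:
                alerts.append((rule.__name__, msg))
    return alerts


# Constructed sample telemetry: the first seven should alert, the last two must not.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\Temp\sdelete64.exe", "sdelete64.exe -p 2 rar.exe", MS_SIGNER,
          target_file=r"C:\Windows\Temp\rar.exe"),
    Event(r"C:\Windows\Temp\sdelete64.exe", r"sdelete64.exe -p 2 C:\Users\user\Desktop\working.zip",
          MS_SIGNER, target_file=r"C:\Users\user\Desktop\working.zip"),
    Event(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\Windows\Temp\sdelete64.exe",
          MS_SIGNER, target_file=r"C:\Windows\Temp\sdelete64.exe"),
    Event(r"C:\Windows\Temp\hostui.exe", api="CreateProcessWithTokenW",
          target_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event(r"C:\Windows\System32\certutil.exe", "certutil.exe -decode kxwn.lock payload.dll", MS_SIGNER),
    Event(r"C:\Windows\Temp\accesschk.exe", "accesschk.exe"),                 # unsigned
    Event(r"C:\Windows\Temp\recycler.exe", "recycler.exe a out.rar C:\\docs",
          original_file_name="Rar.exe"),                                       # assumed value
    Event(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\Temp\build.log",
          MS_SIGNER, target_file=r"C:\Temp\build.log"),
    Event(r"C:\Tools\accesschk.exe", "accesschk.exe -s", MS_SIGNER, original_file_name="accesschk.exe"),
]

if __name__ == "__main__":
    for rule_name, msg in run_rules(SAMPLE_EVENTS):
        print(f"[{rule_name}] {msg}")
```

Two caveats for production use. The masquerade rule only compares the signer subject string; a real pipeline should check that the Authenticode signature actually verifies (for instance with Sysinternals sigcheck or PowerShell's Get-AuthenticodeSignature) rather than trusting a recorded name. And the accesschk.exe detection on this page was only counted as a Detection Configuration Change because the logic was switched on after the evaluation started, which is exactly the gap a standing name-versus-signature baseline like this closes.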