Carbanak+FIN7
The subtechnique was not in scope.

APT29
Step | ATT&CK Pattern | Detection Type | Detection Note
5.A.1 | Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup (powershell.exe creating the Javamtsup service) [1] | Technique (Correlated, Alert) | A Technique alert detection for "Suspicious Service registration" (medium severity) was generated due to the creation of the javamtsup service. This detection was correlated to a parent General detection that rcs.3aka3.doc was identified as a backdoor. [1]
5.A.1 | Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup (powershell.exe creating the Javamtsup service) [1] | Telemetry | Telemetry showed a registry event for the creation of the javamtsup service. [1]

APT3
Step | ATT&CK Pattern | Detection Type | Detection Note
16.I.1.1 | | Specific Behavior | A Specific Behavior alert was generated for the suspicious service registration of AdobeUpdater. [1] [2] [3] [4]
16.I.1.1 | | Telemetry | Telemetry from CodeRed showed sc.exe execution to remotely create the AdobeUpdater service with a binPath set to run cmd.exe with an argument to execute update.vbs on Creeper (tainted by a parent alert on a PowerShell script with suspicious content). Telemetry from Creeper showed the registry keys that were changed to add the new service. [1] [2] [3] [4]
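The two kinds of telemetry described in the detection notes above (a registry write that registers a service under the Services hive, and an sc.exe command line that creates a service on a remote host with a binPath that launches cmd.exe) can be turned into a small detection. The following is an added example written for this page; it is not code from the ATT&CK Evaluations or from any evaluated vendor. The event field names (event_type, host, image, command_line, target_object, details) are assumptions modelled loosely on Sysmon process and registry events, and the sample records are constructed: the APT29 host name and file paths are invented, while CodeRed, Creeper, AdobeUpdater and update.vbs are taken from the detection notes.

```python
"""Toy detector for suspicious Windows service registration (ATT&CK T1543.003).

Added example, not code from the ATT&CK Evaluations page or any evaluated
vendor. Field names are assumptions modelled loosely on Sysmon process and
registry events; SAMPLE_EVENTS is constructed for this example.
"""
import ntpath
import re
from dataclasses import dataclass

SERVICES_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)(\\.*)?$",
    re.IGNORECASE)
BINPATH_ARG = re.compile(r'binpath=\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# Binaries that are rarely a legitimate service entry point.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Where installer-registered service binaries normally live (site-specific assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")


@dataclass
class Finding:
    host: str
    service: str
    reasons: list


def _exe_of(cmd):
    """First token of a command string, honouring a leading double-quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def parse_sc_create(command_line):
    """Return (remote_host, service_name, binpath) for `sc [\\\\host] create ...`, else None."""
    tokens = command_line.split()
    idx = next((k for k, t in enumerate(tokens) if t.lower() == "create"), None)
    if idx is None or idx + 1 >= len(tokens):
        return None
    remote = tokens[idx - 1] if idx >= 1 and tokens[idx - 1].startswith("\\\\") else None
    m = BINPATH_ARG.search(command_line)
    binpath = (m.group(1) or m.group(2)) if m else ""
    return remote, tokens[idx + 1], binpath


def check_registry(ev):
    """Registry write under HKLM\\SYSTEM\\...\\Services\\<name> (APT29-style telemetry)."""
    m = SERVICES_KEY.match(ev.get("target_object", ""))
    if not m:
        return None
    service, subkey = m.group(1), (m.group(2) or "").lower()
    reasons = []
    writer = ntpath.basename(ev.get("image", "")).lower()
    # The SCM (services.exe) writes these keys for API-based creation; any other
    # writer means the service was registered by editing the registry directly.
    if writer != "services.exe":
        reasons.append(f"service key written by {writer} instead of services.exe")
    if subkey == "\\imagepath":
        exe = _exe_of(ev.get("details", "")).lower()
        if not exe.startswith(TRUSTED_DIRS):
            reasons.append(f"ImagePath outside trusted directories: {exe}")
    return Finding(ev["host"], service, reasons) if reasons else None


def check_process(ev):
    """sc.exe create with an interpreter in binPath and/or a remote target (APT3-style)."""
    if ntpath.basename(ev.get("image", "")).lower() != "sc.exe":
        return None
    parsed = parse_sc_create(ev.get("command_line", ""))
    if parsed is None:
        return None
    remote, service, binpath = parsed
    reasons = []
    launcher = ntpath.basename(_exe_of(binpath)).lower()
    if launcher in INTERPRETERS:
        reasons.append(f"binPath launches {launcher}: {binpath}")
    if remote:
        reasons.append(f"service created remotely on {remote}")
    return Finding(ev["host"], service, reasons) if reasons else None


def scan(events):
    """Run both checks over a list of event dicts and return the findings."""
    findings = []
    for ev in events:
        f = check_registry(ev) if ev.get("event_type") == "registry" else check_process(ev)
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry: WS01 and the file paths are invented;
# CodeRed, Creeper, AdobeUpdater and update.vbs come from the page.
SAMPLE_EVENTS = [
    {"event_type": "registry", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Services\javamtsup\ImagePath",
     "details": r"C:\Windows\Temp\javamtsup.exe"},
    {"event_type": "process", "host": "CodeRed", "image": r"C:\Windows\System32\sc.exe",
     "command_line": r'sc.exe \\Creeper create AdobeUpdater binPath= "cmd.exe /c C:\Windows\Temp\update.vbs" start= auto'},
    {"event_type": "registry", "host": "WS01", "image": r"C:\Windows\System32\services.exe",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
     "details": r"C:\Windows\System32\spoolsv.exe"},
    {"event_type": "process", "host": "CodeRed", "image": r"C:\Windows\System32\sc.exe",
     "command_line": "sc.exe query Spooler"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: service {f.service!r}: " + "; ".join(f.reasons))
```

Two of the four sample records produce findings: the javamtsup ImagePath written by powershell.exe outside the trusted directories, and the AdobeUpdater service created remotely on Creeper with cmd.exe as its binPath. The writer check only catches services registered by editing the registry directly; a service created through the SCM API (sc.exe, New-Service) shows up as a write by services.exe, which is why the sc.exe command line is parsed separately. TRUSTED_DIRS should be tuned to where your own service binaries are installed.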