Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
5.C.1
|
|
General
(Configuration Change (Detection Logic))
|
A General detection named "Impacket usage" (High) was generated when Python script detected as Impacket.
[1]
|
|
|
|
A Technique detection named " Ntlm hashes in arguments" (High) was generated when NTML hashed were found in arguments, a precursor to pass the hash.
[1]
|
|
psexec.py creates a logon to 10.0.0.4 as user kmitnick
[1]
psexec.py creates a logon to 10.0.0.4 as user kmitnick
-
Process Monitoring
-
Windows Event Logs
[1]
[2]
psexec.py creates a logon to 10.0.0.4 as user kmitnick
[1]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
20.B.1
|
|
|
A General alert detection (medium severity) was generated for a suspicious PowerShell command.
[1]
[2]
|
|
Telemetry showed PowerShell executing Invoke-Mimikatz to create and inject a golden ticket into the current session.
[1]
|
|
An MSSP detection occurred containing evidence of Mimikatz being used to execute a golden ticket attack impersonating mscott.
[1]
[2]
|
|
Created Kerberos Golden Ticket using Invoke-Mimikatz
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
[1]
[2]
Created Kerberos Golden Ticket using Invoke-Mimikatz
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
[1]
Created Kerberos Golden Ticket using Invoke-Mimikatz
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
[1]
[2]
APT3
|
The technique was not in scope.
|