Carbanak+FIN7

Step | Detection Type | Detection Note | Screenshots
7.A.5 | Technique | A Technique detection named "Lateral Movement - Remote Desktop Protocol" (1/10) was generated when an RDP session was created from localhost over port 3389. | [1]
7.A.5 | Technique | A Technique detection named "Lateral Movement - Remote Services" (1/10) was generated when an RDP session was created from localhost over port 3389. | [1]
7.B.3 | Technique | A Technique detection named "llrules" was generated when a cookie was observed in an RDP connection request. | [1]
7.B.3 | Technique | A Technique detection named "Lateral Movement - Remote Services" (1/10) was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. | [1]
7.B.3 | Technique | A Technique detection named "Anomalous Network Interaction" (Low) was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. | [1]
7.B.3 | Technique | A Technique detection named "Lateral Movement - Remote Desktop Protocol" (1/10) was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. | [1]
7.B.3 | Technique | A Technique detection named "Lateral Movement - Successful RDP Connection" (1/10) was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. | [1]
19.A.2 | Technique | A Technique detection named "Lateral Movement - Remote Desktop Protocol" (1/10) was generated when an RDP session was created from itadmin (10.0.1.6) to accounting (10.0.1.7) over port 3389. | [1]
19.A.2 | Technique | A Technique detection named "RDP Protocol" (14/100) was generated when an RDP session was created from itadmin (10.0.1.6) to accounting (10.0.1.7) over port 3389. | [1] [2]
19.A.2 | Technique | A Technique detection named "Lateral Movement - Remote Services" (1/10) was generated when an RDP session was created from itadmin (10.0.1.6) to accounting (10.0.1.7) over port 3389. | [1]

Criteria and data sources (one line per detection row; the data sources are those credited for that row, and a row with none listed is marked as such)

7.A.5 criteria: RDP session from the localhost over TCP port 3389
  Process Monitoring, Network Monitoring [1]
  Process Monitoring, Windows Event Logs, Network Monitoring [1] [2]
  Network Monitoring, Process Monitoring [1]
7.B.3 criteria: RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389
  (no data sources listed) [1]
  Network Monitoring, Process Monitoring [1]
  Process Monitoring, Network Monitoring [1]
  (no data sources listed) [1]
  Network Monitoring, Process Monitoring [1]
  Network Monitoring, Process Monitoring [1]
19.A.2 criteria: RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389
  Network Monitoring, Process Monitoring [1]
  Network Monitoring, Process Monitoring [1] [2]
  (no data sources listed) [1] [2]
  Network Monitoring, Process Monitoring [1]
APT29

The subtechnique was not in scope.
APT3

Step | Procedure | Detection Type | Detection Note | Screenshots
6.C.1 | Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5) | Enrichment | The capability enriched the rdpclip.exe events with the correct ATT&CK Technique (Remote Desktop Protocol). | [1] [2] [3]
6.C.1 | Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5) | Telemetry | Telemetry showed a connection to 10.0.0.5 (Conficker) over TCP port 3389 as well as rdpclip.exe executing. | [1] [2] [3]
10.B.1.2 | RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism | Enrichment | The capability enriched rdpclip.exe with the correct ATT&CK Technique (Remote Desktop Protocol). | [1] [2]
10.B.1.2 | RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism | Telemetry | Telemetry within the process tree showed rdpclip.exe execution by the user Jesse on the destination system of the RDP connection. | [1] [2]
20.A.1.2 | RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism | None | Minimum detection criteria were not met for this procedure. |
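The rows above credit three kinds of evidence for an RDP session: a network connection to TCP 3389 (source side), an interactive remote logon, and rdpclip.exe starting on the destination (what the APT3 telemetry rows rely on). The following is an added example, not code from the evaluation or from any evaluated vendor, that correlates those three signals over constructed, Sysmon/Security-log-style records. It also treats a loopback connection to 3389 (the 7.A.5 case, where the RDP client talks to localhost and the session is tunnelled onward) as a separate flag, and reports rdpclip.exe launches with no matching connection, which is all a host-only sensor would see. The IP-to-host map, the event field names, the usernames and the timestamps are assumptions for the example.

```python
"""Correlate network, logon and process telemetry into RDP session findings (T1021.001).

Added example: the record layout is a simplified stand-in for Sysmon Event ID 3
(network connection, "net"), Security Event ID 4624 with LogonType 10 ("logon")
and Sysmon Event ID 1 (process creation, "proc"). Everything below is constructed.
"""
from datetime import datetime, timedelta

RDP_PORT = 3389
LOOPBACK = "127.0.0.1"
CORRELATION_WINDOW = timedelta(minutes=2)

# Assumed IP-to-hostname map; the names and addresses come from the evaluation notes.
HOSTS = {"10.0.0.4": "bankdc", "10.0.0.5": "cfo", "10.0.1.6": "itadmin", "10.0.1.7": "accounting"}

# Constructed sample telemetry (not taken from the evaluation).
SAMPLE_EVENTS = [
    # A bankdc -> cfo session corroborated on cfo by a type-10 logon and rdpclip.exe.
    {"ts": "2021-04-20T10:00:00", "host": "bankdc", "type": "net", "image": "mstsc.exe",
     "src_ip": "10.0.0.4", "dst_ip": "10.0.0.5", "dst_port": 3389},
    {"ts": "2021-04-20T10:00:03", "host": "cfo", "type": "logon", "logon_type": 10,
     "src_ip": "10.0.0.4", "user": "user1"},
    {"ts": "2021-04-20T10:00:05", "host": "cfo", "type": "proc", "image": "rdpclip.exe", "user": "user1"},
    # A loopback session on bankdc: the RDP client connects to 127.0.0.1:3389 (tunnelled).
    {"ts": "2021-04-20T10:05:00", "host": "bankdc", "type": "net", "image": "mstsc.exe",
     "src_ip": LOOPBACK, "dst_ip": LOOPBACK, "dst_port": 3389},
    {"ts": "2021-04-20T10:05:04", "host": "bankdc", "type": "proc", "image": "rdpclip.exe", "user": "user1"},
    # Unrelated HTTPS traffic that must not be flagged.
    {"ts": "2021-04-20T10:06:00", "host": "itadmin", "type": "net", "image": "chrome.exe",
     "src_ip": "10.0.1.6", "dst_ip": "10.0.1.200", "dst_port": 443},
    # rdpclip.exe on accounting with no observed inbound connection (host-only visibility).
    {"ts": "2021-04-20T10:30:00", "host": "accounting", "type": "proc", "image": "rdpclip.exe", "user": "user2"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _within(anchor, event, window):
    """True when event happens at or after anchor and no later than anchor + window."""
    return timedelta(0) <= _ts(event) - _ts(anchor) <= window


def destination_host(conn):
    """Resolve where the server side of a connection runs; loopback stays on the source host."""
    if conn["dst_ip"] == LOOPBACK:
        return conn["host"]
    return HOSTS.get(conn["dst_ip"], conn["dst_ip"])


def detect_rdp_sessions(events, window=CORRELATION_WINDOW):
    """One finding per connection to TCP 3389, with destination-side evidence in the window."""
    findings = []
    for conn in events:
        if conn["type"] != "net" or conn["dst_port"] != RDP_PORT:
            continue
        dst_host = destination_host(conn)
        evidence = ["network:%s->%s:%d" % (conn["src_ip"], conn["dst_ip"], conn["dst_port"])]
        for e in events:
            if e["host"] != dst_host or not _within(conn, e, window):
                continue
            if e["type"] == "logon" and e.get("logon_type") == 10:
                evidence.append("logon_type_10:%s" % e["user"])
            elif e["type"] == "proc" and e["image"].lower() == "rdpclip.exe":
                evidence.append("process:rdpclip.exe:%s" % e["user"])
        findings.append({
            "src_host": conn["host"],
            "dst_host": dst_host,
            "tunneled": LOOPBACK in (conn["src_ip"], conn["dst_ip"]),
            "evidence": evidence,
            "corroborated": len(evidence) > 1,
        })
    return findings


def uncorrelated_rdpclip(events, window=CORRELATION_WINDOW):
    """rdpclip.exe launches not preceded by a visible 3389 connection to that host."""
    conns = [e for e in events if e["type"] == "net" and e["dst_port"] == RDP_PORT]
    orphans = []
    for proc in events:
        if proc["type"] != "proc" or proc["image"].lower() != "rdpclip.exe":
            continue
        explained = any(destination_host(c) == proc["host"] and _within(c, proc, window) for c in conns)
        if not explained:
            orphans.append((proc["host"], proc["user"], proc["ts"]))
    return orphans


if __name__ == "__main__":
    for f in detect_rdp_sessions(SAMPLE_EVENTS):
        print(f)
    print("rdpclip.exe without a matching connection:", uncorrelated_rdpclip(SAMPLE_EVENTS))
```

The loopback flag is what separates the 7.A.5 rows from the others: a client connecting to 127.0.0.1:3389 on its own host means the session is being carried by something else (a tunnel or proxy), so the network record alone does not tell you where the operator really is, and the destination-side rdpclip.exe and logon evidence become the only way to place the session on a host.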