Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
9.B.3
|
|
|
A Technique detection was generated when powershell.exe deleted files from C:\Users\jsmith\AppData\Local\Temp\.
[1]
|
|
|
|
powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\
-
File Monitoring
-
Process Monitoring
[1]
powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\
-
Process Monitoring
-
File Monitoring
[1]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
4.B.2
|
|
|
A Technique alert detection (red indicator) was generated due to the use of SDelete to delete rcs.3aka3.doc.
[1]
[2]
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The event was correlated to a parent detection on "Bypass User Account Control".
[1]
[2]
|
|
4.B.3
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The event was correlated to a parent detection on "Bypass User Account Control".
[1]
[2]
|
|
A Technique alert detection (red indicator) was generated due to the use of SDelete to delete rcs.3aka3.doc.
[1]
[2]
|
|
4.B.4
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The event was correlated to a parent detection on "Bypass User Account Control".
[1]
[2]
|
|
A Technique alert detection (red indicator) was generated due to the use of SDelete to delete SysinternalsSuite.zip.
[1]
[2]
|
|
9.C.1
|
|
|
Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. The event was correlated to parent alert on New Windows Service Created.
[1]
[2]
|
|
A Technnique alert detection (red indicator) called "Sdelete Tool Ran" was generated when sdelete64.exe with command-line arguments was used to delete rar.exe.
[1]
[2]
|
|
An MSSP detection contained evidence of the deletion of Rar.exe by SDelete.
[1]
|
|
9.C.2
|
|
|
Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. The event was correlated to parent alert on New Windows Service Created.
[1]
[2]
|
|
A Technnique alert detection (red indicator) called "Sdelete Tool Ran" was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip.
[1]
[2]
|
|
An MSSP detection contained evidence of the deletion of working.zip by SDelete.
[1]
|
|
9.C.3
|
|
|
A Technnique alert detection (red indicator) called "Sdelete Tool Ran" was generated when sdelete64.exe with command-line arguments was used to delete rar.exe.
[1]
|
|
An MSSP detection contained evidence of the deletion of working.zip by SDelete.
[1]
|
|
Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. The event was correlated to parent alert on New Windows Service Created.
[1]
|
|
9.C.4
|
|
|
Telemetry showed cmd.exe deleting sdelete64.exe and file deletion event. The event was correlated to parent alert on New Windows Service Created.
[1]
|
|
Deleted rcs.3aka3.doc on disk using SDelete
sdelete64.exe deleting the file rcs.3aka3.doc
[1]
[2]
Deleted rcs.3aka3.doc on disk using SDelete
sdelete64.exe deleting the file rcs.3aka3.doc
[1]
[2]
Deleted Draft.zip on disk using SDelete
sdelete64.exe deleting the file draft.zip
[1]
[2]
Deleted Draft.zip on disk using SDelete
sdelete64.exe deleting the file draft.zip
[1]
[2]
Deleted SysinternalsSuite.zip on disk using SDelete
sdelete64.exe deleting the file SysinternalsSuite.zip
[1]
[2]
Deleted SysinternalsSuite.zip on disk using SDelete
sdelete64.exe deleting the file SysinternalsSuite.zip
[1]
[2]
Deleted rar.exe on disk using SDelete
sdelete64.exe deleting the file rar.exe
[1]
[2]
Deleted rar.exe on disk using SDelete
sdelete64.exe deleting the file rar.exe
[1]
[2]
Deleted rar.exe on disk using SDelete
sdelete64.exe deleting the file rar.exe
[1]
Deleted working.zip (from Desktop) on disk using SDelete
sdelete64.exe deleting the file \Desktop\working.zip
[1]
[2]
Deleted working.zip (from Desktop) on disk using SDelete
sdelete64.exe deleting the file \Desktop\working.zip
[1]
[2]
Deleted working.zip (from Desktop) on disk using SDelete
sdelete64.exe deleting the file \Desktop\working.zip
[1]
Deleted working.zip (from AppData directory) on disk using SDelete
sdelete64.exe deleting the file \AppData\Roaming\working.zip
[1]
Deleted working.zip (from AppData directory) on disk using SDelete
sdelete64.exe deleting the file \AppData\Roaming\working.zip
[1]
Deleted working.zip (from AppData directory) on disk using SDelete
sdelete64.exe deleting the file \AppData\Roaming\working.zip
[1]
Deleted SDelete on disk using cmd.exe del command
cmd.exe deleting the file sdelete64.exe
[1]
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
19.D.1
|
|
|
Telemetry showed powershell.exe deleting old.rar from the Recycle Bin. The telemetry was tainted by the parent \\"PowerShell executed encoded commands\\" alert.
[1]
|
|
19.D.2
|
|
|
Telemetry showed powershell.exe deleting recycler.exe. The telemetry was tainted by the parent \\"PowerShell executed encoded commands alert\\".
[1]
|
|
Empire: 'del C:\\"$\"Recycle.bin\old.rar'
-
Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
[1]
Empire: 'del recycler.exe'
-
Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
[1]