Carbanak+FIN7
| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 1.A.3 | | | A General detection named "Antimalware detected wscript.exe executed with a suspicious command line - T1059 Command and Scripting Interpreter" (High) was generated when wscript.exe spawned unprotected.vbe. [1] |
| | | | A Technique detection named "Microsoft Office Suspicious Child - T1059.005 Visual Basic" was generated when wscript.exe spawned unprotected.vbe. [1] |
| 1.A.7 | | | A Technique detection named "SuspiciousProcessChain - T1059.005 Visual Basic" was generated when wscript.exe executed starter.vbs. [1] |
| | | | A General detection named "Antimalware detected wscript.exe executed a suspicious command line" (High) was generated when wscript.exe executed starter.vbs. [1] |
| 8.A.1 | | | A Technique detection named "SuspiciousComObjectUsed - T1059.005 Visual Basic" (Medium) was generated when wscript.exe used a suspicious COM object in the execution of Java-Update.vbs. [1] |
| | | | A Technique detection named "WscriptProcessExecuted - T1059.005 Visual Basic" was generated when wscript.exe executed Java-Update.vbs and spawned Java-Update.exe. [1] |
| 11.A.4 | | | A Technique detection named "Antimalware detected mshta.exe executed a suspicious command line - T1059 Command and Scripting Interpeter" (High) was generated when mshta.exe executed an embedded VBScript payload. [1] |
wscript.exe executes unprotected.vbe
-
Process Monitoring
-
File Monitoring
[1]
wscript.exe executes unprotected.vbe
[1]
[2]
wscript.exe executes unprotected.vbe
[1]
wscript.exe executes starter.vbs
[1]
wscript.exe executes starter.vbs
[1]
[2]
wscript.exe executes starter.vbs
[1]
wscript.exe spawns Java-Update.exe
-
Process Monitoring
-
System Calls/API Monitoring
[1]
wscript.exe spawns Java-Update.exe
[1]
wscript.exe spawns Java-Update.exe
[1]
mshta.exe executes an embedded VBScript payload
[1]
mshta.exe executes an embedded VBScript payload
-
File Monitoring
-
Process Monitoring
[1]
APT29
|
The subtechnique was not in scope.
|