Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 5.C.2 | psexec.py connects to SMB shares on 10.0.0.4 (data sources: Network Monitoring, Process Monitoring) [1] | Technique | A Technique detection named "SMB Traffic for Non-Standard Process" (Low) was generated when psexec.py connected to SMB shares on 10.0.0.4. [1] |
| 5.C.2 | psexec.py connects to SMB shares on 10.0.0.4 (data sources: Network Monitoring, Process Monitoring) [1] | Technique | A Technique detection named "Linux to Windows Lateral Movement via SMB" (Medium) was generated when psexec.py connected to 10.0.0.4 over port 445. [1] |
| 16.A.5 | SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed (data sources: Network Monitoring, Process Monitoring, RPC) [1] [2] | Technique | A Technique detection named "RPC traffic from non-standard process" (Low) was generated when paexec.exe communicated over port 135 to 10.0.1.6. [1] [2] |
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 8.C.2 | Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec. Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share [1] | MSSP | An MSSP detection occurred containing evidence of an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 445. [1] |
| 8.C.2 | Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec. Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share [1] | Telemetry (Correlated) | Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over port 135. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from a users or temporary folder. [1] |
| 8.C.2 | Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec. Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share [1] | Technique (Correlated, Alert) | A Technique alert was generated for an executable being copied to a remote host via a share. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from a users or temporary folder. [1] |
| 8.C.2 | Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec. Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share [1] [2] | Technique (Alert) | A Technique alert for network share access was generated due to remote access to a Windows admin share. [1] [2] |
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 16.A.1.2 | Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5) [1] | Specific Behavior | A Specific Behavior alert was generated for a net.exe logon attempt to ADMIN$. The alert was tagged with the correct ATT&CK Technique (Windows Admin Shares). [1] [2] [3] [4] |
| 16.A.1.2 | Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5) [1] | Telemetry (Tainted) | Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying. The telemetry was tainted by a parent alert on wscript.exe. [1] [2] [3] [4] |
| 16.B.1.2 | Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5) [1] | Telemetry (Tainted) | Telemetry showed a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as the local user Kmitnick. The telemetry was tainted by a parent alert on wscript.exe. [1] |
| 16.D.1.1 |  | Telemetry (Tainted) | Telemetry showed a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. The telemetry was tainted by a parent alert on wscript.exe. [1] |