Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.C.4
|
|
|
|
|
A Technique detection named "Added content to registry executed at next Windows logon" (Blue) was generated when the Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
[1]
[2]
|
|
A Technique detection named "Detected suspicious file extension in autorun registry" (Orange) was generated when a .vbs file (Java-Update.vbs) was set to execute from a Registry run key.
[1]
[2]
[3]
|
|
10.A.4
|
|
|
A Technique detection named "T1060 New Startup Program Creation" (Critical) was generated when tvncontrol subkey was added to HKLM\Software\Microsoft\CurrentVersion\Run.
[1]
|
|
A Tactic detection named "Installed MSI package in non-interactive or quiet mode" was generated when msiexec.exe was used to quietly install TightVNC.
[1]
|
|
|
|
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[1]
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[1]
[2]
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[1]
[2]
[3]
msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run
-
Process Monitoring
-
Windows Registry
[1]
msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run
[1]
msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run
-
Windows Registry
-
Process Monitoring
[1]
[2]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
5.B.1
|
|
|
A Technique alert detection (yellow indicator) called "Registry Run Keys / Startup Folder" was generated due to an application being set to run when Windows starts.
[1]
|
|
Telemetry showed the creation of hostui.lnk in the Startup folder. The event was correlated to a parent alert for a suspicious PowerShell.
[1]
|
|
10.B.1
|
|
|
Minimum detection criteria was not met for this procedure.
|
|
11.A.11
|
|
|
Minimum detection criteria was not met for this procedure.
|
|
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
powershell.exe creating the file hostui.lnk in the Startup folder
[1]
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
powershell.exe creating the file hostui.lnk in the Startup folder
[1]
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
1.B.1
|
|
|
A Specific Behavior alert was generated for \"An exe/bat/lnk/dll file has been copied or renamed in the Windows Startup Folder\" for persistence based on pdfhelper.cmd. The alert was tagged with the correct ATT&CK Tactic (Persistence) and Technique (Registry Run Keys / Start Folder).
[1]
|
|
10.A.1
|
|
|
Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder, then update.dat via rundll32.exe.
[1]
|
|
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
[1]
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
[1]