Carbanak+FIN7

| Step | ATT&CK Pattern | Data Sources | Detection Type | Detection Note |
| --- | --- | --- | --- | --- |
| 1.A.3 | wscript.exe executes unprotected.vbe | | Technique | A Technique detection named "T1059" was generated when an Office application launched a child process that can execute scripts. |
| 1.A.3 | wscript.exe executes unprotected.vbe | | Technique | A Technique detection named "Command and Scripting Interpreter" (Yellow) was generated when unprotected.vbe was spawned from wscript.exe. |
| 1.A.3 | wscript.exe executes unprotected.vbe | | Technique (Delayed: delayed results due to sandbox execution) | A Technique detection named "Scripting" was generated when scripting content was found during sandbox analysis of 1-list.rtf. |
| 1.A.7 | wscript.exe executes starter.vbs | | Tactic | A Tactic detection named "Execution" (Orange) was generated when wscript.exe executed starter.vbs. |
| 8.A.1 | wscript.exe spawns Java-Update.exe | File Monitoring, Process Monitoring | Technique | A Technique detection named "Executed script with wscript" was generated when wscript.exe spawned Java-Update.exe. |
| 11.A.4 | mshta.exe executes an embedded VBScript payload | Process Monitoring, DLL Monitoring | Technique | A Technique detection named "Executed suspicious JavaScript or VBScript via mshta application" (Orange) was generated when a suspicious script was executed via mshta.exe. |
| 11.A.4 | mshta.exe executes an embedded VBScript payload | Process Monitoring, DLL Monitoring | Technique | A Technique detection named "MSHTA acting as VBScript interpreter" (Yellow) was generated when mshta.exe was used to execute in-line VBScript. |
APT29

The sub-technique was not in scope.
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 11.A.1 | Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed) | Specific Behavior | A Specific Behavior alert was generated for decoding and running encoded scripting sources from another process (wscript.exe). The alert was tagged with the correct ATT&CK Tactics (Defense Evasion, Execution) and Technique (PowerShell). |
| 11.A.1 | Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed) | Specific Behavior | A Specific Behavior alert was generated for PowerShell commands being executed from another process (wscript.exe). The alert was tagged with the correct ATT&CK Tactic (Execution) and Technique (PowerShell). |
| 11.A.1 | Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed) | Specific Behavior | A Specific Behavior alert was generated for PowerShell execution with a very long command line. The alert was tagged with the correct ATT&CK Tactics (Defense Evasion, Execution) and Techniques (Scripting, PowerShell). |
| 11.A.1 | Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed) | Specific Behavior | A Specific Behavior alert was generated for the VBScript interpreter launching a suspicious PowerShell process. The alert was tagged with the correct ATT&CK Tactics (Defense Evasion, Execution) and Techniques (Scripting, PowerShell). |
| 11.A.1 | Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed) | Enrichment | The capability enriched powershell.exe with the correct ATT&CK Tactic (Execution) and Technique (PowerShell) and a suspicious indicator that a PowerShell command was executed. |
| 11.A.1 | Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed) | Enrichment | The capability enriched wscript.exe with the correct ATT&CK Tactics (Defense Evasion, Execution) and Techniques (Scripting, PowerShell) and a suspicious indicator that the VBScript interpreter was executed. |
| 11.A.1 | Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed) | Telemetry (Tainted) | Telemetry showed wscript.exe (executing autoupdate.vbs) then spawning powershell.exe. The telemetry was tainted by a trace detection on wscript.exe. |