Cybereason: Command and Control (TA0011)

Carbanak+FIN7

Step | ATT&CK Pattern
1.A.10 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
1.A.11 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
2.B.1 | Technique: Ingress Tool Transfer (T1105)
3.B.1 | Technique: Ingress Tool Transfer (T1105)
3.B.7 | Technique: Non-Application Layer Protocol (T1095)
4.B.1 | Technique: Ingress Tool Transfer (T1105)
4.B.2 | Technique: Ingress Tool Transfer (T1105)
5.A.1 | Technique: Ingress Tool Transfer (T1105)
5.A.2 | Technique: Ingress Tool Transfer (T1105)
5.A.3 | Technique: Ingress Tool Transfer (T1105)
5.A.4 | Technique: Ingress Tool Transfer (T1105)
5.A.5 | Technique: Ingress Tool Transfer (T1105)
7.A.1 | Technique: Ingress Tool Transfer (T1105)
7.A.3 | Technique: Application Layer Protocol (T1071)
7.C.1 | Technique: Ingress Tool Transfer (T1105)
7.C.3 | Technique: Ingress Tool Transfer (T1105)
8.A.2 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
8.A.3 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
9.A.1 | Technique: Ingress Tool Transfer (T1105)
9.B.1 | Technique: Ingress Tool Transfer (T1105)
10.A.1 | Technique: Ingress Tool Transfer (T1105)
10.A.2 | Technique: Ingress Tool Transfer (T1105)
10.B.1 | Technique: Remote Access Software (T1219)
12.A.3 | Technique: Application Layer Protocol (T1071)
12.B.1 | Technique: Ingress Tool Transfer (T1105)
13.B.1 | Technique: Ingress Tool Transfer (T1105)
14.A.6 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
14.A.7 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
15.A.2 | Technique: Ingress Tool Transfer (T1105)
15.A.3 | Technique: Ingress Tool Transfer (T1105)
16.A.1 | Technique: Ingress Tool Transfer (T1105)
16.A.2 | Technique: Ingress Tool Transfer (T1105)
16.A.8 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
16.A.9 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
17.A.1 | Technique: Ingress Tool Transfer (T1105)
17.A.5 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
17.A.6 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
19.A.3 | Technique: Proxy (T1090)
19.B.3 | Technique: Ingress Tool Transfer (T1105)
19.B.4 | Technique: Ingress Tool Transfer (T1105)
20.A.3 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
20.A.4 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
20.B.1 | Technique: Ingress Tool Transfer (T1105)
20.B.3 | Technique: Ingress Tool Transfer (T1105)
APT29

Step | ATT&CK Pattern
1.A.3 | Technique: Non-Application Layer Protocol (T1095)
1.A.4 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Symmetric Cryptography (T1573.001)
3.A.1 | Technique: Ingress Tool Transfer (T1105)
3.B.3 | Technique: Commonly Used Port (T1043)
3.B.4 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
3.B.5 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
4.A.1 | Technique: Ingress Tool Transfer (T1105)
8.B.1 | Technique: Ingress Tool Transfer (T1105)
9.A.1 | Technique: Ingress Tool Transfer (T1105)
9.A.2 | Technique: Ingress Tool Transfer (T1105)
9.B.8 |
11.A.13 | Technique: Commonly Used Port (T1043)
11.A.14 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
11.A.15 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
14.B.3 | Technique: Ingress Tool Transfer (T1105)
18.A.1 | Technique: Web Service (T1102)
Procedure and criteria notes

Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS

Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted

Procedure: Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria: Established network channel over the HTTPS protocol
Footnotes
- Although telemetry showed a network connection over port 443, no protocol was identified for this traffic, so detection does not apply.

Procedure: Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Footnotes
- Although telemetry showed a network connection over port 443, no protocol was identified for this traffic, so detection does not apply.
APT3

Step | ATT&CK Pattern
1.C.1.1 | Technique: Commonly Used Port (T1043)
1.C.1.2 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: DNS (T1071.004)
1.C.1.3 |
6.B.1.1 | Technique: Commonly Used Port (T1043)
6.B.1.2 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
6.B.1.3 | Technique: Multiband Communication (T1026)
7.B.1 | Technique: Ingress Tool Transfer (T1105)
11.B.1.1 | Technique: Commonly Used Port (T1043)
11.B.1.2 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
11.B.1.3 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
14.A.1.2 | Technique: Ingress Tool Transfer (T1105)
14.A.1.3 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
14.A.1.4 | Technique: Commonly Used Port (T1043)
16.E.1 | Technique: Ingress Tool Transfer (T1105)
19.A.1.2 | Technique: Ingress Tool Transfer (T1105)
Procedure and criteria notes

Procedure: Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080
Footnotes
- For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.