Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
9.B.3
|
|
|
|
|
A Technique detection named "File Deletion" (High) was generated when powershell.exe deleted files from TEMP detected as CMD deleting sensitive documents (T1070).
[1]
[2]
|
|
powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\
[1]
powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\
-
File Monitoring
-
Process Monitoring
[1]
[2]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
4.B.2
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events.
[1]
|
|
A Technique alert detection (medium severity) called "Sdelete Usage" was generated due to sdelete64.exe deleting cod.3aka3.scr.
[1]
[2]
|
|
A MSSP detection for "Evading Detection" occurred containing evidence of sdelete64.exe deleting files.
[1]
|
|
4.B.3
|
|
|
A Technique alert detection (medium severity) called "Sdelete Usage" was generated due to sdelete64.exe deleting Draft.Zip.
[1]
[2]
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events.
[1]
|
|
A MSSP detection for "Evading Detection" occurred containing evidence of sdelete64.exe deleting files.
[1]
|
|
4.B.4
|
|
|
A Technique alert detection (medium severity) called "Sdelete Usage" was generated due to sdelete64.exe deleting SysinternalsSuite.zip.
[1]
[2]
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events.
[1]
|
|
A MSSP detection for "Evading Detection" occurred containing evidence of sdelete64.exe deleting files.
[1]
|
|
9.C.1
|
|
|
Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe.
[1]
|
|
A Technique alert detection (medium severity) called "Sdelete Usage" was generated when sdelete64.exe with command-line arguments was used to delete rar.exe.
[1]
|
|
A MSSP detection for "Evading Detection" occurred containing evidence of sdelete64.exe deleting files.
[1]
|
|
9.C.2
|
|
|
A Technique alert detection (medium severity) called "Sdelete Usage" was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip.
[1]
|
|
Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip.
[1]
[2]
|
|
A MSSP detection for "Evading Detection" occurred containing evidence of sdelete64.exe deleting files.
[1]
|
|
9.C.3
|
|
|
Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip.
[1]
|
|
A MSSP detection for "Evading Detection" occurred containing evidence of sdelete64.exe deleting files.
[1]
|
|
9.C.4
|
|
|
Telemetry showed a DeleteOnClose event for cmd.exe removing sdelete64.exe.
[1]
|
|
Deleted rcs.3aka3.doc on disk using SDelete
sdelete64.exe deleting the file rcs.3aka3.doc
[1]
Deleted rcs.3aka3.doc on disk using SDelete
sdelete64.exe deleting the file rcs.3aka3.doc
[1]
[2]
Deleted rcs.3aka3.doc on disk using SDelete
sdelete64.exe deleting the file rcs.3aka3.doc
[1]
Deleted Draft.zip on disk using SDelete
sdelete64.exe deleting the file draft.zip
[1]
[2]
Deleted Draft.zip on disk using SDelete
sdelete64.exe deleting the file draft.zip
[1]
Deleted Draft.zip on disk using SDelete
sdelete64.exe deleting the file draft.zip
[1]
Deleted SysinternalsSuite.zip on disk using SDelete
sdelete64.exe deleting the file SysinternalsSuite.zip
[1]
[2]
Deleted SysinternalsSuite.zip on disk using SDelete
sdelete64.exe deleting the file SysinternalsSuite.zip
[1]
Deleted SysinternalsSuite.zip on disk using SDelete
sdelete64.exe deleting the file SysinternalsSuite.zip
[1]
Deleted rar.exe on disk using SDelete
sdelete64.exe deleting the file rar.exe
[1]
Deleted rar.exe on disk using SDelete
sdelete64.exe deleting the file rar.exe
[1]
Deleted rar.exe on disk using SDelete
sdelete64.exe deleting the file rar.exe
[1]
Deleted working.zip (from Desktop) on disk using SDelete
sdelete64.exe deleting the file \Desktop\working.zip
[1]
Deleted working.zip (from Desktop) on disk using SDelete
sdelete64.exe deleting the file \Desktop\working.zip
[1]
[2]
Deleted working.zip (from Desktop) on disk using SDelete
sdelete64.exe deleting the file \Desktop\working.zip
[1]
Deleted working.zip (from AppData directory) on disk using SDelete
sdelete64.exe deleting the file \AppData\Roaming\working.zip
[1]
Deleted working.zip (from AppData directory) on disk using SDelete
sdelete64.exe deleting the file \AppData\Roaming\working.zip
[1]
Deleted SDelete on disk using cmd.exe del command
cmd.exe deleting the file sdelete64.exe
[1]