Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type (data sources listed) | Detection Note |
|---|---|---|---|
| 7.A.5 | RDP session from the localhost over TCP port 3389 [1] | Not listed | A Technique detection named "Successful inbound RDP connection from ::1" was generated when an RDP session was established from the localhost over TCP port 3389. [1] |
| 7.B.3 | RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389 [1] | Network Monitoring; Process Monitoring (listed for one of the entries) | (1) A Technique detection named "mstsc.exe established an outbound connection" was generated when an RDP session was established from 10.0.0.4 to 10.0.0.5 over TCP port 3389. [1] (2) A Technique detection named "Successful inbound RDP connection" was generated when an RDP session was established from 10.0.0.4 to 10.0.0.5 over TCP port 3389. [1] (3) A Technique detection named "kmitnick connected to the device through a Remote Desktop session" was generated when an RDP session was established by user kmitnick. [1] |
| 19.A.2 | RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389 [1] | Network Monitoring; Process Monitoring; Windows Event Logs (listed for two of the entries); Network Monitoring; Process Monitoring (listed for one entry) | (1) A Technique detection named "kmitnick connected to the device through a Remote Desktop session from 10.0.1.6" was generated when user kmitnick logged on to accounting (10.0.1.7) using a Remote Desktop session. [1] (2) A Technique detection named "Remote Desktop session" (Medium) was generated when an RDP session was created from itadmin (10.0.1.6) to accounting (10.0.1.7) over port 3389. [1] (3) A Technique detection named "Successful inbound RDP connection from 10.0.1.6" was generated when an RDP session was created from itadmin (10.0.1.6) to accounting (10.0.1.7) over port 3389. [1] |
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| n/a | n/a | n/a | The sub-technique was not in scope. |
APT3

| Step | Detection Note |
|---|---|
| 6.C.1 | Telemetry showed the execution sequence for cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker). Logon activity over the last 30 days on Conficker shows George with a logon type 10 RemoteInteractive logon event. Telemetry also showed George logged into Conficker and displayed a movement graph of activity from user account Debbie to George. [1] [2] [3] [4] |
| 10.B.1.2 | Telemetry showed a successful connection to Conficker (10.0.0.5) over port 3389 from rundll32.exe. [1] |
| 20.A.1.2 | Telemetry showed creation of a terminal services session on Creeper from CodeRed with corresponding logon by Kmitnick. [1] [2] |

ATT&CK Pattern entries listed for APT3 (no Detection Type is given for these steps):

- RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism [1]
- RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism [1] [2]