Carbanak+FIN7

| Step | ATT&CK Pattern (procedure; data sources) | Detection Type | Detection Note |
|---|---|---|---|
| (step not given) | pscp.exe connects over SCP (port 22) to 10.0.0.7; Network Monitoring, Process Monitoring | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote Services - SSH" (Medium) was generated when pscp.exe connected over SCP (port 22) to 10.0.0.7. |
| (step not given) | plink.exe connects over SSH (port 22) to 10.0.0.7; Process Monitoring, Network Monitoring | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote Services - SSH" (Medium) was generated when plink.exe connected over SSH (port 22) to 10.0.0.7. |
| 5.C.2 | psexec.py connects to SMB shares on 10.0.0.4; Process Monitoring, Network Monitoring | | A Technique detection named "Windows Admin Shares" (High) was generated when the Service Control Manager executed a file written by SMB. |
| 7.A.5 | RDP session from the localhost over TCP port 3389 | | |
| 7.B.3 | RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389; Process Monitoring, Network Monitoring, Windows Event Logs | | A Technique detection named "LateralMovementUserLogoninteractive" was generated when a logon event by kmitnick was detected as an RDP Login from a host exhibiting suspicious behavior. |
| 7.B.3 (cont.) | | | A Tactic detection named "Lateral Movement" was generated when an authenticated network connection occurred from bankdc (10.0.0.4) to cfo (10.0.0.5). |
| 16.A.5 | SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed; Process Monitoring, Network Monitoring, Windows Event Logs | | A Technique detection named "Windows Admin Shares" (High) was generated when the Service Control Manager executed a file written by SMB. |
| 19.A.2 | RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389; Windows Event Logs, Network Monitoring, Process Monitoring | | A Technique detection named "Remote Services" was generated when an RDP session was created from itadmin (10.0.1.6) to accounting (10.0.1.7). |
| 19.A.2 (cont.) | | | A Tactic detection named "Lateral Movement" was generated when an authenticated network connection was created from itadmin (10.0.1.6) to accounting (10.0.1.7) over port 3389. |
APT29

| Step | ATT&CK Pattern (procedure; expected evidence) | Detection Type | Detection Note |
|---|---|---|---|
| 8.A.2 | Established WinRM connection to remote host Scranton (10.0.1.4); network connection to Scranton (10.0.1.4) over port 5985 | | Telemetry showed a network connection to remote host Scranton (10.0.1.4) over port 5985. The event was correlated to a parent General detection for user execution of rcs.3aka.doc. |
| 8.C.2 | Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec; SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share | | A Technique alert detection (yellow indicator) called "Windows Admin Shares" was generated when python.exe was copied to Scranton via SMB. |
| 8.C.2 (cont.) | | | Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 135. |
| 16.C.1 | Established a WinRM connection to the domain controller host NewYork (10.0.0.4); network connection to NewYork (10.0.0.4) over port 5985 | | Telemetry showed powershell.exe making a network connection to remote host NewYork (10.0.0.4) over port 5985. The detection was correlated to a parent grouping of malicious activity. |
| 16.C.1 (cont.) | | | A Technique detection called "GenericWinRMLateralMovement" was generated when powershell.exe executed Invoke-WinRMSession to connect to remote host NewYork (10.0.0.4) with credentials for user MScott. The detection was correlated to a parent grouping of malicious activity. |
| 20.B.2 | Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials; network connection to Scranton (10.0.1.4) over port 5985 | | A Technique alert detection (red indicator) called "Execution via Windows Remote Management" was generated for WinRM execution based on the WSMProvHost process on the remote host Scranton (10.0.1.4). |
| 20.B.2 (cont.) | | | Telemetry showed PowerShell with an open network connection to the remote host Scranton (10.0.1.4) over port 5985. |
| 20.B.2 (cont.) | | | A Technique detection called "GenericWinRMLateralMovement" was generated based on PowerShell executing the Enter-PSSession cmdlet to open a network connection to the remote host Scranton (10.0.1.4). |

Note on step 16.C.1: all activity associated with an alert is grouped and correlated via the relevant detection tree.
APT3

| Step | ATT&CK Pattern (procedure) | Detection Type | Detection Note |
|---|---|---|---|
| 6.C.1 | Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5) | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because they identified suspicious communications over port 3389 (RDP) to other hosts. |
| 6.C.1 (cont.) | | | Telemetry showed a connection for logon type 10 (interactive logon) and a connection to 10.0.0.5 (Conficker) over TCP port 3389. |
| 10.B.1.2 | RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior occurred because they observed suspicious communications over port 3389 (RDP) to other hosts. |
| 10.B.1.2 (cont.) | | | Telemetry showed the remote connection to Conficker for a user logon by Jesse with type 10 (interactive) as well as the use of rdpclip.exe by the logged-on user. |
| 16.A.1.2 | Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6) | General Behavior (Delayed, Tainted) | OverWatch generated General Behavior alerts indicating the net use commands attempting logon to ADMIN$ shares were suspicious. The alerts were tainted by a parent powershell.exe detection. |
| 16.A.1.2 (cont.) | | General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network. |
| 16.A.1.2 (cont.) | | | Telemetry showed repeated logon attempts via net.exe with command-line arguments targeting ADMIN$ shares on the machines 10.0.1.4 (Morris) and 10.0.1.6 (Nimda). |
| 16.B.1.2 | Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5) | General Behavior (Tainted, Delayed) | OverWatch generated a General Behavior alert indicating the successful net use connection to ADMIN$ was suspicious. The alert was tainted by a parent powershell.exe detection. |
| 16.B.1.2 (cont.) | | General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network. |
| 16.B.1.2 (cont.) | | | Telemetry showed a logon attempt via net.exe with command-line arguments to connect to ADMIN$ on 10.0.0.5 (Conficker) as the user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a previous powershell.exe detection. |
| 16.D.1.1 | Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5) | General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network. |
| 16.D.1.1 (cont.) | | | Telemetry showed a logon attempt via net.exe with command-line arguments to the C$ share on 10.0.0.4 (Creeper) as the user Kmitnick. The telemetry was tainted by a previous powershell.exe detection. |
| 20.A.1.2 | RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism | | Telemetry showed a logon type 10 (remote interactive logon) for Kmitnick on Creeper, indicating an RDP session was established and logged into. |

Note on the General Behavior rows: OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.