Ingress Tool Transfer (T1105)

Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 2.B.1 | Tactic: Command and Control (TA0011) |
| 3.B.1 | Tactic: Command and Control (TA0011) |
| 4.B.1 | Tactic: Command and Control (TA0011) |
| 4.B.2 | Tactic: Command and Control (TA0011) |
| 5.A.1 | Tactic: Command and Control (TA0011) |
| 5.A.2 | Tactic: Command and Control (TA0011) |
| 5.A.3 | Tactic: Command and Control (TA0011) |
| 5.A.4 | Tactic: Command and Control (TA0011) |
| 5.A.5 | Tactic: Command and Control (TA0011) |
| 7.A.1 | Tactic: Command and Control (TA0011) |
| 7.C.1 | Tactic: Command and Control (TA0011) |
| 7.C.3 | Tactic: Command and Control (TA0011) |
| 9.A.1 | Tactic: Command and Control (TA0011) |
| 9.B.1 | Tactic: Command and Control (TA0011) |
| 10.A.1 | Tactic: Command and Control (TA0011) |
| 10.A.2 | Tactic: Command and Control (TA0011) |
| 12.B.1 | Tactic: Command and Control (TA0011) |
| 13.B.1 | Tactic: Command and Control (TA0011) |
| 15.A.2 | Tactic: Command and Control (TA0011) |
| 15.A.3 | Tactic: Command and Control (TA0011) |
| 16.A.1 | Tactic: Command and Control (TA0011) |
| 16.A.2 | Tactic: Command and Control (TA0011) |
| 17.A.1 | Tactic: Command and Control (TA0011) |
| 19.B.3 | Tactic: Command and Control (TA0011) |
| 19.B.4 | Tactic: Command and Control (TA0011) |
| 20.B.1 | Tactic: Command and Control (TA0011) |
| 20.B.3 | Tactic: Command and Control (TA0011) |

APT29

| Step | ATT&CK Pattern |
|---|---|
| 3.A.1 | Tactic: Command and Control (TA0011) |
| 4.A.1 | Tactic: Command and Control (TA0011) |
| 8.B.1 | Tactic: Command and Control (TA0011) |
| 9.A.1 | Tactic: Command and Control (TA0011) |
| 9.A.2 | Tactic: Command and Control (TA0011) |
| 14.B.3 | Tactic: Command and Control (TA0011) |

Procedure
Dropped stage 2 payload (monkey.png) to disk
Criteria
The rcs.3aka3.doc process creating the file monkey.png
Footnotes
- Expanding technique detection for Masquerading for rcs.3aka3.doc shows file write of monkey.png.
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.


Procedure
Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria
powershell.exe creating the file SysinternalsSuite.zip
Footnotes
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.
- Existing event details show correlation of detections.


Procedure
Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria
powershell.exe creating the file SysinternalsSuite.zip
Footnotes
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.


Procedure
Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria
The file python.exe created on Scranton (10.0.1.4)
Footnotes
- Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change.


Procedure
Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
Criteria
python.exe creating the file rar.exe
Procedure
Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)
Criteria
python.exe creating the file sdelete64.exe