Carbanak+FIN7

Step | ATT&CK Pattern | Detection Type | Detection Note
20.B.4 | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Creation of an Archive Via 7zip Command Line" (Informational) was generated when 7za.exe created C:\Users\Public\log.7z. [1]

Criteria | Data Sources | Note
7za.exe creates C:\Users\Public\log.7z | File Monitoring, Process Monitoring [1] | New detection logic was applied for mapping specific techniques. [1]
APT29

Step | ATT&CK Pattern | Detection Type | Detection Note
2.A.4 | | Telemetry | Telemetry showed powershell.exe compressing via Compress-Archive. [1]
2.A.4 | | MSSP | An MSSP detection occurred showing evidence of powershell.exe compressing via Compress-Archive. [1]
2.A.5 | | Telemetry | Telemetry showed the creation of Draft.Zip. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
2.A.5 | | MSSP | An MSSP detection occurred for PowerShell storing files in a zip file. [1]
7.B.2 | | Telemetry | Telemetry showed the file create event for OfficeSupplies.7z. [1]
7.B.2 | | MSSP | An MSSP detection occurred containing evidence of the OfficeSupplies.7z file create. [1]
7.B.3 | | MSSP | An MSSP detection occurred containing evidence that the 7z file was password protected. [1]
9.B.6 | | Telemetry | Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent alert for service execution on python.exe. [1]
9.B.6 | | MSSP | An MSSP detection occurred for rar.exe executing with command-line arguments. [1]
9.B.7 | | MSSP | An MSSP detection occurred for Data Compressed, generated because powershell.exe executed rar.exe with command-line arguments indicative of compression. [1]
9.B.7 | | Telemetry | Telemetry showed powershell.exe executing rar.exe. The detection was correlated to a parent alert for service execution on python.exe. [1]
17.C.1 | | Telemetry | Telemetry showed PowerShell loading a DLL associated with compression and the subsequent creation of the tmp folder (identified as a ZIP). [1]
17.C.1 | | MSSP | An MSSP detection occurred containing evidence of data compression. [1]
Procedure | Criteria
Compressed and stored files into ZIP (Draft.zip) using PowerShell | powershell.exe executing Compress-Archive [1]
Staged files for exfiltration into ZIP (Draft.zip) using PowerShell | powershell.exe creating the file draft.zip [1]
Compressed data from the user's Downloads directory into a 7-Zip archive (OfficeSupplies.7z) using PowerShell | powershell.exe creating the file OfficeSupplies.7z [1]
Encrypted data from the user's Downloads directory using PowerShell | powershell.exe executing Compress-7Zip with the password argument used for encryption [1]
Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe | powershell.exe executing rar.exe with the -hp switch (header password) supplying a password to use for encryption [1]
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe | powershell.exe executing rar.exe [1]
Compressed a staging directory using PowerShell | powershell.exe executing the ZipFile.CreateFromDirectory .NET method [1]
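The rows above describe four detection patterns for archiving collected data: an archive utility (7za.exe, rar.exe) starting with compression arguments, powershell.exe running Compress-Archive, Compress-7Zip or the .NET ZipFile.CreateFromDirectory method, a .zip/.7z/.rar file being created, and a password switch on the command line marking the archive as encrypted. The following is an added Python example, not part of the evaluation results or of any vendor's product, that runs that logic over constructed sample process-create and file-create events (field names loosely modeled on Sysmon EventID 1 and 11), correlates each hit to its parent process the way the MSSP rows correlate to a parent alert, and flags the password-protected cases. The event field names, paths, pids, the password value Secret1 and the detection labels are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample telemetry (not taken from the evaluation). Field names are loosely
# modeled on Sysmon EventID 1 (ProcessCreate) and EventID 11 (FileCreate); the paths,
# pids and the password value are assumptions made for this example.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 1200, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"kind": "process", "pid": 3000, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    # 7za.exe archiving into C:\Users\Public (the Carbanak+FIN7 20.B.4 pattern)
    {"kind": "process", "pid": 4100, "ppid": 3000, "image": r"C:\Users\Public\7za.exe",
     "cmdline": r"7za.exe a C:\Users\Public\log.7z C:\Users\Public\*.txt"},
    {"kind": "file", "pid": 4100, "image": r"C:\Users\Public\7za.exe", "target": r"C:\Users\Public\log.7z"},
    # Compress-Archive writing Draft.zip (the APT29 2.A.4 / 2.A.5 pattern)
    {"kind": "process", "pid": 5200, "ppid": 1200, "image": PS,
     "cmdline": r'powershell.exe -c "Compress-Archive -Path C:\Users\pam\Documents\* -DestinationPath C:\Users\pam\Desktop\Draft.zip"'},
    {"kind": "file", "pid": 5200, "image": PS, "target": r"C:\Users\pam\Desktop\Draft.zip"},
    # Compress-7Zip with a -Password argument (7.B.2 / 7.B.3)
    {"kind": "process", "pid": 5300, "ppid": 1200, "image": PS,
     "cmdline": r'powershell.exe -c "Compress-7Zip -Path C:\Users\pam\Downloads -ArchiveFileName C:\Users\pam\Desktop\OfficeSupplies.7z -Password Secret1"'},
    # rar.exe spawned by powershell.exe with a header password (9.B.6 / 9.B.7)
    {"kind": "process", "pid": 5400, "ppid": 1200, "image": PS, "cmdline": "powershell.exe"},
    {"kind": "process", "pid": 5401, "ppid": 5400, "image": r"C:\Users\pam\AppData\Roaming\rar.exe",
     "cmdline": r"rar.exe a -hpSecret1 C:\Users\pam\Desktop\working.zip C:\Users\pam\AppData\Roaming\working.zip"},
    # .NET ZipFile.CreateFromDirectory called from PowerShell (17.C.1)
    {"kind": "process", "pid": 5500, "ppid": 1200, "image": PS,
     "cmdline": r'''powershell.exe -c "[IO.Compression.ZipFile]::CreateFromDirectory('C:\Users\pam\AppData\Local\Temp\staging', 'C:\Users\pam\AppData\Local\Temp\staging.zip')"'''},
    # Benign controls: neither should produce a detection
    {"kind": "process", "pid": 6000, "ppid": 1200, "image": PS, "cmdline": "powershell.exe -c Get-Process"},
    {"kind": "file", "pid": 6000, "image": PS, "target": r"C:\Users\pam\Documents\notes.txt"},
]

ARCHIVE_UTILITIES = {"7za.exe", "rar.exe"}  # the utilities named in the rows above
# PowerShell cmdlets and the .NET method the evaluation criteria call out
PS_COMPRESSION = re.compile(r"Compress-Archive|Compress-7Zip|ZipFile\]?::CreateFromDirectory", re.I)
# rar/7z password switches: -p<pwd> or -hp<pwd> (value attached, -p alone prompts)
UTILITY_PASSWORD = re.compile(r"(?:^|\s)-(?:hp|p)\S*")
CMDLET_PASSWORD = re.compile(r"-Password\b", re.I)  # Compress-7Zip's password parameter
ARCHIVE_EXT = re.compile(r"\.(?:zip|7z|rar)$", re.I)


@dataclass
class Detection:
    label: str                   # assumed detection label for this example
    pid: int
    image: str                   # basename of the acting process
    evidence: str                # command line or created file path
    parent_image: Optional[str]  # basename of the parent, for correlation
    encrypted: bool              # a password switch was seen on the command line


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Detection per matching process-create or archive file-create event."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}

    def parent_of(pid):
        proc = procs.get(pid)
        parent = procs.get(proc["ppid"]) if proc else None
        return basename(parent["image"]) if parent else None

    hits = []
    for e in events:
        name = basename(e["image"])
        if e["kind"] == "process":
            cmd = e["cmdline"]
            if name in ARCHIVE_UTILITIES:
                hits.append(Detection("Archive via Utility", e["pid"], name, cmd,
                                      parent_of(e["pid"]), bool(UTILITY_PASSWORD.search(cmd))))
            elif name == "powershell.exe" and PS_COMPRESSION.search(cmd):
                hits.append(Detection("Archive via PowerShell/.NET library", e["pid"], name, cmd,
                                      parent_of(e["pid"]), bool(CMDLET_PASSWORD.search(cmd))))
        elif e["kind"] == "file" and ARCHIVE_EXT.search(e["target"]):
            hits.append(Detection("Archive file created", e["pid"], name, e["target"],
                                  parent_of(e["pid"]), False))
    return hits


if __name__ == "__main__":
    for d in detect(SAMPLE_EVENTS):
        flag = " [password-protected]" if d.encrypted else ""
        print(f"{d.label}{flag}: {d.image} (parent {d.parent_image}) -> {d.evidence}")
```

The password check is split on purpose: the bare `-p`/`-hp` pattern is only applied to command lines of known archive utilities, because on a PowerShell command line it would also match parameters such as `-Path`. The parent image is what lets a rar.exe hit be tied back to the powershell.exe that launched it, which is the correlation the 9.B.6 and 9.B.7 telemetry rows describe.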