Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 4.B.7 | smrs.exe opens and reads lsass.exe (System Calls/API Monitoring, File Monitoring, Process Monitoring) | Technique | A Technique detection named "Credential Dumping" (High) was generated when an unsigned process (smrs.exe) obtained a handle to lsass.exe. [1] |
| 4.B.7 | smrs.exe opens and reads lsass.exe (System Calls/API Monitoring, Process Monitoring, File Monitoring) | Technique | A Technique detection named "Credential Dumping" (High) was generated when smrs.exe opened and read lsass.exe. [1] |
| 4.B.7 | smrs.exe opens and reads lsass.exe (System Calls/API Monitoring, File Monitoring, Process Monitoring) | General | A General detection named "LsassAccessFromMimikatz" was generated when the LSASS process was accessed from the mimikatz hack tool. [1] |
| 4.B.7 | smrs.exe opens and reads lsass.exe (Process Monitoring, File Monitoring) | General | A General detection named "Machine Learning via Sensor-based ML" (Medium) was generated when smrs.exe met the on-sensor AV's medium confidence threshold for malicious files. [1] [2] |
| 15.A.6 | samcat.exe opens and reads the SAM via LSASS (Delayed results due to sandbox execution) | General | A General detection named "Mimikatz" was generated when sandbox analysis identified samcat.exe as Mimikatz. [1] |
| 15.A.6 | samcat.exe opens and reads the SAM via LSASS (Windows Registry, System Calls/API Monitoring, Process Monitoring) | Technique | A Technique detection named "Credential Dumping" (High) was generated when credential-related Registry keys were accessed using an impersonation token by samcat.exe. [1] |
| 15.A.6 | samcat.exe opens and reads the SAM via LSASS (Process Monitoring, File Monitoring) | General | A General detection named "Machine Learning via Sensor-based ML" (High) was generated when samcat.exe met the on-sensor AV's medium confidence threshold for malicious files. [1] |
| 15.A.6 | samcat.exe opens and reads the SAM via LSASS (Process Monitoring, Windows Registry) | Technique | A Technique detection named "Credential Dumping" (High) was generated when samcat.exe opened and read the SAM. [1] |
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 6.C.1 | Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe. Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\ | Technique (Correlated, Alert) | A Technique alert detection (red hexagon indicator) for "Credential Dumping" was generated when powershell.exe injected into LSASS. The event was correlated to a parent General detection for User Execution of rcs.3aka.doc. [1] [2] [3] |
| 14.B.4 | Procedure: Dumped plaintext credentials using Mimikatz (m.exe). Criteria: m.exe injecting into lsass.exe to dump credentials | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called "Credential Dumping" was generated when Mimikatz (m.exe) launched. The detection was correlated to a parent alert for Execution via Powershell. [1] |
| 14.B.4 | Procedure: Dumped plaintext credentials using Mimikatz (m.exe). Criteria: m.exe injecting into lsass.exe to dump credentials | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called "Credential Dumping" was generated when the LSASS process was accessed by Mimikatz (m.exe). The detection was correlated to a parent alert for Execution via Powershell. [1] [2] |
| 14.B.4 | Procedure: Dumped plaintext credentials using Mimikatz (m.exe). Criteria: m.exe injecting into lsass.exe to dump credentials | General (Alert, Correlated) | A General alert detection (red indicator) called "Machine Learning via Sensor-based ML" was generated when m.exe met the machine learning-based on-sensor AV protection's high confidence threshold for malicious files. The detection was correlated to a parent alert for Execution via Powershell. [1] |
| 14.B.4 | Procedure: Dumped plaintext credentials using Mimikatz (m.exe). Criteria: m.exe injecting into lsass.exe to dump credentials | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called "Credential Dumping" was generated when m.exe read LSASS memory. The detection was correlated to a parent alert for Execution via Powershell. [1] |
| 14.B.4 | Procedure: Dumped plaintext credentials using Mimikatz (m.exe). Criteria: m.exe injecting into lsass.exe to dump credentials | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called "Credential Dumping" was generated when the encoded PowerShell payload script launched a Mimikatz process (m.exe). The detection was correlated to a parent alert for Execution via Powershell. [1] |
| 16.D.2 | Procedure: Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe). Criteria: m.exe injecting into lsass.exe to dump credentials | Technique (Alert) | A Technique alert detection (orange indicator) called "Credential Dumping" was generated when a remote thread was written to LSASS memory by m.exe (Mimikatz). [1] |
| 16.D.2 | Procedure: Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe). Criteria: m.exe injecting into lsass.exe to dump credentials | Technique (Alert) | A Technique alert detection (orange indicator) called "Credential Dumping" was generated when m.exe read LSASS memory. [1] |
| 16.D.2 | Procedure: Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe). Criteria: m.exe injecting into lsass.exe to dump credentials | Technique (Alert) | A Technique alert detection (orange indicator) called "Credential Dumping" was generated when m.exe (Mimikatz) accessed LSASS memory. [1] |
| 16.D.2 | Procedure: Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe). Criteria: m.exe injecting into lsass.exe to dump credentials | General (Alert) | A General alert detection (orange indicator) called "Credential Dumping" was generated identifying m.exe as Mimikatz. [1] |
| 16.D.2 | Procedure: Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe). Criteria: m.exe injecting into lsass.exe to dump credentials | Technique (Alert) | A Technique alert detection (orange indicator) called "Credential Dumping" was generated when m.exe allocated executable memory inside of LSASS. [1] |
| 16.D.2 | Procedure: Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe). Criteria: m.exe injecting into lsass.exe to dump credentials | General (Alert) | A General alert detection (orange indicator) called "Machine Learning via Sensor-based ML" was generated when m.exe met the machine learning-based on-sensor AV protection's high confidence threshold for malicious files. [1] |
| 16.D.2 | Procedure: Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe). Criteria: m.exe injecting into lsass.exe to dump credentials | Technique (Alert) | A Technique alert detection (orange indicator) called "Credential Dumping" was generated when m.exe injected code into the LSASS process. [1] |
| 16.D.2 | Procedure: Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe). Criteria: m.exe injecting into lsass.exe to dump credentials | Technique (Alert) | A Technique alert detection (orange indicator) called "Credential Dumping" was generated when a thread was injected into LSASS from a signed executable with an untrusted root authority. [1] |
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 5.A.1.1 | Cobalt Strike: Built-in Mimikatz credential dump capability executed | Specific Behavior (Tainted) | A Specific Behavior alert was generated for Credential Dumping, which indicated "a DLL was detected as being reflectively loaded in the callstack." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection. [1] |
| 5.A.1.1 | Cobalt Strike: Built-in Mimikatz credential dump capability executed | General Behavior (Tainted, Delayed) | A General Behavior alert was generated by the OverWatch team indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a parent detection. Note: OverWatch is the managed threat hunting service. [1] |
| 5.A.1.1 | Cobalt Strike: Built-in Mimikatz credential dump capability executed | Telemetry | Telemetry showing the lsass handle open and DLL loading would be available in a separate view. Note: For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] |
| 5.A.2.1 | Cobalt Strike: Built-in hash dump capability executed | Specific Behavior (Tainted) | A second Specific Behavior alert was generated for Credential Dumping, which indicated that "a remote thread in LSASS accessed credential registry keys." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection. [1] [2] |
| 5.A.2.1 | Cobalt Strike: Built-in hash dump capability executed | Specific Behavior (Tainted) | A Specific Behavior alert was generated for Credential Dumping, which indicated "a DLL was detected as being reflectively loaded in the callstack." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection. [1] [2] |
| 5.A.2.1 | Cobalt Strike: Built-in hash dump capability executed | General Behavior (Delayed, Tainted) | OverWatch also generated a General Behavior alert indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a previous detection. Note: OverWatch is the managed threat hunting service. [1] [2] |
| 5.A.2.1 | Cobalt Strike: Built-in hash dump capability executed | Telemetry | Telemetry for the lsass remote thread and DLL loading would be available in a separate view. Note: For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2] |