Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.A.5
|
|
|
|
|
A Technique detection named "Remote Desktop Protocol" (High) was generated when a logon event by kmitnick was detected as an RDP Login (T1076).
[1]
|
|
A General detection named "Remote Desktop Protocol" (Medium) was generated when plink.exe connected from localhost over port 3389 detected as GUARD: Possible Plink RDP Tunneling.
[1]
[2]
|
|
7.B.3
|
|
|
|
|
A Technique detection named "Lateral Movement" (High) was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389 detected as RDP Destination Port (T1021).
[1]
|
|
19.A.2
|
|
|
|
|
A Technique detection named "Remote Desktop Protocol" (Medium) was generated when an RDP session was created from itadmin (10.0.1.6) to accounting (10.0.1.7) over port 3389 detected as GUARD: Outbound RDP Connections.
[1]
|
|
RDP session from the localhost over TCP port 3389
[1]
RDP session from the localhost over TCP port 3389
[1]
RDP session from the localhost over TCP port 3389
[1]
[2]
RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389
[1]
RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389
[1]
RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389
-
Network Monitoring
-
Process Monitoring
[1]
RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389
-
Process Monitoring
-
Network Monitoring
[1]
APT29
|
The subtechnique was not in scope.
|