Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 17.A.2 | | | srrstr.dll is not the legitimate Windows System Protection Configuration Library. File Monitoring; Process Monitoring. [1] |
APT29

Masqueraded a Chrome password dump tool as accesscheck.exe, a legitimate Sysinternals tool.
Evidence that accesschk.exe is not the legitimate Sysinternals tool. [1]

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 6.A.3 | | | An MSSP detection occurred indicating that accesschk.exe is not the legitimate Sysinternals tool. [1] |
| | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called "Windows process masquerading by an unsigned process" was generated when accesschk.exe was identified as an unsigned executable and the hash did not match the valid accesschk.exe hash. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from the users or temporary folder. [1] |
| | | | Telemetry showed accesschk.exe is not a signed Microsoft binary, with hash values provided. This can be used to verify it is not the legitimate Sysinternals tool. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from the users or temporary folder. [1] |
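The APT29 detection note above describes two checks (the binary is unsigned, and its hash does not match the known-good hash for that file name) plus a correlation to a parent process running out of a users or temporary folder. The following is an added example, not code from the evaluation page or from any vendor, showing that logic run over constructed process telemetry. The allow-list hashes and the event records are constructed placeholders, not the real hashes of any Sysinternals release; the `signed` flag stands in for an Authenticode verification result that a real sensor would supply.

```python
"""Detect a known tool name being used by an unsigned or hash-mismatched binary.

Added example; not part of the evaluation page. All hashes and telemetry
records below are constructed for illustration only.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for (a) a legitimate release and (b) an impostor binary.
# A real allow-list would be populated from vendor-published hashes.
LEGIT_HASH = hashlib.sha256(b"constructed stand-in for a legitimate accesschk release").hexdigest()
FAKE_HASH = hashlib.sha256(b"constructed stand-in for a Chrome password dump tool").hexdigest()

# Tool name -> set of SHA-256 hashes of known-good releases (constructed).
KNOWN_GOOD = {"accesschk.exe": {LEGIT_HASH}}

# Parent processes executing from a users or temp folder are correlated, as in the note.
SUSPICIOUS_PARENT_DIRS = re.compile(r"^c:\\users\\|\\temp\\", re.IGNORECASE)

ALERT_NAME = "Windows process masquerading by an unsigned process"


@dataclass
class ProcessEvent:
    image: str        # executable file name as seen in telemetry
    path: str         # full path of the executable
    sha256: str       # hash reported by the sensor
    signed: bool      # True if the sensor verified a valid Authenticode signature
    parent_path: str  # full path of the parent process image


@dataclass
class Alert:
    name: str
    image: str
    reasons: list
    correlated_parent: Optional[str] = None  # parent path if it met the correlation rule


def evaluate(event: ProcessEvent, known_good=KNOWN_GOOD) -> Optional[Alert]:
    """Return an Alert if `event` uses a known tool name but fails signature or hash checks."""
    name = event.image.lower()
    if name not in known_good:
        return None  # not a name we hold a known-good hash for
    reasons = []
    if not event.signed:
        reasons.append("unsigned executable")
    if event.sha256.lower() not in known_good[name]:
        reasons.append("hash does not match any known-good release")
    if not reasons:
        return None  # signed and hash matches: the legitimate tool
    parent = event.parent_path if SUSPICIOUS_PARENT_DIRS.search(event.parent_path) else None
    return Alert(name=ALERT_NAME, image=event.image, reasons=reasons, correlated_parent=parent)


def run_detections(events) -> list:
    """Evaluate a batch of events and return the alerts raised."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed telemetry: one legitimate run, one masquerade launched by a screensaver in Temp.
SAMPLE_EVENTS = [
    ProcessEvent(
        image="accesschk.exe",
        path=r"C:\Tools\Sysinternals\accesschk.exe",
        sha256=LEGIT_HASH,
        signed=True,
        parent_path=r"C:\Windows\System32\cmd.exe",
    ),
    ProcessEvent(
        image="accesschk.exe",
        path=r"C:\Users\victim\AppData\Local\Temp\accesschk.exe",
        sha256=FAKE_HASH,
        signed=False,
        parent_path=r"C:\Users\victim\AppData\Local\Temp\rcs.3aka3.scr",
    ),
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The hash check alone already catches a renamed tool; the signature check is what makes the alert robust when the allow-list is stale, and the parent-folder correlation is what turns an isolated indicator into the chained detection the note describes.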
APT3

The subtechnique was not in scope.