Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
1.A.9
|
|
|
|
|
A Technique detection named "Command and Scripting Interpreter: Windows Command Shell, T1059.003" was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js.
[1]
|
|
A Technique detection named "Suspicious Script Execution" (malicious) was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js.
[1]
|
|
12.A.2
|
|
Telemetry
(Configuration Change (Data Sources))
|
|
Technique
(Configuration Change (Detection Logic))
|
A Technique detection named "Command and Scripting Interpreter, T1059" was generated when Adb156.exe loaded scrobj.dll and executed sql-rat.js using Jscript.
[1]
|
|
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
[1]
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
[1]
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
[1]
Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript
-
increased DLL monitoring sensitivity
[1]
Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript
-
increased detection logic sensitivity
[1]