Carbanak+FIN7

Step | ATT&CK Pattern | Detection Type | Detection Note
5.C.2 | psexec.py connects to SMB shares on 10.0.0.4 (data sources: Process Monitoring, Network Monitoring) | Tactic | A Tactic detection named "PossibleReverseShell - Lateral Movement" was generated when python connects to port 445 on 10.0.0.4. [1]
5.C.2 | psexec.py connects to SMB shares on 10.0.0.4 (data sources: Process Monitoring, Network Monitoring) | Technique (Configuration Change (Detection Logic)) | A Technique detection named "SMBConnection - T1077 Windows Admin Shares" was generated when psexec.py connected to SMB shares on bankdc (10.0.0.4). [1]
5.C.2 | psexec.py connects to SMB shares on 10.0.0.4 (data sources: Process Monitoring, Network Monitoring) | Telemetry (Configuration Change (Detection Logic)) |
16.A.5 | SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed (data sources: Process Monitoring, File Monitoring, Network Monitoring) | Technique | A Technique detection named "SmbTreeConnection - T1021.002 SMB/Windows Admin Shares" (Info) was generated when an SMB session was created from hotelmanager (10.0.1.5) to itadmin (10.0.1.6) over port 445 with admin shares accessed. [1]
16.A.5 | SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed (data sources: Process Monitoring, File Monitoring, Network Monitoring) | General | A General detection named "SMB Suspicious Write - Lateral Movement" (Low) was generated when paexec.exe wrote PAExec-{PID}-HOTELMANAGER.exe to \\10.0.1.6\admin$. [1]
APT29

Step | ATT&CK Pattern | Detection Type | Detection Note
8.C.2 | Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec. SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share | Technique | A Technique alert detection was generated for PsExec64.exe writing a file to a remote admin share through the SMB protocol. [1]
8.C.2 | Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec. SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share | Technique | A Technique alert detection for Windows Admin Shares was generated for PSExec using credentials to execute a remote command. [1]
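As an added example (not part of the evaluation results above, and not the vendor's detection logic), the following Python reproduces the two kinds of admin-share detection the 16.A.5 and 8.C.2 rows describe: an SMB tree connect to a hidden administrative share (ADMIN$, C$, IPC$) and an executable written into such a share by a PsExec/PAExec-style tool. The event field names, the sample telemetry and the severity labels are assumptions.

```python
"""Admin-share lateral movement detection over constructed SMB telemetry."""
import re

# Constructed sample events (not evaluation data): one tree connect to IPC$,
# one service-binary write into admin$, and one benign share access.
SAMPLE_EVENTS = [
    {"type": "smb_tree_connect", "src_host": "hotelmanager", "src_ip": "10.0.1.5",
     "dst_ip": "10.0.1.6", "dst_port": 445, "share": r"\\10.0.1.6\IPC$"},
    {"type": "smb_file_write", "src_host": "hotelmanager", "src_ip": "10.0.1.5",
     "dst_ip": "10.0.1.6", "dst_port": 445, "share": r"\\10.0.1.6\admin$",
     "process": "paexec.exe", "file": "PAExec-4212-HOTELMANAGER.exe"},
    {"type": "smb_tree_connect", "src_host": "hotelmanager", "src_ip": "10.0.1.5",
     "dst_ip": "10.0.1.7", "dst_port": 445, "share": r"\\10.0.1.7\Public"},
]

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}  # hidden administrative shares
# PAExec names its dropped service binary PAExec-<PID>-<SOURCEHOST>.exe.
PAEXEC_NAME = re.compile(r"^PAExec-\d+-[A-Z0-9-]+\.exe$", re.IGNORECASE)


def share_name(unc: str) -> str:
    """Return the upper-cased share component of a UNC path (\\host\share)."""
    return unc.rstrip("\\").rsplit("\\", 1)[-1].upper()


def detect(events) -> list:
    """Return one detection dict per event that touches an admin share."""
    hits = []
    for ev in events:
        if ev.get("dst_port") != 445 or share_name(ev["share"]) not in ADMIN_SHARES:
            continue  # ordinary share or non-SMB traffic: nothing to flag
        peer = f"{ev['src_host']} ({ev['src_ip']}) -> {ev['dst_ip']}"
        if ev["type"] == "smb_tree_connect":
            hits.append({"name": "SmbTreeConnection - T1021.002 SMB/Windows Admin Shares",
                         "severity": "Info",
                         "detail": f"{share_name(ev['share'])} accessed: {peer}"})
        elif ev["type"] == "smb_file_write" and ev["file"].lower().endswith(".exe"):
            kind = "PAExec service binary" if PAEXEC_NAME.match(ev["file"]) else "executable"
            hits.append({"name": "SMB Suspicious Write - Lateral Movement",
                         "severity": "Low",
                         "detail": f"{ev['process']} wrote {kind} {ev['file']} "
                                   f"to {ev['share']}: {peer}"})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['name']}: {hit['detail']}")
```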