McAfee: Defense Evasion (TA0005)

Carbanak+FIN7
Step | ATT&CK Pattern
--- | ---
1.A.4 | Technique Obfuscated Files or Information (T1027)
1.A.5 | 
1.A.6 | 
3.A.2 | Technique Modify Registry (T1112)
3.A.3 | Technique Obfuscated Files or Information (T1027)
3.B.5 | 
4.B.4 | Technique Modify Registry (T1112)
5.C.6 | 
7.A.4 | 
9.A.3 | Technique Process Injection (T1055)
9.B.3 | Technique Indicator Removal on Host (T1070); Subtechnique Indicator Removal on Host: File Deletion (T1070.004)
10.A.3 | Technique Impair Defenses (T1562); Subtechnique Impair Defenses: Disable or Modify System Firewall (T1562.004)
10.A.5 | Technique Modify Registry (T1112)
10.A.6 | Technique Modify Registry (T1112)
11.A.2 | Technique Obfuscated Files or Information (T1027)
11.A.5 | 
11.A.6 | 
13.A.4 | Technique Virtualization/Sandbox Evasion (T1497); Subtechnique Virtualization/Sandbox Evasion: System Checks (T1497.001)
14.A.3 | 
14.A.5 | 
16.A.7 | 
17.A.2 | Technique Masquerading (T1036); Subtechnique Masquerading: Match Legitimate Name or Location (T1036.005)
18.A.1 | Technique Process Injection (T1055)
18.A.3 | Technique Process Injection (T1055)
19.B.2 | Technique Obfuscated Files or Information (T1027)
20.A.2 | Technique Process Injection (T1055)
APT29

Step | ATT&CK Pattern
--- | ---
1.A.2 | 
3.A.2 | 
3.C.1 | Technique Modify Registry (T1112)
4.A.3 | 
4.B.2 | Technique Indicator Removal on Host (T1070); Subtechnique Indicator Removal on Host: File Deletion (T1070.004)
4.B.3 | Technique Indicator Removal on Host (T1070); Subtechnique Indicator Removal on Host: File Deletion (T1070.004)
4.B.4 | Technique Indicator Removal on Host (T1070); Subtechnique Indicator Removal on Host: File Deletion (T1070.004)
6.A.3 | Technique Masquerading (T1036); Subtechnique Masquerading: Match Legitimate Name or Location (T1036.005)
8.B.2 | 
8.C.1 | 
9.C.1 | Technique Indicator Removal on Host (T1070); Subtechnique Indicator Removal on Host: File Deletion (T1070.004)
9.C.2 | Technique Indicator Removal on Host (T1070); Subtechnique Indicator Removal on Host: File Deletion (T1070.004)
9.C.3 | Technique Indicator Removal on Host (T1070); Subtechnique Indicator Removal on Host: File Deletion (T1070.004)
9.C.4 | Technique Indicator Removal on Host (T1070); Subtechnique Indicator Removal on Host: File Deletion (T1070.004)
10.B.3 | 
11.A.2 | 
11.A.3 | Technique Virtualization/Sandbox Evasion (T1497); Subtechnique Virtualization/Sandbox Evasion: System Checks (T1497.001)
11.A.10 | 
12.A.2 | Technique Indicator Removal on Host (T1070); Subtechnique Indicator Removal on Host: Timestomp (T1070.006)
14.A.3 | Technique Modify Registry (T1112)
14.B.5 | Technique Obfuscated Files or Information (T1027)
14.B.6 | 
17.C.2 | Technique Obfuscated Files or Information (T1027)
Procedure details

Procedure: Used the Unicode right-to-left override (RTLO) character to obfuscate the file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process OR the original filename (cod.3aka.scr)
Footnote: The vendor added a new detection for the technique.

Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

Procedure: python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed

Procedure: Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe

Procedure: Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_BIOS

Procedure: Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria: powershell.exe modifying the creation, last access, and last write times of kxwn.lock

Procedure: Modified the Registry to remove artifacts of COM hijacking using PowerShell
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
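As an added example (not from the ATT&CK Evaluations page or the vendor), a minimal detection check for the RTLO criterion above: it flags file names containing U+202E and compares the extension a user would see with the one the OS would actually execute. The file names are constructed samples; `\u202ecod.3aka3.scr` is modeled on the page's rcs.3aka3.doc, and the rendering function is an approximation of bidi display.

```python
# Added example, not part of the ATT&CK Evaluations page: detect the
# right-to-left override (U+202E) file-name trick named in the criteria.
import os
from typing import Dict, List

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character the criteria name

# Constructed sample names (not observed data). The first is modeled on the
# page's rcs.3aka3.doc / cod.3aka3.scr pair; the others are invented.
SAMPLE_NAMES: List[str] = [
    RLO + "cod.3aka3.scr",       # whole name reversed on screen -> rcs.3aka3.doc
    "report.doc",                # benign
    "invoice" + RLO + "fdp.exe", # tail reversed on screen -> invoiceexe.pdf
    "notes_" + RLO + "txt",      # RLO present but displayed extension unchanged
]


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware file browser shows: the RLO itself is
    invisible and the characters after it are drawn right-to-left (reversed)."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def inspect_filename(name: str) -> Dict[str, object]:
    """Return the evidence a detection would record for one file name."""
    has_rlo = RLO in name
    true_ext = os.path.splitext(name.replace(RLO, ""))[1].lower()
    displayed_ext = os.path.splitext(rendered_name(name))[1].lower()
    return {
        "name": name,
        "rlo_present": has_rlo,
        "true_extension": true_ext,
        "displayed_extension": displayed_ext,
        # Masquerading: the override is present and what the user sees as the
        # extension differs from what Windows would treat as the extension.
        "suspicious": has_rlo and true_ext != displayed_ext,
    }


def scan(names: List[str]) -> List[str]:
    """Return the names that meet the suspicion rule, in input order."""
    return [n for n in names if inspect_filename(n)["suspicious"]]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(inspect_filename(n))
```

Any U+202E in a file or process name is already evidence under the page's criteria; the extension comparison only ranks which hits most resemble the rcs.3aka3.doc case.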
APT3

Step | ATT&CK Pattern
--- | ---
3.A.1.2 | 
5.B.1 | 
16.C.1 | 
16.I.1.2 | 
17.B.1 | 
17.B.2 | 
19.A.1.1 | Technique Masquerading (T1036)
19.B.1.3 | Technique Masquerading (T1036)
19.D.1 | Technique Indicator Removal on Host (T1070); Subtechnique Indicator Removal on Host: File Deletion (T1070.004)
19.D.2 | Technique Indicator Removal on Host (T1070); Subtechnique Indicator Removal on Host: File Deletion (T1070.004)