Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
3.B.7
|
|
|
|
|
A Tactic detection named "powershell.exe established an outbound connection with 192.168.0.4 to commonly used port 8080 (HTTP Alternative)." was generated when powershell.exe connected to 192.168.0.4 over TCP port 8080.
[1]
[2]
|
|
powershell.exe transmits data to 192.168.0.4 over TCP
-
Process Monitoring
-
Network Monitoring
[1]
powershell.exe transmits data to 192.168.0.4 over TCP
-
Process Monitoring
-
Network Monitoring
[1]
[2]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
1.A.3
|
|
|
Telemetry showed the rcs.3aka3.doc process connecting to 192.168.0.5 on TCP port 1234.
[1]
|
|
An MSSP detection for "Uncommonly Used Port" was generated due to rcs.3aka3.doc connecting to 192.168.0.5 on port 1234.
[1]
|
|
Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Established network channel over port 1234
[1]
Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Established network channel over port 1234
[1]
APT3
|
The technique was not in scope.
|