Carbanak+FIN7

Step | ATT&CK Pattern | Procedure / Criteria | Detection Type | Detection Note
5.C.2 | | psexec.py connects to SMB shares on 10.0.0.4 (data sources: Network Monitoring, Process Monitoring) [1] | |
16.A.5 | | SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed [1] | Technique | A Technique detection named "SmbShareAccess" was generated when an SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 accessed admin shares. [1]
APT29

Step | ATT&CK Pattern | Procedure / Criteria | Detection Type | Detection Note
8.C.2 | | Procedure: Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec. Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share [1] [2] | Telemetry | Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over port 135, identified as RPC. [1] [2]
8.C.2 | | (as above) | MSSP | An MSSP detection for "T1077" occurred containing evidence of PsExec64.exe establishing an SMB session to Scranton's IPC$ share and writing PSEXESVC.exe. [1] [2]
8.C.2 | | (as above) | Technique (Correlated, Alert) | A Technique alert detection for "AdminShareAccess" was generated because PSEXESVC.exe was copied to ADMIN$ on Scranton (10.0.1.4). The detection was correlated to a parent grouping of malicious activity. [1]

Notes: "T1077" is the pre-sub-technique ATT&CK ID for Windows Admin Shares used in the APT3 and APT29 rounds; it has since been folded into T1021.002 (SMB/Windows Admin Shares). TCP 445 carries SMB itself, while TCP 135 is the MSRPC endpoint mapper (the telemetry above labels that session as RPC), so a rule keyed on port 135 alone is corroborating rather than sufficient evidence of admin-share use.
APT3

Step | ATT&CK Pattern | Procedure | Detection Type | Detection Note
16.A.1.2 | | Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6) [1] [2] | Telemetry (Tainted) | Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access denied to the resource. [1] [2]
16.B.1.2 | | Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5) [1] [2] | Telemetry (Tainted) | Telemetry showed a logon attempt targeting ADMIN$ via net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access denied to the resource. [1] [2]
16.D.1.1 | | Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5) [1] | Telemetry (Tainted) | Telemetry showed a logon attempt targeting C$ via net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). [1]
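Added example, not code from the evaluation page or from any vendor's product: a Python script that applies the criteria quoted in the three tables above (an SMB session over TCP 445/135, evidence of ADMIN$/C$/IPC$ use, PSEXESVC.exe written into ADMIN$, and repeated net.exe logon attempts that exit with 0x2) to a handful of constructed events. The record layout, the WS-CONSTRUCTED host name, the user names and the spray threshold are assumptions; the IP addresses are the ones the tables cite.

```python
"""Admin-share lateral movement checks over constructed sample telemetry.

Added example for the criteria quoted in the tables above, not code from the
evaluation page or any vendor. Record layouts are assumptions: "net" stands in
for a network-connection event, "share" for Windows Security 5140/5145 (share
or share object accessed), "proc" for process creation plus exit code.
"""
import re
from collections import defaultdict

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}  # shares named in the tables
SMB_PORT = 445                            # SMB over TCP
RPC_EPM_PORT = 135                        # MSRPC endpoint mapper, cited alongside 445
PSEXEC_SERVICE_BINARY = "psexesvc.exe"    # default service image PsExec drops in ADMIN$

# \\host\share, each part ending at the next backslash or whitespace
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\([^\\\s]+)")

NET_EXE = r"C:\Windows\System32\net.exe"
SAMPLE_EVENTS = [  # constructed for this example; WS-CONSTRUCTED is an invented host
    {"type": "net", "src": "10.0.1.5", "dst": "10.0.1.6", "dport": 445},
    {"type": "net", "src": "10.0.1.5", "dst": "10.0.1.6", "dport": 135},
    {"type": "net", "src": "10.0.1.6", "dst": "10.0.1.4", "dport": 445},
    {"type": "net", "src": "10.0.1.5", "dst": "10.0.1.20", "dport": 80},  # benign
    # PsExec 10.0.1.6 -> 10.0.1.4: IPC$ opened, then PSEXESVC.exe written into ADMIN$
    {"type": "share", "src": "10.0.1.6", "host": "10.0.1.4", "share": r"\\*\IPC$",
     "target": "", "access": "ReadData"},
    {"type": "share", "src": "10.0.1.6", "host": "10.0.1.4", "share": r"\\*\ADMIN$",
     "target": "PSEXESVC.exe", "access": "WriteData"},
    # net.exe spray: exit 0x2 failures on 10.0.1.4 and 10.0.1.6, then a success on 10.0.0.5
    {"type": "proc", "host": "WS-CONSTRUCTED", "image": NET_EXE, "exit": 2,
     "cmdline": r"net use \\10.0.1.4\ADMIN$ /user:DOMAIN\alice Winter2019"},
    {"type": "proc", "host": "WS-CONSTRUCTED", "image": NET_EXE, "exit": 2,
     "cmdline": r"net use \\10.0.1.4\ADMIN$ /user:DOMAIN\bob Winter2019"},
    {"type": "proc", "host": "WS-CONSTRUCTED", "image": NET_EXE, "exit": 2,
     "cmdline": r"net use \\10.0.1.6\ADMIN$ /user:DOMAIN\alice Winter2019"},
    {"type": "proc", "host": "WS-CONSTRUCTED", "image": NET_EXE, "exit": 0,
     "cmdline": r"net use \\10.0.0.5\C$ /user:DOMAIN\carol Winter2019"},
    {"type": "proc", "host": "WS-CONSTRUCTED", "image": NET_EXE, "exit": 0,
     "cmdline": r"net use \\10.0.1.9\Public"},  # not an admin share, must not count
]

def parse_unc(text):
    """Return (host, share) for the first UNC path in text, or None."""
    m = UNC_RE.search(text)
    return (m.group(1), m.group(2)) if m else None

def smb_sessions(events, ports=(SMB_PORT, RPC_EPM_PORT)):
    """Port-based half of the criterion. Noisy alone; see correlate_lateral_movement."""
    return sorted({(e["src"], e["dst"], e["dport"])
                   for e in events if e["type"] == "net" and e["dport"] in ports})

def admin_share_access(events):
    """Evidence half of the criterion: any use of ADMIN$, C$ or IPC$ -> (src, host, share, target)."""
    hits = []
    for e in events:
        if e["type"] == "share":
            unc = parse_unc(e["share"])
            if unc and unc[1].upper() in ADMIN_SHARES:
                hits.append((e["src"], e["host"], unc[1], e["target"]))
    return hits

def psexec_service_drop(events):
    """APT29 8.C.2 Technique detection: PSEXESVC.exe written into ADMIN$ -> (src, host, target).
    PsExec -r renames the service binary, so a broader rule would flag any .exe written here."""
    drops = []
    for e in events:
        if e["type"] != "share" or e["access"] != "WriteData":
            continue
        unc = parse_unc(e["share"])
        if unc and unc[1].upper() == "ADMIN$" and e["target"].lower() == PSEXEC_SERVICE_BINARY:
            drops.append((e["src"], e["host"], e["target"]))
    return drops

def correlate_lateral_movement(events):
    """Pair a 445/135 session with admin-share use between the same source and destination,
    the way the correlated Technique detection in the APT29 table groups related events."""
    pairs = {(s, d) for s, d, _ in smb_sessions(events)}
    return sorted({(src, host) for src, host, _, _ in admin_share_access(events)
                   if (src, host) in pairs})

def net_use_spray(events, threshold=3):
    """APT3 16.A/B/D: net.exe logon attempts at admin shares, grouped by source host.
    Exit 0x2 is a logon failure (bad password and access denied look the same from the
    code alone); exit 0 is a successful authentication."""
    summary = defaultdict(lambda: {"failed": [], "succeeded": [], "spray": False})
    for e in events:
        if e["type"] != "proc" or not e["image"].lower().endswith("net.exe"):
            continue
        if not re.match(r"\s*net(\.exe)?\s+use\b", e["cmdline"], re.IGNORECASE):
            continue
        unc = parse_unc(e["cmdline"])
        if not unc or unc[1].upper() not in ADMIN_SHARES:
            continue
        outcome = {2: "failed", 0: "succeeded"}.get(e["exit"])
        if outcome:
            summary[e["host"]][outcome].append(unc)
    for s in summary.values():
        s["spray"] = len(s["failed"]) >= threshold
    return dict(summary)

if __name__ == "__main__":
    for fn in (smb_sessions, admin_share_access, psexec_service_drop,
               correlate_lateral_movement, net_use_spray):
        print(fn.__name__, "->", fn(SAMPLE_EVENTS))
```

The port check on its own would fire on every file-server visit in a Windows network, which is why the Technique detections in the tables hang off share evidence (ADMIN$/IPC$ access, PSEXESVC.exe written) and the correlation step only emits a pair once both kinds of event agree on source and destination. The exit-code handling mirrors the APT3 notes: 0x2 is reported as a failed logon without claiming to know whether the password or the share ACL was the cause.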