Carbanak+FIN7
Step | ATT&CK Pattern | Procedure | Detection Type | Detection Note
5.C.3 |  | cmd.exe spawns from a service executable in C:\Windows\ [1] | General (Configuration Change (Detection Logic)) | A General detection named "Unknown service under systemroot" (High) was generated when cmd.exe spawned from a service executable in C:\Windows\. [1]
5.C.3 |  | cmd.exe spawns from a service executable in C:\Windows\ [1] | Technique | A Technique detection named "Process started by services responding to rpc" (Info) was generated when cmd.exe spawned from a service executable in C:\Windows\. [1]
16.A.6 |  | Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe [1] | Technique | A Technique detection named "Remote execution using paexec" (Medium) was generated when Windows service started PAExec-{PID}-HOTELMANAGER.exe. [1]
16.A.6 |  | Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe [1] | Technique | A Technique detection named "Services by detected process chain" (Low) was generated when Windows service started PAExec-{PID}-HOTELMANAGER.exe. [1]
16.A.6 |  | Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe [1] | Technique | A Technique detection named "Unknown service under system root" (Low) was generated when Windows service started PAExec-{PID}-HOTELMANAGER.exe. [1]
16.A.6 |  | Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe [1] | General | A General detection named "Detected process tree started by rpc responder" (Medium) was generated when Windows service started PAExec-{PID}-HOTELMANAGER.exe. [1]
Data Sources: Process Monitoring, Network Monitoring
APT29
Step | ATT&CK Pattern | Procedure | Detection Type | Detection Note
8.C.3 |  | Executed python.exe using PsExec: python.exe spawned by PSEXESVC.exe [1] | Telemetry | Telemetry showed python.exe spawned by PSEXESVC.exe. [1]
8.C.3 |  | Executed python.exe using PsExec: python.exe spawned by PSEXESVC.exe [1] [2] | MSSP | An MSSP detection occurred containing evidence of PSEXESVC.exe executing python.exe. [1] [2]
8.C.3 |  | Executed python.exe using PsExec: python.exe spawned by PSEXESVC.exe [1] | Technique (Alert, Correlated) | A Technique alert detection (low severity) for "Service Execution" was generated due to PsExec running a process remotely. The event was correlated to a parent alert for Abnormal File Modification. [1]
10.A.1 |  | Executed persistent service (javamtsup) on system startup: javamtsup.exe spawning from services.exe |  | Minimum detection criteria were not met for this procedure.
APT3
Step | ATT&CK Pattern | Procedure | Detection Type | Detection Note
16.L.1 |  | Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) [1] [2] [3] | Specific Behavior | A Specific Behavior alert was generated for sc.exe used with parameters typical for lateral movement. [1] [2] [3]
16.L.1 |  | Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) [1] [2] [3] | General Behavior | A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process (powershell.exe) has a detection. [1] [2] [3]
16.L.1 |  | Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) [1] [2] [3] | Telemetry | Telemetry showed sc.exe execution with command-line arguments. [1] [2] [3]
[3]