Carbanak+FIN7

The subtechnique was not in scope.

APT29

Step | ATT&CK Pattern | Detection Type | Detection Note
6.C.1 | Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe. Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\ | Technique (Correlated, Alert) | A Technique alert detection (red hexagon indicator) for "Credential Dumping" was generated when powershell.exe injected into LSASS. The event was correlated to a parent General detection for User Execution of rcs.3aka.doc. [1] [2] [3]

APT3

Step | ATT&CK Pattern | Detection Type | Detection Note | Notes
5.A.2.1 | Cobalt Strike: Built-in hash dump capability executed | Specific Behavior (Tainted) | A second Specific Behavior alert was generated for Credential Dumping, which indicated that "a remote thread in LSASS accessed credential registry keys." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection. [1] [2] | -
5.A.2.1 | Cobalt Strike: Built-in hash dump capability executed | Specific Behavior (Tainted) | A Specific Behavior alert was generated for Credential Dumping, which indicated "a DLL was detected as being reflectively loaded in the callstack." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection. [1] [2] | -
5.A.2.1 | Cobalt Strike: Built-in hash dump capability executed | General Behavior (Delayed, Tainted) | OverWatch also generated a General Behavior alert indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a previous detection. [1] [2] | OverWatch is the managed threat hunting service.
5.A.2.1 | Cobalt Strike: Built-in hash dump capability executed | Telemetry | Telemetry for the lsass remote thread and DLL loading would be available in a separate view. [1] [2] | For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
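The APT29 6.C.1 criteria and the APT3 "tainted by a parent detection" notes describe the same two mechanics: a rule over process-injection and registry-access events, and a walk back through the process tree (or along the injecting thread) to an earlier detection. The block below is an added example in Python, not code from the evaluations page or from the evaluated vendor. It evaluates the 6.C.1 criteria over a constructed event stream whose event ids loosely follow Sysmon 1 (ProcessCreate), 8 (CreateRemoteThread) and 10 (ProcessAccess) and Windows Security 4663 (object access), then correlates each hit to a hypothetical prior detection on the rcs.3aka.doc process. The field names, pids and the PRIOR_DETECTIONS map are this example's own assumptions.

```python
import re

# Hypothetical earlier detection, keyed by pid: the page's "parent General
# detection for User Execution of rcs.3aka.doc" (assumed pid, this example's own).
PRIOR_DETECTIONS = {200: "User Execution of rcs.3aka.doc"}

# 6.C.1 criterion (b): lsass.exe reading keys under HKLM:\SAM\SAM\Domains\Account\Users\
# Accepts both the HKLM: spelling and the \REGISTRY\MACHINE form seen in audit events.
SAM_USERS_RE = re.compile(
    r"^(?:HKLM:|\\REGISTRY\\MACHINE)\\SAM\\SAM\\Domains\\Account\\Users\\",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry). Field names are this example's
# own; ids loosely follow Sysmon 1 (ProcessCreate), 8 (CreateRemoteThread),
# 10 (ProcessAccess) and Windows Security 4663 (object access, here a registry key).
EVENTS = [
    {"id": 1, "pid": 50, "ppid": 1, "image": "wininit.exe"},
    {"id": 1, "pid": 500, "ppid": 50, "image": "lsass.exe"},
    {"id": 1, "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": "rcs.3aka.doc"},     # user execution
    {"id": 1, "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"id": 10, "source_pid": 700, "source_image": "svchost.exe",     # benign noise
     "target_pid": 500, "target_image": "lsass.exe"},
    {"id": 8, "source_pid": 300, "source_image": "powershell.exe",   # injection
     "target_pid": 500, "target_image": "lsass.exe"},
    {"id": 4663, "pid": 500, "image": "lsass.exe",                   # hash read
     "object": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users\000003E9"},
]


def build_process_tree(events):
    """pid -> (image, ppid), from the ProcessCreate-style events."""
    return {e["pid"]: (e["image"], e["ppid"]) for e in events if e["id"] == 1}


def build_injections(events):
    """target_pid -> source_pid for every remote thread created in another process."""
    return {e["target_pid"]: e["source_pid"] for e in events if e["id"] == 8}


def match_6c1(event):
    """Return (offending_pid, reason) when an event meets the 6.C.1 criteria, else None."""
    if (event["id"] == 8
            and event["source_image"].lower() == "powershell.exe"
            and event["target_image"].lower() == "lsass.exe"):
        return event["source_pid"], "powershell.exe created a remote thread in lsass.exe"
    if (event["id"] == 4663
            and event["image"].lower() == "lsass.exe"
            and SAM_USERS_RE.match(event["object"])):
        return event["pid"], "lsass.exe read " + event["object"]
    return None


def correlate(pid, tree, injections, prior):
    """Find an earlier detection on an ancestor. A process that received a remote
    thread is first traced back to the process that created it (the 'remote thread
    in LSASS' case), then parents are walked. A hit is 'Correlated'/'Tainted' in the
    page's terms when this returns a label."""
    seen = set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        if pid in prior:
            return prior[pid]
        if pid in injections:             # code in this process came from elsewhere
            pid = injections[pid]
            continue
        pid = tree.get(pid, (None, None))[1]
    return None


def detect(events, prior=PRIOR_DETECTIONS):
    """Run the 6.C.1 rule over the stream and correlate each hit to prior detections."""
    tree = build_process_tree(events)
    injections = build_injections(events)
    detections = []
    for event in events:
        hit = match_6c1(event)
        if hit is None:
            continue
        pid, reason = hit
        parent = correlate(pid, tree, injections, prior)
        detections.append({
            "technique": "Credential Dumping",
            "tactic": "Credential Access",
            "pid": pid,
            "reason": reason,
            "detection_type": "Technique (Correlated)" if parent else "Technique",
            "correlated_to": parent,
        })
    return detections


if __name__ == "__main__":
    for d in detect(EVENTS):
        print(d)
```

Both hits are attributed to the rcs.3aka.doc detection: the powershell.exe hit through its parent, and the lsass.exe registry read through the remote thread that powershell.exe created in it, which is the link the APT3 note "a remote thread in LSASS accessed credential registry keys" relies on. The svchost.exe process-access event is ignored because the 6.C.1 criterion is injection, not access; a production rule would normally also inspect process access to lsass.exe with memory-read rights, which is outside these criteria.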