Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 5.C.2 | | | A Technique detection named "python3.6 communicated over SMB" was generated when psexec.py connected to SMB shares on 10.0.0.4. [1] [2] |
| 5.C.2 | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote command launched" (Medium) was generated when a remote command was executed from a Linux device (10.0.0.7) to a Windows device (10.0.0.4). [1] |
| 16.A.5 | | | A Technique detection named "Possible lateral movement involving a suspicious file transfer over SMB" (Medium) was generated when an SMB session was established from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445. [1] |
| 16.A.5 | | | A Technique detection named "File dropped and launched from remote location" (Medium) was generated when a file was copied from 10.0.1.5 to 10.0.1.6 over SMB. [1] |

Detection criteria and data sources:

psexec.py connects to SMB shares on 10.0.0.4
- Process Monitoring
- Network Monitoring
[1] [2]

psexec.py connects to SMB shares on 10.0.0.4
- Process Monitoring
- Windows Event Logs
[1] [2]

psexec.py connects to SMB shares on 10.0.0.4
- Windows Event Logs
- Process Monitoring
[1]

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed
- File Monitoring
- Network Monitoring
[1]

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed
- File Monitoring
- Network Monitoring
[1]

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed
- Network Monitoring
- File Monitoring
[1]
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 8.C.2 | | | Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP 135. [1] |

Detection criteria and data sources:

Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
- SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
[1]
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 16.A.1.2 | | Specific Behavior (Delayed) | A delayed Specific Behavior alert was generated based on a brute-force attempt that accessed remote SMB shares with different accounts. [1] [2] [3] [4] [5] |
| 16.A.1.2 | | | Telemetry showed repeated logon attempts to ADMIN$ via net.exe with command-line arguments (tainted by a parent alert on a PowerShell script with suspicious content). Telemetry also showed failed authorization attempts due to bad passwords, as indicated by a fallback request over WebDAV to port 80 on the C2 server, but did not indicate the two failed access attempts on Morris and Conficker that were due to the accounts having insufficient access on those systems. [1] [2] [3] [4] [5] |
| 16.B.1.2 | | Specific Behavior (Delayed) | A delayed Specific Behavior alert was generated based on a brute-force attempt that accessed remote SMB shares with different accounts. [1] [2] [3] |
| 16.B.1.2 | | | Telemetry showed a logon attempt via net.exe with command-line arguments targeting ADMIN$ using valid credentials for user Kmitnick (tainted by a parent alert on a PowerShell script with suspicious content). [1] [2] [3] |
| 16.D.1.1 | | | Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ using valid credentials for user Kmitnick (tainted by a parent alert on a PowerShell script with suspicious content). [1] [2] |

Detection criteria and data sources:

Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)
- The alert spans multiple login attempts.
[1] [2] [3]

Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)
[1] [2] [3]

Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
[1] [2]
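The two admin-share criteria that recur in these results, an SMB session to a host over TCP 135/445 with ADMIN$, C$ or IPC$ accessed (Carbanak+FIN7 step 16.A.5, APT29 step 8.C.2) and the APT3 step 16.A alert that spans multiple logon attempts with different accounts, as detection logic over constructed telemetry. This is an added example, not part of the evaluation results or any vendor's product; the event field names, the 5-minute window and the 3-account threshold are assumptions, and the events are constructed sample data that reuse the page's IP addresses and the user Kmitnick (the source 10.0.0.3 and the other account names are made up).

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}   # Windows admin shares named in the results
SMB_PORTS = {135, 445}                    # TCP ports the SMB-session criteria cite

# Constructed sample share-access telemetry (field names are an assumption, not a real
# log schema). Rows 1-2 mirror Carbanak step 16.A.5 (10.0.1.5 -> 10.0.1.6); rows 3-5
# mirror the APT3 brute force against Conficker (10.0.0.5) tried with several accounts.
SAMPLE_EVENTS = [
    {"ts": "2021-01-01T10:00:00", "src": "10.0.1.5", "dst": "10.0.1.6", "dport": 445,
     "share": "ADMIN$", "user": "kmitnick", "status": "success"},
    {"ts": "2021-01-01T10:00:05", "src": "10.0.1.5", "dst": "10.0.1.6", "dport": 445,
     "share": "C$", "user": "kmitnick", "status": "success"},
    {"ts": "2021-01-01T10:02:00", "src": "10.0.0.3", "dst": "10.0.0.5", "dport": 445,
     "share": "ADMIN$", "user": "alice", "status": "failure"},
    {"ts": "2021-01-01T10:02:01", "src": "10.0.0.3", "dst": "10.0.0.5", "dport": 445,
     "share": "ADMIN$", "user": "bob", "status": "failure"},
    {"ts": "2021-01-01T10:02:02", "src": "10.0.0.3", "dst": "10.0.0.5", "dport": 445,
     "share": "ADMIN$", "user": "kmitnick", "status": "success"},
    {"ts": "2021-01-01T10:05:00", "src": "10.0.1.5", "dst": "10.0.1.9", "dport": 445,
     "share": "Public", "user": "kmitnick", "status": "success"},   # ordinary share, not flagged
]


def admin_share_sessions(events):
    """Per-event criterion: SMB/RPC port and an admin share accessed (success or failure)."""
    return [e for e in events if e["dport"] in SMB_PORTS and e["share"] in ADMIN_SHARES]


def multi_account_share_access(events, min_accounts=3, window=timedelta(minutes=5)):
    """Aggregated criterion: one source host hitting admin shares on one target with
    at least `min_accounts` distinct accounts inside `window`, failures and successes
    counted together, so a single alert spans the whole run of logon attempts."""
    by_pair = defaultdict(list)
    for e in admin_share_sessions(events):
        by_pair[(e["src"], e["dst"])].append((datetime.fromisoformat(e["ts"]), e["user"]))
    alerts = []
    for (src, dst), tries in by_pair.items():
        tries.sort()
        for i, (t0, _) in enumerate(tries):
            users = {u for t, u in tries[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                alerts.append({"src": src, "dst": dst, "target_accounts": sorted(users)})
                break
    return alerts
```

Unlike a per-event rule, the aggregated check would stay silent on the Carbanak pair (one account, two shares) and fire once on the Conficker pair, which is the behaviour the APT3 note describes as "spans multiple login attempts".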