Carbanak+FIN7

Columns: Step | ATT&CK Pattern | Detection Type | Detection Note (with sub-step description and data sources)

Step 7.A.5
ATT&CK Pattern: Remote Services (T1021) | Remote Desktop Protocol (T1021.001)
Sub-step: RDP session from the localhost over TCP port 3389
Data Sources: Process Monitoring, Network Monitoring
Detection Type: Technique
Detection Note: A Technique detection named "Remote Services (T1021) | Remote Desktop Protocol (T1021.001)" was generated when an RDP session was created from localhost over port 3389.

Step 7.B.3
ATT&CK Pattern: Remote Services (T1021) | Remote Desktop Protocol (T1021.001)
Sub-step: RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389
Data Sources: Network Monitoring, Process Monitoring
Detection Type: Technique
Detection Note: A Technique detection named "Remote Services (T1021) | Remote Desktop Protocol (T1021.001)" was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389.

Step 19.A.2
ATT&CK Pattern: Remote Services (T1021) | Remote Desktop Protocol (T1021.001)
Sub-step: RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389
Data Sources: Network Monitoring, Process Monitoring
Detection Type: Technique
Detection Note: A Technique detection named "Remote Services (T1021) | Remote Desktop Protocol (T1021.001)" was generated when an RDP session was created from itadmin (10.0.1.6) to accounting (10.0.1.7) over port 3389.

APT29

The sub-technique was not in scope.

APT3

Columns: Step | ATT&CK Pattern | Detection Type | Detection Note (with sub-step description)

Step 6.C.1
Sub-step: Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
Detection Type: Telemetry (tainted)
Detection Note: Telemetry showed cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) with a Remote Interactive logon type. The telemetry was tainted by a parent Injected Shellcode alert listed as the owner process. Telemetry also showed rdpclip.exe executing on 10.0.0.5 (Conficker).

Step 10.B.1.2
Sub-step: RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism
Detection Type: Telemetry (tainted)
Detection Note: Telemetry showed the logon session for Jesse to Conficker (10.0.0.5) as a Remote Interactive logon type. Telemetry also showed a connection over port 3389 to Conficker (10.0.0.5) through rundll32.exe serving as a proxy. The telemetry was tainted by a parent Injected Shellcode alert.

Step 20.A.1.2
Sub-step: RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism
Detection Type: Enrichment
Detection Note: The capability enriched an RDP connection with information that the connection was made to an RDP port, as well as a related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol).

Step: (not given)
Sub-step: RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism
Detection Type: Telemetry
Detection Note: Telemetry showed creation of an RDP session on Creeper (10.0.0.4).
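The detections above all rest on the same correlation: a process network connection to TCP 3389 followed by a RemoteInteractive (Type 10) logon on the destination host, with loopback sessions (7.A.5) and unusual client processes such as cmd.exe or rundll32.exe (the APT3 notes) as the edge cases. The following is an added example, not code from the evaluations or any vendor; the event shapes, timestamps, user names and the "sanctioned client" set are constructed assumptions, while the host names and IPs follow the Carbanak+FIN7 notes.

```python
from datetime import datetime

RDP_PORT = 3389
REMOTE_INTERACTIVE = 10               # Windows logon type 10: RemoteInteractive (RDP)
EXPECTED_RDP_CLIENTS = {"mstsc.exe"}  # assumption: the only sanctioned RDP client
PATTERN = "Remote Services (T1021) | Remote Desktop Protocol (T1021.001)"

# Constructed telemetry; hosts and IPs follow the Carbanak+FIN7 notes above.
NETWORK_EVENTS = [  # process network connections (Sysmon event 3 style)
    {"ts": "2021-03-01T10:00:00", "host": "bankdc", "process": "mstsc.exe",
     "src_ip": "10.0.0.4", "dst_ip": "10.0.0.5", "dst_port": 3389},
    {"ts": "2021-03-01T10:05:00", "host": "cfo", "process": "mstsc.exe",
     "src_ip": "127.0.0.1", "dst_ip": "127.0.0.1", "dst_port": 3389},
    {"ts": "2021-03-01T10:10:00", "host": "itadmin", "process": "cmd.exe",
     "src_ip": "10.0.1.6", "dst_ip": "10.0.1.7", "dst_port": 3389},
    {"ts": "2021-03-01T10:12:00", "host": "bankdc", "process": "chrome.exe",
     "src_ip": "10.0.0.4", "dst_ip": "10.0.0.5", "dst_port": 443},
]
LOGON_EVENTS = [  # successful logons on the destination hosts (Security 4624 style)
    {"ts": "2021-03-01T10:00:02", "host": "cfo", "ip": "10.0.0.5", "user": "cfo-user", "logon_type": 10},
    {"ts": "2021-03-01T10:05:01", "host": "cfo", "ip": "10.0.0.5", "user": "cfo-user", "logon_type": 10},
    {"ts": "2021-03-01T10:10:03", "host": "accounting", "ip": "10.0.1.7", "user": "acct-user", "logon_type": 10},
]

def detect_rdp_sessions(net_events, logon_events, window_s=30):
    """One detection per port-3389 connection that is followed, within window_s
    seconds, by a Type 10 logon on the destination host. A loopback connection
    (step 7.A.5) is matched by host name, since src and dst IP are both 127.0.0.1."""
    detections = []
    for net in net_events:
        if net["dst_port"] != RDP_PORT:
            continue
        loopback = net["dst_ip"].startswith("127.")
        for logon in logon_events:
            same_host = (logon["host"] == net["host"]) if loopback else (logon["ip"] == net["dst_ip"])
            delta = (datetime.fromisoformat(logon["ts"]) - datetime.fromisoformat(net["ts"])).total_seconds()
            if same_host and logon["logon_type"] == REMOTE_INTERACTIVE and 0 <= delta <= window_s:
                detections.append({
                    "pattern": PATTERN,
                    "src": "localhost" if loopback else f'{net["host"]} ({net["src_ip"]})',
                    "dst": f'{logon["host"]} ({logon["ip"]})',
                    "user": logon["user"],
                    "client": net["process"],
                    # cmd.exe/rundll32.exe reaching 3389 is the proxied pattern in the APT3 notes
                    "unexpected_client": net["process"].lower() not in EXPECTED_RDP_CLIENTS,
                })
                break  # one logon per connection
    return detections
```

Running detect_rdp_sessions(NETWORK_EVENTS, LOGON_EVENTS) yields three detections (bankdc to cfo, the cfo loopback session, and itadmin to accounting) and leaves the port-443 connection alone; the third is flagged because cmd.exe, not mstsc.exe, opened the RDP connection.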