Carbanak+FIN7
| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 1.A.10 | wscript.exe transmits data to 192.168.0.4 over HTTPS protocol [1] | Technique | A Technique detection named "SSL Connection" (Informational) was generated when wscript.exe connected to 192.168.0.4 over HTTPS. [1] |
| 8.A.2 | Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol (new detection logic was applied) [1] | Telemetry (Configuration Change (Detection Logic)) | |
| 8.A.2 | Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol (new detection logic was applied for mapping specific techniques) [1] | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Port-Protocol Mismatches on Non-Standard Port" (Low) was generated when Java-Update.exe connected to 192.168.0.4 over HTTPS protocol (port 80). [1] |
| 8.A.2 | Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol (new detection logic was applied for mapping specific techniques) [1] | Technique (Configuration Change (Detection Logic)) | A Technique detection named "SSL Connection" (Informational) was generated when Java-Update.exe connected to 192.168.0.4 over HTTPS protocol (port 80). [1] |
| 14.A.6 | powershell.exe transmits data to 192.168.0.4 over HTTPS protocol [1] | Technique | A Technique detection named "SSL Connection" (Informational) was generated when powershell.exe connected to 192.168.0.4 over HTTPS. [1] |
| 14.A.6 | powershell.exe transmits data to 192.168.0.4 over HTTPS protocol (Process Monitoring; Network Monitoring) [1] | | |
| 16.A.8 | svchost.exe transmits data to 192.168.0.4 over HTTPS protocol [1] | Technique | A Technique detection named "SSL Connection" (Informational) was generated when svchost.exe connected to 192.168.0.4 over HTTPS protocol. [1] |
| 17.A.5 | rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol [1] | Technique | A Technique detection named "SSL Connection" (Informational) was generated when rundll32.exe connected to 192.168.0.4 over HTTPS protocol. [1] |
| 17.A.5 | rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol [1] | Technique | A Technique detection named "Port-Protocol Mismatches on Non-Standard Port" (Low) was generated when rundll32.exe connected to 192.168.0.4 over HTTPS protocol on port 8080. [1] |
| 20.A.3 | rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol [1] | Technique | A Technique detection named "SSL Connection" (Informational) was generated when rundll32.exe connected to 192.168.0.4 over HTTPS protocol. [1] |
| 20.A.3 | rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol [1] | Technique | A Technique detection named "Port-Protocol Mismatches on Non-Standard Port" (Low) was generated when rundll32.exe exchanged data with 192.168.0.4 over HTTPS protocol. [1] |
APT29
| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 3.B.4 | Used HTTPS to transport C2 (192.168.0.5) traffic. Evidence that the network data sent over the C2 channel is HTTPS. [1] | Technique | A Technique detection called "Standard Application Layer Protocol" was generated due to the PowerShell process exchanging data with 192.168.0.5 over HTTPS. [1] |
| 11.A.14 | Used HTTPS to transport C2 (192.168.0.4) traffic. Established network channel over the HTTPS protocol. [1] | Technique | A Technique detection called "Standard Application Layer Protocol" was generated due to PowerShell making a network connection to C2 (192.168.0.4) over HTTPS. [1] |
| 11.A.14 | Used HTTPS to transport C2 (192.168.0.4) traffic. Established network channel over the HTTPS protocol. [1] | MSSP | An MSSP detection occurred for the network connection over HTTPS. [1] |