Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
9.B.3
|
|
|
|
|
A Technique detection named "Suspicous file deletion by powershell.exe" was generated when powershell.exe deleted files from C:\Users\jsmith\AppData\Local\Temp\.
[1]
|
|
powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\
-
Process Monitoring
-
File Monitoring
[1]
powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\
-
Process Monitoring
-
File Monitoring
[1]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
4.B.2
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
An MSSP detection occurred containing evidence of sdelete64.exe deleting ?cod.3aka.scr.
[1]
|
|
4.B.3
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
An MSSP detection occurred containing evidence of sdelete64.exe deleting Draft.zip.
[1]
|
|
4.B.4
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
An MSSP detection occurred containing evidence of sdelete64.exe deleting SysinternalsSuite.zip.
[1]
|
|
9.C.1
|
|
|
Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
An MSSP detection contained evidence of the deletion of Rar.exe by SDelete64.exe.
[1]
|
|
9.C.2
|
|
|
A Technique alert detection called "file deletion T1107" was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip.
[1]
|
|
Telemetry showed file delete event for sdelete64.exe deleting Desktop\working.zip. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
An MSSP detection contained evidence of the deletion of Desktop\working.zip by SDelete64.exe.
[1]
|
|
9.C.3
|
|
|
Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
An MSSP detection contained evidence of the deletion of roaming\working.zip by SDelete64.exe.
[1]
|
|
9.C.4
|
|
|
Telemetry showed cmd.exe deleting sdelete64.exe and file deletion event. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
An MSSP detection contained evidence of the deletion of SDelete64.exe.
[1]
|
|
A Technique alert detection called "file deletion T1107" was generated when cmd.exe deleted sdelete.exe.
[1]
|
|
Deleted rcs.3aka3.doc on disk using SDelete
sdelete64.exe deleting the file rcs.3aka3.doc
[1]
Deleted rcs.3aka3.doc on disk using SDelete
sdelete64.exe deleting the file rcs.3aka3.doc
[1]
Deleted Draft.zip on disk using SDelete
sdelete64.exe deleting the file draft.zip
[1]
[2]
Deleted Draft.zip on disk using SDelete
sdelete64.exe deleting the file draft.zip
[1]
Deleted SysinternalsSuite.zip on disk using SDelete
sdelete64.exe deleting the file SysinternalsSuite.zip
[1]
Deleted SysinternalsSuite.zip on disk using SDelete
sdelete64.exe deleting the file SysinternalsSuite.zip
[1]
Deleted rar.exe on disk using SDelete
sdelete64.exe deleting the file rar.exe
[1]
Deleted rar.exe on disk using SDelete
sdelete64.exe deleting the file rar.exe
[1]
Deleted working.zip (from Desktop) on disk using SDelete
sdelete64.exe deleting the file \Desktop\working.zip
[1]
Deleted working.zip (from Desktop) on disk using SDelete
sdelete64.exe deleting the file \Desktop\working.zip
[1]
Deleted working.zip (from Desktop) on disk using SDelete
sdelete64.exe deleting the file \Desktop\working.zip
[1]
Deleted working.zip (from AppData directory) on disk using SDelete
sdelete64.exe deleting the file \AppData\Roaming\working.zip
[1]
Deleted working.zip (from AppData directory) on disk using SDelete
sdelete64.exe deleting the file \AppData\Roaming\working.zip
[1]
Deleted SDelete on disk using cmd.exe del command
cmd.exe deleting the file sdelete64.exe
[1]
Deleted SDelete on disk using cmd.exe del command
cmd.exe deleting the file sdelete64.exe
[1]
Deleted SDelete on disk using cmd.exe del command
cmd.exe deleting the file sdelete64.exe
[1]
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
19.D.1
|
|
|
Telemetry showed the file delete event for old.rar. The telemetry was tainted by a parent alert on wscript.exe.
[1]
|
|
19.D.2
|
|
|
Telemetry showed the file delete event for recycler.exe. The telemetry was tainted by a parent alert on wscript.exe.
[1]
|
|
Empire: 'del C:\\"$\"Recycle.bin\old.rar'
-
The process tree showing taintedness is visible within the same UI but did not fit within the current frame.
[1]
Empire: 'del recycler.exe'
-
The process tree showing taintedness is visible within the same UI but did not fit within the current frame.
[1]