Carbanak+FIN7
The technique was not in scope.

APT29
| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 7.A.2 | Captured clipboard contents using PowerShell: powershell.exe executing Get-Clipboard [1] | | Telemetry showed powershell.exe calling the NtUserGetClipboardData API. The detection was correlated to a parent alert for malicious file execution. [1] |
| 7.A.2 | Captured clipboard contents using PowerShell: powershell.exe executing Get-Clipboard [1] | Technique (Alert, Correlated) | A Technique alert detection (low severity) for "ATT&CK T1115 Clipboard Data" was generated for powershell.exe calling the NtUserGetClipboardData API. The event was correlated to a parent General detection for malicious file execution. [1] |

APT3
| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 12.E.1.5 | Empire: WinEnum module included enumeration of clipboard contents [1] [2] | | Telemetry showed the creation of a PowerShell sub-process and decoded the command within the capability to show Windows.Clipboard (tainted by parent PowerShell alerts). Though it does not count as part of the detection, the Interactive Shell could also be used to analyze the PowerShell execution, and WinEnum Clipboard Contents was observed. [1] [2] |
| | - | | Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] |
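The two detection notes above describe the same T1115 logic from the defender's side: flag powershell.exe when it calls NtUserGetClipboardData or when its (possibly base64-encoded) command line references the clipboard, then correlate the hit to an earlier alert on a parent process. The following is an added example of that logic, not code from the evaluation or from Endgame; the telemetry events, field names and the "malicious file execution" parent alert are constructed for illustration.

```python
import base64
import re

# Constructed sample telemetry (not from the evaluation). Process events carry a
# parent link; API events name the process that made the call. Process 2 already
# has an alert attached, which is what lets the clipboard events be correlated.
ENCODED = base64.b64encode("[Windows.Clipboard]::GetText()".encode("utf-16le")).decode()
EVENTS = [
    {"id": 1, "type": "process", "image": "explorer.exe", "parent": None, "cmdline": "explorer.exe"},
    {"id": 2, "type": "process", "image": "powershell.exe", "parent": 1,
     "cmdline": "powershell.exe -nop -w hidden", "alert": "malicious file execution"},
    {"id": 3, "type": "api", "image": "powershell.exe", "process": 2, "api": "NtUserGetClipboardData"},
    {"id": 4, "type": "process", "image": "powershell.exe", "parent": 2,
     "cmdline": "powershell.exe -NoProfile -enc " + ENCODED},
    {"id": 5, "type": "process", "image": "notepad.exe", "parent": 1, "cmdline": "notepad.exe"},
]

CLIPBOARD_APIS = {"NtUserGetClipboardData", "GetClipboardData"}
CLIPBOARD_CMD = re.compile(r"Get-Clipboard|Windows\.Clipboard", re.IGNORECASE)


def decode_command(cmdline):
    """Expand a PowerShell -enc/-EncodedCommand argument (base64 of UTF-16LE text)."""
    m = re.search(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def parent_alert(by_id, proc_id):
    """Walk the process tree upward and return the first alert found (tainting)."""
    while proc_id is not None:
        proc = by_id[proc_id]
        if "alert" in proc:
            return proc["alert"]
        proc_id = proc["parent"]
    return None


def detect_clipboard(events):
    """Return T1115 findings: clipboard API calls or clipboard commands from PowerShell."""
    by_id = {e["id"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        if e["type"] == "api" and e["api"] in CLIPBOARD_APIS:
            findings.append({"event": e["id"], "why": e["api"], "parent_alert": parent_alert(by_id, e["process"])})
        elif e["type"] == "process" and CLIPBOARD_CMD.search(decode_command(e["cmdline"])):
            findings.append({"event": e["id"], "why": "clipboard command", "parent_alert": parent_alert(by_id, e["parent"])})
    return findings
```

Both the raw API call (event 3) and the decoded sub-process command (event 4) are reported, each carrying the parent alert they correlate to, while the unrelated notepad.exe and the bare PowerShell launch produce nothing.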