Command and Control (TA0011)
Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 1.A.10 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001) |
| 1.A.11 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
| 2.B.1 | Technique: Ingress Tool Transfer (T1105) |
| 3.B.1 | Technique: Ingress Tool Transfer (T1105) |
| 3.B.7 | Technique: Non-Application Layer Protocol (T1095) |
| 4.B.1 | Technique: Ingress Tool Transfer (T1105) |
| 4.B.2 | Technique: Ingress Tool Transfer (T1105) |
| 5.A.1 | Technique: Ingress Tool Transfer (T1105) |
| 5.A.2 | Technique: Ingress Tool Transfer (T1105) |
| 5.A.3 | Technique: Ingress Tool Transfer (T1105) |
| 5.A.4 | Technique: Ingress Tool Transfer (T1105) |
| 5.A.5 | Technique: Ingress Tool Transfer (T1105) |
| 7.A.1 | Technique: Ingress Tool Transfer (T1105) |
| 7.A.3 | Technique: Application Layer Protocol (T1071) |
| 7.C.1 | Technique: Ingress Tool Transfer (T1105) |
| 7.C.3 | Technique: Ingress Tool Transfer (T1105) |
| 8.A.2 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001) |
| 8.A.3 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
| 9.A.1 | Technique: Ingress Tool Transfer (T1105) |
| 9.B.1 | Technique: Ingress Tool Transfer (T1105) |
| 10.A.1 | Technique: Ingress Tool Transfer (T1105) |
| 10.A.2 | Technique: Ingress Tool Transfer (T1105) |
| 10.B.1 | Technique: Remote Access Software (T1219) |
| 12.A.3 | Technique: Application Layer Protocol (T1071) |
| 12.B.1 | Technique: Ingress Tool Transfer (T1105) |
| 13.B.1 | Technique: Ingress Tool Transfer (T1105) |
| 14.A.6 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001) |
| 14.A.7 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
| 15.A.2 | Technique: Ingress Tool Transfer (T1105) |
| 15.A.3 | Technique: Ingress Tool Transfer (T1105) |
| 16.A.1 | Technique: Ingress Tool Transfer (T1105) |
| 16.A.2 | Technique: Ingress Tool Transfer (T1105) |
| 16.A.8 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001) |
| 16.A.9 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
| 17.A.1 | Technique: Ingress Tool Transfer (T1105) |
| 17.A.5 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001) |
| 17.A.6 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
| 19.A.3 | Technique: Proxy (T1090) |
| 19.B.3 | Technique: Ingress Tool Transfer (T1105) |
| 19.B.4 | Technique: Ingress Tool Transfer (T1105) |
| 20.A.3 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001) |
| 20.A.4 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
| 20.B.1 | Technique: Ingress Tool Transfer (T1105) |
| 20.B.3 | Technique: Ingress Tool Transfer (T1105) |
APT29

| Step | ATT&CK Pattern |
|---|---|
| 1.A.3 | Technique: Non-Application Layer Protocol (T1095) |
| 1.A.4 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Symmetric Cryptography (T1573.001) |
| 3.A.1 | Technique: Ingress Tool Transfer (T1105) |
| 3.B.3 | Technique: Commonly Used Port (T1043) |
| 3.B.4 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001) |
| 3.B.5 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
| 4.A.1 | Technique: Ingress Tool Transfer (T1105) |
| 8.B.1 | Technique: Ingress Tool Transfer (T1105) |
| 9.A.1 | Technique: Ingress Tool Transfer (T1105) |
| 9.A.2 | Technique: Ingress Tool Transfer (T1105) |
| 9.B.8 | |
| 11.A.13 | Technique: Commonly Used Port (T1043) |
| 11.A.14 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001) |
| 11.A.15 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002) |
| 14.B.3 | Technique: Ingress Tool Transfer (T1105) |
| 18.A.1 | Technique: Web Service (T1102) |
Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted

Procedure: Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria: python.exe reading the file working.zip while connected to the C2 channel
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.