Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.C.4
|
|
|
A Tactic detection named "Modify Registry" (Low) was generated when the Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
[1]
|
|
|
Technique
(Configuration Change (Detection Logic))
|
A Technique detection named "Run Key and Startup Persistence" (Low) was generated when the Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
[1]
|
|
A General detection named "Registry Activity with REG.exe" (Medium) was generated when command-line activity from reg.exe was detected.
[1]
|
|
10.A.4
|
|
Technique
(Configuration Change (Detection Logic))
|
A Technique detection named "Run Key and Startup Persistence" (Low) was generated when tvncontrol subkey was added to HKLM\Software\Microsoft\CurrentVersion\Run.
[1]
|
|
|
|
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[1]
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
-
Process Monitoring
-
Windows Registry
[1]
[2]
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[1]
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[1]
msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run
[1]
msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run
-
Process Monitoring
-
Windows Registry
[1]
[2]
[3]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
5.B.1
|
|
Technique
(Correlated, Alert)
|
A Technique alert detection for "ATT&CK T1060 Registry Run Keys / Startup Folder" was generated due to powershell.exe creating hostui.lnk. The event was correlated to a parent General detection for malicious file execution.
[1]
|
|
Telemetry showed powershell.exe creating the hostui.lnk file in the Startup folder. The event was correlated to a parent General detection for malicious file execution.
[1]
|
General
(Correlated, Alert)
|
A General alert detection (medium severity) for "Shortcut File Written by Suspicious Process" was generated due to powershell.exe creating hostui.lnk. The event was correlated to a parent General detection for malicious file execution.
[1]
|
|
10.B.1
|
|
None
(Delayed (Manual), Host Interrogation)
|
Minimum detection criteria was not met for this procedure.
[1]
|
|
11.A.11
|
|
|
Telemetry showed powershell.exe adding Run key persistence into the Registry
[1]
|
|
A Technique detection for "ATT&CK T1060 Registry Run Keys / Startup Folder" was generated for powershell.exe adding Run key persistence into the Registry
[1]
|
|
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
powershell.exe creating the file hostui.lnk in the Startup folder
[1]
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
powershell.exe creating the file hostui.lnk in the Startup folder
[1]
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
powershell.exe creating the file hostui.lnk in the Startup folder
[1]
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
[1]
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[1]
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[1]
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
1.B.1
|
|
Specific Behavior
(Tainted)
|
A Specific Behavior alert called \"Detected Persistence - Start Folder Persistence\" was generated due to cmd.exe writing autoupdate.bat to the Startup folder. The alert was also tagged with the correct ATT&CK Technique (T1060 - Registry Run Keys / Start Folder) and Tactic (Persistence). The Specific Behavior alert was tainted by a parent Malicious File Detection alert.
[1]
[2]
|
|
Telemetry showed autoupdate.bat written to the Start Menu. The telemetry was tainted by a parent Malicious File Detection alert.
[1]
[2]
|
|
10.A.1
|
|
|
Telemetry showed the process chain for rundll32.exe execution of update.dat. The telemetry was tainted by the parent alert for \\"RunDLL32 with Suspicious DLL Location.\\"
[1]
|
|
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
[1]
[2]
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
[1]
[2]
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
[1]