Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 5.C.3 | | General | A General detection named "RemCom" was generated when sandbox analysis identified the service executable as RemCom malware. [1] |
| 5.C.3 | | General | A General detection named "Machine Learning via Cloud-based ML" (High) was generated when the service executable met a high confidence threshold for malicious files. [1] |
| 16.A.6 | | | |

| Criteria | Data Sources / Notes | Refs |
|---|---|---|
| cmd.exe spawns from a service executable in C:\Windows\ | Delayed results due to sandbox execution | [1] |
| cmd.exe spawns from a service executable in C:\Windows\ | File Monitoring, Process Monitoring | [1] |
| cmd.exe spawns from a service executable in C:\Windows\ | | [1] [2] |
| Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe | Windows Registry, Process Monitoring | [1] [2] |
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 8.C.3 | | Telemetry | Telemetry showed python.exe spawned from PSEXESVC.exe. [1] |
| 8.C.3 | | Technique | A Technique detection for "ServiceExecOnSMBFile" was generated due to PsExec running a python.exe remotely. [1] |
| 10.A.1 | | | Minimum detection criteria were not met for this procedure. |

| Procedure | Criteria | Refs |
|---|---|---|
| Executed python.exe using PSExec | python.exe spawned by PSEXESVC.exe | [1] |
| Executed persistent service (javamtsup) on system startup | javamtsup.exe spawning from services.exe | |
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 16.L.1 | | Specific Behavior (Delayed) | The OverWatch team sent an email indicating they observed a Specific Behavior because update.vbs executed following the start of the AdobeUpdater service. [1] [2] |
| 16.L.1 | | Telemetry | Telemetry showed sc.exe executing with command-line arguments to start the AdobeUpdater service on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. [1] [2] |

| Procedure | Notes | Refs |
|---|---|---|
| Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) | OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. | [1] [2] |
| Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) | | [1] [2] |
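The detection criteria in the three rounds above all reduce to parent/child relationships in the process tree: a service executable under C:\Windows\ spawning cmd.exe, PSEXESVC.exe spawning python.exe, services.exe starting a service binary such as javamtsup.exe, and sc.exe issuing a start command while tainted by an earlier powershell.exe. The following is an added example, not code from the ATT&CK Evaluations or from the evaluated vendor, showing how those four criteria can be evaluated over process-creation telemetry. The event fields, the hypothetical image paths (for instance the RemCom service binary name and the javamtsup.exe location) and the rule names are constructed assumptions; the "service executable" heuristic (a process launched directly by services.exe) is a simplification that a real product would refine with service-control-manager data.

```python
"""Process-tree checks for the Service Execution criteria listed above.

Added example, not ATT&CK Evaluations or vendor code. All events below are
constructed; field names, paths and rule names are assumptions.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the new process (assumed field)
    cmdline: str    # command line of the new process (assumed field)


def _name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive directory-prefix test."""
    return path.lower().startswith(prefix.lower())


class ProcessTree:
    def __init__(self, events: List[ProcEvent]) -> None:
        self.by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}

    def parent(self, e: ProcEvent) -> Optional[ProcEvent]:
        return self.by_pid.get(e.ppid)

    def ancestors(self, e: ProcEvent) -> Iterator[ProcEvent]:
        """Walk up the tree; the seen-set guards against PID reuse cycles."""
        seen = set()
        p = self.parent(e)
        while p is not None and p.pid not in seen:
            seen.add(p.pid)
            yield p
            p = self.parent(p)

    def is_service_exe(self, e: ProcEvent) -> bool:
        """Heuristic: a process launched directly by services.exe is a service executable."""
        p = self.parent(e)
        return p is not None and _name(p.image) == "services.exe"


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that satisfies a criterion."""
    tree = ProcessTree(events)
    hits: List[Tuple[str, int]] = []
    for e in events:
        p = tree.parent(e)
        # Carbanak+FIN7 5.C.3: cmd.exe spawned by a service executable in C:\Windows\
        if (_name(e.image) == "cmd.exe" and p is not None
                and _under(p.image, "C:\\Windows\\") and tree.is_service_exe(p)):
            hits.append(("cmd_from_windows_service", e.pid))
        # APT29 8.C.3: python.exe spawned by PSEXESVC.exe
        if _name(e.image) == "python.exe" and p is not None and _name(p.image) == "psexesvc.exe":
            hits.append(("python_from_psexesvc", e.pid))
        # APT29 10.A.1: services.exe starting a service binary outside C:\Windows\
        if tree.is_service_exe(e) and not _under(e.image, "C:\\Windows\\"):
            hits.append(("nonstandard_service_from_services_exe", e.pid))
        # APT3 16.L.1: sc.exe start command with powershell.exe somewhere in its ancestry (taint)
        if (_name(e.image) == "sc.exe" and " start " in f" {e.cmdline.lower()} "
                and any(_name(a.image) == "powershell.exe" for a in tree.ancestors(e))):
            hits.append(("sc_start_tainted_by_powershell", e.pid))
    return hits


# Constructed sample telemetry: one benign branch per rule plus the four matching chains.
SAMPLE_EVENTS = [
    ProcEvent(500, 400, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),   # benign service
    ProcEvent(1200, 500, r"C:\Windows\remcom_service.exe", "remcom_service.exe"),     # constructed name
    ProcEvent(1300, 1200, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(2000, 500, r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ProcEvent(2100, 2000, r"C:\Python\python.exe", "python.exe script.py"),            # constructed path
    ProcEvent(3000, 500, r"C:\Users\Public\javamtsup.exe", "javamtsup.exe"),          # constructed path
    ProcEvent(4000, 3500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(4100, 4000, r"C:\Windows\System32\sc.exe", r"sc.exe \\10.0.0.4 start AdobeUpdater"),
    ProcEvent(700, 3500, r"C:\Windows\System32\cmd.exe", "cmd.exe"),                  # cmd.exe from explorer: benign
]


if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Running the block prints one hit per rule (PIDs 1300, 2100, 3000 and 4100) and nothing for the svchost.exe and explorer-launched cmd.exe branches. The taint rule mirrors the APT3 note, where sc.exe by itself is ordinary telemetry and the interesting signal comes from the earlier powershell.exe detection in its ancestry.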