Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 4.A.3 | | | A General detection named "A malicious PowerShell cmdlet was invoked on the machine" (Medium) was generated when powershell.exe executed Find-LocalAdminAccess, which connected to multiple hosts over port 135 to check for access. [1] |
| | | | powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access. Data sources: Script Logs, Process Monitoring. [1] |
| | | | powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access. Data sources: Process Monitoring, Network Monitoring. [1] [2] |
APT29

The technique was not in scope.
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 16.A.1.1 | | Specific Behavior (Delayed) | A delayed Specific Behavior alert was generated based on a brute-force attempt: accessing remote SMB shares with different accounts. [1] [2] [3] [4] [5] [6] |
| | | | Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying (tainted by the parent alert on a PowerShell script with suspicious content). Telemetry also showed failed authorization attempts due to bad passwords, as indicated by a fallback request over WebDAV to port 80 on the C2 server, but did not indicate the two failed access attempts on Morris and Conficker that were due to the accounts having insufficient access on those systems. [1] [2] [3] [4] [5] [6] |
| 16.B.1.3 | | Specific Behavior (Delayed) | A Specific Behavior alert was generated based on a brute-force attempt: accessing remote SMB shares with different accounts. [1] [2] [3] |
| | | | Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying, eventually resulting in a successful logon (tainted by the parent alert on a PowerShell script with suspicious content). [1] [2] [3] |
| | | | Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute-force password spraying. The alert spans multiple login attempts. [1] [2] [3] |
| | | | Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute-force password spraying. [1] [2] [3] |
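The notes above describe two behaviours that the telemetry surfaced: one process opening DCOM/RPC (port 135) connections to many hosts in quick succession (the Find-LocalAdminAccess step under Carbanak+FIN7), and net.exe mapping remote SMB shares with a series of different accounts, some of which failed on a bad password and some on insufficient access (the APT3 steps). As an added example that is not part of the evaluation page or of any vendor's product, the following Python implements both as simple detection rules over constructed sample telemetry. The log line formats, host names, IP addresses, account names, thresholds, window sizes and the mapping of net.exe exit codes to outcomes are all assumptions; the spray rule reports the outcome of each attempt separately so that a bad-password failure, an access-denied failure and an eventual success are each visible, which is the distinction the 16.A.1.1 note says the telemetry only partly made.

```python
from collections import Counter
from datetime import datetime, timedelta
import re

# Constructed sample network telemetry (not from the evaluation):
# timestamp host image pid dst_ip dst_port
NET_LOG = """\
2021-03-01T10:00:01 WS1 powershell.exe 4120 10.1.0.5 135
2021-03-01T10:00:01 WS1 powershell.exe 4120 10.1.0.6 135
2021-03-01T10:00:02 WS1 powershell.exe 4120 10.1.0.7 135
2021-03-01T10:00:02 WS1 powershell.exe 4120 10.1.0.8 135
2021-03-01T10:00:03 WS1 powershell.exe 4120 10.1.0.9 135
2021-03-01T10:00:03 WS1 powershell.exe 4120 10.1.0.10 135
2021-03-01T10:00:09 WS1 outlook.exe 3300 10.1.0.2 443
2021-03-01T10:30:00 WS2 mmc.exe 2200 10.1.0.5 135
"""

# Constructed sample process telemetry: timestamp|host|image|command line|exit code
PROC_LOG = r"""
2021-03-01T10:05:00|WS1|net.exe|net use \\10.1.0.5\C$ /user:CORP\alice Pw1|1326
2021-03-01T10:05:02|WS1|net.exe|net use \\10.1.0.5\C$ /user:CORP\bob Pw1|1326
2021-03-01T10:05:04|WS1|net.exe|net use \\10.1.0.4\C$ /user:CORP\carol Pw1|5
2021-03-01T10:05:06|WS1|net.exe|net use \\10.1.0.5\C$ /user:CORP\dave Pw1|0
2021-03-01T10:06:00|WS2|net.exe|net use \\10.1.0.20\share /user:CORP\svc_backup Pw2|0
"""

RPC_PORT = 135
RPC_DISTINCT_HOSTS = 5            # assumed threshold: distinct targets per process
RPC_WINDOW = timedelta(minutes=2)
SPRAY_DISTINCT_ACCOUNTS = 3       # assumed threshold: distinct accounts per source host
SPRAY_WINDOW = timedelta(minutes=5)

# Assumed mapping of net.exe exit codes to the outcomes the evaluation notes distinguish
# (Win32: 0 = success, 1326 = ERROR_LOGON_FAILURE, 5 = ERROR_ACCESS_DENIED).
OUTCOME = {0: "success", 1326: "bad_password", 5: "access_denied"}

USER_RE = re.compile(r"/user:(\S+)", re.IGNORECASE)
SHARE_RE = re.compile(r"net\s+use\s+(\\\\\S+)", re.IGNORECASE)


def parse_net(text):
    """Parse the constructed network-event format into tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, image, pid, dst_ip, dst_port = line.split()
        events.append((datetime.fromisoformat(ts), host, image, int(pid), dst_ip, int(dst_port)))
    return events


def parse_proc(text):
    """Parse the constructed process-event format into tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, image, cmdline, code = line.split("|")
        events.append((datetime.fromisoformat(ts), host, image, cmdline, int(code)))
    return events


def detect_rpc_fanout(text):
    """Flag a process that opens TCP 135 connections to many distinct hosts inside one window.

    The count reported is the largest number of distinct targets seen in any window."""
    by_proc = {}
    for ts, host, image, pid, dst_ip, dst_port in parse_net(text):
        if dst_port == RPC_PORT:
            by_proc.setdefault((host, image, pid), []).append((ts, dst_ip))
    findings = []
    for (host, image, pid), conns in by_proc.items():
        conns.sort()
        best = 0
        for i, (ts_end, _) in enumerate(conns):
            window_ips = {ip for ts, ip in conns[: i + 1] if ts >= ts_end - RPC_WINDOW}
            best = max(best, len(window_ips))
        if best >= RPC_DISTINCT_HOSTS:
            findings.append({"host": host, "image": image, "pid": pid,
                             "distinct_targets": best, "port": RPC_PORT})
    return findings


def detect_net_use_spray(text):
    """Flag a host where net.exe mapped remote shares with many distinct accounts in one window.

    Each finding carries a per-outcome count and the (account, share) pairs that succeeded."""
    by_host = {}
    for ts, host, image, cmdline, code in parse_proc(text):
        if image.lower() != "net.exe":
            continue
        user, share = USER_RE.search(cmdline), SHARE_RE.search(cmdline)
        if not (user and share):
            continue
        by_host.setdefault(host, []).append(
            (ts, user.group(1).lower(), share.group(1), OUTCOME.get(code, "other")))
    findings = []
    for host, attempts in by_host.items():
        attempts.sort()
        best = None
        for i, (ts_end, *_) in enumerate(attempts):
            window = [a for a in attempts[: i + 1] if a[0] >= ts_end - SPRAY_WINDOW]
            if best is None or len({a[1] for a in window}) >= len({a[1] for a in best}):
                best = window           # keep the widest (and latest) window
        accounts = {a[1] for a in best}
        if len(accounts) >= SPRAY_DISTINCT_ACCOUNTS:
            findings.append({
                "host": host,
                "distinct_accounts": len(accounts),
                "outcomes": dict(Counter(a[3] for a in best)),
                "successful": sorted({(a[1], a[2]) for a in best if a[3] == "success"}),
            })
    return findings


if __name__ == "__main__":
    for f in detect_rpc_fanout(NET_LOG) + detect_net_use_spray(PROC_LOG):
        print(f)
```

Keying the spray rule on the source host rather than on a single target share is what lets it see the whole sequence, including the access-denied attempt against a second host, which per the 16.A.1.1 note was the part the telemetry did not surface on its own.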