Carbanak+FIN7

| Step | Criteria (ATT&CK Pattern) | Data Sources | Detection Type | Detection Note |
|---|---|---|---|---|
| 4.B.7 | smrs.exe opens and reads lsass.exe | DLL Monitoring, File Monitoring, Process Monitoring [1] | Technique | A Technique detection named "Credential Dumping" was generated when smrs.exe attempted to load DLLs and access lsass. [1] |
| 4.B.7 | smrs.exe opens and reads lsass.exe | DLL Monitoring, Process Monitoring, File Monitoring [1] | Technique | A Technique detection named "Credential Dumping" was generated when smrs.exe opened and read lsass.exe. [1] |
| 15.A.6 | samcat.exe opens and reads the SAM via LSASS | DLL Monitoring, Process Monitoring [1] | | |
| 15.A.6 | samcat.exe opens and reads the SAM via LSASS | Process Monitoring, DLL Monitoring [1] | General | A General detection named "Malicious Mimikatz" was generated when powershell.exe executed a malicious file that was detected as Possible Mimikatz. [1] |
| 15.A.6 | samcat.exe opens and reads the SAM via LSASS | DLL Monitoring, Process Monitoring [1] | Technique | A Technique detection named "Credential Dumping" was generated when samcat.exe attempted to load DLLs and access lsass that was detected as Possible Mimikatz. [1] |
APT29

| Step | Procedure | Criteria | Detection Type | Detection Note |
|---|---|---|---|---|
| 6.C.1 | Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe | powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\ [1] | Telemetry | Telemetry showed powershell.exe injecting into lsass.exe. [1] |
| 6.C.1 | Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe | powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\ [1] | Technique (Alert) | A Technique alert detection for "Credential Dumping" was generated when PowerShell attempted injection into lsass. [1] |
| 6.C.1 | Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe | powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\ [1] | General (Alert) | A General alert detection for "Process Injection" was generated on "PowerShell injected into Microsoft signed process". [1] |
| 14.B.4 | Dumped plaintext credentials using Mimikatz (m.exe) | m.exe injecting into lsass.exe to dump credentials [1] | Technique (Alert, Correlated) | A Technique alert detection for "Credential Dumping" was generated when powershell.exe loaded cryptography DLLs and attempted to inject into lsass.exe, and again when powershell.exe successfully injected into lsass.exe. The detection was correlated to a parent alert for wmiprvse.exe executing powershell.exe. [1] |
| 14.B.4 | Dumped plaintext credentials using Mimikatz (m.exe) | m.exe injecting into lsass.exe to dump credentials [1] | MSSP | An MSSP detection for "Credential Dumping" was received that included a PowerShell command executed by the adversary to download Mimikatz and execute it with a sequence of commands. [1] |
| 14.B.4 | Dumped plaintext credentials using Mimikatz (m.exe) | m.exe injecting into lsass.exe to dump credentials [1] | Technique (Correlated, Alert) | A Technique alert detection for "Credential Dumping" was generated when m.exe read LSASS memory. The detection was correlated to a parent alert for wmiprvse.exe executing powershell.exe. [1] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe) | m.exe injecting into lsass.exe to dump credentials [1] | General (Correlated, Alert) | A General detection was generated for a "Suspected Mimikatz credential theft activity". The event was correlated to a parent General detection on m.exe. [1] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe) | m.exe injecting into lsass.exe to dump credentials [1] [2] | Technique | A Technique detection for "Credential Dumping" was generated when m.exe injected into lsass.exe. [1] [2] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe) | m.exe injecting into lsass.exe to dump credentials [1] [2] | MSSP | An MSSP detection for "Credential Dumping" was received that included a PowerShell command executed by the adversary and explained that it was used to execute Mimikatz to retrieve the krbtgt hash from host NewYork (10.0.0.4). [1] [2] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe) | m.exe injecting into lsass.exe to dump credentials [1] | Telemetry | Telemetry showed m.exe injecting into lsass.exe. [1] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe) | m.exe injecting into lsass.exe to dump credentials [1] | Technique (Alert) | A Technique alert detection for "Credential Dumping" was generated when a suspicious process opened LSASS and wrote to a file. [1] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe) | m.exe injecting into lsass.exe to dump credentials [1] | Technique (Alert) | A Technique alert detection for "Credential Dumping" was generated for a suspicious injection into LSASS. [1] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe) | m.exe injecting into lsass.exe to dump credentials [1] | General (Alert) | A General alert detection for "Process Injection" was generated on "Untrusted process attempted to open a thread in a Microsoft process". [1] |
| 16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe) | m.exe injecting into lsass.exe to dump credentials [1] | Technique (Alert) | A Technique alert detection for "Credential Dumping" was generated when a suspicious process loaded a cryptographic DLL and accessed LSASS memory. [1] |