Carbanak+FIN7

Step | ATT&CK Pattern | Detection Type | Detection Note
4.A.3 | | Process Monitoring; Network Monitoring; Script Logs | powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access [1] [2]
APT29

The subtechnique was not in scope.
APT3

Step | ATT&CK Pattern | Detection Type | Detection Note
16.A.1.1 | | | Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access denied to the resource. [1] [2]
16.B.1.3 | | | Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access denied to the resource. [1] [2]

Procedures emulated in these steps:
16.A.1.1: Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda [1] [2]
16.B.1.3: Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying [1] [2]
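The two detection notes describe the telemetry a defender would see for this behaviour: repeated net.exe logon attempts cycling through several user names (APT3 steps 16.A.1.1 and 16.B.1.3), and a single PowerShell process fanning out RPC connections on port 135 to many hosts (Carbanak+FIN7 step 4.A.3). The following is an added example of detection logic for both signals, not code from the ATT&CK Evaluations or from any vendor. The event schema, the spraying source host "Creeper", the password, the timings and the alert thresholds are all assumptions; the target hosts, IPs and user names follow the APT3 procedure text above, and the sample events are constructed.

```python
"""Detection logic for the two signals recorded above: net.exe password spraying
(APT3 steps 16.A.1.1 / 16.B.1.3) and Find-LocalAdminAccess RPC fan-out
(Carbanak+FIN7 step 4.A.3). Added example, not code from the ATT&CK
Evaluations; the event schema and all sample events are constructed."""
import re
from collections import defaultdict


def _net_use(t, src, target, user, exit_code):
    # Constructed process-creation event; the password and timing are assumed.
    return {"t": t, "src": src, "image": "net.exe", "exit": exit_code,
            "cmd": "net use \\\\" + target + " /user:DOMAIN\\" + user + " Spring2018!"}


# Hosts and users follow the APT3 range (Morris 10.0.1.4, Nimda 10.0.1.6,
# Conficker 10.0.0.5); the spraying source "Creeper" and the benign mapping
# from "Morris" are assumed. Exit 0x2 is the failure code the note describes.
PROCESS_EVENTS = [
    _net_use(0, "Creeper", "10.0.1.4", "Kmitnick", 0x2),
    _net_use(2, "Creeper", "10.0.1.4", "Bob", 0x2),
    _net_use(4, "Creeper", "10.0.1.4", "Frieda", 0x2),
    _net_use(6, "Creeper", "10.0.1.6", "Kmitnick", 0x2),
    _net_use(8, "Creeper", "10.0.1.6", "Bob", 0x2),
    _net_use(10, "Creeper", "10.0.1.6", "Frieda", 0x2),
    _net_use(12, "Creeper", "10.0.0.5", "Kmitnick", 0x0),   # the attempt that worked
    _net_use(500, "Morris", "fileserver", "alice", 0x0),    # a single benign mapping
]

# Matches "net use \\<target>[\share] ... /user:<user>" in a command line.
NET_USE = re.compile(
    r"\bnet(?:\.exe)?\s+use\s+\\\\(?P<target>[^\s\\]+)\S*\s.*?/user:(?P<user>\S+)",
    re.IGNORECASE,
)


def detect_net_use_spray(events, window=300, min_attempts=5, min_users=3):
    """Flag a source host that runs net use against several distinct user
    names inside one window. Exit codes only separate success (0) from
    failure; as the detection note says, a non-zero code does not tell bad
    credentials apart from access denied, so no reason is inferred from it."""
    by_src = defaultdict(list)
    for e in events:
        if e["image"].lower() != "net.exe":
            continue
        m = NET_USE.search(e["cmd"])
        if m:
            by_src[e["src"]].append((e["t"], m["target"], m["user"].lower(), e["exit"]))
    alerts = []
    for src, attempts in by_src.items():
        attempts.sort()
        for t0, _, _, _ in attempts:
            win = [a for a in attempts if t0 <= a[0] < t0 + window]
            users = {a[2] for a in win}
            if len(win) >= min_attempts and len(users) >= min_users:
                alerts.append({"source": src, "attempts": len(win),
                               "users": sorted(users),
                               "targets": sorted({a[1] for a in win}),
                               "successes": [(a[1], a[2]) for a in win if a[3] == 0]})
                break   # one alert per source is enough
    return alerts


# Constructed network-connection telemetry (Sysmon event 3 style fields):
# one powershell.exe PID probing port 135 on ten hosts, plus an unrelated
# svchost.exe connection that must not trip the detector.
NETWORK_EVENTS = [
    {"t": 0.1 * i, "pid": 4242, "image": "powershell.exe",
     "dst": "10.0.1.%d" % i, "port": 135} for i in range(1, 11)
] + [{"t": 30.0, "pid": 9001, "image": "svchost.exe", "dst": "10.0.1.4", "port": 135}]


def detect_rpc_fanout(events, window=60, min_hosts=5, ports=(135,)):
    """Flag one process opening RPC endpoint-mapper connections to many
    distinct hosts within a short window, the fan-out Find-LocalAdminAccess
    produces when it checks each host for admin access."""
    by_proc = defaultdict(list)
    for e in events:
        if e["port"] in ports:
            by_proc[(e["pid"], e["image"])].append((e["t"], e["dst"]))
    alerts = []
    for (pid, image), conns in by_proc.items():
        conns.sort()
        for t0, _ in conns:
            hosts = {d for t, d in conns if t0 <= t < t0 + window}
            if len(hosts) >= min_hosts:
                alerts.append({"pid": pid, "image": image, "hosts": len(hosts)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_net_use_spray(PROCESS_EVENTS) + detect_rpc_fanout(NETWORK_EVENTS):
        print(alert)
```

The spray detector keys on distinct user names per source host rather than on failed-logon counts, which is what separates spraying from a user mistyping one password; the single benign mapping from Morris is never raised. The fan-out detector keys on distinct destination hosts per process, so a service that talks to one RPC endpoint repeatedly is ignored while a discovery script touching every host in a subnet is caught.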