Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 2.B.1 | | General | A General detection named "Clam.Win.Malware.ScreenCapture.UNOFFICIAL" (Medium) was generated when screenshot_.ps1 was detected as Clam.Win.Malware.ScreenCapture. [1] [2] [3] |
| 3.B.1 | | General | A General detection named "Generic.Sharpshooter" (Medium) was generated when LanCradDriver.ps1 was detected as Generic.Sharpshooter. [1] [2] |
| 4.B.1 | | | |
| 4.B.2 | | General | A General detection named "W32.33A15DA56C.in12.Talos" was generated when smrs.exe was detected as W32.33A15DA56C.in12.Talos. [1] |
| 4.B.2 | | Technique | A Technique detection named "Interpreter Creates Executable" (Low) was generated when powershell.exe downloaded smrs.exe from 192.168.0.4. [1] [2] |
| 5.A.1 | | Technique | A Technique detection named "Interpreter Creates Executable" (Low) was generated when powershell.exe downloaded pscp.exe. [1] [2] |
| 5.A.2 | | | |
| 5.A.3 | | | |
| 5.A.4 | | General | A General detection named "Cloud IOC: W32.SuspiciousOperations.ioc" (Medium) was generated when plink.exe was identified. [1] [2] |
| 5.A.4 | | Technique | A Technique detection named "Interpreter Creates Executable" (Low) was generated when powershell.exe downloaded plink.exe. [1] [2] |
| 5.A.5 | | Technique | A Technique detection named "Interpreter Creates Executable" (Low) was generated when powershell.exe created tiny.exe. [1] [2] |
| 7.A.1 | | General | A General detection named "Cloud IOC: W32.SuspiciousOperations.ioc" (Medium) was generated when plink.exe was seen and identified as a possible attempt to tunnel. [1] [2] |
| 7.C.1 | | General | A General detection named "DeepScan: Generic.Exploit.Shellcode" (Medium) was generated when scp.exe downloaded Java-Update.exe from 192.168.0.4. [1] [2] |
| 7.C.3 | | | |
| 9.A.1 | | | |
| 9.B.1 | | | |
| 10.A.1 | | | |
| 10.A.2 | | | |
| 12.B.1 | | | |
| 13.B.1 | | General | A General detection named "Clam.Win.Malware.ScreenCapture.UNOFFICIAL" (Medium) was generated when adb156.exe created takeScreenshot.ps1. [1] [2] |
| 15.A.2 | | General | A General detection named "Gen:Heur.Mimikatz.1" (Medium) was generated when samcat.exe was detected as Gen:Heur.Mimikatz.1. [1] |
| 15.A.2 | | Technique | A Technique detection named "Interpreter Creates Executable" (Low) was generated when powershell.exe downloaded samcat.exe from 192.168.0.4. [1] [2] |
| 15.A.3 | | | |
| 16.A.1 | | Technique | A Technique detection named "Interpreter Creates Executable" (Low) was generated when powershell.exe downloaded paexec.exe. [1] [2] |
| 16.A.2 | | Technique | A Technique detection named "Interpreter Creates Executable" (Low) was generated when powershell.exe downloaded hollow.exe. [1] [2] |
| 17.A.1 | | General | A General detection named "Gen:Variant.Johnnie" (Medium) was generated when strrstr.dll was detected as Gen:Variant.Johnnie. [1] [2] |
| 19.B.3 | | | |
| 19.B.4 | | | |
| 20.B.1 | | | |
| 20.B.3 | | | |