Carbanak+FIN7

| Step | ATT&CK Pattern | Procedure | Criteria | Detection Type | Detection Note |
|---|---|---|---|---|---|
| 20.B.4 | | 7za.exe creates C:\Users\Public\log.7z | Process Monitoring; File Monitoring | | A Technique detection named "Compression of sensitive data" (Low) was generated when rundll32.exe invoked an archive utility (7za.exe). [1] [2] |
| 20.B.4 | | 7za.exe creates C:\Users\Public\log.7z | File Monitoring; Process Monitoring | | A Technique detection named "7za.exe modified a compressed file log.7z" was generated when 7za.exe modified a compressed file (log.7z). [1] |
APT29

| Step | ATT&CK Pattern | Procedure | Criteria | Detection Type | Detection Note |
|---|---|---|---|---|---|
| 2.A.4 | | Compressed and stored files into ZIP (Draft.zip) using PowerShell | powershell.exe executing Compress-Archive | | An MSSP detection for Discovery occurred containing evidence that PowerShell ran commands to query files with certain extensions and compress the found files into a zip file. [1] |
| 2.A.4 | | Compressed and stored files into ZIP (Draft.zip) using PowerShell | powershell.exe executing Compress-Archive | | Telemetry showed powershell.exe compressing via Compress-Archive. [1] [2] |
| 2.A.5 | | Staged files for exfiltration into ZIP (Draft.zip) using PowerShell | powershell.exe creating the file draft.zip | | Telemetry showed the creation of Draft.Zip. [1] |
| 2.A.5 | | Staged files for exfiltration into ZIP (Draft.zip) using PowerShell | powershell.exe creating the file draft.zip | | An MSSP detection for Discovery occurred containing evidence that PowerShell ran commands to query files with certain extensions and compress the found files into a zip file. [1] |
| 7.B.2 | | Compressed data from the user's Downloads directory into an archive (OfficeSupplies.7z) using PowerShell | powershell.exe creating the file OfficeSupplies.7z | | Telemetry showed the file create event for OfficeSupplies.7z. [1] |
| 7.B.3 | | Encrypted data from the user's Downloads directory using PowerShell | powershell.exe executing Compress-7Zip with the password argument used for encryption | | Telemetry showed powershell.exe executing Compress-7Zip with arguments for encryption. [1] [2] |
| 9.B.6 | | Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe | powershell.exe executing rar.exe with the -a parameter for a password to use for encryption | | Telemetry showed powershell.exe executing rar.exe with command-line arguments. [1] |
| 9.B.6 | | Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe | powershell.exe executing rar.exe with the -a parameter for a password to use for encryption | | An MSSP detection for suspicious activity was generated containing evidence that a PowerShell command executed rar.exe to encrypt with password hpfGzq5yKw. [1] [2] |
| 9.B.7 | | Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe | powershell.exe executing rar.exe | | Telemetry showed powershell.exe executing rar.exe with command-line arguments. [1] |
| 9.B.7 | | Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe | powershell.exe executing rar.exe | | An MSSP detection for suspicious activity was generated containing evidence that rar.exe compressed files into working.zip. [1] [2] |
| 17.C.1 | | Compressed a staging directory using PowerShell | powershell.exe executing the ZipFile.CreateFromDirectory .NET method | | Telemetry showed PowerShell compressing the collection via the ZipFile.CreateFromDirectory .NET method. [1] [2] |
APT3

| Step | ATT&CK Pattern | Procedure | Criteria | Detection Type | Detection Note |
|---|---|---|---|---|---|
| 19.B.1.1 | | Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file | | | Telemetry showed the execution sequence for recycler.exe with WinRAR command-line arguments, including the -hp flag, for data encryption and compression (Tainted: the alert on a PowerShell script with a suspicious command line was generated by numerous scripts). |
| 19.B.1.2 | | Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file | | | Telemetry showed the execution sequence for recycler.exe with WinRAR command-line arguments, including the -hp flag, for data encryption and compression (Tainted: the alert on a PowerShell script with a suspicious command line was generated by numerous scripts). |
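The three tables above describe the same family of observables from different angles: an archive utility (7za.exe, rar.exe) launched by an unexpected parent, PowerShell compressing in-process (Compress-Archive, Compress-7Zip with a password, ZipFile.CreateFromDirectory), a password switch on the command line (-hp/-p, -Password), an archiver renamed to something innocuous (recycler.exe), and the archive landing in a staging directory (C:\Users\Public, AppData, Desktop). The detection logic below is an added example written for this page, not code from MITRE or from any evaluated vendor. It runs over constructed process-creation records (Sysmon Event ID 1 fields, joined with the files the process wrote); the user name "alice", the file paths, the passwords "Secret" and "Secret1", the set of suspicious parent processes and the staging-directory list are all assumptions to be tuned per environment. The renamed-archiver case is handled by matching WinRAR's argument grammar (`a [switches] <archive> <files>`) rather than the image name, which is the generalisation the APT3 rows call for.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 fields) plus the files that
    process wrote (Event ID 11), joined on process id by the collector.
    Constructed for this example; not telemetry from the evaluations."""
    image: str
    command_line: str
    parent_image: str
    created_files: List[str] = field(default_factory=list)


ARCHIVERS = {"7za.exe", "7z.exe", "rar.exe", "winrar.exe"}
# Parents that should not normally be driving an archiver (assumption; tune per fleet).
SUSPICIOUS_PARENTS = {"powershell.exe", "pwsh.exe", "rundll32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ARCHIVE_EXT = (".7z", ".zip", ".rar")
# Staging areas seen in the rows above (assumption; tune per environment).
STAGING_DIRS = ("\\users\\public\\", "\\appdata\\", "\\desktop\\", "\\windows\\temp\\")

# WinRAR grammar: "<exe> a [switches] <archive>.rar|.zip <files>". The grammar survives
# renaming the binary (APT3's recycler.exe), so match it rather than the image name.
RAR_SYNTAX = re.compile(r"(?:^|\s)a(?:\s+-\S+)*\s+\S+\.(?:rar|zip)\b", re.I)
# rar -hp<pwd> encrypts headers and data; rar/7-Zip -p<pwd> encrypts data only.
CLI_PASSWORD = re.compile(r"(?:^|\s)-(?:hp|p)(\S*)", re.I)
# PowerShell in-process compression from the APT29 rows: Compress-Archive,
# Compress-7Zip (7Zip4Powershell module, -Password) and [IO.Compression.ZipFile]::CreateFromDirectory.
PS_ARCHIVE = re.compile(r"Compress-Archive|Compress-7Zip|CreateFromDirectory", re.I)
PS_PASSWORD = re.compile(r"-Password\b", re.I)


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def extract_password(command_line: str) -> Optional[str]:
    """Password carried on a rar/7-Zip command line (-hp<pwd> or -p<pwd>), quotes stripped,
    or None. Only meaningful for archiver command lines: PowerShell's -Path would match."""
    m = CLI_PASSWORD.search(command_line)
    return m.group(1).strip("\"'") if m else None


def analyze(ev: ProcEvent) -> List[str]:
    """Findings for one event; an empty list means nothing archive-related was seen."""
    img, parent, cmd = _name(ev.image), _name(ev.parent_image), ev.command_line
    findings: List[str] = []
    is_archiver = img in ARCHIVERS
    if is_archiver:
        findings.append(f"archive utility {img} executed")
    elif RAR_SYNTAX.search(cmd):
        findings.append(f"RAR-style command line under non-archiver image {img}")
        is_archiver = True
    if is_archiver:
        if parent in SUSPICIOUS_PARENTS:
            findings.append(f"archiver spawned by {parent}")
        if CLI_PASSWORD.search(cmd):
            findings.append("password-protected archive (-hp/-p switch)")
    elif img in ("powershell.exe", "pwsh.exe") and PS_ARCHIVE.search(cmd):
        findings.append("PowerShell in-process compression")
        if PS_PASSWORD.search(cmd):
            findings.append("password-protected archive (-Password)")
    for path in ev.created_files:  # file create/modify of an archive in a staging dir
        low = path.lower()
        if low.endswith(ARCHIVE_EXT) and any(d in low for d in STAGING_DIRS):
            findings.append(f"archive written to staging directory: {path}")
    return findings


def severity(findings: List[str]) -> Optional[str]:
    """Crude tiering: one observable is Low, two Medium, three or more High."""
    if not findings:
        return None
    return "Low" if len(findings) == 1 else "Medium" if len(findings) == 2 else "High"


# Constructed events modelled on the rows above; user, paths and passwords are placeholders.
SAMPLE_EVENTS = [
    # Carbanak+FIN7 20.B.4 shape: rundll32.exe spawns 7za.exe, archive lands in C:\Users\Public
    ProcEvent(r"C:\Users\Public\7za.exe", r"7za.exe a C:\Users\Public\log.7z C:\Users\Public\*.log",
              r"C:\Windows\System32\rundll32.exe", [r"C:\Users\Public\log.7z"]),
    # APT29 7.B.3 shape: Compress-7Zip with -Password
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -c "Compress-7Zip -Path $env:USERPROFILE\Downloads -ArchiveFileName $env:USERPROFILE\Desktop\OfficeSupplies.7z -Format SevenZip -Password Secret1"',
              r"C:\Windows\explorer.exe", [r"C:\Users\alice\Desktop\OfficeSupplies.7z"]),
    # APT29 17.C.1 shape: ZipFile.CreateFromDirectory writing into AppData
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'''powershell.exe -c "[IO.Compression.ZipFile]::CreateFromDirectory('C:\Users\alice\AppData\Roaming\staging', 'C:\Users\alice\AppData\Roaming\staging.zip')"''',
              r"C:\Windows\explorer.exe", [r"C:\Users\alice\AppData\Roaming\staging.zip"]),
    # APT3 19.B.1 shape: renamed WinRAR (recycler.exe) run from the Empire PowerShell agent with -hp
    ProcEvent(r"C:\Windows\Temp\recycler.exe", r"recycler.exe a -hpSecret C:\Windows\Temp\old.rar C:\Windows\Temp\collected.txt",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", [r"C:\Windows\Temp\old.rar"]),
    # Benign: interactive 7-Zip use from Explorer, no password, archive in Documents
    ProcEvent(r"C:\Program Files\7-Zip\7z.exe", r'"C:\Program Files\7-Zip\7z.exe" a C:\Users\alice\Documents\photos.7z C:\Users\alice\Pictures',
              r"C:\Windows\explorer.exe", [r"C:\Users\alice\Documents\photos.7z"]),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        found = analyze(ev)
        print(f"{_name(ev.image):14} {severity(found) or '-':6} {'; '.join(found)}")
```

Two points worth keeping in mind when adapting this. First, with -hp the archive's file listing is encrypted along with the contents, so the archive on disk tells you nothing about what was taken; the command line is the one place the password and file list appear in clear, which is why the MSSP notes above can quote the password. Capturing full command lines is therefore the prerequisite for every row in these tables. Second, the `-p` prefix is deliberately not applied to PowerShell command lines, because `-Path` and similar parameters would match it; the PowerShell branch keys on `-Password` only, and any environment-specific switch that starts with `-p` on an archiver needs an exclusion.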