Home >
Enterprise >
Participants >
Palo Alto Networks >
Defense Evasion (TA0005)
|
|
Carbanak+FIN7 |
||||||||
Step | ATT&CK Pattern |
|
||||||
1.A.4
|
Technique Obfuscated Files or Information (T1027) |
|
||||||
1.A.5
|
|
|||||||
1.A.6
|
|
|||||||
3.A.2
|
Technique Modify Registry (T1112) |
|
||||||
3.A.3
|
Technique Obfuscated Files or Information (T1027) |
|
||||||
3.B.5
|
|
|||||||
4.B.4
|
Technique Modify Registry (T1112) |
|
||||||
5.C.6
|
|
|||||||
7.A.4
|
|
|||||||
9.A.3
|
Technique Process Injection (T1055) |
|
||||||
9.B.3
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
10.A.3
|
Technique Impair Defenses (T1562) Subtechnique Impair Defenses: Disable or Modify System Firewall (T1562.004) |
|
||||||
10.A.5
|
Technique Modify Registry (T1112) |
|
||||||
10.A.6
|
Technique Modify Registry (T1112) |
|
||||||
11.A.2
|
Technique Obfuscated Files or Information (T1027) |
|
||||||
11.A.5
|
|
|||||||
11.A.6
|
|
|||||||
13.A.4
|
Technique Virtualization/Sandbox Evasion (T1497) Subtechnique Virtualization/Sandbox Evasion: System Checks (T1497.001) |
|
||||||
14.A.3
|
|
|||||||
14.A.5
|
|
|||||||
16.A.7
|
|
|||||||
17.A.2
|
Technique Masquerading (T1036) Subtechnique Masquerading: Match Legitimate Name or Location (T1036.005) |
|
||||||
18.A.1
|
Technique Process Injection (T1055) |
|
||||||
18.A.3
|
Technique Process Injection (T1055) |
|
||||||
19.B.2
|
Technique Obfuscated Files or Information (T1027) |
|
||||||
20.A.2
|
Technique Process Injection (T1055) |
|
APT29 |
||||||||
Step | ATT&CK Pattern |
|
||||||
1.A.2
|
|
|||||||
3.A.2
|
|
|||||||
3.C.1
|
Technique Modify Registry (T1112) |
|
||||||
4.A.3
|
|
|||||||
4.B.2
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
4.B.3
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
4.B.4
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
6.A.3
|
Technique Masquerading (T1036) Subtechnique Masquerading: Match Legitimate Name or Location (T1036.005) |
|
||||||
8.B.2
|
|
|||||||
8.C.1
|
|
|||||||
9.C.1
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
9.C.2
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
9.C.3
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
9.C.4
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
10.B.3
|
|
|||||||
11.A.2
|
|
|||||||
11.A.3
|
Technique Virtualization/Sandbox Evasion (T1497) Subtechnique Virtualization/Sandbox Evasion: System Checks (T1497.001) |
|
||||||
11.A.10
|
|
|||||||
12.A.2
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: Timestomp (T1070.006) |
|
||||||
14.A.3
|
Technique Modify Registry (T1112) |
|
||||||
14.B.5
|
Technique Obfuscated Files or Information (T1027) |
|
||||||
14.B.6
|
|
|||||||
17.C.2
|
Technique Obfuscated Files or Information (T1027) |
|
Procedure
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria
Successful logon as user Pam on Scranton (10.0.1.4)
Procedure
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
APT3 |
||||||||
Step | ATT&CK Pattern |
|
||||||
3.A.1.2
|
|
|||||||
5.B.1
|
|
|||||||
16.C.1
|
|
|||||||
16.I.1.2
|
|
|||||||
17.B.1
|
|
|||||||
17.B.2
|
|
|||||||
19.A.1.1
|
Technique Masquerading (T1036) |
|
||||||
19.B.1.3
|
Technique Masquerading (T1036) |
|
||||||
19.D.1
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
19.D.2
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|