Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 4.A.4 | | Technique | A Technique detection named "A successful windows domain account logon by kmitnick" was generated when user kmitnick successfully logged into bankdc (10.0.0.4). [1] |
| | | Technique | A Technique detection named "Suspicious logon from remote device" (Low) was generated when user kmitnick logged on to bankfileserver (10.0.0.7). [1] |
| | | Technique | A Technique detection named "Suspicious privileged user logon" (Low) was generated when user kmitnick logged on to bankfileserver (10.0.0.7). [1] |
| | | Technique | A Technique detection named "Suspicious logon from remote device" (Low) was generated when user kmitnick logged on to bankfileserver (10.0.0.7). [1] |
| 7.A.4 | | Technique | A Technique detection named "A successful windows domain account logon by kmitnick" was generated when user kmitnick logged on to bankdc (10.0.0.4). [1] |
| 7.B.2 | | Technique | A Technique detection named "A successful windows domain account logon by kmitnick from 10.0.0.4" was generated when user kmitnick logged on to cfo (10.0.0.5). [1] |
| | | Technique | A Technique detection named "kmitnick connected to the device through a Remote Desktop session" was generated when user kmitnick logged on to cfo (10.0.0.5) using RDP. [1] |
| 16.A.4 | | Technique | A Technique detection named "A successful windows domain account logon by kmitnick" was generated when user kmitnick logged on to itadmin (10.0.1.6). [1] |
| 19.A.1 | | Technique | A Technique detection named "HOSPITALITY\kmitnick connected to the device through a Remote Desktop session from 10.0.1.6" was generated when user kmitnick logged on to accounting (10.0.1.7) via a Remote Desktop session. [1] |
| | | Technique | A Technique detection named "A successful windows domain account logon" was generated when user kmitnick logged on to accounting (10.0.1.7). [1] |

Procedures exercised:

- powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick [1]
- User kmitnick logs on to bankfileserver (10.0.0.7) [1]
- User kmitnick logs on to bankdc (10.0.0.4) [1]
- User kmitnick logs on to cfo (10.0.0.5) [1]
- User kmitnick logs on to itadmin (10.0.1.6) [1]
- User kmitnick logs on to accounting (10.0.1.7) [1]
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 8.C.1 | | Telemetry | Telemetry showed a valid logon on Scranton (10.0.1.4) as user Pam. [1] |
| 16.C.2 | | Telemetry | Telemetry showed a successful logon on NewYork (10.0.0.4) as user MScott. [1] |

Procedures exercised:

- 8.C.1: Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam; successful logon as user Pam on Scranton (10.0.1.4) [1]
- 16.C.2: Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott; successful logon as user MScott on NewYork (10.0.0.4) [1]
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 16.D.1.2 | | Telemetry | Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick (tainted by parent alert on PowerShell script with suspicious content). Telemetry also showed that the logon event for Kmitnick on Creeper was successful. [1] [2] [3] |

Procedure exercised:

- 16.D.1.2: Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick [1] [2] [3]
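The detections credited in the three tables above all reduce to the same source: Windows Security event 4624 (successful logon), read for its logon type, target account and network source. As an added example, not the evaluated vendor's detection logic or MITRE's code, the following Python implements the four detection names that recur across the tables (a successful domain account logon, a Remote Desktop session, a privileged user logging on to a host that is not a domain controller, and a logon from a source outside the user's baseline) and runs them over a constructed CSV export of 4624 records modelled on the hosts and addresses named above. `PRIVILEGED_USERS`, `DOMAIN_CONTROLLERS` and `EXPECTED_SOURCES` are assumptions about the environment, not evaluation data.

```python
"""Logon-pattern detection over Windows Security event 4624 records.

Added example; not the vendor's or MITRE's code. The sample export and
the three environment sets below are constructed/assumed, not evaluation data.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Logon types from the 4624 event schema.
LOGON_NETWORK = 3              # SMB, e.g. "net use \\host\C$"
LOGON_REMOTE_INTERACTIVE = 10  # Remote Desktop session
LATERAL_TYPES = {LOGON_NETWORK, LOGON_REMOTE_INTERACTIVE}

# Assumed environment knowledge (hypothetical; tune for a real domain).
PRIVILEGED_USERS = {"kmitnick"}                # members of privileged groups
DOMAIN_CONTROLLERS = {"bankdc"}                # admin logons are expected here
EXPECTED_SOURCES = {"kmitnick": {"10.0.1.6"}}  # per-user baseline of source addresses

# Constructed sample export, modelled on the hosts and addresses in the tables.
SAMPLE = """\
Computer,TargetDomainName,TargetUserName,LogonType,IpAddress,WorkstationName
bankdc,HOSPITALITY,kmitnick,3,10.0.0.5,CFO
bankfileserver,HOSPITALITY,kmitnick,3,10.0.0.4,BANKDC
cfo,HOSPITALITY,kmitnick,10,10.0.0.4,BANKDC
accounting,HOSPITALITY,kmitnick,10,10.0.1.6,ITADMIN
bankfileserver,HOSPITALITY,BANKDC$,3,10.0.0.4,BANKDC
accounting,HOSPITALITY,pam,2,-,ACCOUNTING
"""


@dataclass(frozen=True)
class LogonEvent:
    computer: str
    domain: str
    user: str
    logon_type: int
    source_ip: Optional[str]  # None for console logons ("-" in the export)
    workstation: str


@dataclass(frozen=True)
class Detection:
    rule: str      # stable identifier for counting/alert routing
    name: str      # human-readable detection name, as the tables show
    severity: str
    computer: str
    user: str


def parse_events(text: str) -> list[LogonEvent]:
    """Parse a CSV export of 4624 events; '-' or empty IpAddress means no network source."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ip = row["IpAddress"].strip()
        events.append(LogonEvent(
            computer=row["Computer"].lower(),
            domain=row["TargetDomainName"],
            user=row["TargetUserName"].lower(),
            logon_type=int(row["LogonType"]),
            source_ip=None if ip in ("", "-") else ip,
            workstation=row["WorkstationName"],
        ))
    return events


def detect(events, privileged=PRIVILEGED_USERS, dcs=DOMAIN_CONTROLLERS,
           baseline=EXPECTED_SOURCES) -> list[Detection]:
    """Apply the four rules; every rule fires independently on the same event."""
    found = []
    for e in events:
        if e.user.endswith("$"):  # machine accounts authenticate constantly; skip them
            continue
        src = f" from {e.source_ip}" if e.source_ip else ""
        # 1. Every successful domain logon is recorded as an informational technique hit.
        found.append(Detection("domain_logon",
                               f"A successful Windows domain account logon by {e.user}{src}",
                               "Info", e.computer, e.user))
        # 2. Logon type 10 is a Remote Desktop session.
        if e.logon_type == LOGON_REMOTE_INTERACTIVE:
            found.append(Detection("rdp_session",
                                   f"{e.domain}\\{e.user} connected to the device through "
                                   f"a Remote Desktop session{src}",
                                   "Info", e.computer, e.user))
        if e.logon_type not in LATERAL_TYPES:
            continue  # the remaining rules reason about remote (lateral) logons only
        # 3. A privileged account reaching a host that is not a domain controller.
        if e.user in privileged and e.computer not in dcs:
            found.append(Detection("privileged_logon", "Suspicious privileged user logon",
                                   "Low", e.computer, e.user))
        # 4. A source address outside this user's known set of devices.
        if e.source_ip and e.source_ip not in baseline.get(e.user, set()):
            found.append(Detection("remote_device", "Suspicious logon from remote device",
                                   "Low", e.computer, e.user))
    return found


def summarize(detections) -> Counter:
    """Count detections per rule identifier."""
    return Counter(d.rule for d in detections)


if __name__ == "__main__":
    for d in detect(parse_events(SAMPLE)):
        print(f"[{d.severity}] {d.computer}: {d.name}")
```

In the sample, the `net use` to C$ style access appears as logon type 3 and the RDP hops as type 10; the console logon (type 2) yields only the baseline domain-logon hit, and the machine account is dropped before any rule runs. A user with no entry in `EXPECTED_SOURCES` has every remote logon flagged, so that baseline, and the choice of which hosts count as expected targets for privileged accounts, is where the "Low" rules need tuning before the alert volume is useful.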