Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 5.C.3 | | General | A General detection named "SusSvcRemoteDroppedExe" (Low) was generated when a remotely registered service was used to drop a service executable. [1] |
| 5.C.3 | | General | A General detection named "'RemoteExec' malware detected" (Informational) was generated when the service executable in C:\Windows\ was identified as remote execution malware. [1] |
| 5.C.3 | | Technique | A Technique detection named "Suspicious remote activity" (Medium) was generated when a suspicious service was executed remotely. [1] |
| 5.C.3 | | Technique | A Technique detection named "Suspicious service launched" (Medium) was generated when a suspicious service was executed by services.exe. [1] |
| 16.A.6 | | Technique | A Technique detection named "Suspicious remote activity" (Medium) was generated when a Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executed hollow.exe. [1] |
| 16.A.6 | | Technique | A Technique detection named "Suspicious service launched" (Medium) was generated when a Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executed hollow.exe. [1] |
| 16.A.6 | | Technique | A Technique detection named "Suspicious service creation initiated remotely" (Medium) was generated when a Windows service was executed from a remote location. [1] |
| Detection Criteria | Data Sources | Refs |
|---|---|---|
| cmd.exe spawns from a service executable in C:\Windows\ | Process Monitoring, File Monitoring | [1] |
| cmd.exe spawns from a service executable in C:\Windows\ | Process Monitoring, File Monitoring | [1] |
| cmd.exe spawns from a service executable in C:\Windows\ | Process Monitoring, Network Monitoring, Windows Registry | [1] |
| cmd.exe spawns from a service executable in C:\Windows\ | Windows Registry, Process Monitoring | [1] |
| cmd.exe spawns from a service executable in C:\Windows\ | Windows Registry, Process Monitoring | [1] |
| Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe | Process Monitoring, Network Monitoring | [1] |
| Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe | | [1] |
| Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe | | [1] [2] |
| Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe | Network Monitoring, Process Monitoring | [1] |
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 8.C.3 | | Telemetry | Telemetry showed PSEXESVC.exe creating process python.exe. [1] |
| 10.A.1 | | None | Minimum detection criteria was not met for this procedure. |
| Procedure | Detection Criteria | Refs | Note |
|---|---|---|---|
| Executed python.exe using PSExec | python.exe spawned by PSEXESVC.exe | [1] | |
| Executed persistent service (javamtsup) on system startup | javamtsup.exe spawning from services.exe | - | This activity would have been blocked by Microsoft Defender. |
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 16.L.1 | | Specific Behavior | A Specific Behavior alert was generated for a successful AdobeUpdater remote service execution attempt on Creeper. [1] [2] [3] [4] |
| 16.L.1 | | Telemetry | Telemetry from CodeRed showed the sc.exe remote service start to execute the AdobeUpdater service on Creeper (tainted by parent alert on PowerShell script with suspicious content). Telemetry from Creeper showed the execution sequence of Empire and command and control connections. [1] [2] [3] [4] |
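The detection criteria across the three evaluations above (cmd.exe spawned by a service executable sitting in C:\Windows\, a child process of PSEXESVC.exe or PAExec-{PID}-HOTELMANAGER.exe, and javamtsup.exe started by services.exe) all reduce to checks over process ancestry. The following is an added example, not MITRE's or Microsoft's code, that implements those checks over constructed process-creation events and generalizes the last criterion to any services.exe child outside the usual service directories. The event shape, the sample paths and PIDs, the inclusion of powershell.exe alongside cmd.exe, and the trusted-directory allow-list are assumptions for the example, not page content.

```python
"""Process-ancestry checks modelled on this page's detection criteria.

Added example, not MITRE's or Microsoft's code. Event shape and sample data
are constructed; a real deployment would feed Sysmon event 1 or Windows 4688
process-creation records into the same logic.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str  # full image path as recorded in the process-creation event


# Interpreter children flagged under a service executable. The page's criterion
# names cmd.exe; powershell.exe is added here as an assumption.
SHELLS = {"cmd.exe", "powershell.exe"}

# Remote-execution service binaries named on the page: PSEXESVC.exe (PsExec)
# and PAExec-{PID}-{HOSTNAME}.exe (PAExec), matched case-insensitively.
REMOTE_SVC_RE = re.compile(r"^(psexesvc\.exe|paexec-\d+-[^\\]+\.exe)$", re.I)

# Directories from which services.exe routinely starts service binaries.
# This allow-list is an assumption for the example, not a page claim.
TRUSTED_SERVICE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def ancestry(tree: dict[int, ProcessEvent], pid: int) -> list[ProcessEvent]:
    """Walk parent links upward from pid; stops at unknown pids or cycles."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(tree[pid])
        pid = tree[pid].ppid
    return chain


def evaluate(events: list[ProcessEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, parent_image_basename) for every criterion match."""
    tree = {e.pid: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(tree, e.pid)
        if len(chain) < 2:
            continue  # no known parent, nothing to reason about
        parent = chain[1]
        parent_name = basename(parent.image)
        # Is services.exe somewhere above the parent? Without this check a user
        # shell under explorer.exe (also in C:\Windows\) would match criterion 1.
        service_hosted = any(basename(a.image) == "services.exe" for a in chain[2:])

        # Criterion 1 (5.C.3): cmd.exe spawned by a service executable that sits
        # directly in C:\Windows\ (not System32), where the dropped service landed.
        if basename(e.image) in SHELLS and service_hosted and dirname(parent.image) == "c:\\windows":
            findings.append(("ShellFromServiceExeInWindowsDir", e.pid, parent_name))

        # Criterion 2 (8.C.3 / 16.A.6): any child of PSEXESVC.exe or
        # PAExec-{PID}-*.exe that is itself hosted under services.exe.
        if service_hosted and REMOTE_SVC_RE.match(parent_name):
            findings.append(("ChildOfRemoteExecService", e.pid, parent_name))

        # Criterion 3 (javamtsup / SusSvcRemoteDroppedExe, generalized): services.exe
        # starting a binary outside the usual service directories; a lead for
        # dropped or freshly registered services, to be triaged against expected software.
        if parent_name == "services.exe" and not e.image.lower().startswith(TRUSTED_SERVICE_DIRS):
            findings.append(("ServiceBinaryOutsideTrustedDirs", e.pid, parent_name))
    return findings


# Constructed sample: one benign user shell plus the patterns described on the page.
SAMPLE_EVENTS = [
    ProcessEvent(500, 4, r"C:\Windows\System32\wininit.exe"),
    ProcessEvent(600, 500, r"C:\Windows\System32\services.exe"),
    ProcessEvent(1200, 600, r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(1900, 800, r"C:\Windows\System32\userinit.exe"),
    ProcessEvent(2000, 1900, r"C:\Windows\explorer.exe"),
    ProcessEvent(2100, 2000, r"C:\Windows\System32\cmd.exe"),            # benign: user shell
    ProcessEvent(3000, 600, r"C:\Windows\abcd1234.exe"),                  # constructed dropped service exe
    ProcessEvent(3100, 3000, r"C:\Windows\System32\cmd.exe"),            # 5.C.3 pattern
    ProcessEvent(4000, 600, r"C:\Windows\PSEXESVC.exe"),
    ProcessEvent(4100, 4000, r"C:\Python39\python.exe"),                 # 8.C.3 pattern
    ProcessEvent(5000, 600, r"C:\Windows\PAExec-5000-HOTELMANAGER.exe"),
    ProcessEvent(5100, 5000, r"C:\Users\Public\hollow.exe"),             # 16.A.6 pattern
    ProcessEvent(6000, 600, r"C:\ProgramData\javamtsup\javamtsup.exe"),  # 10.A.1 pattern, path constructed
]

if __name__ == "__main__":
    for rule, pid, parent in evaluate(SAMPLE_EVENTS):
        print(f"{rule:34} pid={pid:<5} parent={parent}")
```

Criterion 3 is deliberately the noisiest of the three: third-party services installed outside Program Files will trip it, which is why it is framed as a hunting lead rather than an alert, while criteria 1 and 2 map to the Medium-severity technique detections in the tables above.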