Home >
Enterprise >
Participants >
Symantec >
Defense Evasion (TA0005)
|
|
Carbanak+FIN7 |
||||||||
Step | ATT&CK Pattern |
|
||||||
1.A.4
|
Technique Obfuscated Files or Information (T1027) |
|
||||||
1.A.5
|
|
|||||||
1.A.6
|
|
|||||||
3.A.2
|
Technique Modify Registry (T1112) |
|
||||||
3.A.3
|
Technique Obfuscated Files or Information (T1027) |
|
||||||
3.B.5
|
|
|||||||
4.B.4
|
Technique Modify Registry (T1112) |
|
||||||
5.C.6
|
|
|||||||
7.A.4
|
|
|||||||
9.A.3
|
Technique Process Injection (T1055) |
|
||||||
9.B.3
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
10.A.3
|
Technique Impair Defenses (T1562) Subtechnique Impair Defenses: Disable or Modify System Firewall (T1562.004) |
|
||||||
10.A.5
|
Technique Modify Registry (T1112) |
|
||||||
10.A.6
|
Technique Modify Registry (T1112) |
|
||||||
11.A.2
|
Technique Obfuscated Files or Information (T1027) |
|
||||||
11.A.5
|
|
|||||||
11.A.6
|
|
|||||||
13.A.4
|
Technique Virtualization/Sandbox Evasion (T1497) Subtechnique Virtualization/Sandbox Evasion: System Checks (T1497.001) |
|
||||||
14.A.3
|
|
|||||||
14.A.5
|
|
|||||||
16.A.7
|
|
|||||||
17.A.2
|
Technique Masquerading (T1036) Subtechnique Masquerading: Match Legitimate Name or Location (T1036.005) |
|
||||||
18.A.1
|
Technique Process Injection (T1055) |
|
||||||
18.A.3
|
Technique Process Injection (T1055) |
|
||||||
19.B.2
|
Technique Obfuscated Files or Information (T1027) |
|
||||||
20.A.2
|
Technique Process Injection (T1055) |
|
Criteria
Java-Update.exe injects into explorer.exe with CreateRemoteThread
Data Sources
- Process Monitoring
APT29 |
||||||||
Step | ATT&CK Pattern |
|
||||||
1.A.2
|
|
|||||||
3.A.2
|
|
|||||||
3.C.1
|
Technique Modify Registry (T1112) |
|
||||||
4.A.3
|
|
|||||||
4.B.2
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
4.B.3
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
4.B.4
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
6.A.3
|
Technique Masquerading (T1036) Subtechnique Masquerading: Match Legitimate Name or Location (T1036.005) |
|
||||||
8.B.2
|
|
|||||||
8.C.1
|
|
|||||||
9.C.1
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
9.C.2
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
9.C.3
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
9.C.4
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
10.B.3
|
|
|||||||
11.A.2
|
|
|||||||
11.A.3
|
Technique Virtualization/Sandbox Evasion (T1497) Subtechnique Virtualization/Sandbox Evasion: System Checks (T1497.001) |
|
||||||
11.A.10
|
|
|||||||
12.A.2
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: Timestomp (T1070.006) |
|
||||||
14.A.3
|
Technique Modify Registry (T1112) |
|
||||||
14.B.5
|
Technique Obfuscated Files or Information (T1027) |
|
||||||
14.B.6
|
|
|||||||
17.C.2
|
Technique Obfuscated Files or Information (T1027) |
|
Procedure
Modified the Registry to remove artifacts of COM hijacking
Criteria
Deletion of of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Footnotes
- The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual).


Procedure
Deleted SDelete on disk using cmd.exe del command
Criteria
cmd.exe deleting the file sdelete64.exe
Footnotes
- The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual).


Procedure
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Footnotes
- The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual).


Procedure
Modified the Registry to remove artifacts of COM hijacking using PowerShell
Criteria
Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Footnotes
- The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual).


Procedure
Read and decoded Mimikatz output from a WMI class property using PowerShell
Criteria
powershell.exe executing Get-WmiInstance