Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 11.A.3 | winword.exe spawns mshta.exe (data sources: File Monitoring, Process Monitoring) | General | A General detection named "Exploit Attempt Detected in Winword.exe" was generated when winword.exe spawned mshta.exe. [1] |
| 11.A.3 | winword.exe spawns mshta.exe (data sources: File Monitoring, Process Monitoring) | Technique | A Technique detection named "LOLbin Execution" was generated when winword.exe spawned mshta.exe. [1] |

APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 20.A.1 | Executed Run key persistence payload on user login using RunDll32 (criteria: rundll32.exe executing kxwn.lock) | Technique | A Technique alert detection called "Rundll32 Execution" was generated due to the execution of rundll32.exe on kxwn.lock. [1] [2] |
| 20.A.1 | Executed Run key persistence payload on user login using RunDll32 (criteria: rundll32.exe executing kxwn.lock) | Technique | A Technique alert detection called "Rundll32 Not Running DLL" was generated due to rundll32.exe executing kxwn.lock, which did not have a .dll extension. [1] [2] |
| 20.A.1 | Executed Run key persistence payload on user login using RunDll32 (criteria: rundll32.exe executing kxwn.lock) | MSSP | An MSSP detection occurred for rundll32.exe executing kxwn.lock. [1] |
| 20.A.1 | Executed Run key persistence payload on user login using RunDll32 (criteria: rundll32.exe executing kxwn.lock) | Telemetry | Telemetry showed rundll32.exe executing kxwn.lock. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view. |

APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 1.A.1.2 | Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32 | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified use of rundll32.exe to execute update.dat with command-line arguments. [1] [2] Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. |
| 1.A.1.2 | Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32 | | The capability enriched rundll32.exe with an alert for Rundll32 Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1085 - Rundll32) and Tactics (Defense Evasion, Execution). [1] [2] |
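The three detection notes above describe the same three analytics from a vendor's point of view: an Office process spawning mshta.exe ("LOLbin Execution"), any rundll32.exe execution as a weak signal ("Rundll32 Execution"), and rundll32.exe being handed a module whose name does not end in .dll ("Rundll32 Not Running DLL", which fires on kxwn.lock and would fire on update.dat). The following Python is an added illustration of how such analytics look when written out over process-creation events; it is not the evaluated vendor's code and not part of the evaluation page. The event structure, the module-parsing helper and every path and PID in the sample events are constructed for the example; only the rule names and the file names kxwn.lock, update.dat, winword.exe and mshta.exe come from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (constructed shape, Sysmon-like)."""
    pid: int
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_module(command_line: str) -> Optional[str]:
    """Return the module rundll32 was asked to load, or None if absent.

    Handles both 'rundll32.exe mod.dll,Entry args' and
    '"C:\\...\\rundll32.exe" "C:\\Program Files\\x\\mod.dll",Entry args'.
    """
    m = re.match(
        r'\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s*(.*)',
        command_line,
        re.IGNORECASE,
    )
    if not m:
        return None
    rest = m.group(1)
    if not rest:
        return None
    if rest.startswith('"'):
        end = rest.find('"', 1)
        module = rest[1:end] if end != -1 else rest[1:]
    else:
        # Module ends at the first comma (entry point) or whitespace.
        module = re.split(r"[,\s]", rest, maxsplit=1)[0]
    return module or None


# (pid, analytic name, signal strength) for each alert raised
Alert = Tuple[int, str, str]


def detect(events: List[ProcessEvent]) -> List[Alert]:
    """Run the three analytics named on the page over process events."""
    alerts: List[Alert] = []
    for ev in events:
        image = _basename(ev.image)
        parent = _basename(ev.parent_image)

        # Office application launching an HTML Application host.
        if parent == "winword.exe" and image == "mshta.exe":
            alerts.append((ev.pid, "LOLbin Execution", "Technique"))

        if image == "rundll32.exe":
            # Any rundll32 start is only a weak signal on its own ...
            alerts.append((ev.pid, "Rundll32 Execution", "Weak Signal"))
            # ... but a module without a .dll extension is a much stronger one.
            module = rundll32_module(ev.command_line)
            if module is not None and not module.lower().endswith(".dll"):
                alerts.append((ev.pid, "Rundll32 Not Running DLL", "Technique"))
    return alerts


# Constructed sample events; paths and PIDs are illustrative only.
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Users\user\AppData\Local\Temp\doc.hta",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(1002, r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\user\AppData\Roaming\kxwn.lock,#1",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(1003, r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" "C:\Users\Public\update.dat",#1 start',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(1004, r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(1005, r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, name, kind in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {name} ({kind})")
```

Run as a script it prints one alert for the Word-to-mshta event, two each for the kxwn.lock and update.dat rundll32 events, a single weak signal for the benign shell32.dll control-panel call, and nothing for notepad. The weak-signal rule is what gave the APT3 row its "Rundll32 Execution (Weak Signal)" enrichment; the extension check is what lets the same telemetry produce a Technique-level alert without any knowledge of the payload's contents.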