Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.C.4
|
|
|
A Technique detection named "New entry added to startup related Registry keys by signed process" was generated when Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
[1]
[2]
|
|
A Technique detection named "Autostart Registry key created by a commonly-abused process" was generated when Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
[1]
[2]
|
|
A Technique detection named "Script file added to startup-related Registry keys" was generated when Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
[1]
[2]
|
|
|
|
10.A.4
|
|
|
A Technique detection named "New entry added to startup related Registry keys by signed process" was generated when tvncontrol subkey was added to HKLM\Software\Microsoft\CurrentVersion\Run.
[1]
[2]
|
|
|
|
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
-
Windows Registry
-
Process Monitoring
[1]
[2]
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
-
Process Monitoring
-
Windows Registry
[1]
[2]
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
-
Process Monitoring
-
Windows Registry
[1]
[2]
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
-
Process Monitoring
-
Windows Registry
[1]
msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run
-
Process Monitoring
-
Windows Registry
[1]
[2]
msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run
-
Process Monitoring
-
Windows Registry
[1]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
5.B.1
|
|
|
An MSSP detection occurred for the creation of the hostui.lnk file in the Startup folder.
[1]
|
Technique
(Correlated, Alert)
|
A Technique alert detection (red indicator) called "registry run key or file in start up folder created - T1060" was generated due to powershell.exe creating the hostui.lnk file. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
Telemetry showed a file create event for hostui.lnk in the Startup folder. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
10.B.1
|
|
|
An MSSP detection occurred for hostui.lnk executing from Startup Folder.
[1]
|
|
11.A.11
|
|
|
Telemetry showed powershell.exe adding Run key persistence into the Registry.
|
|
An MSSP detection contained evidence of the Webcache subkey added to the Registry to establish persistence.
[1]
|
|
A Technique alert detection (red indicator) called "commonly abused process creates a new autostart Registry key" was generated for powershell.exe adding Run key persistence into the Registry.
[1]
[2]
|
|
A Technique alert detection (red indicator) called "New entry added to startup related Registry keys by signed binary" was generated for powershell.exe adding Run key persistence into the Registry.
[1]
[2]
|
|
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
powershell.exe creating the file hostui.lnk in the Startup folder
[1]
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
powershell.exe creating the file hostui.lnk in the Startup folder
[1]
[2]
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
powershell.exe creating the file hostui.lnk in the Startup folder
[1]
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
[1]
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
-
Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[1]
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[1]
[2]
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[1]
[2]
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
1.B.1
|
|
Enrichment
(Tainted, Configuration Change)
|
The capability enriched a file being created in the Startup folder with the correct ATT&CK Technique (Registry Run Keys / Start Folder). The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
[1]
[2]
|
|
Telemetry showed autoupdate.bat being moved to the user Debbie's Startup folder. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
[1]
[2]
|
|
10.A.1
|
|
|
Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder.
[1]
|
|
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
-
The logic to produce the enrichment was configured after the start of the evaluation so it is identified as a config change.
[1]
[2]
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
[1]
[2]
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
[1]