Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 5.C.2 | psexec.py connects to SMB shares on 10.0.0.4 (Data sources: File Monitoring, Process Monitoring, Network Monitoring) [1] [2] [3] | | A Technique detection named "llrules" was generated when SMB traffic matched a non-standard SMB client associated with red-teaming tools. [1] [2] |
| 16.A.5 | SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed (Data sources: Process Monitoring, File Monitoring, Network Monitoring) [1] [2] [3] | | A Tactic detection named "Potential Metasploit Payload Transfer" (Medium) was generated when network signatures between 10.0.1.5 and 10.0.1.6 matched a threat hacking tool. [1] |
| 16.A.5 | SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed [1] | | A Tactic detection named "Windows X64 VNCInject Reverse TCP" (Medium) was generated when network signatures between 10.0.1.5 and 10.0.1.6 matched a threat hacking tool. [1] |
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 8.C.2 | Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec. Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share [1] | | Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 135. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 16.A.1.2 | Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6) [1] [2] | | Specific Behavior alerts titled "Windows Admin Shares - Lateral Movement" were generated for credential accesses specifically targeting admin shares. [1] [2] |
| 16.A.1.2 | Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6) [1] [2] | | Telemetry showed a process tree containing repeated logon attempts via net.exe targeting ADMIN$. [1] [2] |
| 16.B.1.2 | Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5) [1] [2] | | Specific Behavior alerts were generated mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons. [1] [2] |
| 16.B.1.2 | Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5) [1] [2] | | Telemetry showed a process tree containing repeated logon attempts via net.exe targeting ADMIN$, eventually resulting in a successful logon. [1] [2] |
| 16.D.1.1 | Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5) [1] [2] | | Specific Behavior alerts were generated mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons. [1] [2] |
| 16.D.1.1 | Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5) [1] [2] | | Telemetry showed a process tree containing a logon attempt via net.exe and command-line arguments targeting C$ using valid account credentials. [1] [2] |