Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
4.B.7
|
|
|
|
|
A Technique detection named "SensitiveMemoryAccess" was generated when smrs.exe opened and read lsass.exe.
[1]
|
|
15.A.6
|
|
|
A Technique detection named "AccessSyskey" was generated when samcat.exe opened and read the SAM.
[1]
|
|
smrs.exe opens and reads lsass.exe
[1]
smrs.exe opens and reads lsass.exe
[1]
samcat.exe opens and reads the SAM via LSASS
-
File Monitoring
-
Process Monitoring
[1]
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
14.B.4
|
|
Technique
(Correlated, Alert)
|
A Technique alert detection for "SensitiveMemoryAccess" under "Credential Access {T1003}" was generated when m.exe read sensitive memory from lsass.exe. The detection was correlated to a parent grouping of malicious activity.
[1]
|
|
An MSSP detection for "T1003" occurred containing evidence of Mimikatz sekurlsa::logonpasswords usage via m.exe.
[1]
|
|
Telemetry shows a remote process injection into lsass.exe by Mimikatz. The detection was correlated to a parent grouping of malicious activity.
|
|
16.D.2
|
|
Technique
(Alert, Correlated)
|
A Technique alert detection for "SensitiveMemoryAccess" under "Credential Access {T1003}" was generated when m.exe read sensitive memory from lsass.exe. The detection was correlated to a parent grouping of malicious activity.
[1]
|
|
An MSSP detection for "SensitiveMemoryAccess" occurred containing evidence of mimikatz lsadump::lsa /inject /name:krbtgt via m.exe.
[1]
[2]
|
|
Telemetry shows a remote process injection into lsass.exe by Mimikatz. The detection was correlated to a parent grouping of malicious activity.
[1]
|
|
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
-
Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
[2]
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
[1]
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
5.A.1.1
|
|
|
Minimum detection criteria was not met for this procedure.
|
|
Cobalt Strike: Built-in Mimikatz credential dump capability executed
-
Vendor states that the capability would normally block credential dumping activity like this, but the mitigation capability was disabled due to the evaluation parameters.