Carbanak+FIN7

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 4.A.4 | | | A Technique detection named "Domain Account Logon Activity (T1078.002)" was generated when user kmitnick successfully logged into bankdc (10.0.0.4). [1] |
| | | | A Technique detection named "SSH LOGIN ATTEMPT USING LOCAL KEY FILE" was generated when user kmitnick logged on to bankfileserver (10.0.0.7). [1] |
| 7.A.4 | | | A Technique detection named "Domain Account Logon Activity (T1078.002)" was generated when user kmitnick logged on to bankdc (10.0.0.4). [1] |
| 7.B.2 | | | A Technique detection named "Domain Account Logon Activity (T1078.002)" was generated when user kmitnick logged on to cfo (10.0.0.5). [1] |
| 16.A.4 | | | A Technique detection named "Domain Account Logon Activity" was generated when user kmitnick logged on to itadmin (10.0.1.6). [1] |
| 19.A.1 | | | A Technique detection named "Local Account Logon Activity (T1078.003)" was generated when user kmitnick logged on to accounting (10.0.1.7). [1] |

Procedures and data sources

- powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick: Network Monitoring, Windows Event Logs [1]
- powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick [1]
- User kmitnick logs on to bankfileserver (10.0.0.7): Process Monitoring, Network Monitoring [1] [2]
- User kmitnick logs on to bankfileserver (10.0.0.7): Process Monitoring, Authentication Logs [1]
- User kmitnick logs on to bankfileserver (10.0.0.7) [1]
- User kmitnick logs on to bankdc (10.0.0.4): Authentication Logs, Windows Event Logs [1]
- User kmitnick logs on to bankdc (10.0.0.4): Windows Event Logs, Authentication Logs [1]
- User kmitnick logs on to cfo (10.0.0.5): Windows Event Logs, Authentication Logs [1]
- User kmitnick logs on to cfo (10.0.0.5): Windows Event Logs, Authentication Logs [1]
- User kmitnick logs on to itadmin (10.0.1.6): Windows Event Logs, Authentication Logs [1]
- User kmitnick logs on to itadmin (10.0.1.6): Process Monitoring, Authentication Logs, Windows Event Logs [1]
- User kmitnick logs on to accounting (10.0.1.7): Authentication Logs, Windows Event Logs [1]
- User kmitnick logs on to accounting (10.0.1.7): Windows Event Logs, Authentication Logs [1]
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 8.C.1 | | | Telemetry showed an account logged on to Scranton (10.0.1.4) as user Pam. [1] |
| | | | An MSSP detection occurred containing evidence of the successful logon of Pam on Scranton (10.0.1.4). [1] [2] |
| 16.C.2 | | | Telemetry showed a successful logon on NewYork (10.0.0.4) as user MScott. [1] |
| | | | An MSSP detection contained evidence of the successful logon of MScott on NewYork (10.0.0.4). [1] |

Procedures

- Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
  Successful logon as user Pam on Scranton (10.0.1.4) [1]
- Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
  Successful logon as user Pam on Scranton (10.0.1.4) [1] [2]
- Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
  Successful logon as user MScott on NewYork (10.0.0.4) [1]
- Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
  Successful logon as user MScott on NewYork (10.0.0.4) [1]
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| 16.D.1.2 | | Specific Behavior (Delayed) | The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker mounted the C$ drive on creeper with the kmitnick account. [1] [2] |
| | | | The capability enriched a logon attempt via net1.exe using valid credentials for user Kmitnick with an alert for Net Use Command Execution (Weak Signal). The password for the user Kmitnick was redacted by the capability. [1] [2] |

Procedures

- Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
  - Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2]
- Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
  - The vendor indicated the un-redacted passwords could be observed in triage/acquisition data. [1] [2]