Bitdefender
Defense Evasion (TA0005)

Carbanak+FIN7

Step | ATT&CK Pattern
--- | ---
1.A.4 | Obfuscated Files or Information (T1027)
1.A.5 |
1.A.6 |
3.A.2 | Modify Registry (T1112)
3.A.3 | Obfuscated Files or Information (T1027)
3.B.5 |
4.B.4 | Modify Registry (T1112)
5.C.6 |
7.A.4 |
9.A.3 | Process Injection (T1055)
9.B.3 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
10.A.3 | Impair Defenses (T1562): Disable or Modify System Firewall (T1562.004)
10.A.5 | Modify Registry (T1112)
10.A.6 | Modify Registry (T1112)
11.A.2 | Obfuscated Files or Information (T1027)
11.A.5 |
11.A.6 |
13.A.4 | Virtualization/Sandbox Evasion (T1497): System Checks (T1497.001)
14.A.3 |
14.A.5 |
16.A.7 |
17.A.2 | Masquerading (T1036): Match Legitimate Name or Location (T1036.005)
18.A.1 | Process Injection (T1055)
18.A.3 | Process Injection (T1055)
19.B.2 | Obfuscated Files or Information (T1027)
20.A.2 | Process Injection (T1055)

APT29

Step | ATT&CK Pattern
--- | ---
1.A.2 |
3.A.2 |
3.C.1 | Modify Registry (T1112)
4.A.3 |
4.B.2 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
4.B.3 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
4.B.4 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
6.A.3 | Masquerading (T1036): Match Legitimate Name or Location (T1036.005)
8.B.2 |
8.C.1 |
9.C.1 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
9.C.2 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
9.C.3 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
9.C.4 | Indicator Removal on Host (T1070): File Deletion (T1070.004)
10.B.3 |
11.A.2 |
11.A.3 | Virtualization/Sandbox Evasion (T1497): System Checks (T1497.001)
11.A.10 |
12.A.2 | Indicator Removal on Host (T1070): Timestomp (T1070.006)
14.A.3 | Modify Registry (T1112)
14.B.5 | Obfuscated Files or Information (T1027)
14.B.6 |
17.C.2 | Obfuscated Files or Information (T1027)

Procedure details

Procedure: Used the Unicode right-to-left override (RTLO) character to obfuscate the file name rcs.3aka3.doc (originally cod.3aka3.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka3.scr)
Footnotes:
- The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.
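The RTLO criterion above can be checked mechanically: the file is stored as U+202E followed by cod.3aka3.scr, and a bidi-aware UI renders that as rcs.3aka3.doc, so the displayed extension (.doc) and the extension the OS actually uses (.scr) disagree. The following is an added example written for this page, not code from the evaluation or from Bitdefender. It assumes Sysmon-style process-creation events with Image, OriginalFileName and CommandLine fields; the sample events are constructed, and the lists of bidi control characters and executable extensions are the author's own choices, not something the page specifies.

```python
"""Spot right-to-left override (U+202E) tricks in file and process names.

Added example written for this page; not code from the evaluation or the
vendor. The one real artifact is the evaluation's file name, stored as
U+202E + "cod.3aka3.scr" and displayed as "rcs.3aka3.doc". Every path
and event below is constructed.
"""
import re
import unicodedata

RTLO = "\u202e"
# Unicode bidi controls (embeddings, overrides, isolates). Any of them in a
# file name is unusual enough to flag. Assumption, not from the page.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Extensions that run on double-click. Partial list, assumption.
EXECUTABLE_EXTS = frozenset({".scr", ".exe", ".com", ".pif", ".bat", ".cmd",
                             ".js", ".vbs", ".hta", ".lnk"})


def rendered_name(name: str) -> str:
    """Approximate the name a bidi-aware UI shows for NAME.

    Simplification: a single U+202E reverses everything after it to the end
    of the string. No PDF (U+202C) handling, no mixed-direction runs.
    """
    head, sep, tail = name.partition(RTLO)
    return head + tail[::-1] if sep else name


def actual_extension(name: str) -> str:
    """Extension the OS uses once bidi controls are ignored (lower-cased)."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    m = re.search(r"\.[^.\\/]+$", clean)
    return m.group(0).lower() if m else ""


def inspect_name(name: str) -> dict:
    """Compare what the user sees with what actually executes."""
    shown = rendered_name(name)
    controls = [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                for c in name if c in BIDI_CONTROLS]
    actual_ext = actual_extension(name)
    return {
        "actual": name,
        "displayed": shown,
        "displayed_ext": actual_extension(shown),
        "actual_ext": actual_ext,
        "bidi_controls": controls,
        # A control character alone is odd; one that hides an executable
        # extension behind a document-looking name is the RTLO trick.
        "suspicious": bool(controls) and actual_ext in EXECUTABLE_EXTS,
    }


# Fields of a Sysmon Event ID 1 record worth checking, in priority order.
FIELDS = ("Image", "OriginalFileName", "CommandLine", "ParentCommandLine")


def scan_events(events):
    """Return one finding per event whose image or command line carries a bidi control."""
    findings = []
    for ev in events:
        for field in FIELDS:
            value = ev.get(field)
            if not value or not any(ch in BIDI_CONTROLS for ch in value):
                continue
            # Inspect the last path component, stripped of quoting.
            leaf = re.split(r"[\\/]", value)[-1].strip('"')
            findings.append({"field": field, "pid": ev.get("ProcessId"), **inspect_name(leaf)})
            break  # one finding per event is enough
    return findings


# Constructed events in Sysmon Event ID 1 shape (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4412,
     "Image": "C:\\Users\\Pam\\Downloads\\" + RTLO + "cod.3aka3.scr",
     "OriginalFileName": "cod.3aka3.scr",
     "CommandLine": '"C:\\Users\\Pam\\Downloads\\' + RTLO + 'cod.3aka3.scr"'},
    {"EventID": 1, "ProcessId": 5120,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe quarterly_report.docx"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: shown as {hit['displayed']!r}, runs as "
              f"{hit['actual_ext']} ({', '.join(hit['bidi_controls'])})")
```

Matching only the literal names rcs.3aka3.doc or cod.3aka3.scr would catch this one sample; checking for any bidi control in the image path catches the technique, which is what the criterion describes.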
Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Footnotes:
- The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.
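Because the criterion here is the deletion of the hijack key rather than its creation, a detection gains confidence when it can tie the delete back to earlier writes to the same key by the same actor. The following is an added example written for this page, not code from the evaluation or the vendor. Events are constructed in the shape of Sysmon registry telemetry (Event ID 12 CreateKey/DeleteKey, Event ID 13 SetValue); the SID, image paths and payload path are made up, and the 24-hour correlation window is an arbitrary choice. The only value taken from the page is the key named in the criteria.

```python
"""Correlate deletion of a COM-hijack registry key with earlier writes to it.

Added example for this page, not code from the evaluation or the vendor.
Events are constructed in Sysmon registry-event shape; only the key in
WATCHED_KEYS comes from the page.
"""
import re
from datetime import datetime, timedelta

# Keys whose deletion is worth a look: an attacker removing one is cleaning
# up persistence. Only the key from the criteria is listed here.
WATCHED_KEYS = frozenset({r"HKCU\Software\Classes\Folder\shell\Open\command"})
_WATCHED_LOWER = {k.lower() for k in WATCHED_KEYS}

# Sysmon logs per-user hives as HKU\<SID>\...; fold that to HKCU.
_HKU_SID = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.I)


def normalize_key(target_object: str, event_type: str) -> str:
    """Map a Sysmon TargetObject to an HKCU-style key path.

    SetValue records name the value as the last path component, so it is
    dropped to recover the key itself.
    """
    key = _HKU_SID.sub(r"HKCU\\", target_object)
    key = re.sub(r"^HKEY_CURRENT_USER\\", r"HKCU\\", key, flags=re.I)
    if event_type == "SetValue":
        key = key.rpartition("\\")[0]
    return key


def find_cleanup(events, window=timedelta(hours=24)):
    """Return one finding per DeleteKey on a watched key.

    Confidence is 'high' when the same key was created or written within
    WINDOW before the delete (set-up then cover-up), otherwise 'medium'.
    """
    history = {}   # lower-cased key -> [(time, event_type, image)]
    findings = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        key = normalize_key(ev["TargetObject"], ev["EventType"])
        if key.lower() not in _WATCHED_LOWER:
            continue
        t = datetime.fromisoformat(ev["UtcTime"])
        if ev["EventType"] == "DeleteKey":
            prior = [h for h in history.get(key.lower(), []) if t - h[0] <= window]
            findings.append({
                "key": key,
                "deleted_at": ev["UtcTime"],
                "deleted_by": ev["Image"],
                "prior_modifications": len(prior),
                "prior_images": sorted({h[2] for h in prior}),
                "confidence": "high" if prior else "medium",
            })
        else:
            history.setdefault(key.lower(), []).append((t, ev["EventType"], ev["Image"]))
    return findings


# Constructed telemetry (not real). SID, paths and timestamps are made up.
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
_SID = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
_KEY = _SID + "\\Software\\Classes\\Folder\\shell\\Open\\command"
SAMPLE_EVENTS = [
    {"UtcTime": "2020-05-20 13:40:02", "EventID": 12, "EventType": "CreateKey",
     "Image": _PS, "TargetObject": _KEY},
    {"UtcTime": "2020-05-20 13:40:03", "EventID": 13, "EventType": "SetValue",
     "Image": _PS, "TargetObject": _KEY + "\\(Default)",
     "Details": "C:\\constructed\\payload.exe"},
    {"UtcTime": "2020-05-20 13:41:00", "EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": _SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"UtcTime": "2020-05-21 09:12:44", "EventID": 12, "EventType": "DeleteKey",
     "Image": _PS, "TargetObject": _KEY},
]

if __name__ == "__main__":
    for f in find_cleanup(SAMPLE_EVENTS):
        print(f"{f['confidence']}: {f['key']} deleted by {f['deleted_by']} at "
              f"{f['deleted_at']} after {f['prior_modifications']} prior write(s)")
```

A delete with no prior activity in the window still produces a finding, because the key may have been planted before logging was enabled, which is exactly the situation the footnote describes.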


Procedure: Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)

Procedure: Deleted SDelete on disk using the cmd.exe del command
Criteria: cmd.exe deleting the file sdelete64.exe

Procedure: Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_BIOS
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
- PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure: Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_BIOS
Footnotes:
- PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure: Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria: powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Footnotes:
- PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.
Procedure: Encoded and wrote Mimikatz output to a WMI class property using PowerShell
Criteria: powershell.exe executing Set-WmiInstance
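Three of the criteria above (a Get-WmiObject query for Win32_BIOS, rewriting the creation, last access and last write times of kxwn.lock, and a Set-WmiInstance call) all rest on PowerShell script block logging (Event ID 4104), which the footnotes note was only enabled partway through the evaluation. The following is an added example written for this page, not code from the evaluation or the vendor, showing one way to triage 4104 records against those three criteria. It first reassembles fragmented script blocks, since a long script is logged as several events sharing a ScriptBlockId and a pattern that straddles a fragment boundary is otherwise missed. The script block texts, ScriptBlockIds, WMI class name and file path are constructed; gwmi, Get-CimInstance and the VMware/VirtualBox strings are the author's additions to the criteria, not something the page specifies.

```python
"""Rule-based triage of PowerShell script block logs (Event ID 4104).

Added example for this page, not code from the evaluation or the vendor.
The events below are constructed to resemble the three criteria (Win32_BIOS
query, file time rewrite, Set-WmiInstance write); class and path names are
made up. These records only exist if script block logging is enabled.
"""
import re

# Each rule: patterns that must ALL match, plus optional patterns that raise
# confidence when they also appear. Beyond the criteria's Get-WmiObject, the
# gwmi alias, Get-CimInstance and the VM vendor strings are assumptions.
RULES = [
    {"technique": "T1497.001",
     "name": "WMI query for Win32_BIOS (virtualization check)",
     "all_of": [r"\bWin32_BIOS\b", r"\b(Get-WmiObject|gwmi|Get-CimInstance)\b"],
     "any_of": [r"VMware", r"VirtualBox", r"VBOX", r"SerialNumber", r"SMBIOSBIOSVersion"]},
    {"technique": "T1070.006",
     "name": "file time attributes rewritten (timestomp)",
     "all_of": [r"\.(CreationTime|LastAccessTime|LastWriteTime)(Utc)?\s*="],
     "any_of": [r"\.CreationTime", r"\.LastAccessTime", r"\.LastWriteTime"]},
    {"technique": "T1027",
     "name": "data written into a WMI class property",
     "all_of": [r"\bSet-WmiInstance\b"],
     "any_of": [r"ToBase64String", r"FromBase64String", r"-EncodedCommand"]},
]


def evaluate_script_block(text: str):
    """Return (technique, name, confidence) for every rule that fires on TEXT."""
    hits = []
    for rule in RULES:
        if all(re.search(p, text, re.I) for p in rule["all_of"]):
            extras = sum(1 for p in rule["any_of"] if re.search(p, text, re.I))
            hits.append((rule["technique"], rule["name"], "high" if extras >= 2 else "medium"))
    return hits


def reassemble(events):
    """Join fragmented 4104 records into whole blocks, keyed by ScriptBlockId.

    Fragments share a ScriptBlockId and are ordered by MessageNumber.
    """
    parts = {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        parts.setdefault(ev["ScriptBlockId"], []).append((ev["MessageNumber"], ev["ScriptBlockText"]))
    return {sid: "".join(t for _, t in sorted(frags)) for sid, frags in parts.items()}


def scan_4104(events):
    """Map ScriptBlockId -> rule hits for every reassembled block that fires."""
    results = {}
    for sid, text in reassemble(events).items():
        hits = evaluate_script_block(text)
        if hits:
            results[sid] = hits
    return results


# Constructed 4104 records (not real telemetry). Block "a1" is split in two so
# that the vendor strings live in a different fragment from the WMI query.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$bios = Get-WmiObject -Class Win32_BIOS | Select-Object SerialNumber, Version\n"},
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "if ($bios.SerialNumber -match 'VMware|VirtualBox') { exit }\n"},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$f = Get-Item 'C:\\constructed\\kxwn.lock'\n$t = Get-Date '2019-01-01'\n"
                        "$f.CreationTime = $t\n$f.LastAccessTime = $t\n$f.LastWriteTime = $t\n"},
    {"EventID": 4104, "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$enc = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($out))\n"
                        "Set-WmiInstance -Namespace root\\default -Class ConstructedStore -Arguments @{Data=$enc}\n"},
    {"EventID": 4104, "ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Windows | Measure-Object\n"},
]

if __name__ == "__main__":
    for sid, hits in scan_4104(SAMPLE_EVENTS).items():
        for technique, name, confidence in hits:
            print(f"{sid}: {technique} {name} [{confidence}]")
```

Evaluating fragment 1 of block a1 on its own still fires the Win32_BIOS rule, but only at medium confidence; the VMware/VirtualBox comparison that makes it a clear sandbox check is in fragment 2, which is why reassembly comes before matching.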