GoSecure: Command and Control (TA0011)
Carbanak+FIN7

Step | ATT&CK Pattern
1.A.10 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
1.A.11 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
2.B.1 | Technique: Ingress Tool Transfer (T1105)
3.B.1 | Technique: Ingress Tool Transfer (T1105)
3.B.7 | Technique: Non-Application Layer Protocol (T1095)
4.B.1 | Technique: Ingress Tool Transfer (T1105)
4.B.2 | Technique: Ingress Tool Transfer (T1105)
5.A.1 | Technique: Ingress Tool Transfer (T1105)
5.A.2 | Technique: Ingress Tool Transfer (T1105)
5.A.3 | Technique: Ingress Tool Transfer (T1105)
5.A.4 | Technique: Ingress Tool Transfer (T1105)
5.A.5 | Technique: Ingress Tool Transfer (T1105)
7.A.1 | Technique: Ingress Tool Transfer (T1105)
7.A.3 | Technique: Application Layer Protocol (T1071)
7.C.1 | Technique: Ingress Tool Transfer (T1105)
7.C.3 | Technique: Ingress Tool Transfer (T1105)
8.A.2 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
8.A.3 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
9.A.1 | Technique: Ingress Tool Transfer (T1105)
9.B.1 | Technique: Ingress Tool Transfer (T1105)
10.A.1 | Technique: Ingress Tool Transfer (T1105)
10.A.2 | Technique: Ingress Tool Transfer (T1105)
10.B.1 | Technique: Remote Access Software (T1219)
12.A.3 | Technique: Application Layer Protocol (T1071)
12.B.1 | Technique: Ingress Tool Transfer (T1105)
13.B.1 | Technique: Ingress Tool Transfer (T1105)
14.A.6 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
14.A.7 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
15.A.2 | Technique: Ingress Tool Transfer (T1105)
15.A.3 | Technique: Ingress Tool Transfer (T1105)
16.A.1 | Technique: Ingress Tool Transfer (T1105)
16.A.2 | Technique: Ingress Tool Transfer (T1105)
16.A.8 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
16.A.9 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
17.A.1 | Technique: Ingress Tool Transfer (T1105)
17.A.5 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
17.A.6 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
19.A.3 | Technique: Proxy (T1090)
19.B.3 | Technique: Ingress Tool Transfer (T1105)
19.B.4 | Technique: Ingress Tool Transfer (T1105)
20.A.3 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
20.A.4 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
20.B.1 | Technique: Ingress Tool Transfer (T1105)
20.B.3 | Technique: Ingress Tool Transfer (T1105)

Criteria
powershell.exe downloads uac-samcats.ps1 from 192.168.0.4
Data Sources
- Process Monitoring
- Network Monitoring
- File Monitoring
APT29

Step | ATT&CK Pattern
1.A.3 | Technique: Non-Application Layer Protocol (T1095)
1.A.4 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Symmetric Cryptography (T1573.001)
3.A.1 | Technique: Ingress Tool Transfer (T1105)
3.B.3 | Technique: Commonly Used Port (T1043)
3.B.4 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
3.B.5 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
4.A.1 | Technique: Ingress Tool Transfer (T1105)
8.B.1 | Technique: Ingress Tool Transfer (T1105)
9.A.1 | Technique: Ingress Tool Transfer (T1105)
9.A.2 | Technique: Ingress Tool Transfer (T1105)
9.B.8 |
11.A.13 | Technique: Commonly Used Port (T1043)
11.A.14 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
11.A.15 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
14.B.3 | Technique: Ingress Tool Transfer (T1105)
18.A.1 | Technique: Web Service (T1102)

Procedure
Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is HTTPS
Procedure
Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria
Established network channel over the HTTPS protocol
Procedure
Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
APT3

Step | ATT&CK Pattern
1.C.1.1 | Technique: Commonly Used Port (T1043)
1.C.1.2 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: DNS (T1071.004)
1.C.1.3 |
6.B.1.1 | Technique: Commonly Used Port (T1043)
6.B.1.2 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
6.B.1.3 | Technique: Multiband Communication (T1026)
7.B.1 | Technique: Ingress Tool Transfer (T1105)
11.B.1.1 | Technique: Commonly Used Port (T1043)
11.B.1.2 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
11.B.1.3 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
14.A.1.2 | Technique: Ingress Tool Transfer (T1105)
14.A.1.3 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
14.A.1.4 | Technique: Commonly Used Port (T1043)
16.E.1 | Technique: Ingress Tool Transfer (T1105)
19.A.1.2 | Technique: Ingress Tool Transfer (T1105)

Procedure
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)
Footnotes
- The capability may have been modified after the start of the evaluation to create this alert, so the detection is identified as a configuration change. See Configuration page for details.




Procedure
Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.

