Carbanak+FIN7
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
1.A.9
|
|
|
|
|
A General detection named "WscriptSuspiciousExecution" was generated when wscript.exe executed TransBaseOdbcDriver.js.
[1]
|
|
A Technique detection named "SuspiciousProcessChain - T1059 Command and Scripting Interpreter" (High) was generated when wscript.exe executed TransBaseOdbcDriver.js.
[1]
|
|
A Technique detection named "T1059.007 JavaScript/JScript" was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js.
[1]
|
|
12.A.2
|
|
|
A General detection named "ProcessCreate" (1) was generated when adb156.exe executed sql-rat.js using Jscript.
[1]
|
|
A Technique detection named "WscriptProcessExecuted - T1059 Command and Scripting Interpreter" (1) was generated when adb156.exe executed sql-rat.js using Jscript.
[1]
|
|
|
|
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
[1]
[2]
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
[1]
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
-
Process Monitoring
-
Script Logs
[1]
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
[1]
Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript
[1]
Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript
[1]
Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript
[1]
APT29
|
The subtechnique was not in scope.
|