Home >
Enterprise >
Participants >
ReaQta >
Defense Evasion (TA0005)
|
|
Carbanak+FIN7 |
||||||
Step | ATT&CK Pattern |
|
||||
1.A.4
|
Technique Obfuscated Files or Information (T1027) |
|
||||
1.A.5
|
|
|||||
1.A.6
|
|
|||||
3.A.2
|
Technique Modify Registry (T1112) |
|
||||
3.A.3
|
Technique Obfuscated Files or Information (T1027) |
|
||||
3.B.5
|
|
|||||
4.B.4
|
Technique Modify Registry (T1112) |
|
||||
5.C.6
|
|
|||||
7.A.4
|
|
|||||
9.A.3
|
Technique Process Injection (T1055) |
|
||||
9.B.3
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||
10.A.3
|
Technique Impair Defenses (T1562) Subtechnique Impair Defenses: Disable or Modify System Firewall (T1562.004) |
|
||||
10.A.5
|
Technique Modify Registry (T1112) |
|
||||
10.A.6
|
Technique Modify Registry (T1112) |
|
||||
11.A.2
|
Technique Obfuscated Files or Information (T1027) |
|
||||
11.A.5
|
|
|||||
11.A.6
|
|
|||||
13.A.4
|
Technique Virtualization/Sandbox Evasion (T1497) Subtechnique Virtualization/Sandbox Evasion: System Checks (T1497.001) |
|
||||
14.A.3
|
|
|||||
14.A.5
|
|
|||||
16.A.7
|
|
|||||
17.A.2
|
Technique Masquerading (T1036) Subtechnique Masquerading: Match Legitimate Name or Location (T1036.005) |
|
||||
18.A.1
|
Technique Process Injection (T1055) |
|
||||
18.A.3
|
Technique Process Injection (T1055) |
|
||||
19.B.2
|
Technique Obfuscated Files or Information (T1027) |
|
||||
20.A.2
|
Technique Process Injection (T1055) |
|
APT29 |
||||||
Step | ATT&CK Pattern |
|
||||
1.A.2
|
|
|||||
3.A.2
|
|
|||||
3.C.1
|
Technique Modify Registry (T1112) |
|
||||
4.A.3
|
|
|||||
4.B.2
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||
4.B.3
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||
4.B.4
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||
6.A.3
|
Technique Masquerading (T1036) Subtechnique Masquerading: Match Legitimate Name or Location (T1036.005) |
|
||||
8.B.2
|
|
|||||
8.C.1
|
|
|||||
9.C.1
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||
9.C.2
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||
9.C.3
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||
9.C.4
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||
10.B.3
|
|
|||||
11.A.2
|
|
|||||
11.A.3
|
Technique Virtualization/Sandbox Evasion (T1497) Subtechnique Virtualization/Sandbox Evasion: System Checks (T1497.001) |
|
||||
11.A.10
|
|
|||||
12.A.2
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: Timestomp (T1070.006) |
|
||||
14.A.3
|
Technique Modify Registry (T1112) |
|
||||
14.B.5
|
Technique Obfuscated Files or Information (T1027) |
|
||||
14.B.6
|
|
|||||
17.C.2
|
Technique Obfuscated Files or Information (T1027) |
|
Procedure
Used unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria
Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process OR the original filename (cod.3aka.scr)
Procedure
Deleted rcs.3aka3.doc on disk using SDelete
Criteria
sdelete64.exe deleting the file rcs.3aka3.doc
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted Draft.zip on disk using SDelete
Criteria
sdelete64.exe deleting the file draft.zip
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted SysinternalsSuite.zip on disk using SDelete
Criteria
sdelete64.exe deleting the file SysinternalsSuite.zip
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
python.exe payload was packed with UPX
Criteria
Evidence that the file python.exe is packed
Procedure
Deleted rar.exe on disk using SDelete
Criteria
sdelete64.exe deleting the file rar.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted working.zip (from Desktop) on disk using SDelete
Criteria
sdelete64.exe deleting the file \Desktop\working.zip
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted working.zip (from AppData directory) on disk using SDelete
Criteria
sdelete64.exe deleting the file \AppData\Roaming\working.zip
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted SDelete on disk using cmd.exe del command
Criteria
cmd.exe deleting the file sdelete64.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Procedure
Executed an alternate data stream (ADS) using PowerShell
Criteria
powershell.exe executing the schemas ADS via Get-Content and IEX
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Decoded an embedded DLL payload to disk using certutil.exe
Criteria
certutil.exe decoding kxwn.lock
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Encoded and wrote Mimikatz output to a WMI class property using PowerShell
Criteria
powershell.exe executing Set-WmiInstance