Carbanak_G0008.json
{"description": "Enterprise techniques used by Carbanak, ATT&CK group G0008 v1.0. Note: this layer (Navigator layer format 2.2) uses pre-sub-technique IDs; T1050 (New Service), T1085 (Rundll32) and T1089 (Disabling Security Tools) were deprecated with the ATT&CK v7 sub-technique release in favour of T1543.003, T1218.011 and the T1562 Impair Defenses sub-techniques, so re-map these entries before loading the layer into a current Navigator or the techniques will not render.", "name": "Carbanak (G0008)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1219", "techniqueName": "Remote Access Tools", "comment": "[Carbanak](https://attack.mitre.org/groups/G0008) used legitimate programs such as AmmyAdmin and Team Viewer for remote interactive C2 to target systems."}, {"score": 1, "techniqueID": "T1036", "techniqueName": "Masquerading", "comment": "[Carbanak](https://attack.mitre.org/groups/G0008) malware names itself \"svchost.exe,\" which is the name of the Windows shared service host program."}, {"score": 1, "techniqueID": "T1050", "techniqueName": "New Service", "comment": "[Carbanak](https://attack.mitre.org/groups/G0008) malware installs itself as a service to provide persistence and SYSTEM privileges."}, {"score": 1, "techniqueID": "T1102", "techniqueName": "Web Service", "comment": "[Carbanak](https://attack.mitre.org/groups/G0008) has used a VBScript named \"ggldr\" that uses Google Apps Script, Sheets, and Forms services for C2."}, {"score": 1, "techniqueID": "T1085", "techniqueName": "Rundll32", "comment": "[Carbanak](https://attack.mitre.org/groups/G0008) installs VNC server software that executes through rundll32."}, {"score": 1, "techniqueID": "T1089", "techniqueName": "Disabling Security Tools", "comment": "[Carbanak](https://attack.mitre.org/groups/G0008) may use [netsh](https://attack.mitre.org/software/S0108) to add local firewall rule exceptions."}, {"score": 1, "techniqueID": "T1078", "techniqueName": "Valid Accounts", "comment": "[Carbanak](https://attack.mitre.org/groups/G0008) actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Carbanak", "color": "#ff6666"}]}