
Fidelis Overview
Vendor Configuration: Carbanak+FIN7

MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE Engenuity.
Evaluation Summary
These are the evaluations that Fidelis has participated in:
Evaluations                        | Detection Count         | Analytic Coverage    | Telemetry Coverage   | Visibility
APT3 (2018)                        | -                       | -                    | -                    | -
APT29 (2020)                       | -                       | -                    | -                    | -
Carbanak+FIN7 (2021)               | 282 across 174 substeps | 119 of 174 substeps  | 147 of 174 substeps  | 147 of 174 substeps
Wizard Spider and Sandworm (2022)  | -                       | -                    | -                    | -
Evaluation Overview
Choose an evaluation to drill down into the procedures used to test each tactic and technique. The clipboard on each cell will allow you to view the detection results.

Views: Tactics | Techniques | Substeps

Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance, Resource Development
20.B.4
Criteria:

7za.exe creates C:\Users\Public\log.7z

Detections:
5.B.5
Tux
Criteria:

User kmitnick reads network-diagram-financial.xml via cat

Detections:
5.B.6
Tux
Criteria:

User kmitnick reads help-desk-ticket.txt via cat

Detections:
9.A.5
Criteria:

explorer.exe reads C:\Users\jsmith\AppData\Local\Temp\Klog2.txt and sends it over to 192.168.0.4

Detections:
9.A.2
Criteria:

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Detections:
18.A.4
Criteria:

mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

Detections:
2.B.4
Criteria:

powershell.exe executes CopyFromScreen()

Detections:
9.A.4
Criteria:

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Detections:
13.B.4
Criteria:

powershell.exe executes CopyFromScreen()

Detections:
18.A.2
Criteria:

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Detections:
7.A.3
Criteria:

plink.exe transmits data to 192.168.0.4 over SSH protocol

Detections:
12.A.3
Criteria:

Adb156.exe transmits data to 192.168.0.6 via MSSQL transactions

Detections:
1.A.10
Criteria:

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
8.A.2
Criteria:

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
14.A.6
Criteria:

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
16.A.8
Criteria:

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
17.A.5
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
20.A.3
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
1.A.11
Criteria:

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
8.A.3
Criteria:

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
14.A.7
Criteria:

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
16.A.9
Criteria:

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
17.A.6
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
20.A.4
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
2.B.1
Criteria:

wscript.exe downloads screenshot__.ps1 from 192.168.0.4

Detections:
3.B.1
Criteria:

wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4

Detections:
4.B.1
Criteria:

powershell.exe downloads rad353F7.ps1 from 192.168.0.4

Detections:
4.B.2
Criteria:

powershell.exe downloads smrs.exe from 192.168.0.4

Detections:
5.A.1
Criteria:

powershell.exe downloads pscp.exe from 192.168.0.4

Detections:
5.A.2
Criteria:

powershell.exe downloads psexec.py from 192.168.0.4

Detections:
5.A.3
Criteria:

powershell.exe downloads runtime from 192.168.0.4

Detections:
5.A.4
Criteria:

powershell.exe downloads plink.exe from 192.168.0.4

Detections:
5.A.5
Criteria:

powershell.exe downloads tiny.exe from 192.168.0.4

Detections:
7.A.1
Criteria:

tiny.exe downloads plink.exe from 192.168.0.4

Detections:
7.C.1
Criteria:

scp.exe downloads Java-Update.exe from 192.168.0.4

Detections:
7.C.3
Criteria:

cmd.exe downloads Java-Update.vbs from 192.168.0.4

Detections:
9.A.1
Criteria:

Java-Update.exe downloads DefenderUpgradeExec.exe from 192.168.0.4

Detections:
9.B.1
Criteria:

explorer.exe downloads infosMin48.exe from 192.168.0.4

Detections:
10.A.1
Criteria:

explorer.exe downloads tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4

Detections:
10.A.2
Criteria:

explorer.exe downloads vnc-settings.reg from 192.168.0.4

Detections:
12.B.1
Criteria:

Adb156.exe downloads stager.ps1 from 192.168.0.6

Detections:
13.B.1
Criteria:

Adb156.exe downloads takeScreenshot.ps1 from 192.168.0.6 via MSSQL transactions

Detections:
15.A.2
Criteria:

powershell.exe downloads samcat.exe from 192.168.0.4

Detections:
15.A.3
Criteria:

powershell.exe downloads uac-samcats.ps1 from 192.168.0.4

Detections:
16.A.1
Criteria:

powershell.exe downloads paexec.exe from 192.168.0.4

Detections:
16.A.2
Criteria:

powershell.exe downloads hollow.exe from 192.168.0.4

Detections:
17.A.1
Criteria:

svchost.exe downloads srrstr.dll from 192.168.0.4 (port 443)

Detections:
19.B.3
Criteria:

powershell.exe downloads dll329.dll from 192.168.0.4

Detections:
19.B.4
Criteria:

powershell.exe downloads sdbE376.tmp from 192.168.0.4

Detections:
20.B.1
Criteria:

rundll32.exe downloads debug.exe from 192.168.0.4

Detections:
20.B.3
Criteria:

rundll32.exe downloads 7za.exe from 192.168.0.4

Detections:
3.B.7
Criteria:

powershell.exe transmits data to 192.168.0.4 over TCP

Detections:
19.A.3
Criteria:

itadmin (10.0.1.6) is relaying RDP traffic from attacker infrastructure

Detections:
10.B.1
Criteria:

tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900

Detections:
4.A.3
Criteria:

powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access

Detections:
9.B.2
Criteria:

infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll

Detections:
9.A.2
Criteria:

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Detections:
18.A.4
Criteria:

mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

Detections:
4.B.7
Criteria:

smrs.exe opens and reads lsass.exe

Detections:
15.A.6
Criteria:

samcat.exe opens and reads the SAM via LSASS

Detections:
4.B.5
Criteria:

fodhelper.exe spawns cmd.exe as a high-integrity process (note: due to the configuration of the environment, the adversary's process was high-integrity by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Detections:
15.A.5
Criteria:

powershell.exe spawns samcat.exe as a high-integrity process (note: due to the configuration of the environment, the adversary's process was high-integrity by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Detections:
1.A.5
Criteria:

wscript.exe decodes content and creates starter.vbs

Detections:
1.A.6
Criteria:

wscript.exe decodes content and creates TransBaseOdbcDriver.js

Detections:
3.B.5
Criteria:

powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode

Detections:
5.C.6
Criteria:

tiny.exe loads shellcode from network connection into memory

Detections:
11.A.5
Criteria:

mshta.exe assembles text embedded within 2-list.rtf into a JS payload

Detections:
14.A.3
Criteria:

powershell.exe decodes an embedded DLL payload

Detections:
14.A.5
Criteria:

powershell.exe loads shellcode from network connection into memory

Detections:
17.A.4
Criteria:

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Detections:
10.A.3
Criteria:

netsh adds Service Host rule for TCP port 5900

Detections:
9.B.3
Criteria:

powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\

Detections:
17.A.2
Criteria:

srrstr.dll is not the legitimate Windows System Protection Configuration Library

Detections:
11.A.6
Criteria:

mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe

Detections:
3.A.2
Criteria:

cmd.exe spawns reg.exe to add a value under HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer

Detections:
4.B.4
Criteria:

powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty

Detections:
10.A.5
Criteria:

Addition of subkeys in HKLM\Software\TightVNC\Server

Detections:
10.A.6
Criteria:

Deletion of the Java-Update subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Detections:
1.A.4
Criteria:

unprotected.vbe is an encoded file

Detections:
3.A.3
Criteria:

Value added to Registry is base64 encoded

Detections:
11.A.2
Criteria:

2-list.rtf contains an embedded lnk payload that is dropped to disk

Detections:
19.B.2
Criteria:

powershell.exe executes base64 encoded commands

Detections:
9.A.3
Criteria:

Java-Update.exe injects into explorer.exe with CreateRemoteThread

Detections:
18.A.1
Criteria:

svchost.exe injects into explorer.exe with CreateRemoteThread

Detections:
18.A.3
Criteria:

explorer.exe injects into mstsc.exe with CreateRemoteThread

Detections:
20.A.2
Criteria:

AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread

Detections:
16.A.7
Criteria:

hollow.exe spawns svchost.exe and unmaps its memory image via NtUnmapViewOfSection

Detections:
11.A.3
Criteria:

winword.exe spawns mshta.exe

Detections:
5.C.1
Criteria:

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Detections:
4.A.4
Criteria:

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Detections:
5.A.8
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
5.B.2
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
7.A.4
Criteria:

User kmitnick logs on to bankdc (10.0.0.4)

Detections:
7.B.2
Criteria:

User kmitnick logs on to cfo (10.0.0.5)

Detections:
16.A.4
Criteria:

User kmitnick logs on to itadmin (10.0.1.6)

Detections:
19.A.1
Criteria:

User kmitnick logs on to accounting (10.0.1.7)

Detections:
13.A.4
Criteria:

Adb156.exe makes a WMI query for Win32_BIOS

Detections:
6.A.3
Criteria:

PowerShell executes Get-NetUser

Detections:
4.A.1
Criteria:

powershell.exe calls the FindFirstFileW() and FindNextFileW() APIs

Detections:
5.B.4
Tux
Criteria:

User kmitnick executes ls -lsahR /var/

Detections:
7.C.2
Criteria:

dir lists the contents of C:\Users\Public

Detections:
13.A.3
Criteria:

cmd.exe executes net view

Detections:
2.A.4
Criteria:

wscript.exe makes a WMI query for Win32_Process

Detections:
5.B.3
Tux
Criteria:

User kmitnick executes ps ax

Detections:
13.A.1
Criteria:

Adb156.exe makes a WMI query for Win32_Process

Detections:
15.A.1
Criteria:

powershell.exe calls the CreateToolhelp32Snapshot() API

Detections:
20.B.2
Criteria:

debug.exe calls the CreateToolhelp32Snapshot API

Detections:
3.B.4
Criteria:

powershell.exe reads HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty

Detections:
4.A.2
Criteria:

powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4

Detections:
5.B.7
Tux
Criteria:

User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)

Detections:
6.A.2
Criteria:

PowerShell executes Get-ADComputer

Detections:
15.A.8
Criteria:

powershell.exe spawns nslookup.exe, which queries the DC (10.0.1.4) over DNS (port 53)

Detections:
2.A.2
Criteria:

wscript.exe makes WMI queries for Win32_Processor & Win32_OperatingSystem

Detections:
12.A.5