Malwarebytes Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE Engenuity comments are included in italics.


Product Versions

  • engine_version: 1.2.0.834
  • service_version: 1.2.0.487
  • tray_version: 1.2.0.390
  • EDR plugin version: 1.2.0.298

Product Description

For the MITRE ATT&CK Evaluation, Malwarebytes provided our Endpoint Protection & Response (EPR) product, which is designed to provide customers with a simple, yet powerful Endpoint Protection (EP) and Detection & Response (EDR) solution. It supports features such as exploit mitigation, malware detection via anomaly detection, granular endpoint isolation, cloud sandbox detonation, rollback of ransomware damages, application behavior monitoring, complete artifact remediation and a visual representation of suspicious activity. Malwarebytes EDR delivers an easy-to-use interface, with excellent detection capabilities.

With granular isolation, users can isolate any endpoint with a combination of three modes: network isolation (prevents inbound/outbound communication), process isolation (prevents any new processes from being spawned), and desktop isolation (prevents all user interaction). This level of granularity allows users to customize the isolation process while still maintaining control during an incident investigation.

Malwarebytes EDR uploads undetected suspicious executable files to the Malwarebytes cloud sandbox environment, where they are detonated for further analysis. By applying additional behavioral detection rules to the uploaded files, Malwarebytes provides an additional layer of protection against these suspicious files.

By backing up critical user files and registry settings, Malwarebytes can quickly recover (on the first sign of a possible ransomware attack) and revert affected files to their original uncompromised state. Ransomware rollback removes the need for organizations to recover using traditional, costly, and time-consuming re-imaging while maintaining file integrity.

Malwarebytes EDR provides robust detections through the use of behavioral rules which trigger suspicious activity on a series of connected Windows events. These rules are optimized to effectively cover the MITRE ATT&CK tactics and techniques.

Additionally, there is a detailed graphical representation which shows the connections, spawned processes, and/or downloaded files that are part of the potential attack. Malwarebytes provides easy-to-use information about detected suspicious activity, such as all processes, files, and registry changes associated with it. Every suspicious activity is assigned a severity, which allows admins to filter out the “noise” and focus on items that need immediate attention.

Finally, Malwarebytes EDR quickly detects any suspicious activity in customers’ environments, classifies it, and provides detailed information to let admins make informed decisions on how to mitigate the threat, saving both time and money while providing world-class protection.

Product Configuration

Policy Configuration for MITRE ATT&CK 2020 Detection Test

Policies -> Windows -> Settings

  1. Disable Real-Time Protection modules
  2. Enable “Capture experimental events”
  3. Enable EDR monitoring options
  4. Enable Ransomware Rollback and Endpoint Isolation

Policy Configuration for MITRE ATT&CK 2020 Protection Test

Policies -> Windows -> Settings

  1. Enable “Block penetration testing attacks”
  2. Enable RET ROP Gadget detection for both 32-bit and 64-bit applications