MITRE ATTACK Evaluations Round 3 - Carbanak and FIN7 Adversary Emulation


OpenText | OpenText Community

This package was used during MITRE ATT&CK Carbanak+FIN7 emulation enterprise evaluation in October 2020.
482 downloads

Description

ArcSight participated in the MITRE ATT&CK Carbanak+FIN7 emulation enterprise evaluation in October 2020. More details about the evaluation can be found at https://attackevals.mitre-engenuity.org/carbanak-fin7/.

The ATTACK_EvalsR3_Carbanak_and_FIN7.zip file contains the two packages that were used during the evaluation:

Package One – ATTACK_EvalsR3_Carbanak_and_FIN7_v1_no-optimization.arb, used during the first and second day.

Package Two – ATTACK_EvalsR3_Carbanak_and_FIN7_v2_optimized_and_recommended.arb, used during the third day. It carries minor configuration modifications to capture many more use cases that Package One originally missed. Caution: this package also generates more false positives.

Data Sources and Configuration

ESM: Suppression List set to 1 minute during the evaluation (the default is 24 hours)

Connectors:

1. Windows logs: Enable command line process creation auditing

  • Microsoft-Windows-Security-Auditing:4688, 5145, 4624, 4683, 4728, 4732, 4756, 4740, 6416, 4729, 4733, 4757, 4656, 5156, 4799, 4798, 5140, 5158, 4689, 4697, 4625, 4950

2. PowerShell logs: Turn on PowerShell Script Block Logging - 8003.

3. Sysmon: Enable the following event IDs:

  • 1: Process creation
  • 3: Network connection
  • 7: Image loaded
  • 8: CreateRemoteThread
  • 10: ProcessAccess
  • 11: FileCreate
  • 12: RegistryEvent (Object create and delete)
  • 13: RegistryEvent (Value Set)
  • 15: FileCreateStreamHash
  • 17: PipeEvent (Pipe Created)
  • 18: PipeEvent (Pipe Connected)
  • 22: DNSEvent (DNS query)

4. Firewall logs

5. Proxy logs

6. IDS/IPS logs

7. Anti-virus logs

8. Linux auditd logs: Modify /usr/lib/systemd/system/auditd.service to get these logs

9. Snoopy logs

10. Flex connector for Hollows Hunter
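As an added example that is not part of the ArcSight package, the following PowerShell function checks whether a Windows host actually has the settings the Windows, PowerShell and Sysmon connectors above depend on, so gaps in the data sources are found before the rules are expected to fire. The function name and the one-day Sysmon lookback are arbitrary choices; the registry paths and log names are the standard Windows locations for these policies.

```powershell
# Added example, not part of the ArcSight package: verify the audit settings the
# Windows, PowerShell and Sysmon connectors rely on. Run from an elevated session;
# the function name and the 1-day lookback are arbitrary.
function Test-AuditPrerequisites {
    $r = [ordered]@{}

    # 4688 with command line: the "Process Creation" subcategory must audit Success,
    # and the policy that embeds the command line in the event must be on.
    $csv = auditpol /get /subcategory:"Process Creation" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    $r['ProcessCreationAudited'] = [bool]($csv.'Inclusion Setting' -match 'Success')
    $cmdKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $cmd = Get-ItemProperty -Path $cmdKey -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    $r['CommandLineIn4688'] = ($cmd.ProcessCreationIncludeCmdLine_Enabled -eq 1)

    # Confirm recent 4688 events really carry a command line, not just that the policy is set.
    $recent = @(Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4688} -MaxEvents 20 -ErrorAction SilentlyContinue)
    $withCmd = @($recent | Where-Object {
        ([xml]$_.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' -and $_.'#text' } })
    $r['Recent4688WithCmdLine'] = "$($withCmd.Count)/$($recent.Count)"

    # PowerShell Script Block Logging policy.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $r['ScriptBlockLogging'] = ($sbl.EnableScriptBlockLogging -eq 1)

    # Sysmon: service present, and which of the event IDs listed above were seen in the last day.
    $sysmonIds = 1, 3, 7, 8, 10, 11, 12, 13, 15, 17, 18, 22
    $r['SysmonInstalled'] = [bool](Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue)
    $seen = @()
    if ($r['SysmonInstalled']) {
        $seen = @(Get-WinEvent -FilterHashtable @{
                    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $sysmonIds
                    StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty Id -Unique)
    }
    $r['SysmonIdsNotSeen'] = ($sysmonIds | Where-Object { $_ -notin $seen }) -join ','

    [pscustomobject]$r
}

Test-AuditPrerequisites | Format-List
```

A Sysmon ID listed under SysmonIdsNotSeen may simply not have occurred in the window (for example 8, CreateRemoteThread), so treat that field as a prompt to check the Sysmon configuration rather than as a failure on its own.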

To install this package:

The zip file contains three files: the package .arb file, the signature of the .arb file, and a Readme. Micro Focus provides a digital public key so that you can verify that the signed software you received is indeed from Micro Focus and has not been manipulated in any way by a third party. Visit the following site for information and instructions:

https://entitlement.mfgs.microfocus.com/ecommerce/efulfillment/digitalSignIn.do

You must log in with a Micro Focus Software Passport (the site offers the option to create an account).

Perform the following steps in the ArcSight Console:

1. Open the ArcSight Console.

2. Click Packages.

3. Click Import.

4. Select the .arb file extracted from the zip file.

5. Follow the prompts to import and install the package.

Minimum Requirements

ESM 6.11 and above.

Releases

Release | Size | Date
Replay Events During Evaluations 1.0.0.0 | 42.3 MB | Apr 20, 2021
ATTACK EvalsR3 Carbanak and FIN7 1.0.0.0 | 1.6 MB | Apr 20, 2021
