Please see the formal Carbanak Intelligence Summary which includes a break-down of the cited intelligence used for each step of this emulation.
Based on Carbanak Malware, Ggldr, and Mimikatz
This scenario begins with a legitimate user executing a malicious payload delivered via spearphishing attacks targeting financial institutions. Following initial compromise, Carbanak expands access to other hosts through privilege escalation, credential accesss, and lateral movement with the goal of compromising money processing services, automated teller machines, and financial accounts. As Carbanak compromises potentially valuable targets, they establish persistence so that they can learn the financial organization's internal procedures and technology. Using this information, Carbanak transfers funds to bank accounts under their control, completing their mission.
This emulation plan is intended to be executed with protections-based capabilities disabled in order to accurately measure a security control's ability to detect specific adversary behavior.
This scenario emulates the same Carbanak TTP's as scenario 1; however, changes were made to support environments with protective security controls enabled. This scenario is designed so that specific TTP's are decoupled from dependencies to enable all steps to be executed, even if previous steps are blocked.