Secureworks (ATT&CK Evaluations, Enterprise): APT29

Collection (TA0009)
| Step | ATT&CK Pattern | Procedure | Criteria | Footnotes |
|---|---|---|---|---|
| 2.A.2 | Automated Collection (T1119) | Recursively collected files found in C:\Users\Pam\ using PowerShell | powershell.exe reading files in C:\Users\Pam\ | |
| 2.A.3 | Data from Local System (T1005) | Recursively collected files found in C:\Users\Pam\ using PowerShell | powershell.exe reading files in C:\Users\Pam\ | |
| 2.A.4 | Archive Collected Data (T1560): Archive via Utility (T1560.001) | Staged files for exfiltration into ZIP (Draft.zip) using PowerShell | powershell.exe creating the file draft.zip | |
| 2.A.5 | Archive Collected Data (T1560): Archive via Utility (T1560.001) | Staged files for exfiltration into ZIP (Draft.zip) using PowerShell | powershell.exe creating the file draft.zip | |
| 7.A.1 | Screen Capture (T1113) | | | |
| 7.A.2 | Clipboard Data (T1115) | | | |
| 7.A.3 | | | | |
| 7.B.1 | Data from Local System (T1005) | Read data in the user's Downloads directory using PowerShell | powershell.exe reading files in C:\Users\pam\Downloads\ | |
| 7.B.2 | Archive Collected Data (T1560): Archive via Utility (T1560.001) | Compressed data from the user's Downloads directory into an archive file (OfficeSupplies.7z) using PowerShell | powershell.exe creating the file OfficeSupplies.7z | |
| 7.B.3 | Archive Collected Data (T1560): Archive via Utility (T1560.001) | Compressed data from the user's Downloads directory into an archive file (OfficeSupplies.7z) using PowerShell | powershell.exe creating the file OfficeSupplies.7z | |
| 9.B.3 | Automated Collection (T1119) | Recursively collected files found in C:\Users\Pam\ using PowerShell | powershell.exe reading files in C:\Users\Pam\ | |
| 9.B.4 | Data from Local System (T1005) | Recursively collected files found in C:\Users\Pam\ using PowerShell | powershell.exe reading files in C:\Users\Pam\ | |
| 9.B.5 | | Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell | powershell.exe creating the file working.zip | |
| 9.B.6 | Archive Collected Data (T1560): Archive via Utility (T1560.001) | Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe | powershell.exe executing rar.exe with the -a parameter for a password to use for encryption | [1] |
| 9.B.7 | Archive Collected Data (T1560): Archive via Utility (T1560.001) | Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe | powershell.exe executing rar.exe | [1] |
| 17.A.1 | Email Collection (T1114): Local Email Collection (T1114.001) | | | |
| 17.B.1 | Data from Local System (T1005) | Read and collected a local file using PowerShell | powershell.exe reading the file MITRE-ATTACK-EVALS.HTML | |
| 17.B.2 | | Staged collected file into directory using PowerShell | powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML | |
| 17.C.1 | Archive Collected Data (T1560): Archive via Utility (T1560.001) | | | |

Footnotes
[1] Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
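The Criteria column can be read directly as detection checks. The block below is an added example, not Secureworks' detection logic or MITRE's evaluation tooling: it encodes each criterion from the table as a predicate over a simplified event record (an `op` of read, create or process, plus the `image`, `parent`, `path` and `cmdline` fields that a process-creation record, a file-create record or a file-access audit record would supply) and runs them over constructed sample events that are not telemetry from the evaluation. The assignment of the working.zip and WindowsParentalControlMigration criteria to steps 9.B.5 and 17.B.2, and the PowerShell image path, follow the table above and are assumptions of the example. For 9.B.6 the check looks for RAR's password switches, `-p<password>` or `-hp<password>` (the latter also encrypts archive headers), since that is how a password reaches rar.exe on the command line; `a` in that command line is RAR's add command, not a switch.

```python
"""Detection checks for the Collection criteria in the table above, run over
constructed events. Added example; not Secureworks' or MITRE's own code."""
import ntpath
import re

# Assumed image path of the acting PowerShell process in the sample events.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAM = "C:\\Users\\Pam\\"
DOWNLOADS = PAM + "Downloads\\"
# RAR takes a password as -p<pw> or -hp<pw> (the latter also encrypts headers).
RAR_PASSWORD_SWITCH = re.compile(r"(?:^|\s)-h?p\S*")


def _base(path):
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def _under(path, folder):
    """True if path lies under folder, compared case-insensitively."""
    return ntpath.normcase(path).startswith(ntpath.normcase(folder))


def _by_powershell(event, key="image"):
    """True if the process named by `key` (image or parent) is powershell.exe."""
    return _base(event.get(key, "")) == "powershell.exe"


def _rar_child(event):
    """rar.exe started by powershell.exe (the criterion for 9.B.7)."""
    return (event["op"] == "process" and _by_powershell(event, "parent")
            and _base(event["image"]) == "rar.exe")


# (steps the criterion covers, criterion as worded in the table, predicate).
RULES = [
    (["2.A.2", "2.A.3", "9.B.3", "9.B.4"], "powershell.exe reading files in " + PAM,
     lambda e: e["op"] == "read" and _by_powershell(e) and _under(e["path"], PAM)),
    (["7.B.1"], "powershell.exe reading files in " + DOWNLOADS,
     lambda e: e["op"] == "read" and _by_powershell(e) and _under(e["path"], DOWNLOADS)),
    (["2.A.4", "2.A.5"], "powershell.exe creating the file draft.zip",
     lambda e: e["op"] == "create" and _by_powershell(e) and _base(e["path"]) == "draft.zip"),
    (["7.B.2", "7.B.3"], "powershell.exe creating the file OfficeSupplies.7z",
     lambda e: e["op"] == "create" and _by_powershell(e) and _base(e["path"]) == "officesupplies.7z"),
    (["9.B.5"], "powershell.exe creating the file working.zip",
     lambda e: e["op"] == "create" and _by_powershell(e) and _base(e["path"]) == "working.zip"),
    (["9.B.6"], "powershell.exe executing rar.exe with a password switch",
     lambda e: _rar_child(e) and RAR_PASSWORD_SWITCH.search(e.get("cmdline", "")) is not None),
    (["9.B.7"], "powershell.exe executing rar.exe", _rar_child),
    (["17.B.1"], "powershell.exe reading the file MITRE-ATTACK-EVALS.HTML",
     lambda e: e["op"] == "read" and _by_powershell(e)
     and _base(e["path"]) == "mitre-attack-evals.html"),
    (["17.B.2"], "powershell.exe creating \\WindowsParentalControlMigration\\MITRE-ATTACK-EVALS.HTML",
     lambda e: e["op"] == "create" and _by_powershell(e) and ntpath.normcase(e["path"])
     .endswith("\\windowsparentalcontrolmigration\\mitre-attack-evals.html")),
]


def evaluate(events):
    """Map each satisfied step to the evidence (command line or path) behind it."""
    hits = {}
    for event in events:
        evidence = event.get("cmdline") or event.get("path")
        for steps, _criterion, predicate in RULES:
            if predicate(event):
                for step in steps:
                    hits.setdefault(step, []).append(evidence)
    return hits


def matched_steps(events):
    """Step IDs whose criterion is satisfied at least once."""
    return set(evaluate(events))


# Constructed sample telemetry, not captured from the evaluation. "read" stands
# for a file-access audit record, "create" for a file-create record, "process"
# for a process-creation record with parent image and command line.
SAMPLE_EVENTS = [
    {"op": "read", "image": PS, "path": r"C:\Users\Pam\Documents\budget.xlsx"},
    {"op": "read", "image": PS, "path": r"C:\Users\Pam\Downloads\invoice.pdf"},
    {"op": "create", "image": PS, "path": r"C:\Users\Pam\AppData\Roaming\working.zip"},
    {"op": "process", "parent": PS, "image": r"C:\Users\Pam\AppData\Roaming\rar.exe",
     "cmdline": r'rar.exe a -hpSecret123 "C:\Users\Pam\Desktop\working.zip" '
                r'"C:\Users\Pam\AppData\Roaming\working.zip"'},
    # The Desktop copy is written by rar.exe, not powershell.exe: 9.B.5 must not fire.
    {"op": "create", "image": r"C:\Users\Pam\AppData\Roaming\rar.exe",
     "path": r"C:\Users\Pam\Desktop\working.zip"},
    # A ZIP the user makes through explorer.exe is not the 2.A.4 criterion either.
    {"op": "create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\Pam\Desktop\Draft.zip"},
    {"op": "read", "image": PS, "path": r"C:\Users\Pam\Desktop\MITRE-ATTACK-EVALS.HTML"},
    {"op": "create", "image": PS, "path": r"C:\Users\Pam\AppData\Local\Temp"
     r"\WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML"},
]

if __name__ == "__main__":
    for step, evidence in evaluate(SAMPLE_EVENTS).items():
        print(step, evidence)
```

Process-creation telemetry alone satisfies only the rar.exe rows. The file-read rows need file-access auditing (on Windows, Security event 4663 with a SACL on the user profile), and the file-create rows need a file-create source such as Sysmon event 11. To separate Automated Collection (T1119) from a single Data from Local System read (T1005), count distinct paths per powershell.exe instance rather than alerting on the first read.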