APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 4.B.2 | | | Telemetry showed sdelete.exe running with command-line arguments and subsequently writing to and deleting the file. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2] |
| 4.B.2 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting rcs.3aka3.doc. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
| 4.B.2 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called "File Deletion - sdelete execution" was generated due to Sdelete64.exe deleting rcs.3aka3.doc. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
| 4.B.3 | | | Telemetry showed sdelete.exe running with command-line arguments and subsequently writing to and deleting the file. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2] |
| 4.B.3 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called "File Deletion - sdelete execution" was generated due to Sdelete64.exe deleting Draft.zip. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
| 4.B.3 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting Draft.zip. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
| 4.B.4 | | | Telemetry showed sdelete.exe running with command-line arguments and subsequently writing to and deleting the file. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2] |
| 4.B.4 | | | An MSSP detection was generated for the deletion of SysinternalsSuite.zip. [1] |
| 4.B.4 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called "File Deletion - sdelete execution" was generated due to Sdelete64.exe deleting SysinternalsSuite.zip. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
| 4.B.4 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting SysinternalsSuite.zip. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
| 9.C.1 | | | Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2] |
| 9.C.1 | | General (Correlated, Alert) | A General alert detection (red indicator) for potential malware was generated for cmd.exe running multiple commands on behalf of python.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2] |
| 9.C.1 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting Rar.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] |
| 9.C.1 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called File Deletion was generated when sdelete64.exe with command-line arguments was used to delete Rar.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] |
| 9.C.2 | | | Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2] |
| 9.C.2 | | General (Correlated, Alert) | A General alert detection (red indicator) for potential malware was generated for cmd.exe running multiple commands on behalf of python.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2] |
| 9.C.2 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting Desktop\working.zip. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] |
| 9.C.2 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called File Deletion was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] |
| 9.C.3 | | | Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2] |
| 9.C.3 | | General (Correlated, Alert) | A General alert detection (red indicator) for potential malware was generated for cmd.exe running multiple commands on behalf of python.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2] |
| 9.C.4 | | | Telemetry showed cmd.exe deleting sdelete64.exe, recorded as a filemod (delete) event. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] |
| 9.C.4 | | General (Correlated, Alert) | A General alert detection (red indicator) for potential malware was generated for cmd.exe running multiple commands on behalf of python.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2] |
| 12.A.2 | | | Telemetry showed a script block with commands to timestomp kxwn.lock as well as the execution of the timestomp function against the kxwn.lock file. The detection was correlated to a parent alert for the execution of powershell.exe from explorer.exe. [1] [2] |
| 12.A.2 | | | An MSSP detection occurred containing evidence of PowerShell modifying filesystem access and write times of the kxwn.lock file. [1] |
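The sdelete rows above (steps 4.B and 9.C) all rest on the same two observations: sdelete.exe or sdelete64.exe started with command-line arguments and then deleting a file (in 4.B, after first writing to it), with the hit correlated up the process tree to an existing parent alert. The following is an added illustration of that detection logic, not code from the evaluation or any vendor; the event layout, pids, paths and alert text are constructed for the example.

```python
from typing import Dict, List, Optional

# Constructed sample telemetry (not the evaluation's data): process starts,
# file-modification events, and pre-existing alerts keyed by the alerted pid.
PROCESS_EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": 2, "pid": 200, "ppid": 100, "image": r"C:\Users\u\rcs.3aka3.doc", "cmdline": "rcs.3aka3.doc"},
    {"ts": 3, "pid": 300, "ppid": 200, "image": r"C:\Tools\Sdelete64.exe", "cmdline": "Sdelete64.exe Draft.zip"},
    {"ts": 4, "pid": 400, "ppid": 100, "image": r"C:\Tools\sdelete.exe", "cmdline": "sdelete.exe"},
    {"ts": 5, "pid": 500, "ppid": 200, "image": r"C:\Tools\sdelete64.exe", "cmdline": "sdelete64.exe rar.exe"},
]
FILE_EVENTS = [
    {"ts": 6, "pid": 300, "action": "write", "path": r"C:\Users\u\Draft.zip"},
    {"ts": 7, "pid": 300, "action": "delete", "path": r"C:\Users\u\Draft.zip"},
    {"ts": 8, "pid": 400, "action": "delete", "path": r"C:\Temp\notes.txt"},
    {"ts": 9, "pid": 500, "action": "delete", "path": r"C:\Users\u\rar.exe"},
]
PARENT_ALERTS = {200: "suspicious process rcs.3aka3.doc"}


def correlate(proc: Dict, by_pid: Dict[int, Dict], alerts: Dict[int, str], max_depth: int = 8) -> Optional[str]:
    """Walk ppid links upward and return the first alerted ancestor's alert text, if any."""
    cur = proc
    for _ in range(max_depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return None
        if cur["pid"] in alerts:
            return alerts[cur["pid"]]
    return None


def detect_secure_delete(procs: List[Dict], files: List[Dict], alerts: Dict[int, str]) -> List[Dict]:
    """Flag sdelete.exe/sdelete64.exe launched with arguments that then deletes a file.
    'overwritten' records whether the same process wrote to the file before deleting it."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        name = p["image"].rsplit("\\", 1)[-1].lower()
        has_args = len(p["cmdline"].split()) > 1
        if name not in ("sdelete.exe", "sdelete64.exe") or not has_args:
            continue  # a bare launch with no target is not the pattern
        mine = [f for f in files if f["pid"] == p["pid"]]
        first_write = {}
        for f in mine:
            if f["action"] == "write":
                first_write.setdefault(f["path"], f["ts"])
        for f in mine:
            if f["action"] == "delete":
                hits.append({"pid": p["pid"], "path": f["path"],
                             "overwritten": first_write.get(f["path"], f["ts"]) < f["ts"],
                             "parent_alert": correlate(p, by_pid, alerts)})
    return hits
```

Pid 400 is skipped because it has no arguments, pid 500 is flagged as a plain delete (the 9.C shape), and pid 300 is flagged with the write-then-delete shape of 4.B; both hits correlate to the alert on their ancestor pid 200.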