Carbanak+FIN7
|
The subtechnique was not in scope.
|
APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.B.4
|
|
|
Telemetry showed PowerShell creating OfficeSupplies.7z on a remote adversary WebDav network share (192.168.0.4). The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
An MSSP detection occurred containing evidence of OfficeSupplies.7z being copied over the network via WebDav to 192.168.0.4.
[1]
|
General
(Correlated, Alert)
|
A General alert detection (red indicator) called "File being written to remote path" was generated for the file OfficeSupplies.7z being written a WebDav share at 192.168.0.4. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)
[1]
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)
[1]
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)
[1]
APT3
|
The subtechnique was not in scope.
|