HanSight, APT29 (Enterprise) evaluation: Defense Evasion (TA0005)
| Step | ATT&CK Pattern |
| --- | --- |
| 1.A.2 | |
| 3.A.2 | |
| 3.C.1 | Technique: Modify Registry (T1112) |
| 4.A.3 | |
| 4.B.2 | Technique: Indicator Removal on Host (T1070); Sub-technique: Indicator Removal on Host: File Deletion (T1070.004) |
| 4.B.3 | Technique: Indicator Removal on Host (T1070); Sub-technique: Indicator Removal on Host: File Deletion (T1070.004) |
| 4.B.4 | Technique: Indicator Removal on Host (T1070); Sub-technique: Indicator Removal on Host: File Deletion (T1070.004) |
| 6.A.3 | Technique: Masquerading (T1036); Sub-technique: Masquerading: Match Legitimate Name or Location (T1036.005) |
| 8.B.2 | |
| 8.C.1 | |
| 9.C.1 | Technique: Indicator Removal on Host (T1070); Sub-technique: Indicator Removal on Host: File Deletion (T1070.004) |
| 9.C.2 | Technique: Indicator Removal on Host (T1070); Sub-technique: Indicator Removal on Host: File Deletion (T1070.004) |
| 9.C.3 | Technique: Indicator Removal on Host (T1070); Sub-technique: Indicator Removal on Host: File Deletion (T1070.004) |
| 9.C.4 | Technique: Indicator Removal on Host (T1070); Sub-technique: Indicator Removal on Host: File Deletion (T1070.004) |
| 10.B.3 | |
| 11.A.2 | |
| 11.A.3 | Technique: Virtualization/Sandbox Evasion (T1497); Sub-technique: Virtualization/Sandbox Evasion: System Checks (T1497.001) |
| 11.A.10 | |
| 12.A.2 | Technique: Indicator Removal on Host (T1070); Sub-technique: Indicator Removal on Host: Timestomp (T1070.006) |
| 14.A.3 | Technique: Modify Registry (T1112) |
| 14.B.5 | Technique: Obfuscated Files or Information (T1027) |
| 14.B.6 | |
| 17.C.2 | Technique: Obfuscated Files or Information (T1027) |
Step details (procedure performed, detection criteria, footnotes)

| Procedure | Criteria | Footnotes |
| --- | --- | --- |
| Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell | powershell.exe executing Expand-Archive | [1] |
| Deleted rcs.3aka3.doc on disk using SDelete | sdelete64.exe deleting the file rcs.3aka3.doc | [1] |
| Deleted Draft.zip on disk using SDelete | sdelete64.exe deleting the file draft.zip | [1] |
| Deleted SysinternalsSuite.zip on disk using SDelete | sdelete64.exe deleting the file SysinternalsSuite.zip | [1] |
| python.exe payload was packed with UPX | Evidence that the file python.exe is packed | |
| Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam | Successful logon as user Pam on Scranton (10.0.1.4) | [1] |
| Deleted rar.exe on disk using SDelete | sdelete64.exe deleting the file rar.exe | [1] |
| Deleted working.zip (from Desktop) on disk using SDelete | sdelete64.exe deleting the file \Desktop\working.zip | [1] |
| Deleted working.zip (from AppData directory) on disk using SDelete | sdelete64.exe deleting the file \AppData\Roaming\working.zip | [1] |
| Deleted SDelete on disk using cmd.exe del command | cmd.exe deleting the file sdelete64.exe | |
| Manipulated the token of the PowerShell payload via the CreateProcessWithToken API | hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API, OR powershell.exe executing with the stolen token of explorer.exe | |
| Executed an alternate data stream (ADS) using PowerShell | powershell.exe executing the schemas ADS via Get-Content and IEX | [1] |
| Decoded an embedded DLL payload to disk using certutil.exe | certutil.exe decoding kxwn.lock | [1] |

Footnotes
- [1] Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.