APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
4.B.2
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent grouping of malicious activity.
[1]
[2]
|
|
An MSSP detection for "T1107" occurred containing evidence of Sdelete (Secure Deletion) being used to remove the original *.3aka3.* RAT, Draft.zip, and SysinternalSuite.zip).
[1]
[2]
[3]
|
|
4.B.3
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent grouping of malicious activity.
[1]
[2]
|
|
An MSSP detection for "T1107" occurred containing evidence of Sdelete (Secure Deletion) being used to remove the original *.3aka3.* RAT, Draft.zip, and SysinternalSuite.zip).
[1]
[2]
[3]
|
|
4.B.4
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent grouping of malicious activity.
[1]
[2]
|
|
An MSSP detection for "T1107" occurred containing evidence of Sdelete (Secure Deletion) being used to remove the original *.3aka3.* RAT, Draft.zip, and SysinternalSuite.zip).
[1]
[2]
[3]
|
|
9.C.1
|
|
|
Telemetry showed a file deletion event for secure file delete deleting rar.exe. The detection was correlated to a parent grouping of malicious activity.
[1]
|
|
An MSSP detection for "sdelete" occurred containing evidence of sdelete being run to delete rar.exe, and working.zip.
[1]
|
|
9.C.2
|
|
|
Telemetry showed sdelete64.exe with command-line arguments to Desktop\working.zip. The detection was correlated to a parent grouping of malicious activity.
[1]
|
|
An MSSP detection for "sdelete" occurred containing evidence of sdelete being run to delete rar.exe, and working.zip.
[1]
|
|
9.C.3
|
|
|
An MSSP detection for "sdelete" occurred containing evidence of sdelete being run to delete rar.exe, and working.zip.
[1]
|
|
Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. The detection was correlated to a parent grouping of malicious activity.
[1]
|
|
9.C.4
|
|
|
Telemetry showed a file deletion event on "Windows Command Processor" deleting sdelete64.exe. The detection was correlated to a parent grouping of malicious activity.
[1]
|
|
An MSSP detection for "executing a deletion" occurred containing evidence of cmd.exe being run to delete sdelete64.exe.
[1]
|
|
12.A.2
|
|
Technique
(Correlated, Alert)
|
A Technique alert detection for "FileTimeCopied" was generated due to GetCreationTime API call targeting kxwn.lock. The detection was correlated to a parent grouping of malicious activity.
[1]
|
|
An MSSP detection for "T1099" occurred containing evidence of timestamp modifications of kxwn.lock.
[1]
[2]
|
|