Microsoft: Collection (TA0009)

ATT&CK Evaluations (Enterprise), participant results for Microsoft, filtered to the Collection tactic. Each table lists the evaluation step and the ATT&CK pattern scored for it; a blank pattern cell is blank on the page as well.
Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 2.B.4 | Screen Capture (T1113) |
| 5.B.5 | Data from Local System (T1005) |
| 5.B.6 | Data from Local System (T1005) |
| 9.A.4 | Screen Capture (T1113) |
| 9.A.5 | Data from Local System (T1005) |
| 13.B.4 | Screen Capture (T1113) |
| 18.A.2 | Screen Capture (T1113) |
APT29

| Step | ATT&CK Pattern |
|---|---|
| 2.A.2 | Automated Collection (T1119) |
| 2.A.3 | Data from Local System (T1005) |
| 2.A.4 | Archive Collected Data: Archive via Utility (T1560.001) |
| 2.A.5 | Archive Collected Data: Archive via Utility (T1560.001) |
| 7.A.1 | Screen Capture (T1113) |
| 7.A.2 | Clipboard Data (T1115) |
| 7.A.3 | |
| 7.B.1 | Data from Local System (T1005) |
| 7.B.2 | Archive Collected Data: Archive via Utility (T1560.001) |
| 7.B.3 | Archive Collected Data: Archive via Utility (T1560.001) |
| 9.B.3 | Automated Collection (T1119) |
| 9.B.4 | Data from Local System (T1005) |
| 9.B.5 | |
| 9.B.6 | Archive Collected Data: Archive via Utility (T1560.001) |
| 9.B.7 | Archive Collected Data: Archive via Utility (T1560.001) |
| 17.A.1 | Email Collection: Local Email Collection (T1114.001) |
| 17.B.1 | Data from Local System (T1005) |
| 17.B.2 | |
| 17.C.1 | Archive Collected Data: Archive via Utility (T1560.001) |
Procedures and detection criteria shown for APT29 (the page does not preserve which step each pair belongs to):

| Procedure | Criteria |
|---|---|
| Recursively collected files found in C:\Users\Pam\ using PowerShell | powershell.exe reading files in C:\Users\Pam\ |
| Captured user keystrokes using the GetAsyncKeyState API | powershell.exe executing the GetAsyncKeyState API |
| Read data in the user's Downloads directory using PowerShell | powershell.exe reading files in C:\Users\pam\Downloads\ |
| Recursively collected files found in C:\Users\Pam\ using PowerShell | powershell.exe reading files in C:\Users\Pam\ |
APT3

| Step | ATT&CK Pattern |
|---|---|
| 8.C.1.1 | |
| 9.B.1.1 | Data from Network Shared Drive (T1039) |
| 12.E.1.5 | Clipboard Data (T1115) |
| 15.A.1.1 | |
| 18.B.1.1 | |
| 18.B.1.2 | Data from Network Shared Drive (T1039) |
| 19.B.1.1 | Archive Collected Data: Archive via Utility (T1560.001) |
| 19.B.1.2 | Archive Collected Data: Archive via Utility (T1560.001) |
Procedures and footnotes shown for APT3:

Procedure: Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Footnotes:
- The vendor stated that Input Capture telemetry is captured but it was not immediately visible in the user portal. The vendor made changes to the portal during the test to enable the visibility of these events.
- Telemetry also showed cmd.exe injecting into explorer.exe to facilitate the keylogging, but this did not identify input capture specifically, so it was not counted as a detection.

Procedure: Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Footnotes:
- The vendor stated that by default WDATP monitored activities around all the most used document types (doc, xls, ppt, pdf, etc.) at the time of the evaluation. Subsequently, the vendor made changes to enable the visibility of .vsdx events by default, which is now available in WDATP.

Procedure: Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Footnotes:
- The vendor stated that Input Capture telemetry is captured but it was not immediately visible in the portal. The vendor made changes to the portal during the test to enable the visibility of these events by default.

Procedure: Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Footnotes:
- The vendor states that by default WDATP monitors activities around all the most used document types (doc, xls, ppt, pdf, etc.) at the time of the test.

Procedure: Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
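The criteria on this page ("powershell.exe reading files in C:\Users\Pam\", "powershell.exe executing the GetAsyncKeyState API") and the footnotes about document-type allowlists describe detection logic without showing it. The block below is an added example, not code from the page, from MITRE or from Microsoft: it runs checks of that shape over constructed endpoint telemetry. The event schema, the host name WS1, the read-count threshold and the DEFAULT_DOC_EXTS allowlist are assumptions; the user profile, share, host names and file names it reuses come from the procedures above. It also generalises the criteria slightly, counting reads per user profile rather than matching one literal path, and shows how a network-share file read disappears when the monitor only watches common document extensions.

```python
"""Added example: Collection detection criteria as checks over constructed
endpoint telemetry. Event schema, host WS1, threshold and the extension
allowlist are assumptions; none of this is WDATP or MITRE data."""
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Document types an allowlist-based file monitor might watch by default; the
# footnotes above list doc, xls, ppt and pdf and note that .vsdx was not covered.
DEFAULT_DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}


def ev(host, kind, process, path=None, api=None):
    """One constructed telemetry record (file_read, file_create or api_call)."""
    return {"host": host, "type": kind, "process": process, "path": path, "api": api}


# Constructed sample telemetry, assumed to be in time order. WS1 is an assumed
# host; the other names and paths are taken from the procedures above.
EVENTS = [
    ev("WS1", "file_read", "powershell.exe", r"C:\Users\Pam\Documents\budget.xlsx"),
    ev("WS1", "file_read", "powershell.exe", r"C:\Users\Pam\Desktop\notes.txt"),
    ev("WS1", "file_read", "powershell.exe", r"C:\Users\pam\Downloads\report.pdf"),
    ev("WS1", "file_read", "explorer.exe", r"C:\Users\Pam\Desktop\notes.txt"),  # benign
    ev("WS1", "api_call", "powershell.exe", api="GetAsyncKeyState"),
    ev("CodeRed", "file_read", "powershell.exe", r"\\Conficker\Wormshare\Shockwave_network.vsdx"),
    ev("CodeRed", "file_read", "powershell.exe", r"\\Conficker\Wormshare\plan.docx"),
    ev("CodeRed", "file_create", "powershell.exe", r"C:\$Recycle.Bin\Shockwave_network.vsdx"),
    ev("CodeRed", "file_create", "recycler.exe", r"C:\$Recycle.Bin\old.rar"),
]


def powershell_profile_reads(events, threshold=3):
    """Criteria 'powershell.exe reading files in C:\\Users\\<user>\\'.

    Counts reads per (host, profile) and reports those at or above threshold,
    so one read of one file is not enough. Paths are compared case-insensitively
    because on Windows Pam and pam are the same profile."""
    per_profile = Counter()
    for e in events:
        if e["type"] != "file_read" or e["process"].lower() != "powershell.exe":
            continue
        parts = PureWindowsPath(e["path"]).parts  # ('C:\\', 'Users', 'Pam', ...)
        if len(parts) >= 4 and parts[1].lower() == "users":
            per_profile[(e["host"], parts[2].lower())] += 1
    return {k: n for k, n in per_profile.items() if n >= threshold}


def keylogger_api_calls(events):
    """Criteria 'powershell.exe executing the GetAsyncKeyState API'.

    Needs API-level telemetry; process and file events alone cannot see it,
    which is why the footnotes do not count injection alone as input capture."""
    return [(e["host"], e["process"]) for e in events
            if e["type"] == "api_call" and e["api"] == "GetAsyncKeyState"
            and e["process"].lower() == "powershell.exe"]


def share_file_reads(events, watched_exts=None):
    """T1039-style check: a process reading a file over a UNC path.

    watched_exts=None watches every extension. Passing DEFAULT_DOC_EXTS
    reproduces the allowlist blind spot from the footnotes: the .vsdx read
    is dropped while the .docx read is kept."""
    hits = []
    for e in events:
        if e["type"] != "file_read" or not e["path"].startswith("\\\\"):
            continue
        ext = PureWindowsPath(e["path"]).suffix.lower()
        if watched_exts is None or ext in watched_exts:
            hits.append((e["host"], e["process"], e["path"]))
    return hits


def archive_after_staging(events):
    """T1560.001-style check: an archive written into a directory on the same
    host where a non-archive file was created earlier (here C:\\$Recycle.Bin)."""
    staged_dirs = defaultdict(set)
    hits = []
    for e in events:
        if e["type"] != "file_create":
            continue
        p = PureWindowsPath(e["path"])
        directory = str(p.parent).lower()
        if p.suffix.lower() in ARCHIVE_EXTS:
            if directory in staged_dirs[e["host"]]:
                hits.append((e["host"], e["process"], e["path"]))
        else:
            staged_dirs[e["host"]].add(directory)
    return hits


def run(events):
    """Return every finding, keyed by the criteria it came from."""
    return {
        "profile_reads": powershell_profile_reads(events),
        "keylogger_api": keylogger_api_calls(events),
        "share_reads_all_exts": share_file_reads(events),
        "share_reads_allowlist": share_file_reads(events, DEFAULT_DOC_EXTS),
        "archive_after_staging": archive_after_staging(events),
    }


if __name__ == "__main__":
    for name, finding in run(EVENTS).items():
        print(f"{name}: {finding}")
```

Two design points carry over to real telemetry. The profile-read check lowercases the path before comparing, because the criteria on this page spell the same profile as both `C:\Users\Pam\` and `C:\Users\pam\`, and a case-sensitive rule would split one activity into two. The share-read check takes the watched-extension set as a parameter precisely so the blind spot in the footnotes can be tested: run it once with `None` and once with the allowlist, and any file type that appears only in the first result is invisible to the allowlisted monitor.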