Participant: SentinelOne (Enterprise)
Exfiltration Over Alternative Protocol (T1048)
See technique results for:
Carbanak+FIN7
The technique was not in scope.

APT29
Step: 7.B.4
Procedure
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria
PowerShell executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)
Footnotes
- A UX Configuration Change was made to bring PowerShell script block logs into the user interface.


APT3
Step: 19.C.1
ATT&CK Pattern: Tactic Exfiltration (TA0010)