Cybereason: Exfiltration (TA0010)
Carbanak+FIN7

Step | ATT&CK Pattern |
2.B.5 | |
13.B.5 | |
20.B.4 | Technique: Archive Collected Data (T1560); Subtechnique: Archive Collected Data: Archive via Utility (T1560.001) |
20.B.5 | |

APT29

Step | ATT&CK Pattern |
2.B.1 | |
7.B.4 | |
18.A.2 | |

APT3

Step | ATT&CK Pattern |
9.B.1.2 | |
19.C.1 | |

Procedure
Empire: A sequence of 'echo' commands run via PowerShell populates a text file (ftp.txt) with commands, which FTP then executes to exfiltrate data over a network connection separate from the existing C2 channel
Footnotes
- The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.