APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
4.B.2
|
|
Technique
(Correlated, Alert)
|
A Technique alert detection (red indicator) was generated due to sdelete64.exe deleting rcs.3aka3.doc. The detection was correlated to a parent alert for User Execution of rcs.3aka3.doc.
[1]
|
|
4.B.3
|
|
Technique
(Alert, Correlated)
|
A Technique alert detection (red indicator) was generated due to sdelete64.exe deleting Draft.Zip. The detection was correlated to a parent alert for User Execution of rcs.3aka3.doc.
[1]
|
|
4.B.4
|
|
|
An MSSP detection for "File Deletion" was received that included a PowerShell script and explained that it was used to execute sdelete64.exe to delete SysInternalsSuite.zip.
[1]
|
Technique
(Alert, Correlated)
|
A Technique alert detection (yellow indicator) was generated due to sdelete64.exe deleting SysinternalsSuite.zip. The detection was correlated to a parent alert for User Execution of rcs.3aka3.doc.
[1]
|
|
9.C.1
|
|
Technique
(Alert, Correlated)
|
A Technique alert detection (yellow indicator) for "File Deletion T1107" was generated when sdelete64.exe with command-line arguments was used to delete rar.exe. The event was correlated to a parent Technique detection for Service Execution of python.exe by PSEXECSVC.exe.
[1]
|
|
An MSSP detection for "File Deletion" was received that described the adversary using sdelete64.exe to remove evidence of exfiltration.
[1]
|
|
9.C.2
|
|
Technique
(Alert, Correlated)
|
A Technique alert detection (yellow indicator) for "File Deletion T1107" was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip. The event was correlated to a parent Technique detection for Service Execution of python.exe by PSEXECSVC.exe.
[1]
|
|
An MSSP detection for "File Deletion" was received that described the adversary using sdelete64.exe to remove evidence of exfiltration, including C:\Users\pam\Desktop\working.zip.
[1]
|
|
9.C.3
|
|
Technique
(Correlated, Alert)
|
A Technique alert detection (yellow indicator) for "File Deletion T1107" was generated when sdelete64.exe with command-line arguments was used to delete Roaming\working.zip. The event was correlated to a parent Technique detection for Service Execution of python.exe by PSEXECSVC.exe.
[1]
|
|
An MSSP detection for "File Deletion" was received that described the adversary using sdelete64.exe to remove evidence of exfiltration.
[1]
|
|
9.C.4
|
|
|
Minimum detection criteria was not met for this procedure.
|
|
12.A.2
|
|
|
A Technique alert detection (purple icon) for "Timestomp" was generated when the kxwn.lock was created with falsified creation, last access, and last write times.
[1]
|
|
An MSSP detection for "Timestomp" occured that noted modified timestamp of kxwn.lock.
[1]
|
|