Home >
Enterprise >
Participants >
Secureworks >
Defense Evasion (TA0005)
|
|
APT29 |
||||||||
Step | ATT&CK Pattern |
|
||||||
1.A.2
|
|
|||||||
3.A.2
|
|
|||||||
3.C.1
|
Technique Modify Registry (T1112) |
|
||||||
4.A.3
|
|
|||||||
4.B.2
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
4.B.3
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
4.B.4
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
6.A.3
|
Technique Masquerading (T1036) Subtechnique Masquerading: Match Legitimate Name or Location (T1036.005) |
|
||||||
8.B.2
|
|
|||||||
8.C.1
|
|
|||||||
9.C.1
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
9.C.2
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
9.C.3
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
9.C.4
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: File Deletion (T1070.004) |
|
||||||
10.B.3
|
|
|||||||
11.A.2
|
|
|||||||
11.A.3
|
Technique Virtualization/Sandbox Evasion (T1497) Subtechnique Virtualization/Sandbox Evasion: System Checks (T1497.001) |
|
||||||
11.A.10
|
|
|||||||
12.A.2
|
Technique Indicator Removal on Host (T1070) Subtechnique Indicator Removal on Host: Timestomp (T1070.006) |
|
||||||
14.A.3
|
Technique Modify Registry (T1112) |
|
||||||
14.B.5
|
Technique Obfuscated Files or Information (T1027) |
|
||||||
14.B.6
|
|
|||||||
17.C.2
|
Technique Obfuscated Files or Information (T1027) |
|
Procedure
Deleted rcs.3aka3.doc on disk using SDelete
Criteria
sdelete64.exe deleting the file rcs.3aka3.doc
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted Draft.zip on disk using SDelete
Criteria
sdelete64.exe deleting the file draft.zip
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted SysinternalsSuite.zip on disk using SDelete
Criteria
sdelete64.exe deleting the file SysinternalsSuite.zip
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted working.zip (from Desktop) on disk using SDelete
Criteria
sdelete64.exe deleting the file \Desktop\working.zip
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted working.zip (from AppData directory) on disk using SDelete
Criteria
sdelete64.exe deleting the file \AppData\Roaming\working.zip
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted SDelete on disk using cmd.exe del command
Criteria
cmd.exe deleting the file sdelete64.exe
Procedure
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe