Carbanak+FIN7: The technique was not in scope.

APT29: The technique was not in scope.

APT3:

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 9.B.1.1 | | | Telemetry showed remote file access behavior for the .vsdx file from the network shared drive. [1] |
| 18.B.1.2 | | | Telemetry showed the .vsdx file copied from a network shared drive on Conficker. The activity seen during the lateral movement step tainted the telemetry because it was associated with the same story (Group ID). [1] |
- Cobalt Strike: built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5). [1]
- Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5). [1]