Home >
Enterprise >
Participants >
CrowdStrike >
Exfiltration (TA0010)
|
|
Carbanak+FIN7 |
||||||
Step | ATT&CK Pattern |
|
||||
2.B.5
|
|
|||||
13.B.5
|
|
|||||
20.B.4
|
Technique Archive Collected Data (T1560) Subtechnique Archive Collected Data: Archive via Utility (T1560.001) |
|
||||
20.B.5
|
|
APT29 |
||||||
Step | ATT&CK Pattern |
|
||||
2.B.1
|
|
|||||
7.B.4
|
|
|||||
18.A.2
|
|
Procedure
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria
powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)
Footnotes
- All activity associated with an alert is grouped and correlated via the relevant detection tree.


[2]


Procedure
Exfiltrated staged collection to an online OneDrive account using PowerShell
Criteria
powershell.exe executing Copy-Item pointing to drive mapped to an attack-controlled OneDrive account
Footnotes
- All activity associated with an alert is grouped and correlated via the relevant detection tree.


APT3 |
||||||||
Step | ATT&CK Pattern |
|
||||||
9.B.1.2
|
|
|||||||
19.C.1
|
|
Procedure
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel
Footnotes
- OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Procedure
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel
Footnotes
- OverWatch is the managed threat hunting service.
Procedure
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel
Footnotes
- For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.