APT29
| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 4.B.2 | | Telemetry | Telemetry showed sdelete.exe running with command-line arguments and subsequently writing to and deleting the file. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2] |
| 4.B.2 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting rcs.3aka3.doc. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
| 4.B.2 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called "File Deletion - sdelete execution" was generated due to Sdelete64.exe deleting rcs.3aka3.doc. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
| 4.B.3 | | Telemetry | Telemetry showed sdelete.exe running with command-line arguments and subsequently writing to and deleting the file. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2] |
| 4.B.3 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called "File Deletion - sdelete execution" was generated due to Sdelete64.exe deleting Draft.zip. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
| 4.B.3 | | Technique (Alert, Correlated) | A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting Draft.zip. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
| 4.B.4 | | Telemetry | Telemetry showed sdelete.exe running with command-line arguments and subsequently writing to and deleting the file. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2] |
| 4.B.4 | | MSSP | An MSSP detection was generated for the deletion of SysinternalsSuite.zip. [1] |
| 4.B.4 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called "File Deletion - sdelete execution" was generated due to Sdelete64.exe deleting SysinternalsSuite.zip. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
| 4.B.4 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting SysinternalsSuite.zip. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] |
| 9.C.1 | | Telemetry | Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2] |
| 9.C.1 | | General (Alert, Correlated) | A General alert detection (red indicator) for potential malware was generated for cmd.exe running multiple commands on behalf of python.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2] |
| 9.C.1 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting Rar.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] |
| 9.C.1 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called "File Deletion" was generated when sdelete64.exe with command-line arguments was used to delete Rar.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] |
| 9.C.2 | | Telemetry | Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2] |
| 9.C.2 | | General (Correlated, Alert) | A General alert detection (red indicator) for potential malware was generated for cmd.exe running multiple commands on behalf of python.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2] |
| 9.C.2 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting Desktop\working.zip. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] |
| 9.C.2 | | Technique (Correlated, Alert) | A Technique alert detection (red indicator) called "File Deletion" was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] |
| 9.C.3 | | Telemetry | Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2] |
| 9.C.3 | | General (Alert, Correlated) | A General alert detection (red indicator) for potential malware was generated for cmd.exe running multiple commands on behalf of python.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2] |
| 9.C.4 | | Telemetry | Telemetry showed cmd.exe deleting sdelete64.exe, together with a filemod (delete) event. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] |
| 9.C.4 | | General (Correlated, Alert) | A General alert detection (red indicator) for potential malware was generated for cmd.exe running multiple commands on behalf of python.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2] |