APT29

| Step | Procedure | Criteria | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|---|---|
| 2.A.4 | Compressed and stored files into ZIP (Draft.zip) using PowerShell | powershell.exe executing Compress-Archive | | Technique (Configuration Change (Detections), Alert) | A Technique alert detection (green indicator; low severity) called Data Compressed was generated due to the creation of Draft.Zip by powershell.exe. Additional PowerShell logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1] |
| 2.A.4 | Compressed and stored files into ZIP (Draft.zip) using PowerShell | powershell.exe executing Compress-Archive | | | An MSSP detection contained evidence of draft.zip being created and compressed by PowerShell. [1] |
| 2.A.5 | Staged files for exfiltration into ZIP (Draft.zip) using PowerShell | powershell.exe creating the file draft.zip | | | Telemetry showed the creation of Draft.Zip. The event was correlated to a parent Technique detection for a suspicious PowerShell process. [1] |
| 2.A.5 | Staged files for exfiltration into ZIP (Draft.zip) using PowerShell | powershell.exe creating the file draft.zip | | | An MSSP detection contained evidence of the creation of Draft.Zip by powershell.exe. [1] |
| 7.B.2 | Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell | powershell.exe creating the file OfficeSupplies.7z | | | Telemetry showed the file write event for OfficeSupplies.7z. The detection was correlated to a parent alert for suspicious PowerShell. [1] |
| 7.B.2 | Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell | powershell.exe creating the file OfficeSupplies.7z | | | An MSSP detection occurred containing evidence of the file create of OfficeSupplies.7z. [1] |
| 7.B.3 | Encrypted data from the user's Downloads directory using PowerShell | powershell.exe executing Compress-7Zip with the password argument used for encryption | | None (Host Interrogation, Delayed (Manual)) | Minimum detection criteria were not met for this procedure. [1] |
| 9.B.6 | Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe | powershell.exe executing rar.exe with the -a parameter for a password to use for encryption | | Technique (Correlated, Alert) | A Technique alert detection (green; low severity) called Data Encrypted was generated due to powershell.exe executing rar.exe with command-line arguments to encrypt working.zip. The event was correlated to a parent Technique detection on powershell.exe. [1] |
| 9.B.6 | Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe | powershell.exe executing rar.exe with the -a parameter for a password to use for encryption | | | An MSSP detection contained evidence of execution of rar.exe with command-line arguments to encrypt working.zip. [1] |
| 9.B.7 | Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe | powershell.exe executing rar.exe | | | A Technique alert detection (green; low severity) called "T1002_Data_Compressed" was generated due to powershell.exe executing rar.exe with command-line arguments indicative of compression. [1] |
| 9.B.7 | Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe | powershell.exe executing rar.exe | | | An MSSP detection contained evidence of execution of rar.exe with command-line arguments to compress working.zip. [1] |
| 17.C.1 | Compressed a staging directory using PowerShell | powershell.exe executing the ZipFile.CreateFromDirectory .NET method | | | An MSSP detection occurred containing evidence of data compression. [1] |
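The Criteria column above amounts to a small set of process and file-create rules: PowerShell invoking Compress-Archive, Compress-7Zip or the ZipFile.CreateFromDirectory .NET method, PowerShell writing an archive file, and rar.exe launched from PowerShell with or without a password switch. The following Python is an added example, not the vendor's or MITRE's detection logic, that expresses those criteria over constructed Sysmon-style events (EventID 1 process create, EventID 11 file create). The event field names, the Compress-7Zip `-Password` parameter and the sample command lines are assumptions made for this example; rar's documented password switches are `-p` and `-hp`, and the bare `-a` named in the table's criteria is matched as well.

```python
"""Evaluate the compression/encryption detection criteria from the table above
over constructed process-create and file-create events (example code)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    name: str      # "Data Compressed", "Data Encrypted" or "Archive Written"
    level: str     # "technique" (alert-worthy) or "telemetry" (raw evidence)
    evidence: str  # the command line or file path that triggered it


ARCHIVE_EXTENSIONS = (".zip", ".7z", ".rar")

# PowerShell command fragments the table's criteria name as compression.
POWERSHELL_COMPRESSION = ("compress-archive", "createfromdirectory", "compress-7zip")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _rar_has_password_switch(command_line: str) -> bool:
    """-p<pwd> and -hp<pwd> are rar's documented password switches; the bare -a
    is included because the evaluation criteria above name it."""
    for token in command_line.split():
        t = token.lower()
        if t.startswith("-hp") or t.startswith("-p") or t == "-a":
            return True
    return False


def inspect_process(event: dict) -> list:
    """Criteria for EventID 1 (process create) rows of the table."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    cmd_l = cmd.lower()
    found = []
    if image == "powershell.exe":
        if any(frag in cmd_l for frag in POWERSHELL_COMPRESSION):
            found.append(Detection("Data Compressed", "technique", cmd))
        # Compress-7Zip with a password argument (assumed -Password) is step 7.B.3.
        if "compress-7zip" in cmd_l and "-password" in cmd_l:
            found.append(Detection("Data Encrypted", "technique", cmd))
    elif image == "rar.exe" and parent == "powershell.exe":
        # Steps 9.B.7 (compress) and 9.B.6 (encrypt) come from one rar.exe launch.
        found.append(Detection("Data Compressed", "technique", cmd))
        if _rar_has_password_switch(cmd):
            found.append(Detection("Data Encrypted", "technique", cmd))
    return found


def inspect_file_create(event: dict) -> list:
    """Criteria for EventID 11 (file create) rows: PowerShell writing an archive."""
    image = _basename(event.get("Image", ""))
    target = event.get("TargetFilename", "")
    if image == "powershell.exe" and target.lower().endswith(ARCHIVE_EXTENSIONS):
        return [Detection("Archive Written", "telemetry", target)]
    return []


def run_detections(events) -> list:
    out = []
    for ev in events:
        if ev.get("EventID") == 1:
            out.extend(inspect_process(ev))
        elif ev.get("EventID") == 11:
            out.extend(inspect_file_create(ev))
    return out


def summarize(detections) -> dict:
    return dict(Counter(d.name for d in detections))


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample events mirroring the table's steps (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe Compress-Archive -Path C:\\Users\\u\\docs -DestinationPath Draft.zip"},
    {"EventID": 11, "Image": PS, "TargetFilename": "C:\\Users\\u\\Draft.zip"},
    {"EventID": 11, "Image": PS, "TargetFilename": "C:\\Users\\u\\OfficeSupplies.7z"},
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe Compress-7Zip -Path C:\\Users\\u\\Downloads -ArchiveFileName OfficeSupplies.7z -Password example"},
    {"EventID": 1, "Image": "C:\\Tools\\rar.exe", "ParentImage": PS,
     "CommandLine": "rar.exe a -hpexample C:\\Users\\u\\Desktop\\working.zip C:\\Users\\u\\AppData\\working.zip"},
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe [IO.Compression.ZipFile]::CreateFromDirectory('C:\\staging', 'C:\\out.zip')"},
    {"EventID": 1, "Image": "C:\\Windows\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for d in run_detections(SAMPLE_EVENTS):
        print(f"{d.level:9} {d.name:16} {d.evidence}")
    print(summarize(run_detections(SAMPLE_EVENTS)))
```

The split between "technique" and "telemetry" levels reflects the table: the file-create events on their own are only telemetry and become useful once correlated to the parent PowerShell detection, which is what the evaluation notes describe for steps 2.A.5 and 7.B.2.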