APT29
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
7.B.4
|
|
|
Telemetry showed PoweShell Copy-Item to remote a remote adversary WebDav network share (192.168.0.4).
[1]
[2]
[3]
|
|
An MSSP detection for "Exfiltration - Exfiltration Over Alternative Protocol" occurred containing evidence of PoweShell Copy-Item to remote WebDav network share (192.168.0.4:80).
[1]
|
|
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)
[1]
[2]
[3]
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)
[1]