ReaQta: Ingress Tool Transfer (T1105)

Carbanak+FIN7

| Step | ATT&CK Pattern |
|---|---|
| 2.B.1 | Tactic: Command and Control (TA0011) |
| 3.B.1 | Tactic: Command and Control (TA0011) |
| 4.B.1 | Tactic: Command and Control (TA0011) |
| 4.B.2 | Tactic: Command and Control (TA0011) |
| 5.A.1 | Tactic: Command and Control (TA0011) |
| 5.A.2 | Tactic: Command and Control (TA0011) |
| 5.A.3 | Tactic: Command and Control (TA0011) |
| 5.A.4 | Tactic: Command and Control (TA0011) |
| 5.A.5 | Tactic: Command and Control (TA0011) |
| 7.A.1 | Tactic: Command and Control (TA0011) |
| 7.C.1 | Tactic: Command and Control (TA0011) |
| 7.C.3 | Tactic: Command and Control (TA0011) |
| 9.A.1 | Tactic: Command and Control (TA0011) |
| 9.B.1 | Tactic: Command and Control (TA0011) |
| 10.A.1 | Tactic: Command and Control (TA0011) |
| 10.A.2 | Tactic: Command and Control (TA0011) |
| 12.B.1 | Tactic: Command and Control (TA0011) |
| 13.B.1 | Tactic: Command and Control (TA0011) |
| 15.A.2 | Tactic: Command and Control (TA0011) |
| 15.A.3 | Tactic: Command and Control (TA0011) |
| 16.A.1 | Tactic: Command and Control (TA0011) |
| 16.A.2 | Tactic: Command and Control (TA0011) |
| 17.A.1 | Tactic: Command and Control (TA0011) |
| 19.B.3 | Tactic: Command and Control (TA0011) |
| 19.B.4 | Tactic: Command and Control (TA0011) |
| 20.B.1 | Tactic: Command and Control (TA0011) |
| 20.B.3 | Tactic: Command and Control (TA0011) |

APT29

| Step | ATT&CK Pattern |
|---|---|
| 3.A.1 | Tactic: Command and Control (TA0011) |
| 4.A.1 | Tactic: Command and Control (TA0011) |
| 8.B.1 | Tactic: Command and Control (TA0011) |
| 9.A.1 | Tactic: Command and Control (TA0011) |
| 9.A.2 | Tactic: Command and Control (TA0011) |
| 14.B.3 | Tactic: Command and Control (TA0011) |

Procedure
Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria
The file python.exe created on Scranton (10.0.1.4)
Procedure
Downloaded and dropped Mimikatz (m.exe) to disk
Criteria
powershell.exe downloading and/or the file write of m.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.