Defense Evasion (TA0005)

APT3

Step | ATT&CK Pattern
3.A.1.2 |
5.B.1 |
16.C.1 |
16.I.1.2 |
17.B.1 |
17.B.2 |
19.A.1.1 | Technique: Masquerading (T1036)
19.B.1.3 | Technique: Masquerading (T1036)
19.D.1 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
19.D.2 | Technique: Indicator Removal on Host (T1070); Subtechnique: Indicator Removal on Host: File Deletion (T1070.004)
Procedure
Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify the current process token.

Procedure
Empire: File dropped to disk is a renamed copy of the WinRAR binary.
Footnotes
- Telemetry later identified recycler.exe as WinRAR during execution; no detections identified it as WinRAR upon file copy.

Procedure
Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary.
Footnotes
- Vendor stated that alert logic exists for many files being accessed in a short period of time, which was not triggered in the evaluation because only one file was accessed.
- Vendor stated that the file hash is also available and could be used with sources such as VirusTotal to identify the binary. YARA is also supported, and rules could be created to identify WinRAR.

