APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 4.B.2 | | | Telemetry showed sdelete.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for malicious file execution. [1] |
| 4.B.3 | | | Telemetry showed sdelete.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for malicious file execution. [1] |
| 4.B.4 | | | Telemetry showed sdelete.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for malicious file execution. [1] |
| 9.C.1 | | Technique (Configuration Change (Detections), Alert, Correlated) | A Technique alert detection (high severity) for "ATT&CK T1107 File Deletion" was generated when sdelete64.exe made a NtSetInformationFile API call deleting rar.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1] |
| 9.C.1 | | | Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1] |
| 9.C.2 | | | Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. [1] |
| 9.C.3 | | | Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1] |
| 9.C.3 | | Technique (Alert, Configuration Change (Detections), Correlated) | A Technique alert detection (high severity) for "ATT&CK T1107 File Deletion" was generated when sdelete64.exe made a NtSetInformationFile API call deleting Roaming\working.zip. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1] |
| 9.C.4 | | | Telemetry showed cmd.exe deleting sdelete64.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1] |
| 9.C.4 | | Technique (Alert, Correlated) | A Technique alert detection for "ATT&CK T1107 File Deletion" was generated when cmd.exe deleted sdelete64.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1] |
| 12.A.2 | | | Telemetry showed the modification of the timestamp of kxwn.lock, as well as the contents of the timestomp function. The event was correlated to a parent General detection for a suspicious Windows script. [1] [2] |
| 12.A.2 | | Technique (Alert, Correlated) | A Technique alert detection (low severity) for "Timestomping" was generated for the modification of the timestamp of kxwn.lock. The event was correlated to a parent General detection for a suspicious Windows script. [1] |
| 12.A.2 | | Technique (Correlated, Alert) | A Technique alert detection (medium severity) for "ATT&CK T1099 Timestomp" was generated for PowerShell calling the NtSetInformationFile API. The event was correlated to a parent General detection for a suspicious Windows script. [1] |
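The table above records two detection ideas: file deletion is visible either from the process command line (sdelete.exe, sdelete64.exe, or cmd.exe deleting a file) or from an NtSetInformationFile call, and timestomping is visible from the same API changing file times; in both cases the vendor correlated the hit back to a parent alert through the process tree. The following Python is an added example, not code from the evaluation or from any vendor's product, that runs those rules over constructed endpoint telemetry. All events, process IDs, paths and alert names in it are constructed sample data, and the event field names (`type`, `image`, `cmdline`, `api`, `info_class`) are an assumed normalised schema rather than any real sensor's format.

```python
"""Toy detection pass over constructed endpoint telemetry (added example).

Rules implemented:
  * File Deletion via sdelete/sdelete64 command line, or cmd.exe "del"
  * Timestomp via NtSetInformationFile with FileBasicInformation
Each hit is correlated to a parent alert by walking the ppid chain.
"""
from __future__ import annotations
from dataclasses import dataclass
import re

# Constructed alerts keyed by pid, standing in for earlier detections
# (the "parent alert" the table's notes correlate to).
SAMPLE_ALERTS = {
    300: "Technique: creation of psexesvc.exe",
    500: "General: suspicious Windows script",
}

# Constructed telemetry in an assumed normalised schema.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 300, "ppid": 100,
     "image": r"C:\Windows\psexesvc.exe", "cmdline": "psexesvc.exe"},
    {"type": "process_create", "pid": 310, "ppid": 300,
     "image": r"C:\Windows\Temp\sdelete64.exe",
     "cmdline": r"sdelete64.exe -p 1 C:\Users\user\AppData\Roaming\working.zip"},
    {"type": "process_create", "pid": 320, "ppid": 300,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /q C:\Windows\Temp\sdelete64.exe"},
    {"type": "process_create", "pid": 330, "ppid": 100,  # benign
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "process_create", "pid": 500, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File script.ps1"},
    {"type": "api_call", "pid": 500, "image": "powershell.exe",
     "api": "NtSetInformationFile", "info_class": "FileBasicInformation",
     "path": r"C:\Users\user\AppData\Roaming\kxwn.lock"},
    {"type": "api_call", "pid": 330, "image": "notepad.exe",  # benign
     "api": "NtSetInformationFile", "info_class": "FileEndOfFileInformation",
     "path": r"C:\Users\user\notes.txt"},
]

SDELETE_RE = re.compile(r"(^|\\)sdelete(64)?\.exe$", re.IGNORECASE)
# "del [/switches] <target>" inside a cmd.exe command line
CMD_DEL_RE = re.compile(r"\bdel\b\s+(?:/\S+\s+)*\"?([^\"\s]+)", re.IGNORECASE)


@dataclass
class Detection:
    rule: str
    severity: str
    pid: int
    detail: str
    correlated_to: str | None = None


def parent_alert_for(pid: int, ppid_of: dict, alerts: dict) -> str | None:
    """Walk up the process tree until a pid with an existing alert is found."""
    cur, seen = pid, set()
    while cur is not None and cur not in seen:
        if cur in alerts:
            return alerts[cur]
        seen.add(cur)
        cur = ppid_of.get(cur)
    return None


def detect(events: list, alerts: dict) -> list:
    ppid_of = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    found = []
    for e in events:
        if e["type"] == "process_create":
            image, cmd = e["image"], e["cmdline"]
            parts = cmd.split()
            if SDELETE_RE.search(image) and len(parts) > 1:
                # sdelete takes the target as its last argument
                found.append(Detection("File Deletion (sdelete)", "high", e["pid"],
                                       f"{image} deleted {parts[-1]}"))
            elif image.lower().endswith("cmd.exe"):
                m = CMD_DEL_RE.search(cmd)
                if m:
                    found.append(Detection("File Deletion (cmd del)", "medium", e["pid"],
                                           f"cmd.exe deleted {m.group(1)}"))
        elif e["type"] == "api_call" and e["api"] == "NtSetInformationFile":
            # FileBasicInformation carries the file times; other info classes are not timestomping
            if e.get("info_class") == "FileBasicInformation":
                found.append(Detection("Timestomp", "medium", e["pid"],
                                       f"{e['image']} set file times on {e['path']}"))
    for d in found:
        d.correlated_to = parent_alert_for(d.pid, ppid_of, alerts)
    return found


def run_sample() -> list:
    return detect(SAMPLE_EVENTS, SAMPLE_ALERTS)


if __name__ == "__main__":
    for d in run_sample():
        print(f"[{d.severity}] {d.rule}: {d.detail} (correlated to: {d.correlated_to})")
```

The correlation step is what turns three isolated hits into one incident: the sdelete64 and cmd.exe deletions both chain to the psexesvc.exe alert, while the timestomp chains to the PowerShell script alert, mirroring the "correlated to a parent detection" wording in the table. The benign notepad.exe process and its non-timestamp NtSetInformationFile call produce nothing.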