Carbanak+FIN7

The technique was not in scope.
APT29

Step | ATT&CK Pattern | Detection Type | Detection Note
7.B.4 | Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell (powershell executing Copy-Item pointing to an attacker-controlled WebDAV network share, 192.168.0.4:80) | General (Alert, Configuration Change (Detections)) | A General alert detection (low severity) was generated due to rundll32.exe connecting to 192.168.0.4 via WebDAV. [1]

[1] The vendor added a new detection for the technique.
APT3

Step | ATT&CK Pattern | Detection Type | Detection Note
19.C.1 | Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel | | The capability enriched powershell.exe executing ftp.exe with the correct ATT&CK Tactic (Exfiltration) and Technique (Exfiltration Over Alternative Protocol) and a suspicious indicator that a connection was made to a remote server via the FTP protocol.
19.C.1 | Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel | | Telemetry showed powershell.exe executing ftp.exe, which made an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21. The telemetry was tainted by a trace detection on cmd.exe.