FireEye: Collection (TA0009)

Carbanak+FIN7

| Step | ATT&CK Pattern |
| --- | --- |
| 2.B.4 | Technique: Screen Capture (T1113) |
| 5.B.5 | Technique: Data from Local System (T1005) |
| 5.B.6 | Technique: Data from Local System (T1005) |
| 9.A.4 | Technique: Screen Capture (T1113) |
| 9.A.5 | Technique: Data from Local System (T1005) |
| 13.B.4 | Technique: Screen Capture (T1113) |
| 18.A.2 | Technique: Screen Capture (T1113) |

Criteria: explorer.exe reads C:\Users\jsmith\AppData\Local\Temp\Klog2.txt over to 192.168.0.4
Data Sources:
- Network Monitoring

APT29

| Step | ATT&CK Pattern |
| --- | --- |
| 2.A.2 | Technique: Automated Collection (T1119) |
| 2.A.3 | Technique: Data from Local System (T1005) |
| 2.A.4 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
| 2.A.5 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
| 7.A.1 | Technique: Screen Capture (T1113) |
| 7.A.2 | Technique: Clipboard Data (T1115) |
| 7.A.3 | |
| 7.B.1 | Technique: Data from Local System (T1005) |
| 7.B.2 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
| 7.B.3 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
| 9.B.3 | Technique: Automated Collection (T1119) |
| 9.B.4 | Technique: Data from Local System (T1005) |
| 9.B.5 | |
| 9.B.6 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
| 9.B.7 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
| 17.A.1 | Technique: Email Collection (T1114); Sub-technique: Email Collection: Local Email Collection (T1114.001) |
| 17.B.1 | Technique: Data from Local System (T1005) |
| 17.B.2 | |
| 17.C.1 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |

Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\

Procedure: Captured and saved screenshots using PowerShell
Criteria: powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Footnotes:
- The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure: Read data in the user's Downloads directory using PowerShell
Criteria: powershell.exe reading files in C:\Users\pam\Downloads\

Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\

Procedure: Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
Criteria: powershell.exe creating the file working.zip
Footnotes:
- The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure: Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Read and collected a local file using PowerShell
Criteria: powershell.exe reading the file MITRE-ATTACK-EVALS.HTML

APT3

| Step | ATT&CK Pattern |
| --- | --- |
| 8.C.1.1 | |
| 9.B.1.1 | Technique: Data from Network Shared Drive (T1039) |
| 12.E.1.5 | Technique: Clipboard Data (T1115) |
| 15.A.1.1 | |
| 18.B.1.1 | |
| 18.B.1.2 | Technique: Data from Network Shared Drive (T1039) |
| 19.B.1.1 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
| 19.B.1.2 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |

Procedure: Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

Procedure: Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Procedure: Empire: WinEnum module included enumeration of clipboard contents
Footnotes:
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.

Procedure: Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Procedure: Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Footnotes:
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.

Procedure: Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Footnotes:
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.