CrowdStrike
Unsecured Credentials (T1552)
Carbanak+FIN7

The technique was not in scope.
APT29

Step | ATT&CK Pattern
6.A.1 | Tactic: Credential Access (TA0006); Subtechnique: Unsecured Credentials: Credentials in Files (T1552.001)
6.B.1 |
APT3

Step | ATT&CK Pattern | Procedure
15.B.1 | Tactic: Credential Access (TA0006); Subtechnique: Unsecured Credentials: Credentials in Files (T1552.001) | Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Footnotes
- OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.