Indicator Removal on Host (T1070)
See technique results for:

Carbanak+FIN7
Step | ATT&CK Pattern
9.B.3 |

APT29
Step | ATT&CK Pattern
4.B.2 |
4.B.3 |
4.B.4 |
9.C.1 |
9.C.2 |
9.C.3 |
9.C.4 |
12.A.2 |

Procedure
Deleted SDelete on disk using cmd.exe del command
Criteria
cmd.exe deleting the file sdelete64.exe
Procedure
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.



