Carbanak+FIN7
The technique was not in scope.

APT29
The technique was not in scope.

APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| 9.B.1.1 | | | Minimum detection criteria was not met for this procedure. |
| 18.B.1.2 | | | Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker to the Recycle Bin. The telemetry was tainted by the parent "Powershell executed encoded commands" alert. [1] |

- Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
- Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

[1] Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.