Home >
Enterprise >
Participants >
ReaQta >
Exfiltration (TA0010)
|
|
Carbanak+FIN7 |
||||||
Step | ATT&CK Pattern |
|
||||
2.B.5
|
|
|||||
13.B.5
|
|
|||||
20.B.4
|
Technique Archive Collected Data (T1560) Subtechnique Archive Collected Data: Archive via Utility (T1560.001) |
|
||||
20.B.5
|
|
APT29 |
||||
Step | ATT&CK Pattern |
|
||
2.B.1
|
|
|||
7.B.4
|
|
|||
18.A.2
|
|
Procedure
Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria
The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Procedure
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria
powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Exfiltrated staged collection to an online OneDrive account using PowerShell
Criteria
powershell.exe executing Copy-Item pointing to drive mapped to an attack-controlled OneDrive account
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.

