ATT&CK Enterprise Evaluations: RSA, APT3, Collection (TA0009)

Step | ATT&CK Pattern
8.C.1.1 |
9.B.1.1 | Technique: Data from Network Shared Drive (T1039)
12.E.1.5 | Technique: Clipboard Data (T1115)
15.A.1.1 |
18.B.1.1 |
18.B.1.2 | Technique: Data from Network Shared Drive (T1039)
19.B.1.1 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001)
19.B.1.2 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001)
Procedures
- Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
- Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
- Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
- Empire: Executed binary (recycler.exe) created a compressed archive (old.rar) of the previously collected file
Footnotes
- Vendor stated alert logic exists for many files being accessed in a short period of time, which was not triggered in the evaluation because only one file was accessed.