Carbanak+FIN7

The technique was not in scope.

APT29

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 9.B.5 | | Telemetry | Telemetry showed a File Creation event for powershell.exe creating working.zip. The detection was correlated to a parent grouping of malicious activity. [1] |
| 9.B.5 | | MSSP | An MSSP detection for "T1074" occurred containing evidence of working.zip creation from file creation events. [1] |
| 17.B.2 | | Telemetry | Telemetry showed the file create event for MITRE-ATTACK-EVALS.HTML. The detection was correlated to a parent grouping of malicious activity. [1] |
| 17.B.2 | | MSSP | An MSSP detection for "T1074" occurred containing evidence of Copy-Item with ..\WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML being the destination file. [1] |

- Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell: powershell.exe creating the file working.zip [1]
- Staged collected file into directory using PowerShell: powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML [1]

APT3

| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| 18.B.1.1 | | Telemetry | Telemetry showed file write of the .vsdx to the Recycle Bin. The activity seen during the lateral movement step tainted the telemetry because it was associated with the same story (Group ID). [1] |

Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5) [1]