Home >
Enterprise >
Participants >
Secureworks >
Archive Collected Data (T1560)
|
|
APT29 |
||||||
Step | ATT&CK Pattern |
|
||||
2.A.4
|
|
|||||
2.A.5
|
|
|||||
7.B.2
|
|
|||||
7.B.3
|
|
|||||
9.B.6
|
|
|||||
9.B.7
|
|
|||||
17.C.1
|
|
Procedure
Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria
powershell.exe creating the file draft.zip
Procedure
Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
Criteria
powershell.exe creating the file OfficeSupplies.7z
Procedure
Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria
powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria
powershell.exe executing rar.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.