Home >
Enterprise >
Participants >
HanSight >
Collection (TA0009)
|
|
APT29 |
||||||
Step | ATT&CK Pattern |
|
||||
2.A.2
|
Technique Automated Collection (T1119) |
|
||||
2.A.3
|
Technique Data from Local System (T1005) |
|
||||
2.A.4
|
Technique Archive Collected Data (T1560) Subtechnique Archive Collected Data: Archive via Utility (T1560.001) |
|
||||
2.A.5
|
Technique Archive Collected Data (T1560) Subtechnique Archive Collected Data: Archive via Utility (T1560.001) |
|
||||
7.A.1
|
Technique Screen Capture (T1113) |
|
||||
7.A.2
|
Technique Clipboard Data (T1115) |
|
||||
7.A.3
|
|
|||||
7.B.1
|
Technique Data from Local System (T1005) |
|
||||
7.B.2
|
Technique Archive Collected Data (T1560) Subtechnique Archive Collected Data: Archive via Utility (T1560.001) |
|
||||
7.B.3
|
Technique Archive Collected Data (T1560) Subtechnique Archive Collected Data: Archive via Utility (T1560.001) |
|
||||
9.B.3
|
Technique Automated Collection (T1119) |
|
||||
9.B.4
|
Technique Data from Local System (T1005) |
|
||||
9.B.5
|
|
|||||
9.B.6
|
Technique Archive Collected Data (T1560) Subtechnique Archive Collected Data: Archive via Utility (T1560.001) |
|
||||
9.B.7
|
Technique Archive Collected Data (T1560) Subtechnique Archive Collected Data: Archive via Utility (T1560.001) |
|
||||
17.A.1
|
Technique Email Collection (T1114) Subtechnique Email Collection: Local Email Collection (T1114.001) |
|
||||
17.B.1
|
Technique Data from Local System (T1005) |
|
||||
17.B.2
|
|
|||||
17.C.1
|
Technique Archive Collected Data (T1560) Subtechnique Archive Collected Data: Archive via Utility (T1560.001) |
|
Procedure
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria
powershell.exe reading files in C:\Users\Pam\
Procedure
Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria
powershell.exe executing Compress-Archive
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria
powershell.exe creating the file draft.zip
Procedure
Captured user keystrokes using the GetAsyncKeyState API
Criteria
powershell.exe executing the GetAsyncKeyState API
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Read data in the user's Downloads directory using PowerShell
Criteria
powershell.exe reading files in C:\Users\pam\Downloads\
Procedure
Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
Criteria
powershell.exe creating the file OfficeSupplies.7z
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria
powershell.exe reading files in C:\Users\Pam\
Procedure
Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
Criteria
powershell.exe creating the file working.zip
Procedure
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria
powershell.exe executing rar.exe
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Read and collected a local file using PowerShell
Criteria
powershell.exe reading the file MITRE-ATTACK-EVALS.HTML