Indicator Removal on Host (T1070)
See technique results for:

Carbanak+FIN7
- Step 9.B.3

APT29
- Step 4.B.2
- Step 4.B.3
- Step 4.B.4
- Step 9.C.1
- Step 9.C.2
- Step 9.C.3
- Step 9.C.4
- Step 12.A.2
Procedure
Deleted SDelete on disk using cmd.exe del command
Criteria
cmd.exe deleting the file sdelete64.exe
Footnotes
- The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual).


Procedure
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Footnotes
- The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual).

