Malwarebytes: Collection (TA0009)

Enterprise evaluation results for participant Malwarebytes, Collection tactic, across the Carbanak+FIN7 and APT29 emulations. Each row is one evaluation step with its ATT&CK pattern; where the page gives them, the procedure the emulated adversary performed and the criteria a detection had to meet are listed alongside, with footnotes keyed at the end.

Carbanak+FIN7

| Step | ATT&CK Pattern |
|------|----------------|
| 2.B.4 | Screen Capture (T1113) |
| 5.B.5 | Data from Local System (T1005) |
| 5.B.6 | Data from Local System (T1005) |
| 9.A.4 | Screen Capture (T1113) |
| 9.A.5 | Data from Local System (T1005) |
| 13.B.4 | Screen Capture (T1113) |
| 18.A.2 | Screen Capture (T1113) |

APT29

| Step | ATT&CK Pattern | Procedure | Criteria | Footnotes |
|------|----------------|-----------|----------|-----------|
| 2.A.2 | Automated Collection (T1119) | Scripted search of filesystem for document and media files using PowerShell | powershell.exe executing (Get-)ChildItem | |
| 2.A.3 | Data from Local System (T1005) | Recursively collected files found in C:\Users\Pam\ using PowerShell | powershell.exe reading files in C:\Users\Pam\ | |
| 2.A.4 | Archive Collected Data: Archive via Utility (T1560.001) | Compressed and stored files into ZIP (Draft.zip) using PowerShell | powershell.exe executing Compress-Archive | [2], [1] |
| 2.A.5 | Archive Collected Data: Archive via Utility (T1560.001) | Staged files for exfiltration into ZIP (Draft.zip) using PowerShell | powershell.exe creating the file draft.zip | [1], [2] |
| 7.A.1 | Screen Capture (T1113) | Captured and saved screenshots using PowerShell | powershell.exe executing the CopyFromScreen function from System.Drawing.dll | |
| 7.A.2 | Clipboard Data (T1115) | Captured clipboard contents using PowerShell | powershell.exe executing Get-Clipboard | |
| 7.A.3 | | Captured user keystrokes using the GetAsyncKeyState API | powershell.exe executing the GetAsyncKeyState API | |
| 7.B.1 | Data from Local System (T1005) | Read data in the user's Downloads directory using PowerShell | powershell.exe reading files in C:\Users\pam\Downloads\ | |
| 7.B.2 | Archive Collected Data: Archive via Utility (T1560.001) | Compressed data from the user's Downloads directory into a 7z archive (OfficeSupplies.7z) using PowerShell | powershell.exe creating the file OfficeSupplies.7z | [1], [2] |
| 7.B.3 | Archive Collected Data: Archive via Utility (T1560.001) | Encrypted data from the user's Downloads directory using PowerShell | powershell.exe executing Compress-7Zip with the password argument used for encryption | |
| 9.B.3 | Automated Collection (T1119) | Scripted search of filesystem for document and media files using PowerShell | powershell.exe executing (Get-)ChildItem | |
| 9.B.4 | Data from Local System (T1005) | Recursively collected files found in C:\Users\Pam\ using PowerShell | powershell.exe reading files in C:\Users\Pam\ | |
| 9.B.5 | | Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell | powershell.exe creating the file working.zip | |
| 9.B.6 | Archive Collected Data: Archive via Utility (T1560.001) | Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe | powershell.exe executing rar.exe with a password switch (-p or -hp) used for encryption | |
| 9.B.7 | Archive Collected Data: Archive via Utility (T1560.001) | Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe | powershell.exe executing rar.exe | |
| 17.A.1 | Email Collection: Local Email Collection (T1114.001) | Dumped messages from the local Outlook inbox using PowerShell | outlook.exe spawning from svchost.exe or powershell.exe | |
| 17.B.1 | Data from Local System (T1005) | Read and collected a local file using PowerShell | powershell.exe reading the file MITRE-ATTACK-EVALS.HTML | |
| 17.B.2 | | Staged collected file into directory using PowerShell | powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML | |
| 17.C.1 | Archive Collected Data: Archive via Utility (T1560.001) | | | |

Footnotes

[1] Existing event details show correlation of detections.
[2] Updates to detections and logging were enabled after the start of the evaluation, so the result is identified as a Detection Configuration Change.
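The APT29 criteria above state, per step, what a sensor had to surface: a cmdlet or API name in PowerShell activity, a file that powershell.exe creates or reads, or a process-tree relation (rar.exe under powershell.exe, outlook.exe under svchost.exe or powershell.exe). The block below is an added example, not MITRE evaluation code and not a Malwarebytes detection, that encodes each distinct criterion as a check and runs the set over constructed telemetry. The event field names (type, image, parent_image, command_line, script, path) and every sample path and command line are assumptions; an empty technique string marks a step whose ATT&CK pattern the page does not give.

```python
"""Checks for the PowerShell-based Collection criteria tabulated above.

Constructed example for this page: not MITRE evaluation code and not a
Malwarebytes detection. The event schema (type, image, parent_image,
command_line, script, path) is an assumed stand-in for EDR/Sysmon process,
file and PowerShell script-block (Event ID 4104) telemetry.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, str]
Check = Callable[[Event], bool]


def _basename(event: Event, key: str) -> str:
    """Lower-cased file name of an image path field ('' if the field is absent)."""
    return event.get(key, "").rsplit("\\", 1)[-1].lower()

def _is_powershell(event: Event) -> bool:
    return _basename(event, "image") == "powershell.exe"

def script_rule(pattern: str) -> Check:
    """powershell.exe whose script-block text or command line matches `pattern`."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: (e["type"] in ("script", "process") and _is_powershell(e)
                      and bool(rx.search(e.get("script", "") + " " + e.get("command_line", ""))))

def file_rule(kind: str, pattern: str) -> Check:
    """powershell.exe creating ('file_create') or reading ('file_read') a path matching `pattern`."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: e["type"] == kind and _is_powershell(e) and bool(rx.search(e.get("path", "")))

def child_rule(child: str, parents: Tuple[str, ...], cmd_pattern: str = "") -> Check:
    """`child` started by one of `parents`, optionally with a command line matching `cmd_pattern`."""
    rx = re.compile(cmd_pattern, re.IGNORECASE) if cmd_pattern else None
    return lambda e: (e["type"] == "process" and _basename(e, "image") == child
                      and _basename(e, "parent_image") in parents
                      and (rx is None or bool(rx.search(e.get("command_line", "")))))


@dataclass(frozen=True)
class Rule:
    steps: Tuple[str, ...]  # evaluation steps that share this criterion
    technique: str          # ATT&CK ID as given on the page ('' where the page omits it)
    match: Check

# One rule per distinct criterion. Overlap is deliberate: a read under Downloads (7.B.1) is also a
# read under C:\Users\Pam\ (2.A.3 / 9.B.4); a rar.exe launch (9.B.7) is also checked for -p/-hp (9.B.6).
RULES: List[Rule] = [
    Rule(("2.A.2", "9.B.3"), "T1119", script_rule(r"\b(Get-)?ChildItem\b")),
    Rule(("2.A.3", "9.B.4"), "T1005", file_rule("file_read", r"^C:\\Users\\Pam\\")),
    Rule(("2.A.4",), "T1560.001", script_rule(r"\bCompress-Archive\b")),
    Rule(("2.A.5",), "T1560.001", file_rule("file_create", r"\\draft\.zip$")),
    Rule(("7.A.1",), "T1113", script_rule(r"\bCopyFromScreen\b")),
    Rule(("7.A.2",), "T1115", script_rule(r"\bGet-Clipboard\b")),
    Rule(("7.A.3",), "", script_rule(r"\bGetAsyncKeyState\b")),
    Rule(("7.B.1",), "T1005", file_rule("file_read", r"^C:\\Users\\Pam\\Downloads\\")),
    Rule(("7.B.2",), "T1560.001", file_rule("file_create", r"\\OfficeSupplies\.7z$")),
    Rule(("7.B.3",), "T1560.001", script_rule(r"\bCompress-7Zip\b.*\s-Password\b")),
    Rule(("9.B.5",), "", file_rule("file_create", r"\\working\.zip$")),
    Rule(("9.B.6",), "T1560.001", child_rule("rar.exe", ("powershell.exe",), r"(^|\s)-h?p\S")),
    Rule(("9.B.7",), "T1560.001", child_rule("rar.exe", ("powershell.exe",))),
    Rule(("17.A.1",), "T1114.001", child_rule("outlook.exe", ("svchost.exe", "powershell.exe"))),
    Rule(("17.B.1",), "T1005", file_rule("file_read", r"\\MITRE-ATTACK-EVALS\.HTML$")),
    Rule(("17.B.2",), "", file_rule("file_create", r"\\WindowsParentalControlMigration\\MITRE-ATTACK-EVALS\.HTML$")),
]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

# Constructed telemetry, made up for this example (paths and command lines are assumptions).
SAMPLE_EVENTS: List[Event] = [
    {"type": "script", "image": PS, "script": r"Get-ChildItem C:\Users\Pam\ -Recurse -Include *.doc,*.xls,*.pdf,*.png"},
    {"type": "file_read", "image": PS, "path": r"C:\Users\Pam\Downloads\budget.xlsx"},
    {"type": "script", "image": PS, "script": r"Compress-Archive -Path $files -DestinationPath $env:APPDATA\Draft.zip"},
    {"type": "file_create", "image": PS, "path": r"C:\Users\Pam\AppData\Roaming\Draft.zip"},
    {"type": "script", "image": PS, "script": "[Drawing.Graphics]::FromImage($bmp).CopyFromScreen(0, 0, 0, 0, $bmp.Size)"},
    {"type": "script", "image": PS, "script": r"Get-Clipboard | Out-File $env:TEMP\clip.txt -Append"},
    {"type": "script", "image": PS, "script": "if ([Win32]::GetAsyncKeyState($code) -eq -32767) { $keys += $code }"},
    {"type": "script", "image": PS, "script": r"Compress-7Zip -Path $env:USERPROFILE\Downloads -ArchiveFileName OfficeSupplies.7z -Password $pw"},
    {"type": "file_create", "image": PS, "path": r"C:\Users\Pam\Downloads\OfficeSupplies.7z"},
    {"type": "file_create", "image": PS, "path": r"C:\Users\Pam\AppData\Roaming\working.zip"},
    {"type": "process", "image": r"C:\Users\Pam\Downloads\rar.exe", "parent_image": PS,
     "command_line": r"rar.exe a -hpSecret1 -r C:\Users\Pam\Desktop\working.zip C:\Users\Pam\AppData\Roaming\working.zip"},
    {"type": "process", "image": OUTLOOK, "parent_image": r"C:\Windows\System32\svchost.exe", "command_line": '"OUTLOOK.EXE" -Embedding'},
    {"type": "file_read", "image": PS, "path": r"C:\Users\Pam\Desktop\MITRE-ATTACK-EVALS.HTML"},
    {"type": "file_create", "image": PS, "path": r"C:\Users\Pam\AppData\Roaming\WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML"},
    # Benign noise that must not match: Outlook started interactively from explorer.exe.
    {"type": "process", "image": OUTLOOK, "parent_image": r"C:\Windows\explorer.exe", "command_line": '"OUTLOOK.EXE"'},
]


def evaluate(events: List[Event], rules: List[Rule] = RULES) -> List[Tuple[int, Tuple[str, ...], str]]:
    """(event index, steps, technique) for every rule each event satisfies."""
    return [(i, r.steps, r.technique) for i, e in enumerate(events) for r in rules if r.match(e)]

def steps_detected(events: List[Event]) -> Set[str]:
    """Evaluation steps whose criterion at least one event in `events` meets."""
    return {s for _, steps, _ in evaluate(events) for s in steps}


if __name__ == "__main__":
    for idx, steps, tech in evaluate(SAMPLE_EVENTS):
        print(f"event {idx:2d}  {', '.join(steps):<14} {tech or '(technique not given on the page)'}")
```

Three caveats carry over from the criteria themselves. The (Get-)ChildItem and Compress-Archive checks match what script-block logging records, so the aliases gci, ls and dir never fire them and, on an administrator's host, the cmdlet names alone are far too noisy to alert on without the surrounding context (recursive media-file filter, archive created straight after). The file-read criteria (2.A.3, 7.B.1, 17.B.1) need file-read telemetry, which Sysmon does not emit and most EDR agents sample rather than record exhaustively. The fixed C:\Users\Pam\ paths are right for the evaluation range only; a production rule would key on the profile root of the interactive user instead.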