Carbanak+FIN7
|
The technique was not in scope.
|
APT29
|
The technique was not in scope.
|
APT3
|
Step
|
ATT&CK Pattern
|
Detection Type |
Detection Note |
|
6.B.1.3
|
|
|
Telemetry showed port 80 connections to 192.168.0.4 (C2 server) and DNS requests for freegoogleadsenseinfo.com (C2 domain), which could indicate multiband communication. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID).
[1]
[2]
|
|
Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS
[1]
[2]