Home >
Enterprise >
Participants >
FireEye >
Archive Collected Data: Archive via Utility (T1560.001)
|
|
Carbanak+FIN7 |
||||||
Step | ATT&CK Pattern |
|
||||
20.B.4
|
|
APT29 |
||||||||
Step | ATT&CK Pattern |
|
||||||
2.A.4
|
|
|||||||
2.A.5
|
|
|||||||
7.B.2
|
|
|||||||
7.B.3
|
|
|||||||
9.B.6
|
|
|||||||
9.B.7
|
|
|||||||
17.C.1
|
|
Procedure
Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria
powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria
powershell.exe executing rar.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
APT3 |
||||||||||||||
Step | ATT&CK Pattern |
|
||||||||||||
19.B.1.1
|
|
|||||||||||||
19.B.1.2
|
|
Procedure
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Procedure
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Procedure
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Procedure
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Procedure
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Procedure
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Procedure
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Footnotes
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Procedure
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Procedure
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Procedure
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Procedure
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file