GoSecure: Collection (TA0009)
Carbanak+FIN7

| Step | ATT&CK Pattern |
|------|----------------|
| 2.B.4 | Technique: Screen Capture (T1113) |
| 5.B.5 | Technique: Data from Local System (T1005) |
| 5.B.6 | Technique: Data from Local System (T1005) |
| 9.A.4 | Technique: Screen Capture (T1113) |
| 9.A.5 | Technique: Data from Local System (T1005) |
| 13.B.4 | Technique: Screen Capture (T1113) |
| 18.A.2 | Technique: Screen Capture (T1113) |
APT29

| Step | ATT&CK Pattern |
|------|----------------|
| 2.A.2 | Technique: Automated Collection (T1119) |
| 2.A.3 | Technique: Data from Local System (T1005) |
| 2.A.4 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
| 2.A.5 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
| 7.A.1 | Technique: Screen Capture (T1113) |
| 7.A.2 | Technique: Clipboard Data (T1115) |
| 7.A.3 | |
| 7.B.1 | Technique: Data from Local System (T1005) |
| 7.B.2 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
| 7.B.3 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
| 9.B.3 | Technique: Automated Collection (T1119) |
| 9.B.4 | Technique: Data from Local System (T1005) |
| 9.B.5 | |
| 9.B.6 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
| 9.B.7 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
| 17.A.1 | Technique: Email Collection (T1114); Sub-technique: Email Collection: Local Email Collection (T1114.001) |
| 17.B.1 | Technique: Data from Local System (T1005) |
| 17.B.2 | |
| 17.C.1 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
APT29 procedures and detection criteria

- Procedure: Captured clipboard contents using PowerShell. Criteria: powershell.exe executing Get-Clipboard
- Procedure: Scripted search of filesystem for document and media files using PowerShell. Criteria: powershell.exe executing (Get-)ChildItem
- Procedure: Read and collected a local file using PowerShell. Criteria: powershell.exe reading the file MITRE-ATTACK-EVALS.HTML
APT3

| Step | ATT&CK Pattern |
|------|----------------|
| 8.C.1.1 | |
| 9.B.1.1 | Technique: Data from Network Shared Drive (T1039) |
| 12.E.1.5 | Technique: Clipboard Data (T1115) |
| 15.A.1.1 | |
| 18.B.1.1 | |
| 18.B.1.2 | Technique: Data from Network Shared Drive (T1039) |
| 19.B.1.1 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
| 19.B.1.2 | Technique: Archive Collected Data (T1560); Sub-technique: Archive Collected Data: Archive via Utility (T1560.001) |
APT3 procedures and footnotes

- Procedure: Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

- Procedure: Empire: WinEnum module included enumeration of clipboard contents
  Footnotes:
  - Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.

- Procedure: Empire: Built-in keylogging module executed to capture keystrokes of user Bob
  Footnotes:
  - The vendor noted the capability can create a new condition that would track all actions on a certain file of interest. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.

- Procedure: Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
  Footnotes:
  - Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.

- Procedure: Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
  Footnotes:
  - Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.

- Procedure: Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
  Footnotes:
  - The conditions contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.

- Procedure: Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
  Footnotes:
  - Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.

- Procedure: Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
  Footnotes:
  - The conditions contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.

- Procedure: Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
  Footnotes:
  - Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.