Home  >  APT29  >  Results  >  Elastic  >  Exfiltration

Tactic Results: Exfiltration (TA0010) Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Vendor Configuration     All Results JSON Legend
Legend
Main Detection Categories: Detection Modifiers:

None

Telemetry

Indicator of
Compromise

General
Behavior

MSSP

General

Tactic

Specific
Behavior

Technique

Enrichment

Tainted

Alert

Correlated

Delayed

Host
Interrogation

Residual
Artifact

Configuration
Change

Innovative
Technique
Procedures Criteria Step
Detection Type Detection Notes
Exfiltration Over Command and Control Channel
(T1041)
Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
2.B.1
Telemetry (Configuration Change (Detections))
Telemetry showed file read event for Draft.zip and an existing C2 channel (192.168.0.5 over port TCP 1234). [1] [2]
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
python.exe reading the file working.zip while connected to the C2 channel
9.B.8
Telemetry (Configuration Change (Detections), Correlated)
Telemetry showed file read event for working.zip and an existing C2 channel (192.168.0.4 over TCP port 8443). This event was correlated to a General detection for the execution of a malicious file (python.exe). [1]
Exfiltration Over Alternative Protocol
(T1048)
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)
7.B.4
Telemetry (Correlated)
Telemetry showed PoweShell Copy-Item to a remote adversary WebDav network share (192.168.0.4). The event was correlated to a parent General detection for malicious file execution. [1]
Exfiltrated staged collection to an online OneDrive account using PowerShell
powershell.exe executing Copy-Item pointing to drive mapped to an attack-controlled OneDrive account
18.A.2
Telemetry (Correlated)
Telemetry showed PowerShell executing Copy-Item to exfiltrate data to a previously mapped OneDrive account. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Data Encrypted
(T1022)
Encrypted data from the user's Downloads directory using PowerShell
powershell.exe executing Compress-7Zip with the password argument used for encryption
7.B.3
Telemetry (Correlated)
Telemetry showed Powershell.exe executing Compress-7Zip ... -password "lolol". The event was correlated to a parent General detection for malicious file execution. [1]
Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
9.B.6
Technique (Correlated, Alert)
A Technique alert detection (yellow indicator; medium severity) for "Encrypting Files with WinRar" "T1022 Data Encrypted" was generated when rar.exe used "-hp" command-line arguments. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing rar.exe with command-line arguments. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
Data Compressed
(T1002)
Compressed and stored files into ZIP (Draft.zip) using PowerShell
powershell.exe executing Compress-Archive
2.A.4
Technique (Correlated)
A Technique detection for "Data Compressed" was generated for powershell.exe compressing via Compress-Archive. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe compressing via Compress-Archive. The event was correlated to a parent General detection for malicious file execution. [1]
Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
powershell.exe creating the file OfficeSupplies.7z
7.B.2
Telemetry (Correlated)
Telemetry showed the file create event for OfficeSupplies.7z. The detection was correlated to a parent alert for malicious file execution. [1]
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
powershell.exe executing rar.exe
9.B.7
Technique (Correlated, Alert)
A Technique alert detection (medium severity) for "T1002 Data Compressed" was generated when rar.exe used "-hp" command-line arguments. This event was correlated to a General detection for the execution of a malicious file (python.exe). [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing rar.exe with command-line arguments. This event was correlated to a General detection for the execution of a malicious file (python.exe). [1]
Compressed a staging directory using PowerShell
powershell.exe executing the ZipFile.CreateFromDirectory .NET method
17.C.1
Telemetry (Correlated)
Telemetry showed PowerShell compressing collection via the ZipFile.CreateFromDirectory .NET method. The detection was correlated to a parent alert for a suspicious Windows script. [1]