Home  >  APT29  >  Results  >  Elastic  >  Remote File Copy

Technique Results: Remote File Copy (T1105) Technique Page Information

The ATT&CK technique page displays all procedures used to test the technique, and their respective detections. The Procedure column contains a description of how the technique was tested . The Step column is where the procedure occurred in the operational flow. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by screenshots.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Vendor Configuration     All Results JSON Legend
Legend
Main Detection Categories: Detection Modifiers:

None

Telemetry

Indicator of
Compromise

General
Behavior

MSSP

General

Tactic

Specific
Behavior

Technique

Enrichment

Tainted

Alert

Correlated

Delayed

Host
Interrogation

Residual
Artifact

Configuration
Change

Innovative
Procedures Criteria Step
Detection Type Detection Notes
Dropped stage 2 payload (monkey.png) to disk
The rcs.3aka3.doc process creating the file monkey.png
3.A.1
Telemetry (Correlated)
Telemetry showed rcs.3aka3.doc creating monkey.png. The event was correlated to a parent General detection for malicious file execution. [1]
Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
powershell.exe creating the file SysinternalsSuite.zip
4.A.1
Telemetry (Correlated)
Telemetry showed the file write of the ZIP by PowerShell. The detection was correlated to a parent alert for malicious file execution. [1]
Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
The file python.exe created on Scranton (10.0.1.4)
8.B.1
General (Alert)
A General alert detection (high severity; red indicator) was generated for the malicious file create event of python.exe. [1]
Telemetry
Telemetry showed a file create event of python.exe. [1]
Dropped rar.exe to disk on remote host Scranton (10.0.1.4) 
python.exe creating the file rar.exe
9.A.1
Telemetry (Correlated)
Telemetry showed file created event for python.exe creating rar.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4) 
python.exe creating the file sdelete64.exe
9.A.2
Telemetry (Correlated)
Telemetry showed File Created event for python.exe creating sdelete64.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
Downloaded and dropped Mimikatz (m.exe) to disk
powershell.exe downloading and/or the file write of m.exe
14.B.3
General (Alert, Correlated)
A General alert detection (medium severity) for "Suspicious Download Command via PowerShell" was generated for the PowerShell command to download m.exe. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Telemetry (Correlated)
Telemetry showed the file write event for m.exe into the System32 folder. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection
File write of m.exe by the WinRM process (wsmprovhost.exe)
16.D.1
General (Correlated, Alert)
A General alert detection (red indicator) was generated for the creation of a malicious file (m.exe). The detection was correlated to a parent alert for the "First Seen Process in an Environment". [1]
Telemetry (Correlated)
Telemetry showed a file write event for m.exe in the System32 directory by wsmprovhost.exe. The detection was correlated to a parent alert for the "First Seen Process in an Environment". [1]