detection-hackathon-apt29
Place for resources used during the Mordor Detection hackathon event featuring APT29 ATT&CK evals datasets
# Description The attacker enumerates the environment’s domain controller (T1018)
# Description The attacker uses the renewed access to generate a Kerberos Golden Ticket (T1097), using materials from the earlier breach, which is used to establish a remote PowerShell session...
7.B) Data from Local System, Data Compressed, Data Encrypted, Exfiltration Over Alternative Protocol
The attacker then collects files (T1005), which are compressed (T1002) and encrypted (T1022), before being exfiltrated to an attacker-controlled WebDAV share (T1048).
# Description The payload in the Startup folder executes a follow-on payload using a stolen token (T1106, T1134).
# Description The attacker then elevates privileges via a user account control (UAC) bypass (T1122, T1088), which executes the newly added payload. A new C2 connection is established over port...
# Description The original victim is rebooted and the legitimate user logs in, emulating ordinary usage and a passage of time. This activity triggers the previously established persistence mechanisms, namely...
# Description Finally, the attacker deletes various files (T1107) associated with that access
# Description The attacker runs a PowerShell one-liner command (T1086) to search the filesystem for document and media files (T1083, T1119). Files of interest are collected (T1005) then encrypted (T1022)...
# Description The attacker uploads additional utilities to the secondary victim (T1105)