| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| | | Technique | A Technique detection named "T1204 - User Execution" was generated when explorer.exe spawned winword.exe when the user clicked 1-list.rtf. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Behavior: Office Product executed system tool" (High) was generated when winword.exe loaded VBE7.DLL and spawned 1-list.rtf. |
| | | Technique | A Technique detection named "wscript.exe executed a script" was generated when wscript.exe spawned unprotected.vbe. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1140 - Deobfuscate/Decode Files or Information" was generated when wscript.exe decoded and created starter.vbs. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1140 - Deobfuscate/Decode Files or Information" was generated when wscript.exe decoded and created TransBaseOdbcDriver.js. |
| | | Technique | A Technique detection named "wscript.exe started this child process" was generated when wscript.exe executed starter.vbs. |
| | | Tactic | A Tactic detection named "wscript.exe started this child process" was generated when wscript.exe spawned cmd.exe. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection was generated when wscript.exe spawned cmd.exe. |
| | | Technique | A Technique detection named "cmd.exe started this child process" was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1105 - Remote File Copy" was generated when wscript.exe downloaded screenshot__.ps1 from 192.168.0.4. |
| | | Technique | A Technique detection named "T1059 - Command-Line Interface" was generated when wscript.exe spawned cmd.exe. |
| | | Tactic | A Tactic detection named "TA0002 - Execution" was generated when cmd.exe spawned powershell.exe. |
| | | Technique | A Technique detection named "Behavior: T1113 - Screen Capture" (Medium) was generated when powershell.exe executed CopyFromScreen(). |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1041 - Exfiltration over Command and Control Channel" was generated when wscript.exe uploaded screenshot__.png to 192.168.0.4. |
| | | Technique | A Technique detection named "Process: T1059 - Command-Line Interface" was generated when wscript.exe spawned cmd.exe. |
| | | Technique | A Technique detection named "Behavior: MITRE ATTACK - Modify Registry, T1112 - Modify Registry" was generated when cmd.exe spawned reg.exe to add a value to the registry key. |
| | | Technique | A Technique detection named "Behavior: T1105 - Remote File Copy - Powershell" (Medium) was generated when wscript.exe downloaded LanCradDriver.ps1 from 192.168.0.4. |
| | | Technique | A Technique detection named "Process: T1059 - Command-Line Interface - Windows" was generated when wscript.exe spawned cmd.exe. |
| | | Technique | A Technique detection named "Process: MITRE ATTACK - Powershell, T1086 - Powershell" was generated when cmd.exe spawned powershell.exe. |
| | | Tactic | A Tactic detection named "TA0002 - Execution" was generated when powershell.exe executed the shellcode from the Registry by calling the CreateThread() API. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Tactic | A Tactic detection named "Behavior: LDAP over Powershell" (Medium) was generated when powershell.exe executed Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4. |
| | | Technique | A Technique detection named "T1078 - Valid Accounts" was generated when user kmitnick successfully logged into bankdc (10.0.0.4). |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1105 - Remote File Copy" was generated when powershell.exe downloaded rad353F7.ps1 from 192.168.0.4. |
| | | Tactic | A Tactic detection named "TA0011 - Command and Control" was generated when powershell.exe downloaded rad353F7.ps1 from 192.168.0.4. |
| | | Tactic | A Tactic detection named "TA0011 - Command and Control" was generated when powershell.exe downloaded smrs.exe from 192.168.0.4. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1105 - Remote File Copy" was generated when powershell.exe downloaded smrs.exe from 192.168.0.4. |
| | | Technique | A Technique detection named "T1086 - Powershell" was generated when powershell.exe executed rad353F7.ps1. |
| | | Technique | A Technique detection named "powershell.exe wrote to this registry value" was generated when powershell.exe added a value to the Registry via New-Item and New-ItemProperty. |
| | | Tactic | A Tactic detection named "TA0005 - Defense Evasion" was generated when fodhelper.exe spawned cmd.exe as a high-integrity process. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1088 - Bypass User Account Control" was generated when fodhelper.exe spawned cmd.exe as a high-integrity process. |
| | | Technique | A Technique detection named "Process: T1059 - Command-Line Interface" was generated when cmd.exe executed smrs.exe. |
| | | Technique | A Technique detection named "Process Access: Unsigned Process Accessing LSASS" (High) was generated when smrs.exe opened and read lsass.exe. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1105 - Remote File Copy" was generated when powershell.exe downloaded pscp.exe from 192.168.0.4. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1105 - Remote File Copy" was generated when powershell.exe downloaded psexec.py from 192.168.0.4. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1105 - Remote File Copy" was generated when powershell.exe downloaded runtime from 192.168.0.4. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1105 - Remote File Copy" was generated when powershell.exe downloaded plink.exe from 192.168.0.4. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1105 - Remote File Copy" was generated when powershell.exe downloaded tiny.exe from 192.168.0.4. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1059 - Command-Line Interface" was generated when powershell.exe spawned cmd.exe. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1078 - Valid Accounts" was generated when user kmitnick logged on to bankfileserver (10.0.0.7). |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1105 - Remote File Copy" was generated when pscp.exe copied psexec.py to 10.0.0.7. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1105 - Remote File Copy" was generated when pscp.exe copied runtime to 10.0.0.7. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1105 - Remote File Copy" was generated when pscp.exe copied tiny.exe to 10.0.0.7. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1021 - Remote Services" was generated when plink.exe connected over SSH (port 22) to 10.0.0.7. |
| | | Technique | A Technique detection named "T1078 - Valid Accounts" was generated when user kmitnick logged on to bankfileserver (10.0.0.7). |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1057 - Process Discovery" was generated when user kmitnick executed ps ax. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection was generated when user kmitnick executed ls -lsahR /var/. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1005 - Data From Local System" was generated when user kmitnick read network-diagram-financial.xml via cat. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1005 - Data From Local System" was generated when user kmitnick read help-desk-ticket.txt via cat. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1018 - Remote System Discovery" was generated when user kmitnick enumerated the domain controller via nslookup. |
| | | Technique | A Technique detection named "File: T1021.002 - Remote Services - SMB/Windows Admin Shares" (Medium) was generated when a file was created in the Windows directory by a system process. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1035 - Service Execution" was generated when cmd.exe spawned from a service executable in C:\Windows\. |
| | | Technique | A Technique detection named "File: T1021.002 - Remote Services - SMB/Windows Admin Shares" (Medium) was generated when tiny.exe was created on 10.0.0.4. |
| | | Technique | A Technique detection named "T1059 - Command-Line Interface" was generated when cmd.exe spawned tiny.exe. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Behavior: Unsigned Process Loading PowerShell DLL" (Medium) was generated when tiny.exe loaded system.management.automation.dll. |
| | | Tactic | A Tactic detection named "TA0007 - Discovery" was generated when PowerShell executed Get-ADComputer. |
| | | Technique | A Technique detection named "TA0007 - Account Discovery" was generated when PowerShell executed Get-NetUser. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1105 - Remote File Copy" was generated when tiny.exe downloaded plink.exe from 192.168.0.4. |
| | | Technique | A Technique detection named "T1059 - Command-Line Interface" was generated when tiny.exe spawned cmd.exe. |
| | | Technique | A Technique detection named "T1078 - Valid Accounts" was generated when user kmitnick logged on to bankdc (10.0.0.4). |
| | | Technique | A Technique detection named "T1076 - Remote Desktop Protocol" was generated when an RDP session was created from localhost over port 3389. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1033 - System Owner/User Discovery" was generated when powershell.exe executed qwinsta /server:cfo. |
| | | Technique | A Technique detection named "T1078 - Valid Accounts" was generated when user kmitnick logged on to cfo (10.0.0.5). |
| | | Technique | A Technique detection named "T1076 - Remote Desktop Protocol" was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "scp.exe wrote to this file" was generated when scp.exe downloaded Java-Update.exe from 192.168.0.4. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Registry: HKLM Run or RunOnce Key Modified" (Medium) was generated when the Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. |
| | | Technique | A Technique detection named "T1064 - Scripting" was generated when wscript.exe spawned Java-Update.exe. |
| | | General | A General detection named "Deepscan:generic.exploit.shellcode" was generated when wscript.exe spawned Java-Update.exe. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Tactic | A Tactic detection named "File: File written to user temp folder" (Low) was generated when Java-Update.exe downloaded DefenderUpgradeExec.exe from 192.168.0.4. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1055 - Process Injection" was generated when Java-Update.exe injected into explorer.exe. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Tactic | A Tactic detection named "TA0011 - Command and Control" was generated when explorer.exe downloaded infosMin48.exe from 192.168.0.4. |
| | | Technique | A Technique detection named "T1107 - File Deletion" was generated when powershell.exe deleted files from C:\Users\jsmith\AppData\Local\Temp\. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "T1105 - Remote File Copy" was generated when explorer.exe downloaded tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4. |
| | | Tactic | A Tactic detection named "TA0011 - Command and Control" was generated when explorer.exe downloaded vnc-settings.reg from 192.168.0.4. |
| | | Technique | A Technique detection named "T1105 - Remote File Copy" was generated when explorer.exe downloaded vnc-settings.reg from 192.168.0.4. |
| | | Technique | A Technique detection named "T1060 - Registry Run Keys / Startup Folder" (?) was generated when msiexec.exe added the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run. |
| | | Technique | A Technique detection named "T1112 - Modify Registry" was generated when subkeys were added to HKLM\Software\TightVNC\Server via vnc-settings.reg. |
| | | Technique | A Technique detection named "T1112 - Modify Registry" was generated when the Java-Update subkey at HKLM\Software\Microsoft\Windows\CurrentVersion\Run was deleted. |