GoSecure: Enterprise Evaluation Results (APT3)
APT3 Substep numbers were updated on November 11, 2021 to accommodate changes to ATT&CK and updates to the result data structure. No results were modified in this process.
Procedure
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Footnotes
- The vendor noted all DLL injection conditions are labeled with Privilege Escalation. The vendor also noted Privilege Escalation is one of ten "Capabilities" that are part of the taxonomy.


Procedure
Cobalt Strike: Built-in Mimikatz credential dump capability executed
Footnotes
- According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does.


Procedure
Cobalt Strike: Credential dump capability involved process injection into lsass
Footnotes
- According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does.


Procedure
Cobalt Strike: Hash dump capability involved process injection into lsass.exe
Footnotes
- According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does.


Procedure
Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
Footnotes
- At least one condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See Configuration page for details.


Procedure
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Footnotes
- For this alert, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.


Procedure
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism
Footnotes
- The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See Configuration page for details.


Procedure
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: WinEnum module included enumeration of user information
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: WinEnum module included enumeration of password policy information
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: WinEnum module included enumeration of recently opened files
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: WinEnum module included enumeration of interesting files
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: WinEnum module included enumeration of clipboard contents
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: WinEnum module included enumeration of system information
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: WinEnum module included enumeration of Windows update information
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: WinEnum module included enumeration of system information via a Registry query
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: WinEnum module included enumeration of services
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: WinEnum module included enumeration of available shares
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: WinEnum module included enumeration of mapped network drives
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: WinEnum module included enumeration of AV solutions
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: WinEnum module included enumeration of firewall rules
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: WinEnum module included enumeration of network adapters
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: WinEnum module included enumeration of established network connections
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Footnotes
- The vendor noted the capability can create a new condition that would track all actions on a certain file of interest. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: Built-in keylogging module included residual enumeration of application windows
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Footnotes
- The condition contributing to enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.


Procedure
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
Footnotes
- The capability was modified after the start of the evaluation to allow the condition contributing to Enrichment to appear, so the detection is identified as a configuration change. See Configuration page for details.


Procedure
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
Footnotes
- The capability may have been modified after the start of the evaluation to create these alerts, so the detection is identified as a configuration change. See Configuration page for details.


Procedure
Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
Footnotes
- The capability was modified after the start of the evaluation to allow the condition contributing to Enrichment to appear, so the detection is identified as a configuration change. See Configuration page for details.


Procedure
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Footnotes
- The condition contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.


Procedure
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)
Footnotes
- The capability may have been modified after the start of the evaluation to create this alert, so the detection is identified as a configuration change. See Configuration page for details.


Procedure
Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Footnotes
- The conditions contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
Procedure
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Footnotes
- The conditions contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
Procedure
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
Footnotes
- The conditions contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.


Procedure
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Procedure
magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.


Procedure
Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is HTTPS
Procedure
Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Enumerated current running processes using PowerShell
Criteria
powershell.exe executing Get-Process
Procedure
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Footnotes
- Lsass.exe Registry read event exclusion was removed from the configuration. The exclusion is in place because it's noisy.


Procedure
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Footnotes
- Lsass.exe Registry read event exclusion was removed from the configuration. The exclusion is in place because it's noisy.


Procedure
Captured clipboard contents using PowerShell
Criteria
powershell.exe executing Get-Clipboard
Procedure
Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria
powershell.exe executing Get-Process
Procedure
python.exe payload was packed with UPX
Criteria
Evidence that the file python.exe is packed
Procedure
Searched filesystem for document and media files using PowerShell
Criteria
powershell.exe executing (Get-)ChildItem
Procedure
Scripted search of filesystem for document and media files using PowerShell
Criteria
powershell.exe executing (Get-)ChildItem
Procedure
Executed persistent service (javamtsup) on system startup
Criteria
javamtsup.exe spawning from services.exe
Procedure
Executed PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe executing the CreateProcessWithToken API
Procedure
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Procedure
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Procedure
Enumerated computer manufacturer, model, and version information using PowerShell
Criteria
powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
Procedure
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Procedure
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Procedure
Checked that the computer is joined to a domain using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Procedure
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
Criteria
powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
Procedure
Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria
Established network channel over the HTTPS protocol
Procedure
Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Enumerated the System32 directory using PowerShell
Criteria
powershell.exe executing gci ((gci env:windir).Value + '\system32')
Procedure
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Procedure
Enumerated installed software via the Registry (Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Procedure
Enumerated the computer name using the GetComputerNameEx API
Criteria
powershell.exe executing the GetComputerNameEx API
Procedure
Enumerated running processes using the CreateToolhelp32Snapshot API
Criteria
powershell.exe executing the CreateToolhelp32Snapshot API
Procedure
Enumerated and tracked PowerShell processes using PowerShell
Criteria
powershell.exe executing Get-Process
Procedure
Read and decoded Mimikatz output from a WMI class property using PowerShell
Criteria
powershell.exe executing Get-WmiInstance
Procedure
Enumerated logged on users using PowerShell
Criteria
powershell.exe executing $env:UserName
Procedure
Read and collected a local file using PowerShell
Criteria
powershell.exe reading the file MITRE-ATTACK-EVALS.HTML
Procedure
Compressed a staging directory using PowerShell
Criteria
powershell.exe executing the ZipFile.CreateFromDirectory .NET method
Procedure
Executed WMI persistence on user login
Criteria
The WMI process (wmiprvse.exe) executing powershell.exe
Procedure
Executed PowerShell payload from WMI event subscription persistence
Criteria
SYSTEM-level powershell.exe spawned from the powershell.exe
Criteria
powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode
Criteria
powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4
Criteria
powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access
Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


Criteria
User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)
Criteria
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
Data Sources
- Process Monitoring
- DLL Monitoring
Footnotes
- Image removed due to proprietary information. MITRE confirmed detection.
Criteria
powershell.exe downloads uac-samcats.ps1 from 192.168.0.4
Data Sources
- Process Monitoring
- Network Monitoring
- File Monitoring
Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Criteria
SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed
Data Sources
- Network Monitoring
- Process Monitoring
Criteria
AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll