Home >
Enterprise >
Participants >
RSA >
Results
|
|
APT3 Substep numbers were updated on November 11, 2021 to accommodate changes to ATT&CK and updates to the result data structure. No results were modified in this process.
Procedure
Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
Procedure
Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection
Procedure
Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information
Procedure
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Cobalt Strike: Built-in download capability executed to a collect file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
Procedure
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Procedure
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
Procedure
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Procedure
Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Footnotes
- Telemetry later identified recycler.exe as WinRAR during execution, no detections identified it as WinRAR upon file copy.
Procedure
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Footnotes
- Vendor stated alert logic exists for many files being accessed in a short period of time, which was not triggered in the evaluation because only one file was accessed.
Procedure
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Footnotes
- Vendor stated alert logic exists for many files being accessed in a short period of time, which was not triggered in the evaluation because only one file was accessed.
Procedure
Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
Footnotes
- Vendor stated alert logic exists for many files being accessed in a short period of time, which was not triggered in the evaluation because only one file was accessed.
- Vendor stated file hash is also available that could be used with sources like Virustotal to identify the binary. YARA is also supported and rules could be created to identify WinRAR.


Procedure
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel