| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| | | Tactic | A Tactic detection named "Execution" (Low) was generated when wscript.exe spawned unprotected.vbe. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "T1059 Command-Line Interface" (Low) was generated when wscript.exe spawned cmd.exe. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "T1059 Command-Line Interface" (Low) was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "T1086 PowerShell" (Low) was generated when cmd.exe spawned powershell.exe. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "T1059 Command-Line Interface" (Low) was generated when wscript.exe spawned cmd.exe. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | General | A General detection named "Suspicious process (cmd.exe) is created" was generated when wscript.exe spawned cmd.exe. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Detected Fileless attack (PE file thread injection)" was generated when powershell.exe executed the shellcode from the Registry by calling the CreateThread() API. [1] |
| | | Technique | A Technique detection named "Detected Fileless attack (Thread injection)" was generated when powershell.exe executed the shellcode from the Registry by calling the CreateThread() API. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Detected the behavior of changing specific registry key for elevation of privileges using Windows vulnerabilities." was generated when powershell.exe added a value to the Registry via New-Item and New-ItemProperty. [1] |
| | | Technique | A Technique detection named "T1088 Bypass User Account Control" (Medium) was generated when powershell.exe added a Registry value under shell\open. [1] |
| | | Technique | A Technique detection named "Detected the behavior of accessing a process (lsass.exe) memory for the purpose of stealing account information (Credentials)." was generated when smrs.exe opened and read lsass.exe. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | General | A General detection named "Creates a PE file. The created file could be a malware." (High) was generated when powershell.exe created tiny.exe. [1] |
| | | Technique | A Technique detection named "T1059 Command-Line Interface" (Low) was generated when powershell.exe spawned cmd.exe. [1] |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Tactic (Configuration Change (Data Sources)) | A Tactic detection named "Execution" (Low) was generated when cmd.exe spawned from a service executable. [1] |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | General (Configuration Change (Data Sources)) | A General detection named "Detected Fileless attack (PE file thread injection)" was generated when tiny.exe loaded shellcode from a network connection into memory. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Technique (Configuration Change (Data Sources)) | A Technique detection named "T1059 Command-Line Interface" (Low) was generated when tiny.exe spawned cmd.exe. [1] |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Registers autorun program to HKLM" was generated when an autorun program was registered under HKLM. [1] |
| | | Technique | A Technique detection named "T1060 Registry Run Keys / Startup Folder" (Low) was generated when the Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run via reg.exe. [1] |
| | | General | A General detection named "Detects abnormal HTTP packets" was generated when java-update.exe connected to 192.168.0.4 over port 80. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Deletes executable file" was generated when powershell.exe deleted PE files from the temp directory. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Changes firewall settings by running process or command prompt." was generated when netsh.exe added a 'Service Host' rule to allow TCP port 5900 inbound. [1] |
| | | Tactic | A Tactic detection named "Registers autorun program to HKLM" was generated when the tvncontrol subkey was added to HKLM\Software\Microsoft\CurrentVersion\Run. [1] |
| | | Technique | A Technique detection named "T1060 Registry Run Keys / Startup Folder" (Low) was generated when the tvncontrol subkey was added to HKLM\Software\Microsoft\CurrentVersion\Run. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Telemetry (Configuration Change (Data Sources)) | |