Home >
Enterprise >
Participants >
Elastic >
Results
|
|
APT3 Substep numbers were updated on November 11, 2021 to accommodate changes to ATT&CK and updates to the result data structure. No results were modified in this process.
Procedure
Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Footnotes
- During the evaluation, Windows Defender was unknowingly reenabled. As a result, Bypass UAC was tested in a slightly modified method. The detection method Endgame exhibited would have been valid regardless.


Procedure
Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
Footnotes
- During the evaluation, Windows Defender was unknowingly reenabled. As a result, Bypass UAC was tested in a slightly modified method. The detection method Endgame exhibited would have been valid regardless.


[2]


Procedure
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Empire: WinEnum module included enumeration of Windows update information
Footnotes
- Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
Procedure
Empire: WinEnum module included enumeration of established network connections
Footnotes
- Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.


[2]


[3]


Procedure
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Footnotes
- Had malicious access to it_tasks been detected, response actions allow file retrieval which could have identified credentials in files.
Procedure
Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of usersKmitnick, Bob, and Frieda
Footnotes
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.


[2]


Procedure
Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of usersKmitnick, Bob, and Frieda
Footnotes
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.


[2]


Procedure
Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)
Footnotes
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.


[2]


Procedure
Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)
Footnotes
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.


[2]


Procedure
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Footnotes
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.


[2]


Procedure
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Footnotes
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.


[2]


Procedure
Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying
Footnotes
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.


[2]


[3]


Procedure
Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying
Footnotes
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.


[2]


[3]


Procedure
Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
Footnotes
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.


[2]


Procedure
Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
Footnotes
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.


[2]


Procedure
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Procedure
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
Procedure
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Footnotes
- Telemetry was available for the write file of shockwave_network.vsdx into the Recycle Bin, but no data was available that indicated it came from a network shared drive.
Procedure
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Footnotes
- Telemetry later identified recycler.exe as WinRAR during execution, no detections identified it as WinRAR upon file copy.
Procedure
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Procedure
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Footnotes
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Procedure
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Footnotes
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Procedure
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Procedure
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Footnotes
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Procedure
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Footnotes
- Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Procedure
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel
Procedure
Used unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria
Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process OR the original filename (cod.3aka.scr)
Footnotes
- Configuration changes were made to add detection logic.


Procedure
Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria
The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Footnotes
- Configuration changes were made to increase detection capability, specifically additional API monitoring.


[2]


Procedure
Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is HTTPS
Footnotes
- Although telemetry showed a network connection over port 443 no protocol was identified for this traffic, so a detection does not apply.
Procedure
Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Executed the CryptUnprotectedData API call to decrypt Chrome passwords
Criteria
accesschk.exe executing the CryptUnprotectedData API
Procedure
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Footnotes
- Configuration changes were made to loosen rule logic and/or black lists.


Procedure
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Footnotes
- Configuration changes were made to loosen rule logic and/or black lists.


Procedure
Read data in the user's Downloads directory using PowerShell
Criteria
powershell.exe reading files in C:\Users\pam\Downloads\
Procedure
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria
python.exe reading the file working.zip while connected to the C2 channel
Footnotes
- Configuration changes were made to increase detection capability, specifically additional API monitoring.


Procedure
Executed persistent service (javamtsup) on system startup
Criteria
javamtsup.exe spawning from services.exe
Procedure
Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria
Established network channel over the HTTPS protocol
Procedure
Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Read and collected a local file using PowerShell
Criteria
powershell.exe reading the file MITRE-ATTACK-EVALS.HTML
Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


[2]


Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Windows Registry


Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


[2]


Criteria
AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll