FireEye (Enterprise evaluation participant)
Command and Control (TA0011)

Carbanak+FIN7
Step | ATT&CK Pattern
--- | ---
1.A.10 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
1.A.11 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
2.B.1 | Technique: Ingress Tool Transfer (T1105)
3.B.1 | Technique: Ingress Tool Transfer (T1105)
3.B.7 | Technique: Non-Application Layer Protocol (T1095)
4.B.1 | Technique: Ingress Tool Transfer (T1105)
4.B.2 | Technique: Ingress Tool Transfer (T1105)
5.A.1 | Technique: Ingress Tool Transfer (T1105)
5.A.2 | Technique: Ingress Tool Transfer (T1105)
5.A.3 | Technique: Ingress Tool Transfer (T1105)
5.A.4 | Technique: Ingress Tool Transfer (T1105)
5.A.5 | Technique: Ingress Tool Transfer (T1105)
7.A.1 | Technique: Ingress Tool Transfer (T1105)
7.A.3 | Technique: Application Layer Protocol (T1071)
7.C.1 | Technique: Ingress Tool Transfer (T1105)
7.C.3 | Technique: Ingress Tool Transfer (T1105)
8.A.2 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
8.A.3 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
9.A.1 | Technique: Ingress Tool Transfer (T1105)
9.B.1 | Technique: Ingress Tool Transfer (T1105)
10.A.1 | Technique: Ingress Tool Transfer (T1105)
10.A.2 | Technique: Ingress Tool Transfer (T1105)
10.B.1 | Technique: Remote Access Software (T1219)
12.A.3 | Technique: Application Layer Protocol (T1071)
12.B.1 | Technique: Ingress Tool Transfer (T1105)
13.B.1 | Technique: Ingress Tool Transfer (T1105)
14.A.6 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
14.A.7 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
15.A.2 | Technique: Ingress Tool Transfer (T1105)
15.A.3 | Technique: Ingress Tool Transfer (T1105)
16.A.1 | Technique: Ingress Tool Transfer (T1105)
16.A.2 | Technique: Ingress Tool Transfer (T1105)
16.A.8 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
16.A.9 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
17.A.1 | Technique: Ingress Tool Transfer (T1105)
17.A.5 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
17.A.6 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
19.A.3 | Technique: Proxy (T1090)
19.B.3 | Technique: Ingress Tool Transfer (T1105)
19.B.4 | Technique: Ingress Tool Transfer (T1105)
20.A.3 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
20.A.4 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
20.B.1 | Technique: Ingress Tool Transfer (T1105)
20.B.3 | Technique: Ingress Tool Transfer (T1105)
APT29

Step | ATT&CK Pattern
--- | ---
1.A.3 | Technique: Non-Application Layer Protocol (T1095)
1.A.4 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Symmetric Cryptography (T1573.001)
3.A.1 | Technique: Ingress Tool Transfer (T1105)
3.B.3 | Technique: Commonly Used Port (T1043)
3.B.4 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
3.B.5 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
4.A.1 | Technique: Ingress Tool Transfer (T1105)
8.B.1 | Technique: Ingress Tool Transfer (T1105)
9.A.1 | Technique: Ingress Tool Transfer (T1105)
9.A.2 | Technique: Ingress Tool Transfer (T1105)
9.B.8 | 
11.A.13 | Technique: Commonly Used Port (T1043)
11.A.14 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
11.A.15 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
14.B.3 | Technique: Ingress Tool Transfer (T1105)
18.A.1 | Technique: Web Service (T1102)
Procedure: Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234
Footnotes:
- The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

Procedure: Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria: python.exe reading the file working.zip while connected to the C2 channel

Procedure: Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Criteria: Established network channel over port 443
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria: Established network channel over the HTTPS protocol

Procedure: Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted

Procedure: Downloaded and dropped Mimikatz (m.exe) to disk
Criteria: powershell.exe downloading and/or the file write of m.exe
Footnotes:
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure: Mapped a network drive to an online OneDrive account using PowerShell
Criteria: net.exe with command-line arguments then making a network connection to a public IP over port 443
Footnotes:
- The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change.

APT3

Step | ATT&CK Pattern
--- | ---
1.C.1.1 | Technique: Commonly Used Port (T1043)
1.C.1.2 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: DNS (T1071.004)
1.C.1.3 | 
6.B.1.1 | Technique: Commonly Used Port (T1043)
6.B.1.2 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
6.B.1.3 | Technique: Multiband Communication (T1026)
7.B.1 | Technique: Ingress Tool Transfer (T1105)
11.B.1.1 | Technique: Commonly Used Port (T1043)
11.B.1.2 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
11.B.1.3 | Technique: Encrypted Channel (T1573); Subtechnique: Encrypted Channel: Asymmetric Cryptography (T1573.002)
14.A.1.2 | Technique: Ingress Tool Transfer (T1105)
14.A.1.3 | Technique: Application Layer Protocol (T1071); Subtechnique: Application Layer Protocol: Web Protocols (T1071.001)
14.A.1.4 | Technique: Commonly Used Port (T1043)
16.E.1 | Technique: Ingress Tool Transfer (T1105)
19.A.1.2 | Technique: Ingress Tool Transfer (T1105)
Procedure: Cobalt Strike: C2 channel established using port 53
Footnotes:
- Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.

Procedure: Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com
Footnotes:
- Managed Defense Report (see the first footnote above).

Procedure: Cobalt Strike: C2 channel modified to use port 80
Footnotes:
- Managed Defense Report (see the first footnote above).

Procedure: Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com
Footnotes:
- Managed Defense Report (see the first footnote above).

Procedure: Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS
Footnotes:
- Managed Defense Report (see the first footnote above).

Procedure: Empire: C2 channel established using port 443
Footnotes:
- Managed Defense Report (see the first footnote above).

Procedure: Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com
Footnotes:
- Managed Defense Report (see the first footnote above).

Procedure: Empire: Encrypted C2 channel established using HTTPS
Footnotes:
- Managed Defense Report (see the first footnote above).

Procedure: Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080
Footnotes:
- Managed Defense Report (see the first footnote above).

Procedure: Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)
Footnotes:
- Managed Defense Report (see the first footnote above).