19.B.1.1
Procedure:
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Detections:
19.B.1.2
Procedure:
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Detections:
2.A.4
Procedure:
Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria:
powershell.exe executing Compress-Archive
Detections:
2.A.5
Procedure:
Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria:
powershell.exe creating the file draft.zip
Detections:
7.B.2
Procedure:
Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
Criteria:
powershell.exe creating the file OfficeSupplies.7z
Detections:
7.B.3
Procedure:
Encrypted data from the user's Downloads directory using PowerShell
Criteria:
powershell.exe executing Compress-7Zip with the password argument used for encryption
Detections:
9.B.6
Procedure:
Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria:
powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Detections:
9.B.7
Procedure:
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria:
powershell.exe executing rar.exe
Detections:
17.C.1
Procedure:
Compressed a staging directory using PowerShell
Criteria:
powershell.exe executing the ZipFile.CreateFromDirectory .NET method
Detections:
20.B.4
Criteria:
7za.exe creates C:\Users\Public\log.7z
Detections:
2.A.2
Procedure:
Scripted search of filesystem for document and media files using PowerShell
Criteria:
powershell.exe executing (Get-)ChildItem
Detections:
9.B.3
Procedure:
Scripted search of filesystem for document and media files using PowerShell
Criteria:
powershell.exe executing (Get-)ChildItem
Detections:
12.E.1.5
Procedure:
Empire: WinEnum module included enumeration of clipboard contents
Detections:
7.A.2
Procedure:
Captured clipboard contents using PowerShell
Criteria:
powershell.exe executing Get-Clipboard
Detections:
9.B.5
Procedure:
Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
Criteria:
powershell.exe creating the file working.zip
Detections:
17.B.2
Procedure:
Staged collected file into directory using PowerShell
Criteria:
powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML
Detections:
18.B.1.1
Procedure:
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Detections:
2.A.3
Procedure:
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria:
powershell.exe reading files in C:\Users\Pam\
Detections:
7.B.1
Procedure:
Read data in the user's Downloads directory using PowerShell
Criteria:
powershell.exe reading files in C:\Users\pam\Downloads\
Detections:
9.B.4
Procedure:
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria:
powershell.exe reading files in C:\Users\Pam\
Detections:
17.B.1
Procedure:
Read and collected a local file using PowerShell
Criteria:
powershell.exe reading the file MITRE-ATTACK-EVALS.HTML
Detections:
5.B.5
Criteria:
User kmitnick reads network-diagram-financial.xml via cat
Detections:
5.B.6
Criteria:
User kmitnick reads help-desk-ticket.txt via cat
Detections:
9.A.5
Criteria:
explorer.exe reads C:\Users\jsmith\AppData\Local\Temp\Klog2.txt over to 192.168.0.4
Detections:
9.B.1.1
Procedure:
Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Detections:
18.B.1.2
Procedure:
Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Detections:
17.A.1
Procedure:
Dumped messages from the local Outlook inbox using PowerShell
Criteria:
outlook.exe spawning from svchost.exe or powershell.exe
Detections:
8.C.1.1
Procedure:
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Detections:
7.A.3
Procedure:
Captured user keystrokes using the GetAsyncKeyState API
Criteria:
powershell.exe executing the GetAsyncKeyState API
Detections:
9.A.2
Criteria:
DefenderUpgradeExec.exe calls the SetWindowsHookEx API
Detections:
18.A.4
Criteria:
mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState
Detections:
8.D.1.1
Procedure:
Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Detections:
7.A.1
Procedure:
Captured and saved screenshots using PowerShell
Criteria:
powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Detections:
2.B.4
Criteria:
powershell.exe executes CopyFromScreen()
Detections:
9.A.4
Criteria:
explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll
Detections:
13.B.4
Criteria:
powershell.exe executes CopyFromScreen()
Detections:
18.A.2
Criteria:
explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll
Detections:
7.A.3
Criteria:
plink.exe transmits data to 192.168.0.4 over SSH protocol
Detections:
12.A.3
Criteria:
Adb156.exe transmits data to 192.168.0.6 via MSSQL transactions
Detections:
1.C.1.2
Procedure:
Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com
Detections:
6.B.1.2
Procedure:
Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com
Detections:
11.B.1.2
Procedure:
Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com
Detections:
14.A.1.3
Procedure:
Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP
Detections:
3.B.4
Procedure:
Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria:
Evidence that the network data sent over the C2 channel is HTTPS
Detections:
11.A.14
Procedure:
Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria:
Established network channel over the HTTPS protocol
Detections:
1.A.10
Criteria:
wscript.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
8.A.2
Criteria:
Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
14.A.6
Criteria:
powershell.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
16.A.8
Criteria:
svchost.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
17.A.5
Criteria:
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
20.A.3
Criteria:
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
1.C.1.1
Procedure:
Cobalt Strike: C2 channel established using port 53
Detections:
6.B.1.1
Procedure:
Cobalt Strike: C2 channel modified to use port 80
Detections:
11.B.1.1
Procedure:
Empire: C2 channel established using port 443
Detections:
14.A.1.4
Procedure:
Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080
Detections:
3.B.3
Procedure:
Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria:
Established network channel over port 443
Detections:
11.A.13
Procedure:
Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Criteria:
Established network channel over port 443
Detections:
1.C.1.3
Procedure:
Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding
Detections:
11.B.1.3
Procedure:
Empire: Encrypted C2 channel established using HTTPS
Detections:
3.B.5
Procedure:
Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria:
Evidence that the network data sent over the C2 channel is encrypted
Detections:
11.A.15
Procedure:
Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria:
Evidence that the network data sent over the C2 channel is encrypted
Detections:
1.A.11
Criteria:
wscript.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
8.A.3
Criteria:
Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
14.A.7
Criteria:
powershell.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
16.A.9
Criteria:
svchost.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
17.A.6
Criteria:
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
20.A.4
Criteria:
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
1.A.4
Procedure:
Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria:
Evidence that the network data sent over the C2 channel is encrypted
Detections:
7.B.1
Procedure:
Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
Detections:
14.A.1.2
Procedure:
Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk
Detections:
16.E.1
Procedure:
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Detections:
19.A.1.2
Procedure:
Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)
Detections:
3.A.1
Procedure:
Dropped stage 2 payload (monkey.png) to disk
Criteria:
The rcs.3aka3.doc process creating the file monkey.png
Detections:
4.A.1
Procedure:
Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria:
powershell.exe creating the file SysinternalsSuite.zip
Detections:
8.B.1
Procedure:
Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria:
The file python.exe created on Scranton (10.0.1.4)
Detections:
9.A.1
Procedure:
Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
Criteria:
python.exe creating the file rar.exe
Detections:
9.A.2
Procedure:
Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)
Criteria:
python.exe creating the file sdelete64.exe
Detections:
14.B.3
Procedure:
Downloaded and dropped Mimikatz (m.exe) to disk
Criteria:
powershell.exe downloading and/or the file write of m.exe
Detections:
2.B.1
Criteria:
wscript.exe downloads screenshot__.ps1 from 192.168.0.4
Detections:
3.B.1
Criteria:
wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4
Detections:
4.B.1
Criteria:
powershell.exe downloads rad353F7.ps1 from 192.168.0.4
Detections:
4.B.2
Criteria:
powershell.exe downloads smrs.exe from 192.168.0.4
Detections:
5.A.1
Criteria:
powershell.exe downloads pscp.exe from 192.168.0.4
Detections:
5.A.2
Criteria:
powershell.exe downloads psexec.py from 192.168.0.4
Detections:
5.A.3
Criteria:
powershell.exe downloads runtime from 192.168.0.4
Detections:
5.A.4
Criteria:
powershell.exe downloads plink.exe from 192.168.0.4
Detections:
5.A.5
Criteria:
powershell.exe downloads tiny.exe from 192.168.0.4
Detections:
7.A.1
Criteria:
tiny.exe downloads plink.exe from 192.168.0.4
Detections:
7.C.1
Criteria:
scp.exe downloads Java-Update.exe from 192.168.0.4
Detections:
7.C.3
Criteria:
cmd.exe downloads Java-Update.vbs from 192.168.0.4
Detections:
9.A.1
Criteria:
Java-Update.exe downloads DefenderUpgradeExec.exe from 192.168.0.4
Detections:
9.B.1
Criteria:
explorer.exe downloads infosMin48.exe from 192.168.0.4
Detections:
10.A.1
Criteria:
explorer.exe downloads tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4
Detections:
10.A.2
Criteria:
explorer.exe downloads vnc-settings.reg from 192.168.0.4
Detections:
12.B.1
Criteria:
Adb156.exe downloads stager.ps1 from 192.168.0.6
Detections:
13.B.1
Criteria:
Adb156.exe downloads takeScreenshot.ps1 from 192.168.0.6 via MSSQL transactions
Detections:
15.A.2
Criteria:
powershell.exe downloads samcat.exe from 192.168.0.4
Detections:
15.A.3
Criteria:
powershell.exe downloads uac-samcats.ps1 from 192.168.0.4
Detections:
16.A.1
Criteria:
powershell.exe downloads paexec.exe from 192.168.0.4
Detections:
16.A.2
Criteria:
powershell.exe downloads hollow.exe from 192.168.0.4
Detections:
17.A.1
Criteria:
svchost.exe downloads srrstr.dll from 192.168.0.4 (port 443)
Detections:
19.B.3
Criteria:
powershell.exe downloads dll329.dll from 192.168.0.4
Detections:
19.B.4
Criteria:
powershell.exe downloads sdbE376.tmp from 192.168.0.4
Detections:
20.B.1
Criteria:
rundll32.exe downloads debug.exe from 192.168.0.4
Detections:
20.B.3
Criteria:
rundll32.exe downloads 7za.exe from 192.168.0.4
Detections:
6.B.1.3
Procedure:
Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS
Detections:
1.A.3
Procedure:
Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria:
Established network channel over port 1234
Detections:
3.B.7
Criteria:
powershell.exe transmits data to 192.168.0.4 over TCP
Detections:
19.A.3
Criteria:
itadmin (10.0.1.6) is relaying RDP traffic from attacker infrastructure
Detections:
10.B.1
Criteria:
tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900
Detections:
18.A.1
Procedure:
Mapped a network drive to an online OneDrive account using PowerShell
Criteria:
net.exe with command-line arguments then making a network connection to a public IP over port 443
Detections:
16.A.1.1
Procedure:
Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
Detections:
16.B.1.3
Procedure:
Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying
Detections:
4.A.3
Criteria:
powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access
Detections:
6.A.2
Procedure:
Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria:
accesschk.exe executing the CryptUnprotectData API
Detections:
9.B.2
Criteria:
infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll
Detections:
8.C.1.1
Procedure:
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Detections:
7.A.3
Procedure:
Captured user keystrokes using the GetAsyncKeyState API
Criteria:
powershell.exe executing the GetAsyncKeyState API
Detections:
9.A.2
Criteria:
DefenderUpgradeExec.exe calls the SetWindowsHookEx API
Detections:
18.A.4
Criteria:
mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState
Detections:
5.A.1.1
Procedure:
Cobalt Strike: Built-in Mimikatz credential dump capability executed
Detections:
14.B.4
Procedure:
Dumped plaintext credentials using Mimikatz (m.exe)
Criteria:
m.exe injecting into lsass.exe to dump credentials
Detections:
16.D.2
Procedure:
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
Criteria:
m.exe injecting into lsass.exe to dump credentials
Detections:
4.B.7
Criteria:
smrs.exe opens and reads lsass.exe
Detections:
15.A.6
Criteria:
samcat.exe opens and reads the SAM via LSASS
Detections:
5.A.2.1
Procedure:
Cobalt Strike: Built-in hash dump capability executed
Detections:
6.C.1
Procedure:
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria:
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Detections:
15.B.1
Procedure:
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Detections:
6.A.1
Procedure:
Read the Chrome SQL database file to extract encrypted credentials
Criteria:
accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Detections:
6.B.1
Procedure:
Exported a local certificate to a PFX file using PowerShell
Criteria:
powershell.exe creating a certificate file exported from the system
Detections:
3.A.1.1
Procedure:
Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Detections:
14.A.1.1
Procedure:
Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
Detections:
3.B.2
Procedure:
Executed elevated PowerShell payload
Criteria:
High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Detections:
14.A.2
Procedure:
Executed elevated PowerShell payload
Criteria:
High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Detections:
4.B.5
Criteria:
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Detections:
15.A.5
Criteria:
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Detections:
10.B.3
Procedure:
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria:
hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Detections:
3.A.1.2
Procedure:
Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
Detections:
5.B.1
Procedure:
Cobalt Strike: Built-in token theft capability executed to change user context to George
Detections:
4.A.3
Procedure:
Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria:
powershell.exe executing Expand-Archive
Detections:
11.A.10
Procedure:
Decoded an embedded DLL payload to disk using certutil.exe
Criteria:
certutil.exe decoding kxwn.lock
Detections:
14.B.6
Procedure:
Read and decoded Mimikatz output from a WMI class property using PowerShell
Criteria:
powershell.exe executing Get-WmiInstance
Detections:
1.A.5
Criteria:
wscript.exe decodes content and creates starter.vbs
Detections:
1.A.6
Criteria:
wscript.exe decodes content and creates TransBaseOdbcDriver.js
Detections:
3.B.5
Criteria:
powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode
Detections:
5.C.6
Criteria:
tiny.exe loads shellcode from network connection into memory
Detections:
11.A.5
Criteria:
mshta.exe assembles text embedded within 2-list.rtf into a JS payload
Detections:
14.A.3
Criteria:
powershell.exe decodes an embedded DLL payload
Detections:
14.A.5
Criteria:
powershell.exe loads shellcode from network connection into memory
Detections:
17.B.1
Procedure:
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
Detections:
17.B.2
Procedure:
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
Detections:
11.A.2
Procedure:
Executed an alternate data stream (ADS) using PowerShell
Criteria:
powershell.exe executing the schemas ADS via Get-Content and IEX
Detections:
17.A.4
Criteria:
SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll
Detections:
10.A.3
Criteria:
netsh adds Service Host rule for TCP port 5900
Detections:
19.D.1
Procedure:
Empire: 'del C:\"$"Recycle.bin\old.rar'
Detections:
19.D.2
Procedure:
Empire: 'del recycler.exe'
Detections:
4.B.2
Procedure:
Deleted rcs.3aka3.doc on disk using SDelete
Criteria:
sdelete64.exe deleting the file rcs.3aka3.doc
Detections:
4.B.3
Procedure:
Deleted Draft.zip on disk using SDelete
Criteria:
sdelete64.exe deleting the file draft.zip
Detections:
4.B.4
Procedure:
Deleted SysinternalsSuite.zip on disk using SDelete
Criteria:
sdelete64.exe deleting the file SysinternalsSuite.zip
Detections:
9.C.1
Procedure:
Deleted rar.exe on disk using SDelete
Criteria:
sdelete64.exe deleting the file rar.exe
Detections:
9.C.2
Procedure:
Deleted working.zip (from Desktop) on disk using SDelete
Criteria:
sdelete64.exe deleting the file \Desktop\working.zip
Detections:
9.C.3
Procedure:
Deleted working.zip (from AppData directory) on disk using SDelete
Criteria:
sdelete64.exe deleting the file \AppData\Roaming\working.zip
Detections:
9.C.4
Procedure:
Deleted SDelete on disk using cmd.exe del command
Criteria:
cmd.exe deleting the file sdelete64.exe
Detections:
9.B.3
Criteria:
powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\
Detections:
16.C.1
Procedure:
Empire: 'net use -delete' via PowerShell
Detections:
12.A.2
Procedure:
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria:
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Detections:
19.A.1.1
Procedure:
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Detections:
19.B.1.3
Procedure:
Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
Detections:
16.I.1.2
Procedure:
Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)
Detections:
6.A.3
Procedure:
Masqueraded a Chrome password dump tool as accesscheck.exe, a legitimate Sysinternals tool
Criteria:
Evidence that accesschk.exe is not the legitimate Sysinternals tool
Detections:
17.A.2
Criteria:
srrstr.dll is not the legitimate Windows System Protection Configuration Library
Detections:
11.A.6
Criteria:
mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe
Detections:
1.A.2
Procedure:
Used Unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria:
Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process OR the original filename (cod.3aka.scr)
Detections:
3.C.1
Procedure:
Modified the Registry to remove artifacts of COM hijacking
Criteria:
Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Detections:
14.A.3
Procedure:
Modified the Registry to remove artifacts of COM hijacking using PowerShell
Criteria:
Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Detections:
3.A.2
Criteria:
cmd.exe spawns reg.exe to add a value under HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer
Detections:
4.B.4
Criteria:
powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty
Detections:
10.A.5
Criteria:
Addition of subkeys in HKLM\Software\TightVNC\Server
Detections:
10.A.6
Criteria:
Deletion of the Java-Update subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Detections:
14.B.5
Procedure:
Encoded and wrote Mimikatz output to a WMI class property using PowerShell
Criteria:
powershell.exe executing Set-WmiInstance
Detections:
17.C.2
Procedure:
Prepended the GIF file header to a compressed staging file using PowerShell
Criteria:
powershell.exe executing Set-Content
Detections:
1.A.4
Criteria:
unprotected.vbe is an encoded file
Detections:
3.A.3
Criteria:
Value added to Registry is base64 encoded
Detections:
11.A.2
Criteria:
2-list.rtf contains an embedded lnk payload that is dropped to disk
Detections:
19.B.2
Criteria:
powershell.exe executes base64 encoded commands
Detections:
8.B.2
Procedure:
python.exe payload was packed with UPX
Criteria:
Evidence that the file python.exe is packed
Detections:
3.A.2
Procedure:
Embedded PowerShell payload in monkey.png using steganography
Criteria:
Evidence that a PowerShell payload was within monkey.png
Detections:
3.C.1
Procedure:
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Detections:
5.A.1.2
Procedure:
Cobalt Strike: Credential dump capability involved process injection into lsass
Detections:
5.A.2.2
Procedure:
Cobalt Strike: Hash dump capability involved process injection into lsass.exe
Detections:
8.D.1.2
Procedure:
Cobalt Strike: Screen capture capability involved process injection into explorer.exe
Detections:
9.A.3
Criteria:
Java-Update.exe injects into explorer.exe with CreateRemoteThread
Detections:
18.A.1
Criteria:
svchost.exe injects into explorer.exe with CreateRemoteThread
Detections:
18.A.3
Criteria:
explorer.exe injects into mstsc.exe with CreateRemoteThread
Detections:
20.A.2
Criteria:
AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread
Detections:
16.A.7
Criteria:
hollow.exe spawns svchost.exe and unmaps its memory image via: NtUnmapViewOfSection
Detections:
11.A.3
Criteria:
winword.exe spawns mshta.exe
Detections:
1.A.1.2
Procedure:
Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32
Detections:
20.A.1
Procedure:
Executed Run key persistence payload on user login using RunDll32
Criteria:
rundll32.exe executing kxwn.lock
Detections:
5.C.1
Criteria:
psexec.py creates a logon to 10.0.0.4 as user kmitnick
Detections:
20.B.1
Procedure:
Created Kerberos Golden Ticket using Invoke-Mimikatz
Criteria:
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
Detections:
16.D.1.2
Procedure:
Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
Detections:
8.C.1
Procedure:
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria:
Successful logon as user Pam on Scranton (10.0.1.4)
Detections:
16.C.2
Procedure:
Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
Criteria:
Successful logon as user MScott on NewYork (10.0.0.4)
Detections:
4.A.4
Criteria:
powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick
Detections:
5.A.8
Criteria:
User kmitnick logs on to bankfileserver (10.0.0.7)
Detections:
5.B.2
Criteria:
User kmitnick logs on to bankfileserver (10.0.0.7)
Detections:
7.A.4
Criteria:
User kmitnick logs on to bankdc (10.0.0.4)
Detections:
7.B.2
Criteria:
User kmitnick logs on to cfo (10.0.0.5)
Detections:
16.A.4
Criteria:
User kmitnick logs on to itadmin (10.0.1.6)
Detections:
19.A.1
Criteria:
User kmitnick logs on to accounting (10.0.1.7)
Detections:
10.B.1.1
Procedure:
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Detections:
16.B.1.1
Procedure:
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Detections:
11.A.3
Procedure:
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Detections:
13.A.4
Criteria:
Adb156.exe makes a WMI query for Win32_BIOS
Detections:
2.G.1
Procedure:
Cobalt Strike: 'net user -domain' via cmd
Detections:
2.G.2
Procedure:
Cobalt Strike: 'net user george -domain' via cmd
Detections:
12.G.2
Procedure:
Empire: 'net user -domain' via PowerShell
Detections:
6.A.3
Criteria:
PowerShell executes Get-NetUser
Detections:
7.A.1.3
Procedure:
Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information
Detections:
12.G.1
Procedure:
Empire: 'net user' via PowerShell
Detections:
8.C.1.2
Procedure:
Cobalt Strike: Keylogging capability included residual enumeration of application windows
Detections:
15.A.1.2
Procedure:
Empire: Built-in keylogging module included residual enumeration of application windows
Detections:
8.A.1
Procedure:
Cobalt Strike: 'dir -s -b "\\conficker\wormshare"' via cmd
Detections:
8.A.2
Procedure:
Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
Detections:
9.A.1
Procedure:
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Detections:
12.E.1.4.1
Procedure:
Empire: WinEnum module included enumeration of recently opened files
Detections:
12.E.1.4.2
Procedure:
Empire: WinEnum module included enumeration of interesting files
Detections:
16.K.1
Procedure:
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
Detections:
18.A.1
Procedure:
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Detections:
2.A.1
Procedure:
Searched filesystem for document and media files using PowerShell
Criteria:
powershell.exe executing (Get-)ChildItem
Detections:
4.C.1
Procedure:
Enumerated user's temporary directory path using PowerShell
Criteria:
powershell.exe executing $env:TEMP
Detections:
9.B.2
Procedure:
Searched filesystem for document and media files using PowerShell
Criteria:
powershell.exe executing (Get-)ChildItem
Detections:
11.A.9
Procedure:
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
Criteria:
powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
Detections:
12.A.1
Procedure:
Enumerated the System32 directory using PowerShell
Criteria:
powershell.exe executing gci ((gci env:windir).Value + '\system32')
Detections:
4.A.1
Criteria:
powershell.exe calls the FindFirstFileW() and FindNextFileW() APIs
Detections:
5.B.4
Criteria:
User kmitnick executes ls -lsahR /var/
Detections:
7.C.2
Criteria:
dir lists the contents of C:\Users\Public
Detections:
12.E.1.9.1
Procedure:
Empire: WinEnum module included enumeration of available shares
Detections:
12.E.1.9.2
Procedure:
Empire: WinEnum module included enumeration of mapped network drives
Detections:
13.A.3
Criteria:
cmd.exe executes net view
Detections:
12.E.1.3
Procedure:
Empire: WinEnum module included enumeration of password policy information
Detections:
11.A.5
Procedure:
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Detections:
2.F.2
Procedure:
Cobalt Strike: 'net localgroup administrators -domain' via cmd
Detections:
2.F.3
Procedure:
Cobalt Strike: 'net group "Domain Admins" -domain' via cmd
Detections:
12.E.1.2
Procedure:
Empire: WinEnum module included enumeration of AD group memberships
Detections:
12.F.1
Procedure:
Empire: 'net group "Domain Admins" -domain' via PowerShell
Detections:
4.C.9
Procedure:
Enumerated user's domain group membership via the NetUserGetGroups API
Criteria:
powershell.exe executing the NetUserGetGroups API
Detections:
2.F.1
Procedure:
Cobalt Strike: 'net localgroup administrators' via cmd
Detections:
12.F.2
Procedure:
Empire: 'Net Localgroup Administrators' via PowerShell
Detections:
4.C.11
Procedure:
Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria:
powershell.exe executing the NetUserGetLocalGroups API
Detections:
2.C.1
Procedure:
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Detections:
2.C.2
Procedure:
Cobalt Strike: 'tasklist -v' via cmd
Detections:
3.B.1
Procedure:
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Detections:
8.B.1
Procedure:
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Detections:
12.C.1
Procedure:
Empire: 'qprocess *' via PowerShell
Detections:
4.B.1
Procedure:
Enumerated current running processes using PowerShell
Criteria:
powershell.exe executing Get-Process
Detections:
4.C.5
Procedure:
Enumerated the current process ID using PowerShell
Criteria:
powershell.exe executing $PID
Detections:
8.A.3
Procedure:
Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria:
powershell.exe executing Get-Process
Detections:
11.A.8
Procedure:
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_Process
Detections:
13.D.1
Procedure:
Enumerated running processes using the CreateToolhelp32Snapshot API
Criteria:
powershell.exe executing the CreateToolhelp32Snapshot API
Detections:
14.B.2
Procedure:
Enumerated and tracked PowerShell processes using PowerShell
Criteria:
powershell.exe executing Get-Process
Detections:
2.A.4
Criteria:
wscript.exe makes a WMI query for Win32_Process
Detections:
5.B.3
Criteria:
User kmitnick executes ps ax
Detections:
13.A.1
Criteria:
Adb156.exe makes a WMI query for Win32_Process
Detections:
15.A.1
Criteria:
powershell.exe calls the CreateToolhelp32Snapshot() API
Detections:
20.B.2
Criteria:
debug.exe calls the CreateToolhelp32Snapshot API
Detections:
2.H.1
Procedure:
Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
Detections:
6.A.1
Procedure:
Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
Detections:
12.E.1.7
Procedure:
Empire: WinEnum module included enumeration of system information via a Registry query
Detections:
13.C.1
Procedure:
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Detections:
17.A.1.2
Procedure:
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Detections:
12.C.1
Procedure:
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria:
powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Detections:
12.C.2
Procedure:
Enumerated installed software via the Registry (Uninstall key) using PowerShell
Criteria:
powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Detections:
3.B.4
Criteria:
powershell.exe reads HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty
Detections:
4.A.1
Procedure:
Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd
Detections:
4.A.2
Procedure:
Cobalt Strike: 'net group "Domain Computers" -domain' via cmd
Detections:
13.A.1
Procedure:
Empire: 'net group "Domain Computers" -domain' via PowerShell
Detections:
8.A.1
Procedure:
Enumerated remote systems using LDAP queries
Criteria:
powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Detections:
16.A.1
Procedure:
Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
Criteria:
powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll
Detections:
4.A.2
Criteria:
powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4
Detections:
5.B.7
Criteria:
User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)
Detections:
6.A.2
Criteria:
PowerShell executes Get-ADComputer
Detections:
15.A.8
Criteria:
powershell.exe spawns nslookup.exe, which queries the DC (10.0.1.4) over DNS (port 53)
Detections:
12.E.1.10.1
Procedure:
Empire: WinEnum module included enumeration of AV solutions
Detections:
12.E.1.10.2
Procedure:
Empire: WinEnum module included enumeration of firewall rules
Detections:
4.C.7
Procedure:
Enumerated anti-virus software using PowerShell
Criteria:
powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Detections:
4.C.8
Procedure:
Enumerated firewall software using PowerShell
Criteria:
powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Detections:
12.B.1
Procedure:
Enumerated registered AV products using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Detections:
2.E.1
Procedure:
Cobalt Strike: 'systeminfo' via cmd
Detections:
2.E.2
Procedure:
Cobalt Strike: 'net config workstation' via cmd
Detections:
12.E.1.6.1
Procedure:
Empire: WinEnum module included enumeration of system information
Detections:
12.E.1.6.2
Procedure:
Empire: WinEnum module included enumeration of Windows update information
Detections:
4.C.3
Procedure:
Enumerated the computer hostname using PowerShell
Criteria:
powershell.exe executing $env:COMPUTERNAME
Detections:
4.C.6
Procedure:
Enumerated the OS version using PowerShell
Criteria:
powershell.exe executing Gwmi Win32_OperatingSystem
Detections:
11.A.4
Procedure:
Enumerated computer manufacturer, model, and version information using PowerShell
Criteria:
powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
Detections:
13.A.1
Procedure:
Enumerated the computer name using the GetComputerNameEx API
Criteria:
powershell.exe executing the GetComputerNameEx API
Detections:
2.A.2
Criteria:
wscript.exe makes WMI queries for Win32_Processor & Win32_OperatingSystem
Detections:
12.A.5
Criteria:
Adb156.exe makes a WMI query for Win32_LogicalDisk
Detections:
13.A.6
Criteria:
Adb156.exe queries the COMPUTERNAME environment variable
Detections:
13.A.9
Criteria:
Adb156.exe makes a WMI query for Win32_OperatingSystem
Detections:
2.A.1
Procedure:
Cobalt Strike: 'ipconfig -all' via cmd
Detections:
2.A.2
Procedure:
Cobalt Strike: 'arp -a' via cmd
Detections:
4.B.1
Procedure:
Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
Detections:
12.A.1
Procedure:
Empire: 'route print' via PowerShell
Detections:
12.A.2
Procedure:
Empire: 'ipconfig -all' via PowerShell
Detections:
12.E.1.11
Procedure:
Empire: WinEnum module included enumeration of network adapters
Detections:
4.C.4
Procedure:
Enumerated the current domain name using PowerShell
Criteria:
powershell.exe executing $env:USERDOMAIN
Detections:
11.A.7
Procedure:
Checked that the computer is joined to a domain using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Detections:
13.B.1
Procedure:
Enumerated the domain name using the NetWkstaGetInfo API
Criteria:
powershell.exe executing the NetWkstaGetInfo API
Detections:
12.A.4
Criteria:
Adb156.exe makes a WMI query for Win32_NetworkAdapterConfiguration
Detections:
13.A.8
Criteria:
Adb156.exe makes a WMI query for Win32_ComputerSystem
Detections:
15.A.7
Criteria:
powershell.exe calls the GetIpNetTable() API
Detections:
4.C.1
Procedure:
Cobalt Strike: 'netstat -ano' via cmd
Detections:
12.E.1.12
Procedure:
Empire: WinEnum module included enumeration of established network connections
Detections:
13.B.1
Procedure:
Empire: 'net use' via PowerShell
Detections:
13.B.2
Procedure:
Empire: 'netstat -ano' via PowerShell
Detections:
2.B.1
Procedure:
Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
Detections:
12.B.1
Procedure:
Empire: 'whoami -all -fo list' via PowerShell
Detections:
12.E.1.1
Procedure:
Empire: WinEnum module included enumeration of user information
Detections:
20.B.1
Procedure:
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
Detections:
4.C.2
Procedure:
Enumerated the current username using PowerShell
Criteria:
powershell.exe executing $env:USERNAME
Detections:
11.A.6
Procedure:
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Detections:
13.C.1
Procedure:
Enumerated the current username using the GetUserNameEx API
Criteria:
powershell.exe executing the GetUserNameEx API
Detections:
15.A.1
Procedure:
Enumerated logged on users using PowerShell
Criteria:
powershell.exe executing $env:UserName
Detections:
16.B.1
Procedure:
Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API
Criteria:
powershell.exe executing the ConvertSidToStringSid API
Detections:
7.B.1
Criteria:
powershell.exe executes qwinsta /server:cfo
Detections:
13.A.5
Criteria:
Adb156.exe queries the USERNAME environment variable
Detections:
2.D.1
Procedure:
Cobalt Strike: 'sc query' via cmd
Detections:
2.D.2
Procedure:
Cobalt Strike: 'net start' via cmd
Detections:
12.D.1
Procedure:
Empire: 'net start' via PowerShell
Detections:
12.E.1.8
Procedure:
Empire: WinEnum module included enumeration of services
Detections:
16.H.1
Procedure:
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
Detections:
16.J.1
Procedure:
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
Detections:
17.A.1.1
Procedure:
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
Detections:
11.A.3
Procedure:
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Detections:
13.A.4
Criteria:
Adb156.exe makes a WMI query for Win32_BIOS
Detections:
16.F.1
Procedure:
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Detections:
1.A.9
Criteria:
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
Detections:
12.A.2
Criteria:
Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript
Detections:
12.E.1
Procedure:
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Detections:
15.A.1.1
Procedure:
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Detections:
1.B.2
Procedure:
Spawned interactive powershell.exe
Criteria:
powershell.exe spawning from cmd.exe
Detections:
4.A.2
Procedure:
Spawned interactive powershell.exe
Criteria:
powershell.exe spawning from powershell.exe
Detections:
9.B.1
Procedure:
Spawned interactive powershell.exe
Criteria:
powershell.exe spawning from python.exe
Detections:
11.A.12
Procedure:
Executed PowerShell stager payload
Criteria:
powershell.exe spawning from the schemas ADS (powershell.exe)
Detections:
20.A.3
Procedure:
Executed PowerShell payload from WMI event subscription persistence
Criteria:
SYSTEM-level powershell.exe spawned from the powershell.exe
Detections:
2.B.3
Criteria:
cmd.exe spawns powershell.exe
Detections:
3.B.3
Criteria:
cmd.exe spawns powershell.exe
Detections:
4.B.3
Criteria:
powershell.exe executes rad353F7.ps1
Detections:
6.A.1
Criteria:
tiny.exe loads system.management.automation.dll
Detections:
13.B.3
Criteria:
cmd.exe spawns powershell.exe
Detections:
14.A.2
Criteria:
cmd.exe spawns powershell.exe
Detections:
14.A.4
Criteria:
powershell.exe executes the decoded payload using Invoke-Expression (IEX)
Detections:
15.A.4
Criteria:
powershell.exe spawns powershell.exe
Detections:
19.B.1
Criteria:
powershell.exe spawns powershell.exe
Detections:
11.A.1
Procedure:
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Detections:
1.A.3
Criteria:
wscript.exe executes unprotected.vbe
Detections:
1.A.7
Criteria:
wscript.exe executes starter.vbs
Detections:
8.A.1
Criteria:
wscript.exe spawns Java-Update.exe
Detections:
11.A.4
Criteria:
mshta.exe executes an embedded VBScript payload
Detections:
1.A.1.3
Procedure:
Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)
Detections:
1.B.1
Procedure:
Spawned interactive cmd.exe
Criteria:
cmd.exe spawning from the rcs.3aka3.doc process
Detections:
1.A.8
Criteria:
wscript.exe spawns cmd.exe
Detections:
2.B.2
Criteria:
wscript.exe spawns cmd.exe
Detections:
3.A.1
Criteria:
wscript.exe spawns cmd.exe
Detections:
3.B.2
Criteria:
wscript.exe spawns cmd.exe
Detections:
4.B.6
Criteria:
cmd.exe spawns smrs.exe
Detections:
5.A.6
Criteria:
powershell.exe spawns cmd.exe
Detections:
5.C.5
Criteria:
cmd.exe spawns tiny.exe
Detections:
7.A.2
Criteria:
tiny.exe spawns cmd.exe
Detections:
13.A.2
Criteria:
Adb156.exe spawns cmd.exe
Detections:
13.B.2
Criteria:
Adb156.exe spawns cmd.exe
Detections:
14.A.1
Criteria:
Adb156.exe spawns cmd.exe
Detections:
16.A.3
Criteria:
powershell.exe spawns cmd.exe
Detections:
17.A.3
Criteria:
svchost.exe spawns cmd.exe
Detections:
7.A.1.2
Procedure:
Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection
Detections:
1.A.2
Criteria:
winword.exe loads VBE7.DLL
Detections:
11.A.7
Criteria:
winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL
Detections:
4.C.10
Procedure:
Executed API call by reflectively loading Netapi32.dll
Criteria:
The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Detections:
4.C.12
Procedure:
Executed API call by reflectively loading Netapi32.dll
Criteria:
The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Detections:
10.B.2
Procedure:
Executed PowerShell payload via the CreateProcessWithToken API
Criteria:
hostui.exe executing the CreateProcessWithToken API
Detections:
16.B.2
Procedure:
Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll
Criteria:
powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll
Detections:
3.B.6
Criteria:
powershell.exe executes the shellcode from the Registry by calling the CreateThread() API
Detections:
7.C.1
Procedure:
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Detections:
10.A.2
Procedure:
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Detections:
11.A.8
Criteria:
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
Detections:
12.A.1
Criteria:
svchost.exe (-s Schedule) spawns Adb156.exe
Detections:
16.L.1
Procedure:
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Detections:
8.C.3
Procedure:
Executed python.exe using PSExec
Criteria:
python.exe spawned by PSEXESVC.exe
Detections:
10.A.1
Procedure:
Executed persistent service (javamtsup) on system startup
Criteria:
javamtsup.exe spawning from services.exe
Detections:
5.C.3
Criteria:
cmd.exe spawns from a service executable in C:\Windows\
Detections:
16.A.6
Criteria:
Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe
Detections:
1.A.1
Criteria:
explorer.exe spawns winword.exe when user clicks 1-list.rtf
Detections:
11.A.1
Criteria:
explorer.exe spawns winword.exe when user clicks 2-list.rtf
Detections:
1.A.1.1
Procedure:
Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
Detections:
1.A.1
Procedure:
User Pam executed payload rcs.3aka3.doc
Criteria:
The rcs.3aka3.doc process spawning from explorer.exe
Detections:
11.A.1
Procedure:
User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
Criteria:
powershell.exe spawning from explorer.exe
Detections:
14.B.1
Procedure:
Created and executed a WMI class using PowerShell
Criteria:
WMI Process (WmiPrvSE.exe) executing powershell.exe
Detections:
19.C.1
Procedure:
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel
Detections:
7.B.4
Procedure:
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria:
powershell executing Copy-Item pointing to an attack-controlled WebDAV network share (192.168.0.4:80)
Detections:
9.B.1.2
Procedure:
Cobalt Strike: Download capability exfiltrated data through existing C2 channel
Detections:
2.B.1
Procedure:
Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria:
The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Detections:
9.B.8
Procedure:
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria:
python.exe reading the file working.zip while connected to the C2 channel
Detections:
2.B.5
Criteria:
wscript.exe reads and uploads screenshot__.png to 192.168.0.4
Detections:
13.B.5
Criteria:
Adb156.exe reads and uploads image.png to 192.168.0.6 via MSSQL transactions
Detections:
20.B.5
Criteria:
rundll32.exe reads and uploads log.7z to 192.168.0.4
Detections:
18.A.2
Procedure:
Exfiltrated staged collection to an online OneDrive account using PowerShell
Criteria:
powershell.exe executing Copy-Item pointing to drive mapped to an attack-controlled OneDrive account
Detections:
16.D.1.2
Procedure:
Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
Detections:
8.C.1
Procedure:
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria:
Successful logon as user Pam on Scranton (10.0.1.4)
Detections:
16.C.2
Procedure:
Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
Criteria:
Successful logon as user MScott on NewYork (10.0.0.4)
Detections:
4.A.4
Criteria:
powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick
Detections:
5.A.8
Criteria:
User kmitnick logs on to bankfileserver (10.0.0.7)
Detections:
5.B.2
Criteria:
User kmitnick logs on to bankfileserver (10.0.0.7)
Detections:
7.A.4
Criteria:
User kmitnick logs on to bankdc (10.0.0.4)
Detections:
7.B.2
Criteria:
User kmitnick logs on to cfo (10.0.0.5)
Detections:
16.A.4
Criteria:
User kmitnick logs on to itadmin (10.0.1.6)
Detections:
19.A.1
Criteria:
User kmitnick logs on to accounting (10.0.1.7)
Detections:
10.B.1.1
Procedure:
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Detections:
16.B.1.1
Procedure:
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Detections:
16.G.1
Procedure:
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Detections:
16.D.1
Procedure:
Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection
Criteria:
File write of m.exe by the WinRM process (wsmprovhost.exe)
Detections:
5.A.9
Criteria:
Pscp.exe copies psexec.py to 10.0.0.7
Detections:
5.A.10
Criteria:
Pscp.exe copies runtime to 10.0.0.7
Detections:
5.A.11
Criteria:
Pscp.exe copies tiny.exe to 10.0.0.7
Detections:
5.C.4
Criteria:
tiny.exe is created on 10.0.0.4
Detections:
6.C.1
Procedure:
Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
Detections:
10.B.1.2
Procedure:
RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism
Detections:
20.A.1.2
Procedure:
RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism
Detections:
7.A.5
Criteria:
RDP session from the localhost over TCP port 3389
Detections:
7.B.3
Criteria:
RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389
Detections:
19.A.2
Criteria:
RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389
Detections:
16.A.1.2
Procedure:
Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)
Detections:
16.B.1.2
Procedure:
Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)
Detections:
16.D.1.1
Procedure:
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Detections:
8.C.2
Procedure:
Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria:
SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Detections:
5.C.2
Criteria:
psexec.py connects to SMB shares on 10.0.0.4
Detections:
16.A.5
Criteria:
SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed
Detections:
5.A.7
Criteria:
Pscp.exe connects over SCP (port 22) to 10.0.0.7
Detections:
5.B.1
Criteria:
plink.exe connects over SSH (port 22) to 10.0.0.7
Detections:
8.A.2
Procedure:
Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria:
Network connection to Scranton (10.0.1.4) over port 5985
Detections:
16.C.1
Procedure:
Established a WinRM connection to the domain controller host NewYork (10.0.0.4)
Criteria:
Network connection to NewYork (10.0.0.4) over port 5985
Detections:
20.B.2
Procedure:
Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials
Criteria:
Network connection to Scranton (10.0.1.4) over port 5985
Detections:
5.C.1
Criteria:
psexec.py creates a logon to 10.0.0.4 as user kmitnick
Detections:
20.B.1
Procedure:
Created Kerberos Golden Ticket using Invoke-Mimikatz
Criteria:
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
Detections:
1.B.1
Procedure:
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Detections:
10.A.1
Procedure:
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Detections:
5.B.1
Procedure:
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria:
powershell.exe creating the file hostui.lnk in the Startup folder
Detections:
10.B.1
Procedure:
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria:
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Detections:
11.A.11
Procedure:
Established Registry Run key persistence using PowerShell
Criteria:
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Detections:
7.C.4
Criteria:
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Detections:
10.A.4
Criteria:
msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run
Detections:
7.A.1.1
Procedure:
Added user Jesse to Conficker (10.0.0.5) through RDP connection
Detections:
20.B.3
Procedure:
Added a new user to the remote host Scranton (10.0.1.4) using net.exe
Criteria:
net.exe adding the user Toby
Detections:
16.I.1.1
Procedure:
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
Detections:
5.A.1
Procedure:
Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria:
powershell.exe creating the Javamtsup service
Detections:
17.C.1
Procedure:
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Detections:
20.A.1.1
Procedure:
magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
Detections:
19.B.5
Criteria:
sdbinst.exe installs sdbE376.tmp shim
Detections:
20.A.1
Criteria:
AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll
Detections:
3.B.1
Procedure:
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria:
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Detections:
14.A.1
Procedure:
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria:
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Detections:
15.A.2
Procedure:
Established WMI event subscription persistence using PowerShell
Criteria:
powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription
Detections:
20.A.2
Procedure:
Executed WMI persistence on user login
Criteria:
The WMI process (wmiprvse.exe) executing powershell.exe
Detections:
17.A.4
Criteria:
SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll
Detections:
3.A.1.1
Procedure:
Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Detections:
14.A.1.1
Procedure:
Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
Detections:
3.B.2
Procedure:
Executed elevated PowerShell payload
Criteria:
High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Detections:
14.A.2
Procedure:
Executed elevated PowerShell payload
Criteria:
High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Detections:
4.B.5
Criteria:
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Detections:
15.A.5
Criteria:
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Detections:
10.B.3
Procedure:
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria:
hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Detections:
3.A.1.2
Procedure:
Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
Detections:
5.B.1
Procedure:
Cobalt Strike: Built-in token theft capability executed to change user context to George
Detections:
3.C.1
Procedure:
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Detections:
5.A.1.2
Procedure:
Cobalt Strike: Credential dump capability involved process injection into lsass
Detections:
5.A.2.2
Procedure:
Cobalt Strike: Hash dump capability involved process injection into lsass.exe
Detections:
8.D.1.2
Procedure:
Cobalt Strike: Screen capture capability involved process injection into explorer.exe
Detections:
9.A.3
Criteria:
Java-Update.exe injects into explorer.exe with CreateRemoteThread
Detections:
18.A.1
Criteria:
svchost.exe injects into explorer.exe with CreateRemoteThread
Detections:
18.A.3
Criteria:
explorer.exe injects into mstsc.exe with CreateRemoteThread
Detections:
20.A.2
Criteria:
AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread
Detections:
16.A.7
Criteria:
hollow.exe spawns svchost.exe and unmaps its memory image via NtUnmapViewOfSection
Detections: