Step | ATT&CK Pattern | Detection Type | Detection Note
|
|
|
|
An MSSP detection occurred containing evidence of the user Pam executing the malicious file rcs.3aka3.doc.
[1]
|
|
Telemetry showed explorer.exe executing rcs.3aka3.doc.
[1]
|
|
A General alert detection (medium severity) was generated for rcs.3aka3.doc being tagged as malware.
[1]
|
|
|
|
|
An MSSP detection for Masquerading "(T1036)" occurred containing evidence of the RLO (right-to-left override) character being used to obfuscate the payload file name.
[1]
|
|
A Technique alert detection (low severity) was generated for rcs.3aka3.doc, identified as a screensaver process, executing from users or temporary folder.
[1]
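The two detections above hinge on one trick: a right-to-left override control (U+202E) makes the on-disk name cod.3aka3.scr render as rcs.3aka3.doc, so the user sees a document while the loader runs a screensaver executable. The following Python is an added example, not code from the evaluation page or the evaluated vendor; it renders the displayed name, compares the displayed extension with the real one, and flags a .scr launched from a user or temp directory. The directory prefixes are an assumption for this example.

```python
import ntpath
import unicodedata

# Added example (not code from the ATT&CK Evaluations page or the evaluated
# vendor): detect right-to-left override (RLO, U+202E) masquerading in file
# names and flag screensaver binaries launched from user or temporary folders.
RLO = "\u202e"
# Assumption for this example: directories from which a .scr launch is suspicious.
SUSPICIOUS_DIR_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")


def displayed_name(name: str) -> str:
    """Render a file name the way a bidi-aware UI draws it: everything after an
    RLO control is shown right-to-left, so 'cod.3aka3.scr' reads 'rcs.3aka3.doc'."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def analyze_filename(path: str) -> dict:
    """Compare the real extension (what the loader uses) with the displayed one."""
    name = ntpath.basename(path)
    shown = displayed_name(name)
    # Unicode format controls (category Cf: RLO, LRO, isolates) are invisible,
    # so strip them before reading the extension the OS actually dispatches on.
    visible = "".join(c for c in name if unicodedata.category(c) != "Cf")
    real_ext = ntpath.splitext(visible)[1].lower()
    shown_ext = ntpath.splitext(shown)[1].lower()

    findings = []
    if visible != name:
        findings.append("T1036 Masquerading: Unicode format control (e.g. RLO) in file name")
    if real_ext != shown_ext:
        findings.append(f"extension mismatch: displayed {shown_ext!r}, real {real_ext!r}")
    if real_ext == ".scr" and path.lower().startswith(SUSPICIOUS_DIR_PREFIXES):
        findings.append("screensaver executing from users or temporary folder")
    return {"real_name": name, "shown_name": shown, "real_ext": real_ext, "findings": findings}


if __name__ == "__main__":
    # Constructed sample paths; the first mirrors the payload described on this page.
    for sample in ("C:\\Users\\Pam\\Downloads\\\u202ecod.3aka3.scr",
                   "C:\\Users\\Pam\\Documents\\report.docx"):
        print(analyze_filename(sample))
```

The check on the real extension is the one that matters for blocking: a rule that only inspects the rendered name would classify the payload as a document.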
|
|
|
|
|
An MSSP detection for an Uncommonly used port "(T1065)" occurred containing evidence of rcs.3aka3.doc process connecting to 192.168.0.5 on TCP port 1234.
[1]
|
|
Telemetry showed the rcs.3aka3.doc process connecting to 192.168.0.5 on TCP port 1234.
[1]
|
|
|
|
|
Minimum detection criteria were not met for this procedure.
[1]
|
|
|
|
|
A Technique alert detection was generated for a command line interface spawned from a process identified as malware with an active network connection.
[1]
[2]
|
|
An MSSP detection for Command Line Interfaces "(T1059)" occurred containing evidence of cmd.exe spawning from rcs.3aka3.doc.
[1]
|
|
Telemetry showed cmd.exe spawning from rcs.3aka3.doc. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
An MSSP detection for PowerShell "(T1086)" occurred containing evidence of powershell.exe spawning from cmd.exe.
[1]
|
|
Telemetry showed powershell.exe spawning from cmd.exe. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
Technique
(Correlated, Alert)
|
A Technique alert detection was generated for PowerShell executing suspicious File and Directory Discovery commands. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
An MSSP detection for File and Directory Discovery "(T1083)" occurred containing evidence that a discovery script was using Get-ChildItem to search the file system for specific file patterns.
[1]
|
|
Telemetry showed powershell.exe executing Get-ChildItem. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
Telemetry showed powershell.exe executing Get-ChildItem. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
An MSSP detection for Automated Collection "(T1119)" occurred containing evidence that a discovery script was using Get-ChildItem to search the file system for specific file patterns.
[1]
|
|
|
|
|
Telemetry showed file reads of C:\Users\Pam\*. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
An MSSP detection for Data From Local System "(T1005)" occurred containing evidence that a discovery script executed file read operations on the local folder C:\Users\Pam.
[1]
|
|
|
|
|
Telemetry showed powershell.exe compressing via Compress-Archive. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
An MSSP detection for Data Compressed "(T1002)" occurred containing evidence that the files "C:\Users\pam\Links\Downloads.lnk, C:\Users\pam\Links\Desktop.lnk, C:\Users\pam\Favorites\Bing.url, and C:\Users\pam\Desktop\Microsoft Edge.lnk" were compressed into a zip file draft.zip.
[1]
|
Technique
(Alert, Correlated)
|
A Technique alert detection (red indicator) called "Scripting engine creates compressed file under suspicious folder" was generated after identifying Draft.zip as a compressed file. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
An MSSP detection for Data Staged "(T1074)" occurred containing evidence that a compressed zip file named Draft.zip was created.
[1]
|
|
Telemetry showed the creation of Draft.zip. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
Telemetry showed file read event for Draft.zip and an existing C2 channel (192.168.0.5 over port 1234). The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
An MSSP detection for Exfiltration Over Command and Control Channel "(T1041)" occurred containing evidence that "After the zip file is created, it's read by cod.3aka3.scr... [and] the timeline view shows a C2 connection from nashua to 192.168.0.5, in which cod.3aka3.scr sent 319,936 Bytes."
[1]
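Nearly every note from the cmd.exe spawn through the exfiltration above ends with "correlated to a parent alert for the rcs.3aka3.doc screensaver process": the product raised one parent alert on the masqueraded .scr and then attached each later detection (uncommon port, archive creation, C2 read) to it by walking the process tree. The following Python is an added example, not code from the evaluation page or the vendor, showing that correlation over constructed telemetry. The directory prefixes, the "commonly used" port set, the script-engine list and the sample events are all assumptions for this example.

```python
# Added example, not code from the ATT&CK Evaluations page or the evaluated vendor:
# a small alert correlator that ties child detections to the parent alert on the
# screensaver process via the process tree, mirroring the reporting pattern above.
COMMON_PORTS = {53, 80, 443, 445}                     # assumption: "commonly used" ports
SUSPICIOUS_DIRS = ("c:\\users\\", "c:\\windows\\temp\\")  # assumption
SCRIPT_ENGINES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}  # assumption
ARCHIVE_EXTS = (".zip", ".7z", ".rar")

# Constructed telemetry modelled on the events the notes describe (not captured data).
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": "C:\\Users\\Pam\\Downloads\\\u202ecod.3aka3.scr"},
    {"type": "network", "pid": 200, "dst": "192.168.0.5", "dport": 1234},
    {"type": "process", "pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"type": "process", "pid": 400, "ppid": 300,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"type": "file", "pid": 400, "path": "C:\\Users\\Pam\\AppData\\Roaming\\Draft.zip"},
    {"type": "process", "pid": 500, "ppid": 1, "image": "C:\\Windows\\System32\\svchost.exe"},
    {"type": "network", "pid": 500, "dst": "10.0.0.4", "dport": 443},   # benign, common port
]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_suspicious_dir(path):
    return path.lower().startswith(SUSPICIOUS_DIRS)


def correlate(events):
    """Return alerts in event order. Each alert carries the id of the parent alert
    it correlates to, or None when it is the parent alert itself (or has none)."""
    parent_of, image_of, parent_alert = {}, {}, {}   # pid -> ppid, pid -> image, pid -> alert id
    alerts = []
    for e in events:
        pid = e["pid"]
        if e["type"] == "process":
            parent_of[pid], image_of[pid] = e["ppid"], e["image"]

        findings = []   # (alert text, is this a parent alert?)
        if e["type"] == "process":
            if _base(e["image"]).endswith(".scr") and _in_suspicious_dir(e["image"]):
                findings.append(("Technique: screensaver executing from users or temporary folder", True))
        elif e["type"] == "network" and e["dport"] not in COMMON_PORTS:
            findings.append((f"Technique: uncommonly used port {e['dport']} to {e['dst']}", False))
        elif e["type"] == "file":
            if (_base(image_of.get(pid, "")) in SCRIPT_ENGINES
                    and e["path"].lower().endswith(ARCHIVE_EXTS)
                    and _in_suspicious_dir(e["path"])):
                findings.append(("Technique: scripting engine creates compressed file under suspicious folder", False))

        for text, is_parent in findings:
            # Walk up the tree: the nearest ancestor (or the process itself) that
            # already owns a parent alert supplies the correlation link.
            correlated, cur = None, pid
            while cur is not None:
                if cur in parent_alert:
                    correlated = parent_alert[cur]
                    break
                cur = parent_of.get(cur)
            alert = {"id": len(alerts) + 1, "pid": pid, "finding": text, "correlated_to": correlated}
            alerts.append(alert)
            if is_parent and pid not in parent_alert:
                parent_alert[pid] = alert["id"]
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

The walk stops at the first ancestor that owns a parent alert, so a detection on powershell.exe two hops below the screensaver still lands on the same alert, while the svchost.exe connection on port 443 produces nothing.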
|
|
|
|
|
Telemetry showed rcs.3aka3.doc creating monkey.png. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
An MSSP detection for Remote File Copy "(T1105)" occurred containing evidence that cod.3aka3.scr downloaded and wrote a file named monkey.png to C:\Users\pam\Downloads.
[1]
|
|
|
|
|
An MSSP detection for "Obfuscated Files or Information" occurred containing evidence of the PowerShell script contained within monkey.png.
[1]
|
|
Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
|
|
General
(Correlated, Alert)
|
A General alert detection was generated identifying the Registry modification as a malware behavior threat. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
An MSSP detection occurred containing evidence of addition of DelegateExecute subkey.
[1]
[2]
|
|
Telemetry showed the addition of the DelegateExecute Registry Value. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
An MSSP detection for "UAC bypass (T1088)" occurred for a new high-integrity PowerShell callback spawning from control.exe.
[1]
|
|
A Technique alert detection (red indicator) was generated for "Bypass User Account Control VIA registry hijack T1088" for control.exe creating a high integrity powershell.exe.
[1]
[2]
|
|
Telemetry showed control.exe creating a high integrity powershell.exe.
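The three rows above describe one chain: a DelegateExecute value is written under the user's registry hive, an auto-elevating binary (control.exe) then spawns a high-integrity powershell.exe, and the hijack key is later deleted. The following Python is an added example, not code from the evaluation page or the vendor, of a stateful rule that only fires the UAC-bypass alert when the elevation follows a staged hijack. The HKCU\Software\Classes key path, the auto-elevate binary list, the time window and the sample events are assumptions for this example.

```python
# Added example (not code from the ATT&CK Evaluations page or the evaluated
# vendor): stateful detection of the registry-hijack UAC bypass. Stage 1 is a
# DelegateExecute value written under the user's Classes hive, stage 2 is an
# auto-elevating binary spawning a high-integrity child shortly afterwards,
# stage 3 is the hijack value being removed again.
AUTO_ELEVATE = {"control.exe", "sdclt.exe", "fodhelper.exe", "eventvwr.exe"}  # assumption
WINDOW_SECONDS = 300                                                        # assumption
HIJACK_ROOT = "hkcu\\software\\classes\\"                                    # assumption

# Constructed telemetry (not captured data); "t" is seconds, integrity is the
# process integrity level as a sensor would report it.
EVENTS = [
    {"t": 100, "type": "registry", "op": "set", "pid": 400,
     "key": "HKCU\\Software\\Classes\\Folder\\shell\\open\\command", "value": "DelegateExecute"},
    {"t": 101, "type": "registry", "op": "set", "pid": 400,
     "key": "HKCU\\Software\\Classes\\Folder\\shell\\open\\command", "value": "(Default)"},
    {"t": 105, "type": "process", "pid": 600, "image": "control.exe", "integrity": "Medium",
     "parent_image": "powershell.exe", "parent_integrity": "Medium"},
    {"t": 106, "type": "process", "pid": 700, "image": "powershell.exe", "integrity": "High",
     "parent_image": "control.exe", "parent_integrity": "Medium"},
    {"t": 130, "type": "registry", "op": "delete", "pid": 700,
     "key": "HKCU\\Software\\Classes\\Folder\\shell\\open\\command", "value": "DelegateExecute"},
    # Benign: an admin opening an elevated console through the consent prompt.
    {"t": 900, "type": "process", "pid": 800, "image": "cmd.exe", "integrity": "High",
     "parent_image": "explorer.exe", "parent_integrity": "Medium"},
]


def detect_uac_bypass(events):
    """Return (finding, detail) pairs in time order."""
    staged = {}    # lower-cased hijack key -> time the DelegateExecute value was written
    findings = []
    for e in sorted(events, key=lambda x: x["t"]):
        if e["type"] == "registry":
            key = e["key"].lower()
            if not key.startswith(HIJACK_ROOT) or e["value"].lower() != "delegateexecute":
                continue
            if e["op"] == "set":
                staged[key] = e["t"]
                findings.append(("registry hijack staged: DelegateExecute written", e["key"]))
            elif e["op"] == "delete":
                findings.append(("hijack value removed after use", e["key"]))
                staged.pop(key, None)
        elif e["type"] == "process":
            # Medium-integrity auto-elevating parent producing a High-integrity child,
            # with a hijack staged inside the window: that is the bypass itself.
            if (e["parent_image"].lower() in AUTO_ELEVATE
                    and e["integrity"] == "High" and e["parent_integrity"] == "Medium"
                    and any(e["t"] - t <= WINDOW_SECONDS for t in staged.values())):
                findings.append(("Bypass UAC via registry hijack (T1088)",
                                 f"{e['parent_image']} -> {e['image']}"))
    return findings


if __name__ == "__main__":
    for f in detect_uac_bypass(EVENTS):
        print(f)
```

Requiring the staged write before the elevation is what keeps the legitimate consent-prompt elevation at t=900 quiet; a rule keyed only on "High-integrity child of a Medium-integrity parent" would page on every administrator.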
|
|
|
|
|
Telemetry showed powershell.exe connecting to 192.168.0.5 on TCP port 443. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
An MSSP detection for Commonly Used Port was generated containing evidence that monkey.png performed C&C over port 443 to IP address 192.168.0.5.
[1]
|
|
|
|
|
Minimum detection criteria were not met for this procedure.
|
|
|
|
|
Minimum detection criteria were not met for this procedure.
|
|
|
|
|
Telemetry showed the deletion of the command subkey. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
An MSSP detection for Modify Registry "(T1070)" occurred for the deletion of the registry value.
[1]
|
|
|
|
General
(Correlated, Alert)
|
A General alert detection was generated for the creation of a file identified as compressed. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
Telemetry showed the file write of the ZIP by PowerShell. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
An MSSP detection for Remote File Copy "(T1105)" was received. The alert stated that the privileged powershell.exe created a zip file named SysInternalsSuite.zip in the Downloads folder.
[1]
|
|
|
|
|
An MSSP detection occurred containing evidence of a new interactive session of PowerShell being created.
[1]
[2]
|
|
Telemetry showed a new powershell.exe spawning from powershell.exe. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
Telemetry showed PowerShell decompressing the ZIP via Expand-Archive and the corresponding file writes. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
An MSSP detection occurred containing evidence of powershell.exe decompressing SysinternalsSuite.zip via Expand-Archive.
[1]
|
|
|
|
|
An MSSP detection occurred containing evidence of powershell.exe executing Get-Process.
[1]
|
|
Telemetry showed powershell.exe executing Get-Process. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
An MSSP detection occurred containing evidence of sdelete64.exe deleting cod.3aka3.scr (the RLO-prefixed file displayed as rcs.3aka3.doc).
[1]
|
|
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
An MSSP detection occurred containing evidence of sdelete64.exe deleting Draft.zip.
[1]
|
|
|
|
|
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
An MSSP detection occurred containing evidence of sdelete64.exe deleting SysinternalsSuite.zip.
[1]
|
|
|
|
|
Telemetry showed powershell.exe executing $env:TEMP. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
|
|
|
Telemetry showed powershell.exe executing $env:USERNAME. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
|
|
|
Telemetry showed powershell.exe executing $env:COMPUTERNAME. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
|
|
|
Telemetry showed powershell.exe executing $env:USERDOMAIN. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
|
|
|
Telemetry showed powershell.exe executing $PID. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
|
|
|
Telemetry showed powershell.exe executing Gwmi Win32_OperatingSystem. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions.
[1]
|
|
|
|
|
A Technique alert detection (high severity) was generated for PowerShell performing suspicious Security Software Discovery.
[1]
[2]
|
|
An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions.
[1]
|
|
Telemetry showed powershell.exe executing Get-WmiObject... -Class AntiVirusProduct. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
|
|
|
An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions.
[1]
|
|
Telemetry showed powershell.exe executing Get-WmiObject... -Class FireWallProduct. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
|
|
|
Telemetry showed powershell.exe executing the NetUserGetGroups API. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
An MSSP detection occurred for powershell.exe executing the NetUserGetGroups API.
[1]
|
|
|
|
|
Telemetry showed the NetUserGetGroups API function loaded into PowerShell from Netapi32.dll. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
|
|
|
Telemetry showed powershell.exe executing the NetUserGetLocalGroups API. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
|
|
|
Telemetry showed Netapi32.dll loaded into powershell.exe. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
|
|
|
Telemetry showed PowerShell created the new service javamtsup. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
[3]
[4]
[5]
|
|
|
|
|
An MSSP detection occurred for the creation of the hostui.lnk file in the Startup folder.
[1]
|
Technique
(Correlated, Alert)
|
A Technique alert detection (red indicator) called "registry run key or file in start up folder created - T1060" was generated due to powershell.exe creating the hostui.lnk file. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
[2]
|
|
Telemetry showed a file create event for hostui.lnk in the Startup folder. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
An MSSP detection occurred for accesschk.exe reading the Chrome database file for credentials.
[1]
|
Technique
(Correlated, Alert)
|
A Technique alert detection (red indicator) for "Browser login data access by non-browser process" was generated when accesschk.exe accessed the Chrome database file for credentials. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
Telemetry showed accesschk.exe reading the Chrome database file for credentials. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
Minimum detection criteria were not met for this procedure.
|
|
|
|
|
An MSSP detection occurred indicating that accesschk.exe is not the legitimate Sysinternals tool.
[1]
|
Technique
(Correlated, Alert)
|
A Technique alert detection (red indicator) called "Windows process masquerading by an unsigned process" was generated when accesschk.exe was identified as an unsigned executable and the hash did not match the valid accesschk.exe hash. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
Telemetry showed that accesschk.exe was not a signed Microsoft binary and provided its hash values, which can be used to verify that it is not the legitimate Sysinternals tool. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
An MSSP detection was generated for the creation of the $RandomFileName.pfx file.
[1]
|
Technique
(Correlated, Alert)
|
A Technique alert detection (red indicator) called "New certificate file has been created" was generated for the file creation event of the lotu40lg.b0j.pfx file. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
Telemetry showed file create event for a $RandomFileName.pfx file by powershell.exe. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
An MSSP detection for "Mimikatz" was received that described PowerShell dumping credentials from LSASS process memory.
[1]
[2]
|
Technique
(Delayed (Processing), Alert)
|
A Technique alert detection (red indicator) called "Credentials in Registry" was generated due to a group owner child process querying the User SAM registry keys. Detection incurred a delay based on additional data processing to generate the behavioral threat.
[1]
[2]
|
|
|
|
|
An MSSP detection occurred containing evidence of powershell.exe performing a Screen Capture.
[1]
|
|
Telemetry showed powershell.exe executing CopyFromScreen from System.Drawing.dll.
|
|
A Technique alert detection called "Screen Capture - T1056" was generated for powershell.exe making the GdiBitBlt API call.
[1]
[2]
|
|
|
|
|
An MSSP detection occurred containing evidence of PowerShell capturing clipboard data.
[1]
|
|
Telemetry showed powershell.exe executing Get-Clipboard.
|
|
A Technique alert detection called "clipboard data accessed" was generated due to the use of the GetClipboardData API.
[1]
[2]
|
|
|
|
|
An MSSP detection occurred containing evidence of key logging.
[1]
|
|
A Technique alert detection called "Input Capture" was generated due to powershell.exe making the GetAsyncKeyState API call.
[1]
[2]
|
|
Telemetry showed PowerShell calling the GetAsyncKeyState API.
|
|
|
|
|
An MSSP detection occurred containing evidence of powershell.exe accessing files from C:\Users\pam\Downloads.
[1]
|
|
Telemetry showed Powershell.exe reading files from C:\Users\pam\Downloads. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
An MSSP detection occurred containing evidence of the file create of OfficeSupplies.7z.
[1]
|
Technique
(Correlated, Alert)
|
A Technique alert detection (red indicator) called "Scripting engine creates compressed file under suspicious location" was generated for the file creation event of a .7z file in %APPDATA%. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
Telemetry showed the file create event for OfficeSupplies.7z. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
Minimum detection criteria were not met for this procedure.
|
|
|
|
|
Telemetry showed PowerShell creating OfficeSupplies.7z on a remote adversary WebDav network share (192.168.0.4). The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
An MSSP detection occurred containing evidence of OfficeSupplies.7z being copied over the network via WebDav to 192.168.0.4.
[1]
|
General
(Correlated, Alert)
|
A General alert detection (red indicator) called "File being written to remote path" was generated for the file OfficeSupplies.7z being written to a WebDav share at 192.168.0.4. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
Telemetry showed powershell.exe establishing a connection to NewYork (10.0.0.4) over port 389. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
An MSSP detection occurred for the WinRM connection to remote host Scranton (10.0.1.4) over port 5985.
[1]
|
|
Telemetry showed a connection to Scranton (10.0.1.4) over port 5985. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from a temporary folder.
[1]
|
|
|
|
|
Telemetry showed powershell.exe executing Get-Process.
[1]
|
|
An MSSP detection occurred for powershell.exe executing Get-Process.
[1]
|
|
A Technique alert detection (red indicator) called "Process Discovery with PowerShell" was generated due to powershell.exe executing Get-Process.
[1]
[2]
[3]
|
|
|
|
Technique
(Correlated, Alert)
|
A Technique alert detection (red indicator) called "Executable copied to remote host via $ share" was generated for python.exe being copied from Nashua to Scranton. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
An MSSP detection contained evidence of remote file copy of python.exe to Scranton (10.0.1.4).
[1]
|
|
A Technique alert detection (red indicator) called "Remote File Copy" was generated for python.exe being copied to Scranton (10.0.1.4).
[1]
|
|
Telemetry showed the file create event of python.exe.
|
|
|
|
|
An MSSP detection was generated containing evidence of observed UPX packing on a Python payload.
[1]
|
|
A Technique alert detection (red indicator) for "Software Packing - T1045" was generated for the file creation event for python.exe.
[1]
[2]
[3]
|
|
|
|
|
Minimum detection criteria were not met for this procedure.
|
|
|
|
|
An MSSP detection occurred containing evidence of an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 445.
[1]
|
|
Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over port 135. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
Technique
(Correlated, Alert)
|
A Technique alert detection was generated for an executable being copied to a remote host via a share. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
A Technique alert detection for network share access was generated due to remote access to a Windows admin share.
[1]
[2]
|
|
|
|
|
An MSSP detection occurred containing evidence of python.exe being spawned by PSEXESVC.exe.
[1]
|
|
A Technique alert detection called "Service Execution Start service T1050" was generated due to psexec.exe spawning python.exe.
[1]
|
|
A General alert detection (low severity) was generated due to an unsigned process running from a temporary directory.
[1]
|
|
Telemetry showed python.exe spawned by PSEXESVC.exe, originating from an RPC call made from the remote host Nashua (10.0.1.6).
[1]
[2]
|
General
(Alert, Correlated)
|
A General alert detection was generated for PSEXESVC.exe being copied to a remote host. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
General
(Alert, Correlated)
|
A General alert detection (red indicator) for "Lateral Movement" was generated due to PsExec64.exe execution with plain-text credentials from Nashua as the user Pam. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder.
[1]
|
|
|
|
|
Telemetry showed a file write event for python.exe creating rar.exe from a named pipe. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
[2]
|
General
(Alert, Correlated)
|
A General alert detection (red indicator) was generated for python.exe writing rar.exe to C:\Windows\Temp. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
An MSSP detection occurred for python.exe creating rar.exe.
[1]
|
|
|
|
|
Telemetry showed File Write/Create events for python.exe creating sdelete64.exe. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
A MSSP detection occurred for python.exe creating sdelete64.exe.
[1]
|
|
|
|
|
Telemetry showed python.exe executing powershell.exe. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
An MSSP detection contained evidence of python spawning powershell.exe.
[1]
|
|
|
|
|
Telemetry showed powershell.exe executing Get-ChildItem. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
A MSSP detection occurred for PowerShell looking for certain files in a directory.
[1]
|
|
|
|
|
An MSSP detection for Automated Collection "(T1119)" occurred containing evidence that a discovery script was using Get-ChildItem to search the file system for specific file patterns.
[1]
|
|
Telemetry showed powershell.exe executing Get-ChildItem. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
|
|
|
Telemetry showed file reads of C:\Users\Pam\*. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
An MSSP detection occurred for powershell.exe reading files in C:\Users\Pam.
[1]
|
|
|
|
Tactic
(Alert, Correlated)
|
A Tactic alert detection called "Collection" was generated due to working.zip file creation in %APPDATA%\roaming folder. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
An MSSP detection contained evidence of the creation of working.zip.
[1]
|
|
Telemetry showed the file create of working.zip. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
[2]
|
|
|
|
|
Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
An MSSP detection contained evidence of execution of rar.exe with command line arguments to encrypt working.zip.
[1]
|
|
|
|
|
Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
Technique
(Correlated, Alert)
|
A Technique alert detection (red indicator) for "Scripting engine creates compressed file under suspicious folder" was generated when rar.exe was used to create a compressed archive in %APPDATA%. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
An MSSP detection contained evidence of execution of rar.exe with command line arguments to compress working.zip.
[1]
|
|
|
|
|
Telemetry showed file read event for working.zip and an existing C2 channel (192.168.0.4 over port 8443). The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
[2]
|
|
|
|
|
Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
An MSSP detection contained evidence of the deletion of Rar.exe by SDelete64.exe.
[1]
|
|
|
|
|
A Technique alert detection called "file deletion T1107" was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip.
[1]
|
|
Telemetry showed file delete event for sdelete64.exe deleting Desktop\working.zip. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
An MSSP detection contained evidence of the deletion of Desktop\working.zip by SDelete64.exe.
[1]
|
|
|
|
|
Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
An MSSP detection contained evidence of the deletion of roaming\working.zip by SDelete64.exe.
[1]
|
|
|
|
|
Telemetry showed cmd.exe deleting sdelete64.exe and file deletion event. The detection was correlated to a parent alert for an unsigned process running from a temporary directory.
[1]
|
|
An MSSP detection contained evidence of the deletion of SDelete64.exe.
[1]
|
|
A Technique alert detection called "file deletion T1107" was generated when cmd.exe deleted sdelete.exe.
[1]
|
|
|
|
|
Minimum detection criteria were not met for this procedure.
|
|
|
|
|
An MSSP detection occurred for hostui.lnk executing from Startup Folder.
[1]
|
|
|
|
|
An MSSP detection occurred containing evidence of powershell.exe executing with the explorer.exe token via the CreateProcessWithToken API.
[1]
|
|
|
|
|
A Technique alert detection (red indicator) for "Access Token Manipulation" was generated for thread impersonation.
[1]
[2]
[3]
|
|
An MSSP detection occurred containing evidence of powershell.exe executing with the explorer.exe token via the CreateProcessWithToken API.
[1]
|
|