GoSecure: Execution (TA0002)
Carbanak+FIN7

Step | ATT&CK Pattern
--- | ---
1.A.1 | Technique: User Execution (T1204)
1.A.2 |
1.A.3 |
1.A.7 |
1.A.8 |
1.A.9 |
2.B.2 |
2.B.3 |
3.A.1 |
3.B.2 |
3.B.3 |
3.B.6 | Technique: Native API (T1106)
4.B.3 |
4.B.6 |
5.A.6 |
5.C.3 |
5.C.5 |
6.A.1 |
7.A.2 |
8.A.1 |
11.A.1 | Technique: User Execution (T1204)
11.A.3 | Technique: Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Mshta (T1218.005)
11.A.4 |
11.A.7 |
11.A.8 |
12.A.1 |
12.A.2 |
13.A.2 |
13.B.2 |
13.B.3 |
14.A.1 |
14.A.2 |
14.A.4 |
15.A.4 |
16.A.3 |
16.A.6 |
17.A.3 |
19.B.1 |

Criteria
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
Data Sources
- Process Monitoring
- DLL Monitoring
Footnotes
- Image removed due to proprietary information. MITRE confirmed detection.
APT29

Step | ATT&CK Pattern
--- | ---
1.A.1 |
1.B.1 |
1.B.2 |
4.A.2 |
4.C.10 | Technique: Native API (T1106)
4.C.12 | Technique: Native API (T1106)
8.C.3 |
9.B.1 |
10.A.1 |
10.B.2 | Technique: Native API (T1106)
11.A.1 |
11.A.12 |
14.B.1 |
16.B.2 | Technique: Native API (T1106)
20.A.1 | Technique: Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Rundll32 (T1218.011)
20.A.3 |

Procedure
Executed persistent service (javamtsup) on system startup
Criteria
javamtsup.exe spawning from services.exe

Procedure
Executed PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe executing the CreateProcessWithToken API
APT3

Step | ATT&CK Pattern
--- | ---
1.A.1.1 |
1.A.1.2 | Technique: Signed Binary Proxy Execution (T1218); Subtechnique: Signed Binary Proxy Execution: Rundll32 (T1218.011)
1.A.1.3 |
3.C.1 | Technique: Process Injection (T1055)
5.A.1.2 | Technique: Process Injection (T1055)
5.A.2.2 | Technique: Process Injection (T1055)
7.A.1.2 | Technique: Graphical User Interface (T1061)
7.C.1 |
8.D.1.2 | Technique: Process Injection (T1055)
10.A.2 |
11.A.1 |
12.E.1 |
16.F.1 |
16.L.1 |

Procedure
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Footnotes
- The vendor noted all DLL injection conditions are labeled with Privilege Escalation. The vendor also noted Privilege Escalation is one of ten "Capabilities" that are part of the taxonomy.

Procedure
Cobalt Strike: Credential dump capability involved process injection into lsass
Footnotes
- According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does.

Procedure
Cobalt Strike: Hash dump capability involved process injection into lsass.exe
Footnotes
- According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does.

Procedure
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Footnotes
- For this alert, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.

Procedure
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.

Procedure
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.

Procedure
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.

Procedure
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Footnotes
- Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.