Home >
Enterprise >
Participants >
ReaQta >
Results
|
|
APT3 Substep numbers were updated on November 11, 2021 to accommodate changes to ATT&CK and updates to the result data structure. No results were modified in this process.
Procedure
Used unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria
Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process OR the original filename (cod.3aka.scr)
Procedure
Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Spawned interactive powershell.exe
Criteria
powershell.exe spawning from cmd.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria
The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Procedure
Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria
Established network channel over port 443
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is HTTPS
Procedure
Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Deleted rcs.3aka3.doc on disk using SDelete
Criteria
sdelete64.exe deleting the file rcs.3aka3.doc
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted Draft.zip on disk using SDelete
Criteria
sdelete64.exe deleting the file draft.zip
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted SysinternalsSuite.zip on disk using SDelete
Criteria
sdelete64.exe deleting the file SysinternalsSuite.zip
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated user's domain group membership via the NetUserGetGroups API
Criteria
powershell.exe executing the NetUserGetGroups API
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Executed API call by reflectively loading Netapi32.dll
Criteria
The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


[3]


Procedure
Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria
powershell.exe executing the NetUserGetLocalGroups API
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Executed API call by reflectively loading Netapi32.dll
Criteria
The NetUserGetLocalGroups API function loaded into powershelle.exe from Netapi32.dll
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


[3]


Procedure
Executed the CryptUnprotectedData API call to decrypt Chrome passwords
Criteria
accesschk.exe executing the CryptUnprotectedData API
Procedure
Captured and saved screenshots using PowerShell
Criteria
powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Footnotes
- Vendor stated that more information for this behavior would be available using their NanoOS capability, which did not run under the evaluation's Hyper-Visor.
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Encrypted data from the user's Downloads directory using PowerShell
Criteria
powershell.exe executing Compress-7Zip with the password argument used for encryption
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria
powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria
The file python.exe created on Scranton (10.0.1.4)
Procedure
python.exe payload was packed with UPX
Criteria
Evidence that the file python.exe is packed
Procedure
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria
powershell.exe executing rar.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria
python.exe reading the file working.zip while connected to the C2 channel
Procedure
Deleted rar.exe on disk using SDelete
Criteria
sdelete64.exe deleting the file rar.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted working.zip (from Desktop) on disk using SDelete
Criteria
sdelete64.exe deleting the file \Desktop\working.zip
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted working.zip (from AppData directory) on disk using SDelete
Criteria
sdelete64.exe deleting the file \AppData\Roaming\working.zip
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Deleted SDelete on disk using cmd.exe del command
Criteria
cmd.exe deleting the file sdelete64.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Procedure
Executed PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe executing the CreateProcessWithToken API
Procedure
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Procedure
Executed an alternate data stream (ADS) using PowerShell
Criteria
powershell.exe executing the schemas ADS via Get-Content and IEX
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Enumerated computer manufacturer, model, and version information using PowerShell
Criteria
powershell.exe executing a Get-WmiObject gwmi queries for Win32_BIOS and Win32_ComputerSystem
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Checked that the computer is joined to a domain using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_Process
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
Criteria
powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Decoded an embedded DLL payload to disk using certutil.exe
Criteria
certutil.exe decoding kxwn.lock
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Established Registry Run key persistence using PowerShell
Criteria
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Criteria
Established network channel over port 443
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria
Established network channel over the HTTPS protocol
Procedure
Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Enumerated the System32 directory using PowerShell
Criteria
powershell.exe executing (gci ((gci env:windir).Value + '\system32')
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Enumerated installed software via the Registry (Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Enumerated running processes using the CreateToolhelp32Snapshot API
Criteria
powershell.exe executing the CreateToolhelp32Snapshot API
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Created and executed a WMI class using PowerShell
Criteria
WMI Process (WmiPrvSE.exe) executing powershell.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Downloaded and dropped Mimikatz (m.exe) to disk
Criteria
powershell.exe downloading and/or the file write of m.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Encoded and wrote Mimikatz output to a WMI class property using PowerShell
Criteria
powershell.exe executing Set-WmiInstance
Procedure
Established WMI event subscription persistence using PowerShell
Criteria
powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding created in root/subscription
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Established WMI event subscription persistence using PowerShell
Criteria
powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding created in root/subscription
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Established WMI event subscription persistence using PowerShell
Criteria
powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding created in root/subscription
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
Criteria
powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API
Criteria
powershell.exe executing the ConvertSidToStringSid API
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll
Criteria
powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection
Criteria
File write of m.exe by the WinRM process (wsmprovhost.exe)
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Exfiltrated staged collection to an online OneDrive account using PowerShell
Criteria
powershell.exe executing Copy-Item pointing to drive mapped to an attack-controlled OneDrive account
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Executed Run key persistence payload on user login using RunDll32
Criteria
rundll32.exe executing kxwn.lock
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Created Kerberos Golden Ticket using Invoke-Mimikatz
Criteria
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
Procedure
Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials
Criteria
Network connection to Scranton (10.0.1.4) over port 5985
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Added a new user to the remote host Scranton (10.0.1.4) using net.exe
Criteria
net.exe adding the user Toby
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


Criteria
itadmin (10.0.1.6) is relaying RDP traffic from attacker infrastructure
Data Sources
- Authentication Logs
Criteria
AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll