| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Scripting (DLL)" was generated when winword.exe loaded VBE7.DLL. [1] |
| | | General | A General detection named "Spear-phishing Attachment (Suspicious Process from Office)" was generated when wscript.exe executed unprotected.vbe. [1] |
| | | General (Configuration Change (Detection Logic)) | A General detection named "Deobfuscate/Decode Files or Information (WSH Access or Runs Suspicious File)" was generated when wscript.exe executed unprotected.vbe. [1] |
| | | Tactic | A Tactic detection named "Dynamic Data Exchange" was generated when wscript.exe executed unprotected.vbe. [1] |
| | | Technique | A Technique detection named "Scripting" was generated when wscript.exe executed unprotected.vbe. [1] |
| | | None | Minimum detection criteria was not met for this procedure. |
| | | General (Configuration Change (Detection Logic)) | A General detection named "Living Off The Land Binaries (LOLBAS)" was generated when wscript.exe executed starter.vbs. [1] |
| | | Technique | A Technique detection named "Scripting" was generated when wscript.exe executed starter.vbs. [1] |
| | | Technique | A Technique detection named "Command-Line Interface (Office Parent)" was generated when wscript.exe spawned cmd.exe from a process tree that included winword.exe. [1] |
| | | Tactic (Configuration Change (Detection Logic)) | A Tactic detection named "Scripting (Process)" was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Command-Line Interface (Process)" was generated when wscript.exe spawned cmd.exe. [1] |
| | | General (Configuration Change (Detection Logic)) | A General detection named "Living Off The Land Binaries (LOLBAS)" was generated when wscript.exe spawned cmd.exe. [1] |
| | | General (Configuration Change (Detection Logic)) | A General detection named "Living Off The Land (LOLBAS)" was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Scripting (Process)" was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js. [1] |
| | | None | Minimum detection criteria was not met for this procedure. |
| | | None | Minimum detection criteria was not met for this procedure. |
| | | None | Minimum detection criteria was not met for this procedure. |
| | | None | Minimum detection criteria was not met for this procedure. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Command-Line Interface (Process)" was generated when wscript.exe spawned cmd.exe. [1] |
| | | General (Configuration Change (Detection Logic)) | A General detection named "Living Off The Land Binaries (LOLBAS)" was generated when wscript.exe spawned cmd.exe. [1] |
| | | Tactic (Configuration Change (Detection Logic)) | A Tactic detection named "Scripting (Process)" was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "PowerShell (Process)" was generated when cmd.exe spawned powershell.exe. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Screen Capture (PowerShell CopyFromScreen)" was generated when powershell.exe executed CopyFromScreen(). [1] [2] |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Tactic (Configuration Change (Detection Logic)) | A Tactic detection named "Scripting (Process)" was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Command-Line Interface (Process)" was generated when wscript.exe spawned cmd.exe. [1] |
| | | General (Configuration Change (Detection Logic)) | A General detection named "Living Off The Land Binaries (LOLBAS)" was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Modify Registry (Startup and RunOnce)" was generated when cmd.exe spawned reg.exe to add a value to the registry key. [1] |
| | | Technique | A Technique detection named "Modify Registry (reg.exe)" was generated when cmd.exe spawned reg.exe to add a value to the registry key. [1] [2] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote File Copy (WSH Created Suspicious File)" was generated when wscript.exe downloaded LanCradDriver.ps1 from 192.168.0.4. [1] [2] |
| | | General (Configuration Change (Detection Logic)) | A General detection named "Living Off The Land Binaries (LOLBAS)" was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Command-Line Interface (Process)" was generated when wscript.exe spawned cmd.exe. [1] |
| | | Tactic (Configuration Change (Detection Logic)) | A Tactic detection named "Scripting (Process)" was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "PowerShell (Process)" was generated when cmd.exe spawned powershell.exe. [1] |
| | | General (Configuration Change (Detection Logic), Configuration Change (Data Sources)) | A General detection named "Data from Local System (File reads)" was generated when powershell.exe read various files via the FindFirstFileW() and FindNextFileW() APIs. [1] |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Technique (Configuration Change (Detection Logic), Configuration Change (Data Sources)) | A Technique detection named "Remote System Discovery (PowerShell)" was generated when powershell.exe executed Get-NetComputer, which queried LDAP (port 389) over a network connection to 10.0.0.4. [1] [2] |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Brute Force (PowerShell)" was generated when powershell.exe executed Find-LocalAdminAccess, which connected to multiple hosts over port 135 to check for access. [1] [2] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "PowerShell (Process)" was generated when powershell.exe executed rad353F7.ps1. [1] |
| | | Technique | A Technique detection named "Modify Registry" was generated when powershell.exe added a value to the Registry via New-Item and New-ItemProperty. [1] |
| | | None | Minimum detection criteria was not met for this procedure. |
| | | General (Configuration Change (Detection Logic)) | A General detection named "Living Off The Land Binaries (LOLBAS)" was generated when cmd.exe executed smrs.exe. [1] |
| | | Tactic (Configuration Change (Detection Logic)) | A Tactic detection named "Scripting (Process)" was generated when cmd.exe executed smrs.exe. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Command-Line Interface (Process)" was generated when cmd.exe executed smrs.exe. [1] |
| | | Technique | A Technique detection named "Credential Dumping (Lsass memory read)" was generated when smrs.exe opened and read lsass.exe. [1] [2] |
| | | General | A General detection named "Scripting (Script File Modified)" was generated when powershell.exe downloaded psexec.py from 192.168.0.4. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Command-Line Interface (Process)" was generated when powershell.exe spawned cmd.exe. [1] |
| | | General (Configuration Change (Detection Logic)) | A General detection named "Living Off The Land Binaries (LOLBAS)" was generated when powershell.exe spawned cmd.exe. [1] |
| | | Tactic (Configuration Change (Detection Logic)) | A Tactic detection named "Scripting (Process)" was generated when powershell.exe spawned cmd.exe. [1] |
| | | None | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | None | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | None | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | None | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | None | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | None | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | None | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | None | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | None | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | None | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | None | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | None | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | General | A General detection named "New Service (event log)" was generated when a new service was created to execute cmd.exe. [1] |
| | | General | A General detection named "New Service" was generated when a new service was created to execute cmd.exe. [1] [2] |
| | | None | Minimum detection criteria was not met for this procedure. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "PowerShell (Hosted)" was generated when tiny.exe loaded system.management.automation.dll. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote System Discovery (PowerShell)" was generated when PowerShell executed Get-ADComputer. [1] [2] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Account Discovery (PowerShell)" was generated when PowerShell executed Get-NetUser. [1] [2] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Command-Line Interface (Process)" was generated when tiny.exe spawned cmd.exe. [1] |
| | | General (Configuration Change (Detection Logic)) | A General detection named "Living Off The Land Binaries (LOLBAS)" was generated when tiny.exe spawned cmd.exe. [1] |
| | | Tactic (Configuration Change (Detection Logic)) | A Tactic detection named "Scripting (Process)" was generated when tiny.exe spawned cmd.exe. [1] |
| | | None | Minimum detection criteria was not met for this procedure. |
| | | Technique | A Technique detection named "System Owner/User Discovery" was generated when powershell.exe executed qwinsta /server:cfo. [1] [2] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote Desktop Protocol (Process)" was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. [1] |
| | | Technique | A Technique detection named "Remote File Copy (SCP Usage)" was generated when scp.exe downloaded Java-Update.exe from 192.168.0.4. [1] |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Technique | A Technique detection named "Registry Run Keys/Startup Folder" was generated when the Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Modify Registry (Startup and RunOnce)" was generated when the Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. [1] |
| | | General | A General detection named "Modify Registry (reg.exe)" was generated when reg.exe was executed to add the Java-Update subkey under HKLM\Software\Microsoft\Windows\CurrentVersion. [1] |
| | | General | A General detection named "Modify Registry" was generated when the Java-Update subkey was added under HKLM\Software\Microsoft\Windows\CurrentVersion. [1] |
| | | General (Configuration Change (Detection Logic)) | A General detection named "Living Off The Land Binaries (LOLBAS)" was generated when wscript.exe spawned Java-Update.exe. [1] |
| | | Technique | A Technique detection named "Scripting" was generated when wscript.exe spawned Java-Update.exe. [1] [2] |
| | | None | Minimum detection criteria was not met for this procedure. |
| | | None | Minimum detection criteria was not met for this procedure. |
| | | None | Minimum detection criteria was not met for this procedure. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Process Injection (Remote Thread)" was generated when Java-Update.exe injected into explorer.exe with CreateRemoteThread. [1] |
| | | None | Minimum detection criteria was not met for this procedure. |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Technique (Configuration Change (Data Sources), Configuration Change (Detection Logic)) | A Technique detection named "Data from Local System (File Reads)" was generated when explorer.exe read Klog2.txt. [1] |
| | | Tactic (Configuration Change (Detection Logic)) | A Tactic detection named "Credential Access (DLL)" was generated when infosMin48.exe loaded a DLL associated with credential access. [1] |
| | | Technique | A Technique detection named "File Deletion" was generated when powershell.exe deleted files from C:\Users\jsmith\AppData\Local\Temp\. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Disabling Security Tools (Netsh Running from CMD or PowerShell)" was generated when netsh.exe added a 'Service Host' firewall rule allowing inbound TCP port 5900. [1] |
| | | General | A General detection named "Modify Registry" was generated when the tvncontrol subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. [1] |
| | | Technique | A Technique detection named "Registry Run Keys/Startup Folder" was generated when the tvncontrol subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. [1] |
| | | Technique | A Technique detection named "Modify Registry" was generated when subkeys were added to HKLM\Software\TightVNC\Server via vnc-settings.reg. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Modify Registry (Startup and Runonce)" was generated when the Java-Update subkey at HKLM\Software\Microsoft\Windows\CurrentVersion\Run was deleted. [1] |
| | | General | A General detection named "Registry Run Keys/Startup Folder" was generated when the Java-Update subkey at HKLM\Software\Microsoft\Windows\CurrentVersion\Run was deleted. [1] |
| | | Technique | A Technique detection named "Modify Registry (reg.exe)" was generated when reg.exe was spawned to delete the Java-Update subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run. [1] [2] |
| | | General | A General detection named "Modify Registry" was generated when the Java-Update subkey at HKLM\Software\Microsoft\Windows\CurrentVersion\Run was deleted. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote Access Tools (TightVNC Server)" was generated when tvnserver.exe began listening for connections. [1] |
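The Detection Notes in the table describe a handful of recurring patterns: a script host or shell running beneath an Office application ("Office Parent"), wscript.exe spawning cmd.exe, reg.exe writing a value under a Run key, and netsh.exe opening an inbound port ahead of the VNC server. The following Python is an added example written for this page, not the evaluated product's detection logic and not MITRE's evaluation tooling. The rule names, the event layout (loosely modelled on Sysmon process-creation and registry events) and every sample event are constructed here to mirror the notes above; file paths and command-line flags in the samples are assumptions.

```python
"""Added example: toy detection rules over constructed process/registry events.

Not the evaluated product's logic and not MITRE tooling; rule names, the event
layout and all sample events below are constructed to mirror the table's notes.
"""
import re
from dataclasses import dataclass

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Matches ...\CurrentVersion\Run or ...\CurrentVersion\RunOnce as a whole path component.
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?(?=[\\\s"]|$)', re.IGNORECASE)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str        # image file name only, lower case
    cmdline: str = ""


@dataclass
class RegistryEvent:
    pid: int          # process that performed the write
    key: str
    value: str = ""


def ancestors(ev, by_pid):
    """Yield image names of ev's parent, grandparent, ... (cycle-safe)."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur.image
        cur = by_pid.get(cur.ppid)


def detect(proc_events, reg_events=()):
    """Return (rule name, pid) for every rule each event matches."""
    by_pid = {e.pid: e for e in proc_events}
    findings = []
    for e in proc_events:
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else ""
        cl = e.cmdline
        # Rule 1: script host or shell anywhere below an Office application
        # (the "Office Parent" chain winword.exe -> wscript.exe -> cmd.exe).
        if e.image in SCRIPT_HOSTS | SHELLS and any(a in OFFICE for a in ancestors(e, by_pid)):
            findings.append(("Office Parent", e.pid))
        # Rule 2: Windows Script Host directly spawning a shell.
        if e.image in SHELLS and parent_image in SCRIPT_HOSTS:
            findings.append(("Script Host -> Shell", e.pid))
        # Rule 3: reg.exe adding a value under a Run/RunOnce key (persistence).
        if e.image == "reg.exe" and re.search(r"^\S+\s+add\b", cl, re.I) and RUN_KEY.search(cl):
            findings.append(("reg.exe Run Key", e.pid))
        # Rule 4: netsh adding an inbound allow rule for a specific port
        # (the 'Service Host' rule for TCP 5900 ahead of tvnserver.exe).
        if (e.image == "netsh.exe"
                and re.search(r"\badd\s+rule\b", cl, re.I)
                and re.search(r"\bdir=in\b", cl, re.I)
                and re.search(r"\baction=allow\b", cl, re.I)
                and re.search(r"\blocalport=\d+", cl, re.I)):
            findings.append(("Inbound Port Opened", e.pid))
    # Rule 5: any registry write, whatever API produced it, landing in Run/RunOnce.
    for r in reg_events:
        if RUN_KEY.search(r.key):
            findings.append(("Run Key Modified", r.pid))
    return findings


# Constructed sample: a phishing chain plus a benign shell started from explorer.exe.
# Paths and command-line flags are assumptions, not values from the evaluation.
SAMPLE_PROCS = [
    ProcessEvent(1, 0, "explorer.exe"),
    ProcessEvent(100, 1, "winword.exe", "WINWORD.EXE /n invoice.docm"),
    ProcessEvent(101, 100, "wscript.exe", "wscript.exe unprotected.vbe"),
    ProcessEvent(102, 101, "cmd.exe", "cmd.exe"),
    ProcessEvent(103, 102, "powershell.exe", "powershell.exe -File rad353F7.ps1"),
    ProcessEvent(104, 102, "reg.exe",
                 r"reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
                 r" /v Java-Update /t REG_SZ /d C:\Temp\Java-Update.exe"),
    ProcessEvent(105, 103, "netsh.exe",
                 'netsh.exe advfirewall firewall add rule name="Service Host"'
                 " dir=in action=allow protocol=TCP localport=5900"),
    ProcessEvent(201, 1, "cmd.exe", "cmd.exe"),   # benign: explorer.exe -> cmd.exe
]
SAMPLE_REGS = [
    RegistryEvent(104, r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Java-Update"),
    RegistryEvent(201, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer", "ShellState"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_PROCS, SAMPLE_REGS):
        print(f"{rule:22} pid={pid}")
```

Rule 1 walks the full ancestry rather than checking only the direct parent, which is what lets cmd.exe and powershell.exe two and three hops below winword.exe still fire, while the cmd.exe launched from explorer.exe (pid 201) matches nothing. Rule 5 is deliberately independent of the process that wrote the key, so a Run value set through New-ItemProperty from PowerShell is caught even though Rule 3 only looks at reg.exe command lines.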