APT3 Substep numbers were updated on November 11, 2021 to accommodate changes to ATT&CK and updates to the result data structure. No results were modified in this process.
Procedure
Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria
powershell.exe reading files in C:\Users\Pam\
Procedure
Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria
powershell.exe creating the file draft.zip
Procedure
Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria
The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Procedure
Dropped stage 2 payload (monkey.png) to disk
Criteria
The rcs.3aka3.doc process creating the file monkey.png
Procedure
Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is HTTPS
Procedure
Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria
powershell.exe creating the file SysinternalsSuite.zip
Procedure
Enumerated user's temporary directory path using PowerShell
Criteria
powershell.exe executing $env:TEMP
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.


Procedure
Enumerated the current username using PowerShell
Criteria
powershell.exe executing $env:USERNAME
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.


Procedure
Enumerated the computer hostname using PowerShell
Criteria
powershell.exe executing $env:COMPUTERNAME
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.


Procedure
Enumerated the current domain name using PowerShell
Criteria
powershell.exe executing $env:USERDOMAIN
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.


Procedure
Enumerated the current process ID using PowerShell
Criteria
powershell.exe executing $PID
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.


Procedure
Enumerated the OS version using PowerShell
Criteria
powershell.exe executing Gwmi Win32_OperatingSystem
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.


Procedure
Enumerated anti-virus software using PowerShell
Criteria
powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.


Procedure
Enumerated firewall software using PowerShell
Criteria
powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.


Procedure
Enumerated user's domain group membership via the NetUserGetGroups API
Criteria
powershell.exe executing the NetUserGetGroups API
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.


Procedure
Executed API call by reflectively loading Netapi32.dll
Criteria
The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.


Procedure
Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria
powershell.exe executing the NetUserGetLocalGroups API
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.


Procedure
Executed API call by reflectively loading Netapi32.dll
Criteria
The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.


Procedure
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria
powershell.exe creating the file hostui.lnk in the Startup folder
Footnotes
- MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity.




Procedure
Read the Chrome SQL database file to extract encrypted credentials
Criteria
accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Procedure
Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria
accesschk.exe executing the CryptUnprotectData API
Procedure
Exported a local certificate to a PFX file using PowerShell
Criteria
powershell.exe creating a certificate file exported from the system
Procedure
Read data in the user's Downloads directory using PowerShell
Criteria
powershell.exe reading files in C:\Users\pam\Downloads\
Procedure
Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
Criteria
powershell.exe creating the file OfficeSupplies.7z
Procedure
Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria
Network connection to Scranton (10.0.1.4) over port 5985
Procedure
Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
Criteria
python.exe creating the file rar.exe
Procedure
Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)
Criteria
python.exe creating the file sdelete64.exe
Procedure
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria
powershell.exe reading files in C:\Users\Pam\
Procedure
Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
Criteria
powershell.exe creating the file working.zip
Procedure
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria
python.exe reading the file working.zip while connected to the C2 channel
Procedure
Deleted SDelete on disk using cmd.exe del command
Criteria
cmd.exe deleting the file sdelete64.exe
Procedure
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Procedure
Executed PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe executing the CreateProcessWithToken API
Procedure
Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria
Established network channel over the HTTPS protocol
Procedure
Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Read and collected a local file using PowerShell
Criteria
powershell.exe reading the file MITRE-ATTACK-EVALS.HTML
Procedure
Staged collected file into directory using PowerShell
Criteria
powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML
Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring

