19.B.1.1
Procedure:
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Detections:
19.B.1.2
Procedure:
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Detections:
12.E.1.5
Procedure:
Empire: WinEnum module included enumeration of clipboard contents
Detections:
18.B.1.1
Procedure:
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Detections:
9.B.1.1
Procedure:
Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Detections:
18.B.1.2
Procedure:
Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Detections:
8.C.1.1
Procedure:
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Detections:
8.D.1.1
Procedure:
Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Detections:
1.C.1.2
Procedure:
Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com
Detections:
6.B.1.2
Procedure:
Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com
Detections:
11.B.1.2
Procedure:
Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com
Detections:
14.A.1.3
Procedure:
Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP
Detections:
1.C.1.1
Procedure:
Cobalt Strike: C2 channel established using port 53
Detections:
6.B.1.1
Procedure:
Cobalt Strike: C2 channel modified to use port 80
Detections:
11.B.1.1
Procedure:
Empire: C2 channel established using port 443
Detections:
14.A.1.4
Procedure:
Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080
Detections:
1.C.1.3
Procedure:
Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding
Detections:
11.B.1.3
Procedure:
Empire: Encrypted C2 channel established using HTTPS
Detections:
7.B.1
Procedure:
Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
Detections:
14.A.1.2
Procedure:
Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk
Detections:
16.E.1
Procedure:
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Detections:
19.A.1.2
Procedure:
Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)
Detections:
6.B.1.3
Procedure:
Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS
Detections:
16.A.1.1
Procedure:
Empire: 'net use' via PowerShell for brute force password spraying authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting credentials of users Kmitnick, Bob, and Frieda
Detections:
16.B.1.3
Procedure:
Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying
Detections:
8.C.1.1
Procedure:
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Detections:
5.A.1.1
Procedure:
Cobalt Strike: Built-in Mimikatz credential dump capability executed
Detections:
5.A.2.1
Procedure:
Cobalt Strike: Built-in hash dump capability executed
Detections:
15.B.1
Procedure:
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Detections:
3.A.1.1
Procedure:
Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Detections:
14.A.1.1
Procedure:
Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
Detections:
3.A.1.2
Procedure:
Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
Detections:
5.B.1
Procedure:
Cobalt Strike: Built-in token theft capability executed to change user context to George
Detections:
17.B.1
Procedure:
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
Detections:
17.B.2
Procedure:
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
Detections:
19.D.1
Procedure:
Empire: 'del C:\"$"Recycle.bin\old.rar'
Detections:
19.D.2
Procedure:
Empire: 'del recycler.exe'
Detections:
16.C.1
Procedure:
Empire: 'net use -delete' via PowerShell
Detections:
19.A.1.1
Procedure:
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Detections:
19.B.1.3
Procedure:
Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
Detections:
16.I.1.2
Procedure:
Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)
Detections:
3.C.1
Procedure:
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Detections:
5.A.1.2
Procedure:
Cobalt Strike: Credential dump capability involved process injection into lsass
Detections:
5.A.2.2
Procedure:
Cobalt Strike: Hash dump capability involved process injection into lsass.exe
Detections:
8.D.1.2
Procedure:
Cobalt Strike: Screen capture capability involved process injection into explorer.exe
Detections:
1.A.1.2
Procedure:
Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32
Detections:
16.D.1.2
Procedure:
Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
Detections:
10.B.1.1
Procedure:
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Detections:
16.B.1.1
Procedure:
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Detections:
2.G.1
Procedure:
Cobalt Strike: 'net user -domain' via cmd
Detections:
2.G.2
Procedure:
Cobalt Strike: 'net user george -domain' via cmd
Detections:
12.G.2
Procedure:
Empire: 'net user -domain' via PowerShell
Detections:
7.A.1.3
Procedure:
Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information
Detections:
12.G.1
Procedure:
Empire: 'net user' via PowerShell
Detections:
8.C.1.2
Procedure:
Cobalt Strike: Keylogging capability included residual enumeration of application windows
Detections:
15.A.1.2
Procedure:
Empire: Built-in keylogging module included residual enumeration of application windows
Detections:
8.A.1
Procedure:
Cobalt Strike: 'dir -s -b "\\conficker\wormshare"' via cmd
Detections:
8.A.2
Procedure:
Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
Detections:
9.A.1
Procedure:
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Detections:
12.E.1.4.1
Procedure:
Empire: WinEnum module included enumeration of recently opened files
Detections:
12.E.1.4.2
Procedure:
Empire: WinEnum module included enumeration of interesting files
Detections:
16.K.1
Procedure:
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
Detections:
18.A.1
Procedure:
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Detections:
12.E.1.9.1
Procedure:
Empire: WinEnum module included enumeration of available shares
Detections:
12.E.1.9.2
Procedure:
Empire: WinEnum module included enumeration of mapped network drives
Detections:
12.E.1.3
Procedure:
Empire: WinEnum module included enumeration of password policy information
Detections:
2.F.2
Procedure:
Cobalt Strike: 'net localgroup administrators -domain' via cmd
Detections:
2.F.3
Procedure:
Cobalt Strike: 'net group "Domain Admins" -domain' via cmd
Detections:
12.E.1.2
Procedure:
Empire: WinEnum module included enumeration of AD group memberships
Detections:
12.F.1
Procedure:
Empire: 'net group "Domain Admins" -domain' via PowerShell
Detections:
2.F.1
Procedure:
Cobalt Strike: 'net localgroup administrators' via cmd
Detections:
12.F.2
Procedure:
Empire: 'Net Localgroup Administrators' via PowerShell
Detections:
2.C.1
Procedure:
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Detections:
2.C.2
Procedure:
Cobalt Strike: 'tasklist -v' via cmd
Detections:
3.B.1
Procedure:
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Detections:
8.B.1
Procedure:
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Detections:
12.C.1
Procedure:
Empire: 'qprocess *' via PowerShell
Detections:
2.H.1
Procedure:
Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
Detections:
6.A.1
Procedure:
Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
Detections:
12.E.1.7
Procedure:
Empire: WinEnum module included enumeration of system information via a Registry query
Detections:
13.C.1
Procedure:
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Detections:
17.A.1.2
Procedure:
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Detections:
4.A.1
Procedure:
Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd
Detections:
4.A.2
Procedure:
Cobalt Strike: 'net group "Domain Computers" -domain' via cmd
Detections:
13.A.1
Procedure:
Empire: 'net group "Domain Computers" -domain' via PowerShell
Detections:
12.E.1.10.1
Procedure:
Empire: WinEnum module included enumeration of AV solutions
Detections:
12.E.1.10.2
Procedure:
Empire: WinEnum module included enumeration of firewall rules
Detections:
2.E.1
Procedure:
Cobalt Strike: 'systeminfo' via cmd
Detections:
2.E.2
Procedure:
Cobalt Strike: 'net config workstation' via cmd
Detections:
12.E.1.6.1
Procedure:
Empire: WinEnum module included enumeration of system information
Detections:
12.E.1.6.2
Procedure:
Empire: WinEnum module included enumeration of Windows update information
Detections:
2.A.1
Procedure:
Cobalt Strike: 'ipconfig -all' via cmd
Detections:
2.A.2
Procedure:
Cobalt Strike: 'arp -a' via cmd
Detections:
4.B.1
Procedure:
Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
Detections:
12.A.1
Procedure:
Empire: 'route print' via PowerShell
Detections:
12.A.2
Procedure:
Empire: 'ipconfig -all' via PowerShell
Detections:
12.E.1.11
Procedure:
Empire: WinEnum module included enumeration of network adapters
Detections:
4.C.1
Procedure:
Cobalt Strike: 'netstat -ano' via cmd
Detections:
12.E.1.12
Procedure:
Empire: WinEnum module included enumeration of established network connections
Detections:
13.B.1
Procedure:
Empire: 'net use' via PowerShell
Detections:
13.B.2
Procedure:
Empire: 'netstat -ano' via PowerShell
Detections:
2.B.1
Procedure:
Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
Detections:
12.B.1
Procedure:
Empire: 'whoami -all -fo list' via PowerShell
Detections:
12.E.1.1
Procedure:
Empire: WinEnum module included enumeration of user information
Detections:
20.B.1
Procedure:
Executed 'whoami' via the cmd persistence mechanism through an RDP connection made to Creeper (10.0.0.4)
Detections:
2.D.1
Procedure:
Cobalt Strike: 'sc query' via cmd
Detections:
2.D.2
Procedure:
Cobalt Strike: 'net start' via cmd
Detections:
12.D.1
Procedure:
Empire: 'net start' via PowerShell
Detections:
12.E.1.8
Procedure:
Empire: WinEnum module included enumeration of services
Detections:
16.H.1
Procedure:
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
Detections:
16.J.1
Procedure:
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
Detections:
17.A.1.1
Procedure:
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
Detections:
16.F.1
Procedure:
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Detections:
12.E.1
Procedure:
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Detections:
15.A.1.1
Procedure:
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Detections:
11.A.1
Procedure:
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Detections:
1.A.1.3
Procedure:
Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)
Detections:
7.A.1.2
Procedure:
Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection
Detections:
7.C.1
Procedure:
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Detections:
10.A.2
Procedure:
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Detections:
16.L.1
Procedure:
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Detections:
1.A.1.1
Procedure:
Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
Detections:
19.C.1
Procedure:
Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfiltrate data through a network connection separate from the existing C2 channel
Detections:
9.B.1.2
Procedure:
Cobalt Strike: Download capability exfiltrated data through existing C2 channel
Detections:
16.D.1.2
Procedure:
Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
Detections:
10.B.1.1
Procedure:
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Detections:
16.B.1.1
Procedure:
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Detections:
16.G.1
Procedure:
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Detections:
6.C.1
Procedure:
Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
Detections:
10.B.1.2
Procedure:
RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism
Detections:
20.A.1.2
Procedure:
RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism
Detections:
16.A.1.2
Procedure:
Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)
Detections:
16.B.1.2
Procedure:
Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)
Detections:
16.D.1.1
Procedure:
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Detections:
1.B.1
Procedure:
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Detections:
10.A.1
Procedure:
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Detections:
7.A.1.1
Procedure:
Added user Jesse to Conficker (10.0.0.5) through RDP connection
Detections:
16.I.1.1
Procedure:
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
Detections:
17.C.1
Procedure:
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Detections:
20.A.1.1
Procedure:
magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
Detections:
7.C.1
Procedure:
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Detections:
10.A.2
Procedure:
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Detections:
16.D.1.2
Procedure:
Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
Detections:
10.B.1.1
Procedure:
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Detections:
16.B.1.1
Procedure:
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Detections:
3.A.1.1
Procedure:
Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Detections:
14.A.1.1
Procedure:
Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
Detections:
3.A.1.2
Procedure:
Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
Detections:
5.B.1
Procedure:
Cobalt Strike: Built-in token theft capability executed to change user context to George
Detections:
1.B.1
Procedure:
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Detections:
10.A.1
Procedure:
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Detections:
16.I.1.1
Procedure:
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
Detections:
17.C.1
Procedure:
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Detections:
20.A.1.1
Procedure:
magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
Detections:
3.C.1
Procedure:
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Detections:
5.A.1.2
Procedure:
Cobalt Strike: Credential dump capability involved process injection into lsass
Detections:
5.A.2.2
Procedure:
Cobalt Strike: Hash dump capability involved process injection into lsass.exe
Detections:
8.D.1.2
Procedure:
Cobalt Strike: Screen capture capability involved process injection into explorer.exe
Detections:
7.C.1
Procedure:
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Detections:
10.A.2
Procedure:
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Detections:
16.D.1.2
Procedure:
Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
Detections:
10.B.1.1
Procedure:
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Detections:
16.B.1.1
Procedure:
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Detections: