Participant Comparison Tool
1.A.1 Standard Cryptographic Protocol (T1032)
Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
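What "evidence that the channel is encrypted" can look like in a detector, as an added example that is not part of the evaluation page or any participant's product: a minimal RC4 implementation standing in for the adversary's cipher, and a byte-entropy check over flows to the 192.168.0.5 C2 address. The key, the beacon text and the sample flows are constructed for the example; only the C2 address and the TCP port 1234 come from the page.

```python
"""Added example, not part of the MITRE ATT&CK Evaluations page or any participant's
product: RC4 as used for the step 1.A.1 C2 channel, plus the byte-entropy check a
detector can use as evidence that the channel carries encrypted data."""
import math
from collections import Counter

C2_HOST = "192.168.0.5"          # C2 address from the page (step 1.A.1)
RC4_KEY = b"lab-only-key"        # assumption: any key; the real key is not on the page


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key-scheduling (KSA) then XOR with the PRGA keystream.
    Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, roughly 4-5 for ASCII protocol text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(payload: bytes, min_len: int = 256, threshold: float = 7.0) -> bool:
    """Heuristic: short payloads cannot reach high entropy, so require a minimum length.
    Compressed data (gzip, images) also scores high, so this is evidence, not proof."""
    return len(payload) >= min_len and shannon_entropy(payload) >= threshold


def flag_encrypted_c2(flows, c2_host: str = C2_HOST):
    """flows: iterable of (dst_ip, dst_port, payload). Returns (dst_ip, dst_port, entropy)
    for flows to c2_host whose payload looks encrypted."""
    return [(ip, port, round(shannon_entropy(p), 2))
            for ip, port, p in flows
            if ip == c2_host and looks_encrypted(p)]


# Constructed sample traffic (not captured data): a plaintext beacon and its RC4 ciphertext.
BEACON = b"id=eval-lab;host=Scranton;user=pam;cmd=checkin;seq=0001\n" * 20
FLOWS = [
    ("192.168.0.5", 1234, rc4(RC4_KEY, BEACON)),   # encrypted C2 beacon
    ("192.168.0.5", 1234, BEACON),                 # same beacon sent in the clear
    ("10.0.1.4", 5985, rc4(RC4_KEY, BEACON)),      # encrypted, but not to the C2 host
]

if __name__ == "__main__":
    for hit in flag_encrypted_c2(FLOWS):
        print("encrypted C2 flow:", hit)
```

Entropy alone does not separate encryption from compression, which is why an evaluator would expect the high-entropy observation to be paired with the destination (a non-standard port on a known C2 address) before calling it evidence of T1032 rather than generic telemetry.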
1.A.2 Windows Remote Management (T1028)
Procedure: Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria: Network connection to Scranton (10.0.1.4) over port 5985
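The three levels of evidence the comparison table distinguishes for this step (network telemetry, a technique-level alert on wsmprovhost.exe, and a correlated detection), as an added example that is not part of the evaluation page or any participant's product. The telemetry records are constructed; the source host name "Utica" and the event field names are assumptions, while the target Scranton (10.0.1.4), port 5985 and wsmprovhost.exe come from the page.

```python
"""Added example, not part of the MITRE ATT&CK Evaluations page or any participant's
product: detection logic for the step 1.A.2 WinRM connection, run over constructed
endpoint telemetry, producing the three levels seen in the comparison
(telemetry, technique alert, correlated)."""
from collections import defaultdict

WINRM_PORTS = {5985, 5986}            # WinRM HTTP and HTTPS listeners
HOST_IPS = {"Scranton": "10.0.1.4"}   # target host from the page (step 1.A.2)

# Constructed sample telemetry (not captured data). Source host "Utica" is an assumption.
EVENTS = [
    {"type": "network", "host": "Utica", "process": "powershell.exe",
     "dst_ip": "10.0.1.4", "dst_port": 5985, "proto": "tcp"},
    {"type": "process", "host": "Scranton",
     "image": r"C:\Windows\System32\wsmprovhost.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "wsmprovhost.exe -Embedding"},
    {"type": "network", "host": "Utica", "process": "explorer.exe",
     "dst_ip": "192.168.0.5", "dst_port": 1234, "proto": "tcp"},   # C2 flow, not WinRM
]


def classify(event):
    """Telemetry: any TCP connection to a WinRM port. Technique: the WinRM plugin host
    process starting on the target. Both carry the target IP so they can be correlated."""
    if (event["type"] == "network" and event["proto"] == "tcp"
            and event["dst_port"] in WINRM_PORTS):
        return {"level": "telemetry", "target_ip": event["dst_ip"],
                "detail": f"{event['host']}:{event['process']} -> "
                          f"{event['dst_ip']}:{event['dst_port']} (WinRM)"}
    if (event["type"] == "process"
            and event["image"].lower().endswith("\\wsmprovhost.exe")):
        return {"level": "technique", "target_ip": HOST_IPS.get(event["host"]),
                "detail": f"WinRM remote execution: wsmprovhost.exe on {event['host']}"}
    return None


def detect_winrm(events):
    """Classify events, then mark a finding correlated when the same target IP has both
    the network telemetry and the technique-level process evidence."""
    findings = [f for f in map(classify, events) if f]
    levels_by_ip = defaultdict(set)
    for f in findings:
        levels_by_ip[f["target_ip"]].add(f["level"])
    for f in findings:
        f["correlated"] = {"telemetry", "technique"} <= levels_by_ip[f["target_ip"]]
    return findings


if __name__ == "__main__":
    for f in detect_winrm(EVENTS):
        print(f["level"], "(correlated)" if f["correlated"] else "", "-", f["detail"])
```

A connection to port 5985 by itself is routine administration traffic and only meets the telemetry bar; wsmprovhost.exe appearing on the target is what turns it into a technique-level WinRM remote execution alert, and tying both to one target host is the correlation that separates a bare telemetry hit from a detection linked to a parent alert.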
Participant A | Participant B
---|---
Technique alert (warning severity): "WinRM Remote Execution", generated on execution of wsmprovhost.exe.[1] | Technique alert (red indicator): "Powershell or WinRM remoting activity", based on wsmprovhost.exe.
Telemetry: network connection to a remote host over TCP port 1234. | Telemetry (correlated): network connection to a remote host over TCP port 1234; the detection was correlated to a parent alert.