Trend Micro: Results
Participant Configuration: APT29 / Carbanak+FIN7

MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Procedure

User Pam executed payload rcs.3aka3.doc

Criteria

The rcs.3aka3.doc process spawning from explorer.exe

[1]

Procedure

User Pam executed payload rcs.3aka3.doc

Criteria

The rcs.3aka3.doc process spawning from explorer.exe

[1]

Procedure

User Pam executed payload rcs.3aka3.doc

Criteria

The rcs.3aka3.doc process spawning from explorer.exe

[1]

Procedure

Used Unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka3.scr)

Criteria

Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka3.scr)

[1]

Procedure

Used Unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka3.scr)

Criteria

Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka3.scr)

Footnotes

  • The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change.
[1]

Procedure

Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234

Criteria

Established network channel over port 1234

[1]

Procedure

Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234

Criteria

Established network channel over port 1234

[1]

Procedure

Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic

Criteria

Evidence that the network data sent over the C2 channel is encrypted

Procedure

Spawned interactive cmd.exe

Criteria

cmd.exe spawning from the rcs.3aka3.doc process

[1]

Procedure

Spawned interactive cmd.exe

Criteria

cmd.exe spawning from the rcs.3aka3.doc process

[1]

Procedure

Spawned interactive powershell.exe

Criteria

powershell.exe spawning from cmd.exe

[1]

[2]

[3]

Procedure

Searched filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

[1]

Procedure

Searched filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

Footnotes

  • The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change.
[1]

Procedure

Searched filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

[1]

Procedure

Scripted search of filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

[1]

Procedure

Scripted search of filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

Footnotes

  • The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change.
[1]

Procedure

Scripted search of filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

[1]

Procedure

Recursively collected files found in C:\Users\Pam\ using PowerShell

Criteria

powershell.exe reading files in C:\Users\Pam\

[1]

Procedure

Compressed and stored files into ZIP (Draft.zip) using PowerShell

Criteria

powershell.exe executing Compress-Archive

[1]

Procedure

Compressed and stored files into ZIP (Draft.zip) using PowerShell

Criteria

powershell.exe executing Compress-Archive

[1]

Procedure

Staged files for exfiltration into ZIP (Draft.zip) using PowerShell

Criteria

powershell.exe creating the file draft.zip

[1]

Procedure

Staged files for exfiltration into ZIP (Draft.zip) using PowerShell

Criteria

powershell.exe creating the file draft.zip

[1]

Procedure

Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)

Criteria

The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel

[1]

Procedure

Dropped stage 2 payload (monkey.png) to disk

Criteria

The rcs.3aka3.doc process creating the file monkey.png

[1]

Procedure

Embedded PowerShell payload in monkey.png using steganography

Criteria

Evidence that a PowerShell payload was within monkey.png

[1]

Procedure

Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell

Criteria

Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command

[1]

Procedure

Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell

Criteria

Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command

Footnotes

  • The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change.
[1]

Procedure

Executed elevated PowerShell payload

Criteria

High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)

[1]

[2]

Procedure

Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443

Criteria

Established network channel over port 443

[1]

[2]

Procedure

Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443

Criteria

Established network channel over port 443

[1]

Procedure

Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443

Criteria

Established network channel over port 443

[1]

Procedure

Used HTTPS to transport C2 (192.168.0.5) traffic

Criteria

Evidence that the network data sent over the C2 channel is HTTPS

[1]

Procedure

Used HTTPS to encrypt C2 (192.168.0.5) traffic

Criteria

Evidence that the network data sent over the C2 channel is encrypted

[1]

Procedure

Modified the Registry to remove artifacts of COM hijacking

Criteria

Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

[1]

Procedure

Modified the Registry to remove artifacts of COM hijacking

Criteria

Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

[1]

Procedure

Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)

Criteria

powershell.exe creating the file SysinternalsSuite.zip

[1]

Procedure

Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)

Criteria

powershell.exe creating the file SysinternalsSuite.zip

[1]

Procedure

Spawned interactive powershell.exe

Criteria

powershell.exe spawning from powershell.exe

[1]

Procedure

Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell

Criteria

powershell.exe executing Expand-Archive

[1]

[2]

Procedure

Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell

Criteria

powershell.exe executing Expand-Archive

[1]

Procedure

Enumerated current running processes using PowerShell

Criteria

powershell.exe executing Get-Process

[1]

Procedure

Enumerated current running processes using PowerShell

Criteria

powershell.exe executing Get-Process

Footnotes

  • The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change.
[1]

Procedure

Enumerated current running processes using PowerShell

Criteria

powershell.exe executing Get-Process

[1]

Procedure

Deleted rcs.3aka3.doc on disk using SDelete

Criteria

sdelete64.exe deleting the file rcs.3aka3.doc

[1]

[2]

Procedure

Deleted rcs.3aka3.doc on disk using SDelete

Criteria

sdelete64.exe deleting the file rcs.3aka3.doc

[1]

[2]

Procedure

Deleted rcs.3aka3.doc on disk using SDelete

Criteria

sdelete64.exe deleting the file rcs.3aka3.doc

[1]

Procedure

Deleted Draft.zip on disk using SDelete

Criteria

sdelete64.exe deleting the file draft.zip

[1]

Procedure

Deleted Draft.zip on disk using SDelete

Criteria

sdelete64.exe deleting the file draft.zip

[1]

Procedure

Deleted Draft.zip on disk using SDelete

Criteria

sdelete64.exe deleting the file draft.zip

[1]

Procedure

Deleted SysinternalsSuite.zip on disk using SDelete

Criteria

sdelete64.exe deleting the file SysinternalsSuite.zip

[1]

Procedure

Deleted SysinternalsSuite.zip on disk using SDelete

Criteria

sdelete64.exe deleting the file SysinternalsSuite.zip

[1]

Procedure

Deleted SysinternalsSuite.zip on disk using SDelete

Criteria

sdelete64.exe deleting the file SysinternalsSuite.zip

[1]

Procedure

Enumerated user's temporary directory path using PowerShell

Criteria

powershell.exe executing $env:TEMP

[1]

Procedure

Enumerated the current username using PowerShell

Criteria

powershell.exe executing $env:USERNAME

[1]

Procedure

Enumerated the computer hostname using PowerShell

Criteria

powershell.exe executing $env:COMPUTERNAME

[1]

Procedure

Enumerated the current domain name using PowerShell

Criteria

powershell.exe executing $env:USERDOMAIN

[1]

Procedure

Enumerated the current process ID using PowerShell

Criteria

powershell.exe executing $PID

[1]

Procedure

Enumerated the OS version using PowerShell

Criteria

powershell.exe executing Gwmi Win32_OperatingSystem

[1]

Procedure

Enumerated the OS version using PowerShell

Criteria

powershell.exe executing Gwmi Win32_OperatingSystem

[1]

Procedure

Enumerated anti-virus software using PowerShell

Criteria

powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct

[1]

Procedure

Enumerated anti-virus software using PowerShell

Criteria

powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct

[1]

Procedure

Enumerated firewall software using PowerShell

Criteria

powershell.exe executing Get-WmiObject ... -Class FireWallProduct

[1]

Procedure

Enumerated firewall software using PowerShell

Criteria

powershell.exe executing Get-WmiObject ... -Class FireWallProduct

[1]

Procedure

Enumerated user's domain group membership via the NetUserGetGroups API

Criteria

powershell.exe executing the NetUserGetGroups API

[1]

Procedure

Executed API call by reflectively loading Netapi32.dll

Criteria

The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll

Procedure

Enumerated user's local group membership via the NetUserGetLocalGroups API

Criteria

powershell.exe executing the NetUserGetLocalGroups API

[1]

Procedure

Executed API call by reflectively loading Netapi32.dll

Criteria

The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll

Procedure

Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup

Criteria

powershell.exe creating the Javamtsup service

[1]

Procedure

Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup

Criteria

powershell.exe creating the Javamtsup service

[1]

Procedure

Created a LNK file (hostui.lnk) in the Startup folder that executes on login

Criteria

powershell.exe creating the file hostui.lnk in the Startup folder

[1]

Procedure

Created a LNK file (hostui.lnk) in the Startup folder that executes on login

Criteria

powershell.exe creating the file hostui.lnk in the Startup folder

[1]

Procedure

Created a LNK file (hostui.lnk) in the Startup folder that executes on login

Criteria

powershell.exe creating the file hostui.lnk in the Startup folder

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Read the Chrome SQL database file to extract encrypted credentials

Criteria

accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\

[1]

Procedure

Read the Chrome SQL database file to extract encrypted credentials

Criteria

accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\

[1]

Procedure

Executed the CryptUnprotectData API call to decrypt Chrome passwords

Criteria

accesschk.exe executing the CryptUnprotectData API

Procedure

Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool

Criteria

Evidence that accesschk.exe is not the legitimate Sysinternals tool

[1]

Procedure

Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool

Criteria

Evidence that accesschk.exe is not the legitimate Sysinternals tool

[1]

Procedure

Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool

Criteria

Evidence that accesschk.exe is not the legitimate Sysinternals tool

[1]

Procedure

Exported a local certificate to a PFX file using PowerShell

Criteria

powershell.exe creating a certificate file exported from the system

[1]

Procedure

Exported a local certificate to a PFX file using PowerShell

Criteria

powershell.exe creating a certificate file exported from the system

[1]

Procedure

Exported a local certificate to a PFX file using PowerShell

Criteria

powershell.exe creating a certificate file exported from the system

Footnotes

  • The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change.
[1]

Procedure

Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe

Criteria

powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\

[1]

[2]

Procedure

Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe

Criteria

powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\

[1]

Procedure

Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe

Criteria

powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\

[1]

Procedure

Captured and saved screenshots using PowerShell

Criteria

powershell.exe executing the CopyFromScreen function from System.Drawing.dll

[1]

Procedure

Captured clipboard contents using PowerShell

Criteria

powershell.exe executing Get-Clipboard

[1]

[2]

Procedure

Captured clipboard contents using PowerShell

Criteria

powershell.exe executing Get-Clipboard

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Captured user keystrokes using the GetAsyncKeyState API

Criteria

powershell.exe executing the GetAsyncKeyState API

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Captured user keystrokes using the GetAsyncKeyState API

Criteria

powershell.exe executing the GetAsyncKeyState API

[1]

[2]

Procedure

Read data in the user's Downloads directory using PowerShell

Criteria

powershell.exe reading files in C:\Users\pam\Downloads\

[1]

Procedure

Read data in the user's Downloads directory using PowerShell

Criteria

powershell.exe reading files in C:\Users\pam\Downloads\

[1]

Procedure

Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell

Criteria

powershell.exe creating the file OfficeSupplies.7z

[1]

Procedure

Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell

Criteria

powershell.exe creating the file OfficeSupplies.7z

[1]

Procedure

Encrypted data from the user's Downloads directory using PowerShell

Criteria

powershell.exe executing Compress-7Zip with the password argument used for encryption

[1]

Procedure

Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell

Criteria

powershell.exe executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)

[1]

Procedure

Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell

Criteria

powershell.exe executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Enumerated remote systems using LDAP queries

Criteria

powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)

[1]

Procedure

Enumerated remote systems using LDAP queries

Criteria

powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Established WinRM connection to remote host Scranton (10.0.1.4)

Criteria

Network connection to Scranton (10.0.1.4) over port 5985

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Established WinRM connection to remote host Scranton (10.0.1.4)

Criteria

Network connection to Scranton (10.0.1.4) over port 5985

[1]

Procedure

Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell

Criteria

powershell.exe executing Get-Process

[1]

Procedure

Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell

Criteria

powershell.exe executing Get-Process

Footnotes

  • The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change.
[1]

Procedure

Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)

Criteria

The file python.exe created on Scranton (10.0.1.4)

[1]

Procedure

Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)

Criteria

The file python.exe created on Scranton (10.0.1.4)

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)

Criteria

The file python.exe created on Scranton (10.0.1.4)

[1]

Procedure

python.exe payload was packed with UPX

Criteria

Evidence that the file python.exe is packed

[1]

Procedure

python.exe payload was packed with UPX

Criteria

Evidence that the file python.exe is packed

[1]

Procedure

Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam

Criteria

Successful logon as user Pam on Scranton (10.0.1.4)

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam

Criteria

Successful logon as user Pam on Scranton (10.0.1.4)

[1]

[2]

Procedure

Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec

Criteria

SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec

Criteria

SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share

[1]

Procedure

Executed python.exe using PSExec

Criteria

python.exe spawned by PSEXESVC.exe

[1]

Procedure

Executed python.exe using PSExec

Criteria

python.exe spawned by PSEXESVC.exe

[1]

Procedure

Dropped rar.exe to disk on remote host Scranton (10.0.1.4)

Criteria

python.exe creating the file rar.exe

[1]

Procedure

Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)

Criteria

python.exe creating the file sdelete64.exe

[1]

Procedure

Spawned interactive powershell.exe

Criteria

powershell.exe spawning from python.exe

[1]

Procedure

Searched filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

[1]

Procedure

Searched filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

Footnotes

  • The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change.
[1]

Procedure

Searched filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

[1]

Procedure

Scripted search of filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

[1]

Procedure

Scripted search of filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

Footnotes

  • The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change.
[1]

Procedure

Scripted search of filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

[1]

Procedure

Recursively collected files found in C:\Users\Pam\ using PowerShell

Criteria

powershell.exe reading files in C:\Users\Pam\

[1]

Procedure

Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell

Criteria

powershell.exe creating the file working.zip

[1]

Procedure

Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell

Criteria

powershell.exe creating the file working.zip

[1]

Procedure

Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria

powershell.exe executing rar.exe with the -a parameter for a password to use for encryption

[1]

Procedure

Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria

powershell.exe executing rar.exe with the -a parameter for a password to use for encryption

[1]

Procedure

Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria

powershell.exe executing rar.exe

[1]

Procedure

Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria

powershell.exe executing rar.exe

[1]

Procedure

Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)

Criteria

python.exe reading the file working.zip while connected to the C2 channel

[1]

[2]

Procedure

Deleted rar.exe on disk using SDelete

Criteria

sdelete64.exe deleting the file rar.exe

[1]

Procedure

Deleted rar.exe on disk using SDelete

Criteria

sdelete64.exe deleting the file rar.exe

[1]

Procedure

Deleted rar.exe on disk using SDelete

Criteria

sdelete64.exe deleting the file rar.exe

[1]

Procedure

Deleted working.zip (from Desktop) on disk using SDelete

Criteria

sdelete64.exe deleting the file \Desktop\working.zip

[1]

Procedure

Deleted working.zip (from Desktop) on disk using SDelete

Criteria

sdelete64.exe deleting the file \Desktop\working.zip

[1]

Procedure

Deleted working.zip (from Desktop) on disk using SDelete

Criteria

sdelete64.exe deleting the file \Desktop\working.zip

[1]

Procedure

Deleted working.zip (from AppData directory) on disk using SDelete

Criteria

sdelete64.exe deleting the file \AppData\Roaming\working.zip

[1]

Procedure

Deleted working.zip (from AppData directory) on disk using SDelete

Criteria

sdelete64.exe deleting the file \AppData\Roaming\working.zip

[1]

Procedure

Deleted working.zip (from AppData directory) on disk using SDelete

Criteria

sdelete64.exe deleting the file \AppData\Roaming\working.zip

[1]

Procedure

Deleted SDelete on disk using cmd.exe del command

Criteria

cmd.exe deleting the file sdelete64.exe

Procedure

Executed persistent service (javamtsup) on system startup

Criteria

javamtsup.exe spawning from services.exe

[1]

Procedure

Executed persistent service (javamtsup) on system startup

Criteria

javamtsup.exe spawning from services.exe

[1]

Procedure

Executed LNK payload (hostui.lnk) in Startup Folder on user login

Criteria

Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder

[1]

Procedure

Executed LNK payload (hostui.lnk) in Startup Folder on user login

Criteria

Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder

[1]

Procedure

Executed PowerShell payload via the CreateProcessWithToken API

Criteria

hostui.exe executing the CreateProcessWithToken API

[1]

Procedure

Manipulated the token of the PowerShell payload via the CreateProcessWithToken API

Criteria

hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe

[1]

Procedure

User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk

Criteria

powershell.exe spawning from explorer.exe

[1]

Procedure

User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk

Criteria

powershell.exe spawning from explorer.exe

[1]

Procedure

Executed an alternate data stream (ADS) using PowerShell

Criteria

powershell.exe executing the schemas ADS via Get-Content and IEX

[1]

[2]

[3]

Procedure

Executed an alternate data stream (ADS) using PowerShell

Criteria

powershell.exe executing the schemas ADS via Get-Content and IEX

[1]

Procedure

Executed an alternate data stream (ADS) using PowerShell

Criteria

powershell.exe executing the schemas ADS via Get-Content and IEX

[1]

Procedure

Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_BIOS

[1]

Procedure

Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_BIOS

[1]

Procedure

Enumerated computer manufacturer, model, and version information using PowerShell

Criteria

powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem

[1]

Procedure

Enumerated computer manufacturer, model, and version information using PowerShell

Criteria

powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem

[1]

Procedure

Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_PnPEntity

[1]

Procedure

Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_PnPEntity

[1]

Procedure

Checked that the username is not related to admin or a generic value (e.g., user) using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

[1]

Procedure

Checked that the username is not related to admin or a generic value (e.g., user) using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

[1]

Procedure

Checked that the computer is joined to a domain using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

[1]

Procedure

Checked that the computer is joined to a domain using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

[1]

Procedure

Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_Process

[1]

Procedure

Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_Process

[1]

Procedure

Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell

Criteria

powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName

Footnotes

  • The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change.
[1]

Procedure

Decoded an embedded DLL payload to disk using certutil.exe

Criteria

certutil.exe decoding kxwn.lock

[1]

Procedure

Decoded an embedded DLL payload to disk using certutil.exe

Criteria

certutil.exe decoding kxwn.lock

[1]

Procedure

Decoded an embedded DLL payload to disk using certutil.exe

Criteria

certutil.exe decoding kxwn.lock

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Established Registry Run key persistence using PowerShell

Criteria

Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[1]

Procedure

Established Registry Run key persistence using PowerShell

Criteria

Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Established Registry Run key persistence using PowerShell

Criteria

Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[1]

Procedure

Executed PowerShell stager payload

Criteria

powershell.exe spawning from the schemas ADS (powershell.exe)

[1]

Procedure

Executed PowerShell stager payload

Criteria

powershell.exe spawning from the schemas ADS (powershell.exe)

[1]

Procedure

Established C2 channel (192.168.0.4) via PowerShell payload over port 443

Criteria

Established network channel over port 443

[1]

Procedure

Established C2 channel (192.168.0.4) via PowerShell payload over port 443

Criteria

Established network channel over port 443

[1]

Procedure

Established C2 channel (192.168.0.4) via PowerShell payload over port 443

Criteria

Established network channel over port 443

[1]

Procedure

Used HTTPS to transport C2 (192.168.0.4) traffic

Criteria

Established network channel over the HTTPS protocol

[1]

Procedure

Used HTTPS to transport C2 (192.168.0.4) traffic

Criteria

Established network channel over the HTTPS protocol

[1]

Procedure

Used HTTPS to encrypt C2 (192.168.0.4) traffic

Criteria

Evidence that the network data sent over the C2 channel is encrypted

[1]

Procedure

Used HTTPS to encrypt C2 (192.168.0.4) traffic

Criteria

Evidence that the network data sent over the C2 channel is encrypted

[1]

Procedure

Enumerated the System32 directory using PowerShell

Criteria

powershell.exe executing gci ((gci env:windir).Value + '\system32')

[1]

Procedure

Modified the time attributes of the kxwn.lock persistence payload using PowerShell

Criteria

powershell.exe modifying the creation, last access, and last write times of kxwn.lock

[1]

Procedure

Modified the time attributes of the kxwn.lock persistence payload using PowerShell

Criteria

powershell.exe modifying the creation, last access, and last write times of kxwn.lock

[1]

Procedure

Modified the time attributes of the kxwn.lock persistence payload using PowerShell

Criteria

powershell.exe modifying the creation, last access, and last write times of kxwn.lock

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Enumerated registered AV products using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for AntiVirusProduct

[1]

Procedure

Enumerated registered AV products using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for AntiVirusProduct

[1]

Procedure

Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell

Criteria

powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

[1]

Procedure

Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell

Criteria

powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

[1]

Procedure

Enumerated installed software via the Registry (Uninstall key) using PowerShell

Criteria

powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

[1]

Procedure

Enumerated installed software via the Registry (Uninstall key) using PowerShell

Criteria

powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

[1]

Procedure

Enumerated the computer name using the GetComputerNameEx API

Criteria

powershell.exe executing the GetComputerNameEx API

Footnotes

  • The script containing the variables in scope was manually recovered from the system by the analyst, so it is identified as Host Interrogation.
[1]

Procedure

Enumerated the domain name using the NetWkstaGetInfo API

Criteria

powershell.exe executing the NetWkstaGetInfo API

Footnotes

  • The script containing the variables in scope was manually recovered from the system by the analyst, so it is identified as Host Interrogation.
[1]

Procedure

Enumerated the current username using the GetUserNameEx API

Criteria

powershell.exe executing the GetUserNameEx API

Footnotes

  • The script containing the variables in scope was manually recovered from the system by the analyst, so it is identified as Host Interrogation.
[1]

Procedure

Enumerated running processes using the CreateToolhelp32Snapshot API

Criteria

powershell.exe executing the CreateToolhelp32Snapshot API

Footnotes

  • The script containing the variables in scope was manually recovered from the system by the analyst, so it is identified as Host Interrogation.
[1]

Procedure

Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell

Criteria

Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command

[1]

Procedure

Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell

Criteria

Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command

[1]

Procedure

Executed elevated PowerShell payload

Criteria

High-integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)

[1]

Procedure

Executed elevated PowerShell payload

Criteria

High-integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)

[1]

[2]

Procedure

Modified the Registry to remove artifacts of COM hijacking using PowerShell

Criteria

Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

[1]

Procedure

Modified the Registry to remove artifacts of COM hijacking using PowerShell

Criteria

Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

[1]

Procedure

Created and executed a WMI class using PowerShell

Criteria

WMI Process (WmiPrvSE.exe) executing powershell.exe

[1]

Procedure

Created and executed a WMI class using PowerShell

Criteria

WMI Process (WmiPrvSE.exe) executing powershell.exe

[1]

Procedure

Enumerated and tracked PowerShell processes using PowerShell

Criteria

powershell.exe executing Get-Process

[1]

Procedure

Enumerated and tracked PowerShell processes using PowerShell

Criteria

powershell.exe executing Get-Process

[1]

Procedure

Enumerated and tracked PowerShell processes using PowerShell

Criteria

powershell.exe executing Get-Process

[1]

Procedure

Downloaded and dropped Mimikatz (m.exe) to disk

Criteria

powershell.exe downloading and/or the file write of m.exe

Footnotes

  • The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change.
[1]

Procedure

Downloaded and dropped Mimikatz (m.exe) to disk

Criteria

powershell.exe downloading and/or the file write of m.exe

[1]

Procedure

Downloaded and dropped Mimikatz (m.exe) to disk

Criteria

powershell.exe downloading and/or the file write of m.exe

[1]

Procedure

Dumped plaintext credentials using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

Procedure

Dumped plaintext credentials using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

Procedure

Dumped plaintext credentials using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Encoded and wrote Mimikatz output to a WMI class property using PowerShell

Criteria

powershell.exe executing Set-WmiInstance

[1]

Procedure

Read and decoded Mimikatz output from a WMI class property using PowerShell

Criteria

powershell.exe executing Get-WmiInstance

[1]

Procedure

Enumerated logged on users using PowerShell

Criteria

powershell.exe executing $env:UserName

[1]

Procedure

Established WMI event subscription persistence using PowerShell

Criteria

powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription

[1]

Procedure

Established WMI event subscription persistence using PowerShell

Criteria

powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription

[1]

Procedure

Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries

Criteria

powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll

[1]

[2]

Procedure

Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries

Criteria

powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API

Criteria

powershell.exe executing the ConvertSidToStringSid API

[1]

Procedure

Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API

Criteria

powershell.exe executing the ConvertSidToStringSid API

Footnotes

  • The script containing the variables in scope was manually recovered from the system by the analyst, so it is identified as Host Interrogation.
[1]

Procedure

Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll

Criteria

powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll

Footnotes

  • The script containing the variables in scope was manually recovered from the system by the analyst, so it is identified as Host Interrogation.
[1]

Procedure

Established a WinRM connection to the domain controller host NewYork (10.0.0.4)

Criteria

Network connection to NewYork (10.0.0.4) over port 5985

[1]

Procedure

Established a WinRM connection to the domain controller host NewYork (10.0.0.4)

Criteria

Network connection to NewYork (10.0.0.4) over port 5985

[1]

Procedure

Established a WinRM connection to the domain controller host NewYork (10.0.0.4)

Criteria

Network connection to NewYork (10.0.0.4) over port 5985

[1]

Procedure

Established a WinRM connection to the domain controller host NewYork (10.0.0.4)

Criteria

Network connection to NewYork (10.0.0.4) over port 5985

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott

Criteria

Successful logon as user MScott on NewYork (10.0.0.4)

[1]

Procedure

Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott

Criteria

Successful logon as user MScott on NewYork (10.0.0.4)

[1]

Procedure

Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott

Criteria

Successful logon as user MScott on NewYork (10.0.0.4)

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection

Criteria

File write of m.exe by the WinRM process (wsmprovhost.exe)

[1]

Procedure

Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection

Criteria

File write of m.exe by the WinRM process (wsmprovhost.exe)

[1]

Procedure

Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection

Criteria

File write of m.exe by the WinRM process (wsmprovhost.exe)

[1]

Procedure

Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection

Criteria

File write of m.exe by the WinRM process (wsmprovhost.exe)

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

[2]

Procedure

Dumped messages from the local Outlook inbox using PowerShell

Criteria

outlook.exe spawning from svchost.exe or powershell.exe

[1]

Procedure

Dumped messages from the local Outlook inbox using PowerShell

Criteria

outlook.exe spawning from svchost.exe or powershell.exe

[1]

Procedure

Read and collected a local file using PowerShell

Criteria

powershell.exe reading the file MITRE-ATTACK-EVALS.HTML

[1]

Procedure

Read and collected a local file using PowerShell

Criteria

powershell.exe reading the file MITRE-ATTACK-EVALS.HTML

[1]

Procedure

Staged collected file into directory using PowerShell

Criteria

powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML

[1]

Procedure

Staged collected file into directory using PowerShell

Criteria

powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML

[1]

Procedure

Compressed a staging directory using PowerShell

Criteria

powershell.exe executing the ZipFile.CreateFromDirectory .NET method

[1]

Procedure

Compressed a staging directory using PowerShell

Criteria

powershell.exe executing the ZipFile.CreateFromDirectory .NET method

[1]

Procedure

Prepended the GIF file header to a compressed staging file using PowerShell

Criteria

powershell.exe executing Set-Content

[1]

Procedure

Prepended the GIF file header to a compressed staging file using PowerShell

Criteria

powershell.exe executing Set-Content

[1]

Procedure

Mapped a network drive to an online OneDrive account using PowerShell

Criteria

net.exe with command-line arguments then making a network connection to a public IP over port 443

[1]

Procedure

Mapped a network drive to an online OneDrive account using PowerShell

Criteria

net.exe with command-line arguments then making a network connection to a public IP over port 443

[1]

Procedure

Exfiltrated staged collection to an online OneDrive account using PowerShell

Criteria

powershell.exe executing Copy-Item pointing to a drive mapped to an attacker-controlled OneDrive account

[1]

Procedure

Executed Run key persistence payload on user login using RunDll32

Criteria

rundll32.exe executing kxwn.lock

[1]

Procedure

Executed Run key persistence payload on user login using RunDll32

Criteria

rundll32.exe executing kxwn.lock

[1]

Procedure

Executed WMI persistence on user login

Criteria

The WMI process (wmiprvse.exe) executing powershell.exe

[1]

Procedure

Executed WMI persistence on user login

Criteria

The WMI process (wmiprvse.exe) executing powershell.exe

[1]

Procedure

Executed PowerShell payload from WMI event subscription persistence

Criteria

SYSTEM-level powershell.exe spawned from powershell.exe

[1]

Procedure

Executed PowerShell payload from WMI event subscription persistence

Criteria

SYSTEM-level powershell.exe spawned from powershell.exe

[1]

Procedure

Executed PowerShell payload from WMI event subscription persistence

Criteria

SYSTEM-level powershell.exe spawned from powershell.exe

[1]

Procedure

Created Kerberos Golden Ticket using Invoke-Mimikatz

Criteria

powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket

[1]

Procedure

Created Kerberos Golden Ticket using Invoke-Mimikatz

Criteria

powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket

[1]

Procedure

Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials

Criteria

Network connection to Scranton (10.0.1.4) over port 5985

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials

Criteria

Network connection to Scranton (10.0.1.4) over port 5985

[1]

Procedure

Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials

Criteria

Network connection to Scranton (10.0.1.4) over port 5985

[1]

Procedure

Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials

Criteria

Network connection to Scranton (10.0.1.4) over port 5985

[1]

Procedure

Added a new user to the remote host Scranton (10.0.1.4) using net.exe

Criteria

net.exe adding the user Toby

[1]

Procedure

Added a new user to the remote host Scranton (10.0.1.4) using net.exe

Criteria

net.exe adding the user Toby

[1]

Procedure

Added a new user to the remote host Scranton (10.0.1.4) using net.exe

Criteria

net.exe adding the user Toby

[1]

Criteria

explorer.exe spawns winword.exe when user clicks 1-list.rtf

Data Sources

  • Process Monitoring
[1]

Criteria

explorer.exe spawns winword.exe when user clicks 1-list.rtf

Data Sources

  • Process Monitoring

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

winword.exe loads VBE7.DLL

Data Sources

  • Process Monitoring
  • DLL Monitoring

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

winword.exe loads VBE7.DLL

Data Sources

  • DLL Monitoring
  • Process Monitoring

Footnotes

  • New data sources were enabled.
[1]

Criteria

wscript.exe executes unprotected.vbe

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe executes unprotected.vbe

Data Sources

  • Process Monitoring
[1]

Criteria

unprotected.vbe is an encoded file

Data Sources

  • Script Logs
[1]

Criteria

unprotected.vbe is an encoded file

Data Sources

  • Script Logs
[1]

Criteria

wscript.exe decodes content and creates starter.vbs

Data Sources

  • Script Logs
  • Process Monitoring
  • File Monitoring
[1]

[2]

Criteria

wscript.exe decodes content and creates starter.vbs

Data Sources

  • Script Logs
  • Process Monitoring

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

[2]

Criteria

wscript.exe decodes content and creates TransBaseOdbcDriver.js

Data Sources

  • Process Monitoring
  • Script Logs

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

[2]

Criteria

wscript.exe decodes content and creates TransBaseOdbcDriver.js

Data Sources

  • Machine Learning
[1]

Criteria

wscript.exe decodes content and creates TransBaseOdbcDriver.js

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

wscript.exe executes starter.vbs

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

wscript.exe executes starter.vbs

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

wscript.exe makes WMI queries for Win32_Processor & Win32_OperatingSystem

Data Sources

  • Windows Event Logs

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

wscript.exe makes WMI queries for Win32_Processor & Win32_OperatingSystem

Data Sources

  • Windows Event Logs
[1]

Criteria

wscript.exe makes WMI queries for Win32_Processor & Win32_OperatingSystem

Data Sources

  • Windows Event Logs

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

wscript.exe makes a WMI query for Win32_Process

Data Sources

  • Windows Event Logs
[1]

Criteria

wscript.exe makes a WMI query for Win32_Process

Data Sources

  • Windows Event Logs

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

wscript.exe downloads screenshot__.ps1 from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Windows Event Logs
[1]

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Script Logs
[1]

Criteria

wscript.exe reads and uploads screenshot__.png to 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

[2]

Criteria

cmd.exe spawns reg.exe to add a value under HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns reg.exe to add a value under HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer

Data Sources

  • Process Monitoring
[1]

Criteria

Value added to Registry is base64 encoded

Data Sources

  • Windows Registry
[1]

[2]

Criteria

wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4

Data Sources

  • Process Monitoring
  • Script Logs
[1]

[2]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

powershell.exe reads HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty

Data Sources

  • Script Logs
[1]

Criteria

powershell.exe reads HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty

Data Sources

  • Script Logs

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode

Data Sources

  • Script Logs
[1]

Criteria

powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode

Data Sources

  • Script Logs

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

powershell.exe executes the shellcode from the Registry by calling the CreateThread() API

Data Sources

  • Script Logs
[1]

Criteria

powershell.exe executes the shellcode from the Registry by calling the CreateThread() API

Data Sources

  • Script Logs

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

powershell.exe transmits data to 192.168.0.4 over TCP

Data Sources

  • Network Monitoring
[1]

Criteria

powershell.exe transmits data to 192.168.0.4 over TCP

[1]

Criteria

powershell.exe calls the FindFirstFileW() and FindNextFileW() APIs

Criteria

powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4

Data Sources

  • Script Logs
  • Network Monitoring
[1]

[2]

Criteria

powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4

Data Sources

  • Network Monitoring
[1]

Criteria

powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4

Data Sources

  • Network Monitoring
[1]

Criteria

powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access

Data Sources

  • Script Logs
  • Process Monitoring
  • Network Monitoring
[1]

[2]

Criteria

powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access

Data Sources

  • Script Logs
  • Process Monitoring
[1]

Criteria

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Data Sources

  • Windows Event Logs
[1]

Criteria

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Data Sources

  • Windows Event Logs
[1]

Criteria

powershell.exe downloads rad353F7.ps1 from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring
[1]

Criteria

powershell.exe downloads smrs.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

Criteria

powershell.exe downloads smrs.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

powershell.exe downloads smrs.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

Criteria

powershell.exe executes rad353F7.ps1

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe executes rad353F7.ps1

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty

Data Sources

  • Process Monitoring
  • Script Logs
  • Windows Registry
[1]

[2]

Criteria

powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty

Data Sources

  • Windows Registry
[1]

Criteria

fodhelper.exe spawns cmd.exe as a high-integrity process (Note: due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass.)

Data Sources

  • Process Monitoring
[1]

Criteria

fodhelper.exe spawns cmd.exe as a high-integrity process (Note: due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass.)

Data Sources

  • Windows Registry
[1]

Criteria

cmd.exe spawns smrs.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns smrs.exe

Data Sources

  • Process Monitoring

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

cmd.exe spawns smrs.exe

Data Sources

  • Process Monitoring

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

smrs.exe opens and reads lsass.exe

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

smrs.exe opens and reads lsass.exe

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

smrs.exe opens and reads lsass.exe

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

smrs.exe opens and reads lsass.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe downloads pscp.exe from 192.168.0.4

Data Sources

  • File Monitoring
[1]

[2]

Criteria

powershell.exe downloads pscp.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring
[1]

Criteria

powershell.exe downloads psexec.py from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring
[1]

Criteria

powershell.exe downloads runtime from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring
[1]

Criteria

powershell.exe downloads plink.exe from 192.168.0.4

Data Sources

  • File Monitoring
[1]

Criteria

powershell.exe downloads plink.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring
[1]

Criteria

powershell.exe downloads tiny.exe from 192.168.0.4

Data Sources

  • File Monitoring
[1]

Criteria

powershell.exe downloads tiny.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring
[1]

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

[2]

Criteria

Pscp.exe connects over SCP (port 22) to 10.0.0.7

Data Sources

  • Network Monitoring
  • Process Monitoring
[1]

[2]

Criteria

Pscp.exe connects over SCP (port 22) to 10.0.0.7

Data Sources

  • Network Monitoring
[1]

Criteria

Pscp.exe connects over SCP (port 22) to 10.0.0.7

Data Sources

  • Network Monitoring
[1]

Criteria

User kmitnick logs on to bankfileserver (10.0.0.7)

Data Sources

  • Authentication Logs
[1]

Criteria

User kmitnick logs on to bankfileserver (10.0.0.7)

Data Sources

  • Authentication Logs
  • Windows Event Logs
[1]

Criteria

Pscp.exe copies psexec.py to 10.0.0.7

Data Sources

  • Process Monitoring
[1]

Criteria

Pscp.exe copies psexec.py to 10.0.0.7

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

Pscp.exe copies runtime to 10.0.0.7

Data Sources

  • Process Monitoring
[1]

Criteria

Pscp.exe copies runtime to 10.0.0.7

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring
[1]

[2]

Criteria

Pscp.exe copies tiny.exe to 10.0.0.7

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

Pscp.exe copies tiny.exe to 10.0.0.7

Data Sources

  • Process Monitoring
[1]

Criteria

plink.exe connects over SSH (port 22) to 10.0.0.7

Data Sources

  • Network Monitoring
[1]

Criteria

plink.exe connects over SSH (port 22) to 10.0.0.7

Data Sources

  • Network Monitoring
[1]

Criteria

plink.exe connects over SSH (port 22) to 10.0.0.7

Data Sources

  • Process Monitoring
  • Network Monitoring
[1]

[2]

Criteria

User kmitnick logs on to bankfileserver (10.0.0.7)

Data Sources

  • Authentication Logs
[1]

[2]

Criteria

User kmitnick logs on to bankfileserver (10.0.0.7)

Data Sources

  • Authentication Logs
[1]

Criteria

User kmitnick executes ps ax

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick executes ps ax

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick executes ls -lsahR /var/

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick executes ls -lsahR /var/

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick reads network-diagram-financial.xml via cat

Data Sources

  • Process Monitoring

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

User kmitnick reads network-diagram-financial.xml via cat

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick reads help-desk-ticket.txt via cat

Data Sources

  • Process Monitoring

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

User kmitnick reads help-desk-ticket.txt via cat

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)

Data Sources

  • Network Monitoring
  • Process Monitoring
[1]

[2]

Criteria

User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)

Data Sources

  • Process Monitoring
[1]

Criteria

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Data Sources

  • Process Monitoring
[1]

Criteria

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Data Sources

  • Process Monitoring

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

psexec.py connects to SMB shares on 10.0.0.4

Data Sources

  • Network Monitoring
  • Windows Event Logs
[1]

Criteria

psexec.py connects to SMB shares on 10.0.0.4

Data Sources

  • Network Monitoring
[1]

Criteria

cmd.exe spawns from a service executable in C:\Windows\

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns from a service executable in C:\Windows\

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns from a service executable in C:\Windows\

Data Sources

  • File Monitoring
[1]

Criteria

cmd.exe spawns from a service executable in C:\Windows\

Data Sources

  • Process Monitoring

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

cmd.exe spawns from a service executable in C:\Windows\

Data Sources

  • Windows Event Logs
[1]

Criteria

tiny.exe is created on 10.0.0.4

Data Sources

  • File Monitoring
[1]

Criteria

tiny.exe is created on 10.0.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
[1]

Criteria

cmd.exe spawns tiny.exe

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

cmd.exe spawns tiny.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns tiny.exe

Data Sources

  • Process Monitoring

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

Criteria

tiny.exe loads shellcode from network connection into memory

Data Sources

  • Network Monitoring
[1]

Criteria

tiny.exe loads system.management.automation.dll

Criteria

PowerShell executes Get-ADComputer

Data Sources

  • Windows Event Logs
[1]

[2]

Criteria

PowerShell executes Get-ADComputer

Data Sources

  • Windows Event Logs

Footnotes

  • New detection logic was applied for mapping specific techniques.
[1]

[2]

Criteria

PowerShell executes Get-NetUser

Data Sources

  • Windows Event Logs
[1]

Criteria

PowerShell executes Get-NetUser

Data Sources

  • Windows Event Logs

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

tiny.exe downloads plink.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring
[1]

[2]

Criteria

tiny.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

tiny.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

plink.exe transmits data to 192.168.0.4 over SSH protocol

Data Sources

  • Process Monitoring
  • Network Monitoring
[1]

Criteria

plink.exe transmits data to 192.168.0.4 over SSH protocol

Data Sources

  • Network Monitoring
[1]

Criteria

plink.exe transmits data to 192.168.0.4 over SSH protocol

Data Sources

  • Network Monitoring
[1]

Criteria

User kmitnick logs on to bankdc (10.0.0.4)

Data Sources

  • Windows Event Logs
[1]

Criteria

User kmitnick logs on to bankdc (10.0.0.4)

Data Sources

  • Windows Event Logs
[1]

Criteria

RDP session from the localhost over TCP port 3389

Data Sources

  • Network Monitoring
[1]

Criteria

RDP session from the localhost over TCP port 3389

Data Sources

  • Windows Event Logs
[1]

Criteria

powershell.exe executes qwinsta /server:cfo

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe executes qwinsta /server:cfo

Data Sources

  • Process Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

User kmitnick logs on to cfo (10.0.0.5)

Data Sources

  • Windows Event Logs
[1]

Criteria

User kmitnick logs on to cfo (10.0.0.5)

Data Sources

  • Windows Event Logs
[1]

Criteria

RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389

Data Sources

  • Network Monitoring
[1]

Criteria

RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389

Data Sources

  • Network Monitoring
  • Windows Event Logs
[1]

Criteria

scp.exe downloads Java-Update.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring
[1]

Criteria

dir lists the contents of C:\Users\Public

Data Sources

  • Process Monitoring
[1]

Criteria

dir lists the contents of C:\Users\Public

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe downloads Java-Update.vbs from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring
[1]

Criteria

Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Data Sources

  • Windows Registry
[1]

Criteria

Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Data Sources

  • Windows Registry
[1]

Criteria

Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Data Sources

  • Windows Registry
[1]

Criteria

wscript.exe spawns Java-Update.exe

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe spawns Java-Update.exe

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe spawns Java-Update.exe

Data Sources

  • Process Monitoring
[1]

Criteria

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring

Footnotes

  • new detection logic was applied.
[1]

Criteria

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring

Footnotes

  • new detection logic was applied.
[1]

Criteria

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

Java-Update.exe downloads DefenderUpgradeExec.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring
[1]

Criteria

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring
[1]

Criteria

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

Java-Update.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

Java-Update.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Criteria

explorer.exe reads C:\Users\jsmith\AppData\Local\Temp\Klog2.txt and sends it to 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Footnotes

  • logging errors fixed
[1]

[2]

[3]

Criteria

explorer.exe downloads infosMin48.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

Criteria

infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll

Data Sources

  • DLL Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll

Data Sources

  • DLL Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

Criteria

powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\

Data Sources

  • File Monitoring
  • Process Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

explorer.exe downloads tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Footnotes

  • logging errors fixed
[1]

Criteria

explorer.exe downloads vnc-settings.reg from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Footnotes

  • logging errors fixed
[1]

Criteria

netsh adds Service Host rule for TCP port 5900

Data Sources

  • Process Monitoring
[1]

Criteria

netsh adds Service Host rule for TCP port 5900

Data Sources

  • Process Monitoring

Footnotes

  • logging error fixed.
[1]

Criteria

msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run

Data Sources

  • Process Monitoring
  • Windows Registry

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

[2]

Criteria

msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run

Data Sources

  • Windows Registry

Footnotes

  • fixed logging error.
[1]

Criteria

Addition of subkeys in HKLM\Software\TightVNC\Server

Data Sources

  • Process Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

Addition of subkeys in HKLM\Software\TightVNC\Server

Data Sources

  • Process Monitoring

Footnotes

  • logging error fixed.
[1]

[2]

Criteria

Deletion of the Java-Update subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Data Sources

  • Process Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

Deletion of the Java-Update subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Data Sources

  • Process Monitoring

Footnotes

  • logging error fixed
[1]

Criteria

tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900

Data Sources

  • Network Monitoring
  • Process Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900

Data Sources

  • Process Monitoring
  • Network Monitoring
[1]

Criteria

tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900

Data Sources

  • Network Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

explorer.exe spawns winword.exe when user clicks 2-list.rtf

Data Sources

  • Process Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

explorer.exe spawns winword.exe when user clicks 2-list.rtf

Data Sources

  • Process Monitoring
[1]

Criteria

2-list.rtf contains an embedded lnk payload that is dropped to disk

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

Criteria

2-list.rtf contains an embedded lnk payload that is dropped to disk

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

Criteria

winword.exe spawns mshta.exe

Data Sources

  • Process Monitoring
[1]

Criteria

winword.exe spawns mshta.exe

Data Sources

  • Process Monitoring
[1]

Criteria

winword.exe spawns mshta.exe

Data Sources

  • Process Monitoring

Footnotes

  • Additional DDE Context can be found at https://docs.microsoft.com/en-us/windows/win32/dataxchg/about-dynamic-data-exchange
[1]

Criteria

mshta.exe executes an embedded VBScript payload

Data Sources

  • Process Monitoring
[1]

Criteria

mshta.exe executes an embedded VBScript payload

Data Sources

  • Process Monitoring
[1]

Criteria

mshta.exe assembles text embedded within 2-list.rtf into a JS payload

Data Sources

  • Script Logs
  • Process Monitoring
  • File Monitoring
[1]

Criteria

mshta.exe assembles text embedded within 2-list.rtf into a JS payload

Data Sources

  • Script Logs

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe

Data Sources

  • File Monitoring
[1]

Criteria

winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

[2]

Criteria

winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL

Data Sources

  • DLL Monitoring

Footnotes

  • new detection logic was applied.
[1]

Criteria

winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL

Data Sources

  • Process Monitoring
  • DLL Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes

Data Sources

  • Windows Event Logs
[1]

Criteria

mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes

Data Sources

  • Windows Event Logs

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

svchost.exe (-s Schedule) spawns Adb156.exe

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

svchost.exe (-s Schedule) spawns Adb156.exe

Data Sources

  • Windows Event Logs
[1]

Criteria

svchost.exe (-s Schedule) spawns Adb156.exe

Data Sources

  • Process Monitoring
[1]

Criteria

Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

[2]

[3]

Criteria

Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript

Data Sources

  • File Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

Adb156.exe transmits data to 192.168.0.6 via MSSQL transactions

Data Sources

  • Network Monitoring
  • Windows Event Logs
[1]

[2]

Criteria

Adb156.exe makes a WMI query for Win32_NetworkAdapterConfiguration

Data Sources

  • Windows Event Logs
[1]

Criteria

Adb156.exe makes a WMI query for Win32_NetworkAdapterConfiguration

Data Sources

  • Windows Event Logs
[1]

Criteria

Adb156.exe makes a WMI query for Win32_LogicalDisk

Data Sources

  • Windows Event Logs
[1]

Criteria

Adb156.exe makes a WMI query for Win32_LogicalDisk

Data Sources

  • Windows Event Logs

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

Adb156.exe downloads stager.ps1 from 192.168.0.6

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring
[1]

Criteria

Adb156.exe makes a WMI query for Win32_Process

Data Sources

  • Windows Event Logs
[1]

Criteria

Adb156.exe makes a WMI query for Win32_Process

Data Sources

  • Windows Event Logs

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

cmd.exe executes net view

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe executes net view

Data Sources

  • Process Monitoring
[1]

Criteria

Adb156.exe makes a WMI query for Win32_BIOS

Data Sources

  • Windows Event Logs
[1]

Criteria

Adb156.exe makes a WMI query for Win32_BIOS

Data Sources

  • Windows Event Logs

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

Adb156.exe queries the USERNAME environment variable

Data Sources

  • Script Logs

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

Adb156.exe queries the USERNAME environment variable

Data Sources

  • Script Logs
[1]

Criteria

Adb156.exe queries the COMPUTERNAME environment variable

Data Sources

  • Script Logs
[1]

Criteria

Adb156.exe queries the COMPUTERNAME environment variable

Data Sources

  • Script Logs

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

Adb156.exe makes a WMI query for Win32_ComputerSystem

Data Sources

  • Windows Event Logs
[1]

Criteria

Adb156.exe makes a WMI query for Win32_OperatingSystem

Data Sources

  • Windows Event Logs
[1]

Criteria

Adb156.exe makes a WMI query for Win32_OperatingSystem

Data Sources

  • Windows Event Logs

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

Adb156.exe downloads takeScreenshot.ps1 from 192.168.0.6 via MSSQL transactions

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring
[1]

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Windows Event Logs
[1]

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Script Logs
[1]

Criteria

Adb156.exe reads and uploads image.png to 192.168.0.6 via MSSQL transactions

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring
[1]

[2]

[3]

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe decodes an embedded DLL payload

Data Sources

  • Windows Event Logs
[1]

Criteria

powershell.exe executes the decoded payload using Invoke-Expression (IEX)

Data Sources

  • Windows Event Logs
[1]

Criteria

powershell.exe loads shellcode from network connection into memory

Criteria

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Process Monitoring
  • Network Monitoring
[1]

Criteria

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
  • Process Monitoring
[1]

Criteria

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

powershell.exe calls the CreateToolhelp32Snapshot() API

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

powershell.exe downloads samcat.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring
[1]

Criteria

powershell.exe downloads samcat.exe from 192.168.0.4

Data Sources

  • Machine Learning
[1]

Criteria

powershell.exe downloads uac-samcats.ps1 from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring
[1]

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Windows Registry
[1]

Criteria

powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Process Monitoring
  • Windows Registry
[1]

Criteria

samcat.exe opens and reads the SAM via LSASS

Data Sources

  • Process Monitoring
[1]

Criteria

samcat.exe opens and reads the SAM via LSASS

Data Sources

  • Process Monitoring
[1]

Criteria

samcat.exe opens and reads the SAM via LSASS

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe calls the GetIpNetTable() API

Criteria

powershell.exe spawns nslookup.exe, which queries the DC (10.0.1.4) over DNS (port 53)

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns nslookup.exe, which queries the DC (10.0.1.4) over DNS (port 53)

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe downloads paexec.exe from 192.168.0.4

Data Sources

  • File Monitoring
[1]

Criteria

powershell.exe downloads paexec.exe from 192.168.0.4

Data Sources

  • File Monitoring
[1]

Criteria

powershell.exe downloads paexec.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
[1]

Criteria

powershell.exe downloads hollow.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring
[1]

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

User kmitnick logs on to itadmin (10.0.1.6)

Data Sources

  • Windows Event Logs
[1]

[2]

Criteria

User kmitnick logs on to itadmin (10.0.1.6)

Data Sources

  • Network Monitoring
[1]

Criteria

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed

Data Sources

  • Process Monitoring
[1]

Criteria

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed

Data Sources

  • Process Monitoring
[1]

Criteria

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed

Data Sources

  • Network Monitoring
[1]

Criteria

Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe

Data Sources

  • Process Monitoring
[1]

Criteria

Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe

Data Sources

  • Network Monitoring
[1]

Criteria

Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe

Data Sources

  • Windows Registry
[1]

Criteria

Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe

Data Sources

  • Network Monitoring
[1]

Criteria

hollow.exe spawns svchost.exe and unmaps its memory image via NtUnmapViewOfSection

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

[2]

Criteria

hollow.exe spawns svchost.exe and unmaps its memory image via NtUnmapViewOfSection

Data Sources

  • File Monitoring
[1]

Criteria

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

svchost.exe downloads srrstr.dll from 192.168.0.4 (port 443)

Criteria

srrstr.dll is not the legitimate Windows System Protection Configuration Library

Data Sources

  • Machine Learning
[1]

Criteria

srrstr.dll is not the legitimate Windows System Protection Configuration Library

Data Sources

  • File Monitoring
[1]

Criteria

svchost.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

svchost.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Data Sources

  • DLL Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Data Sources

  • DLL Monitoring
[1]

Criteria

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Data Sources

  • DLL Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

svchost.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

svchost.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring
[1]

[2]

Criteria

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring
[1]

Criteria

explorer.exe injects into mstsc.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring
[1]

[2]

Criteria

explorer.exe injects into mstsc.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring
[1]

[2]

Criteria

mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

User kmitnick logs on to accounting (10.0.1.7)

Data Sources

  • Network Monitoring
[1]

Criteria

User kmitnick logs on to accounting (10.0.1.7)

Data Sources

  • Windows Event Logs
[1]

Criteria

User kmitnick logs on to accounting (10.0.1.7)

Data Sources

  • Windows Event Logs
[1]

Criteria

RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389

Data Sources

  • Windows Event Logs
  • Network Monitoring
[1]

Criteria

RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389

Data Sources

  • Network Monitoring
[1]

[2]

Criteria

itadmin (10.0.1.6) is relaying RDP traffic from attacker infrastructure

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe executes base64 encoded commands

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe executes base64 encoded commands

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe downloads dll329.dll from 192.168.0.4

Data Sources

  • File Monitoring
[1]

Criteria

powershell.exe downloads dll329.dll from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

[2]

Criteria

powershell.exe downloads sdbE376.tmp from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

[2]

[3]

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • File Monitoring
  • Process Monitoring
  • Windows Registry
[1]

[2]

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • Windows Registry
[1]

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • Process Monitoring
[1]

Criteria

AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll

Criteria

AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
[1]

Criteria

AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
[1]

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
[1]

Criteria

rundll32.exe downloads debug.exe from 192.168.0.4

Data Sources

  • Machine Learning
[1]

Criteria

rundll32.exe downloads debug.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring
[1]

Criteria

debug.exe calls the CreateToolhelp32Snapshot API

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring
[1]

Criteria

debug.exe calls the CreateToolhelp32Snapshot API

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

rundll32.exe downloads 7za.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

Criteria

7za.exe creates C:\Users\Public\log.7z

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

7za.exe creates C:\Users\Public\log.7z

Data Sources

  • Process Monitoring

Footnotes

  • new detection logic was applied for mapping specific techniques.
[1]

Criteria

rundll32.exe reads and uploads log.7z to 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring

Footnotes

  • fixed logging error.
[1]

[2]

[3]