Check Point: Results
Participant Configuration: Carbanak+FIN7

MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Criteria

explorer.exe spawns winword.exe when user clicks 1-list.rtf

Data Sources

  • Process Monitoring

Criteria

explorer.exe spawns winword.exe when user clicks 1-list.rtf

Data Sources

  • Process Monitoring

Criteria

winword.exe loads VBE7.DLL

Data Sources

  • DLL Monitoring
  • Process Monitoring

Criteria

winword.exe loads VBE7.DLL

Data Sources

  • DLL Monitoring
  • Process Monitoring

Criteria

wscript.exe executes unprotected.vbe

Data Sources

  • Process Monitoring

Criteria

wscript.exe executes unprotected.vbe

Data Sources

  • Process Monitoring

Criteria

wscript.exe executes unprotected.vbe

Data Sources

  • Process Monitoring

Criteria

unprotected.vbe is an encoded file

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

unprotected.vbe is an encoded file

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

wscript.exe decodes content and creates starter.vbs

Data Sources

  • Process Monitoring
  • File Monitoring
  • Script Logs

Criteria

wscript.exe decodes content and creates starter.vbs

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

wscript.exe decodes content and creates TransBaseOdbcDriver.js

Data Sources

  • Script Logs
  • Process Monitoring
  • File Monitoring

Criteria

wscript.exe decodes content and creates TransBaseOdbcDriver.js

Data Sources

  • Process Monitoring
  • Script Logs

Criteria

wscript.exe executes starter.vbs

Data Sources

  • Process Monitoring

Criteria

wscript.exe executes starter.vbs

Data Sources

  • Process Monitoring

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js

Data Sources

  • Process Monitoring

Criteria

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

wscript.exe makes WMI queries for Win32_Processor & Win32_OperatingSystem

Data Sources

  • WMI Objects
  • Process Monitoring

Criteria

wscript.exe makes WMI queries for Win32_Processor & Win32_OperatingSystem

Data Sources

  • WMI Objects
  • Process Monitoring

Criteria

wscript.exe makes a WMI query for Win32_Process

Data Sources

  • Process Monitoring
  • WMI Objects

Criteria

wscript.exe makes a WMI query for Win32_Process

Data Sources

  • Process Monitoring
  • WMI Objects

Criteria

wscript.exe downloads screenshot__.ps1 from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

wscript.exe downloads screenshot__.ps1 from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

wscript.exe reads and uploads screenshot__.png to 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring

Criteria

wscript.exe reads and uploads screenshot__.png to 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns reg.exe to add a value under HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer

Data Sources

  • Windows Registry
  • Process Monitoring

Criteria

cmd.exe spawns reg.exe to add a value under HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer

Data Sources

  • Process Monitoring

Criteria

Value added to Registry is base64 encoded

Data Sources

  • Process Monitoring

Criteria

Value added to Registry is base64 encoded

Data Sources

  • Process Monitoring
  • Windows Registry

Criteria

wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring

Criteria

wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe reads HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty

Data Sources

  • Script Logs
  • Process Monitoring
  • Windows Registry

Criteria

powershell.exe reads HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode

Data Sources

  • Process Monitoring
  • Script Logs

Criteria

powershell.exe executes the shellcode from the Registry by calling the CreateThread() API

Data Sources

  • Process Monitoring
  • Script Logs

Criteria

powershell.exe executes the shellcode from the Registry by calling the CreateThread() API

Data Sources

  • Process Monitoring
  • Script Logs

Criteria

powershell.exe transmits data to 192.168.0.4 over TCP

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

powershell.exe calls the FindFirstFileW() and FindNextFileW() APIs

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Footnotes

  • Increased the set of API calls collected per process

Criteria

powershell.exe calls the FindFirstFileW() and FindNextFileW() APIs

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Footnotes

  • Increased the set of API calls collected per process

Criteria

powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4

Data Sources

  • Script Logs
  • Process Monitoring
  • Network Monitoring

Criteria

powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access

Data Sources

  • Process Monitoring
  • Network Monitoring
  • Script Logs

Criteria

powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Data Sources

  • Windows Event Logs

Criteria

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Data Sources

  • Windows Event Logs

Criteria

powershell.exe downloads rad353F7.ps1 from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

powershell.exe downloads rad353F7.ps1 from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

powershell.exe downloads smrs.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

powershell.exe downloads smrs.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

powershell.exe executes rad353F7.ps1

Data Sources

  • Process Monitoring

Criteria

powershell.exe executes rad353F7.ps1

Data Sources

  • Process Monitoring

Criteria

powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty

Data Sources

  • Windows Registry
  • Process Monitoring

Criteria

powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty

Data Sources

  • Windows Registry
  • Process Monitoring

Criteria

fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Windows Registry
  • Process Monitoring

Criteria

fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Process Monitoring

Criteria

fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Windows Registry
  • Process Monitoring

Criteria

cmd.exe spawns smrs.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns smrs.exe

Data Sources

  • Process Monitoring

Criteria

smrs.exe opens and reads lsass.exe

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

smrs.exe opens and reads lsass.exe

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Criteria

smrs.exe opens and reads lsass.exe

Data Sources

  • Process Monitoring
  • File Monitoring

Criteria

powershell.exe downloads pscp.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

powershell.exe downloads pscp.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring

Criteria

powershell.exe downloads psexec.py from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

powershell.exe downloads psexec.py from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

powershell.exe downloads runtime from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

powershell.exe downloads runtime from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring

Criteria

powershell.exe downloads plink.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

powershell.exe downloads plink.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring

Criteria

powershell.exe downloads tiny.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring

Criteria

powershell.exe downloads tiny.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

Pscp.exe connects over SCP (port 22) to 10.0.0.7

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

Pscp.exe connects over SCP (port 22) to 10.0.0.7

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

User kmitnick logs on to bankfileserver (10.0.0.7)

Criteria

Pscp.exe copies psexec.py to 10.0.0.7

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

Pscp.exe copies psexec.py to 10.0.0.7

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring

Criteria

Pscp.exe copies runtime to 10.0.0.7

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

Pscp.exe copies runtime to 10.0.0.7

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

Pscp.exe copies tiny.exe to 10.0.0.7

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

Pscp.exe copies tiny.exe to 10.0.0.7

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

plink.exe connects over SSH (port 22) to 10.0.0.7

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

plink.exe connects over SSH (port 22) to 10.0.0.7

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

User kmitnick logs on to bankfileserver (10.0.0.7)

Criteria

User kmitnick executes ps ax

Data Sources

  • Process Monitoring

Criteria

User kmitnick executes ps ax

Data Sources

  • Process Monitoring

Criteria

User kmitnick executes ls -lsahR /var/

Data Sources

  • Process Monitoring

Criteria

User kmitnick executes ls -lsahR /var/

Data Sources

  • Process Monitoring

Criteria

User kmitnick reads network-diagram-financial.xml via cat

Data Sources

  • Process Monitoring

Criteria

User kmitnick reads network-diagram-financial.xml via cat

Data Sources

  • Process Monitoring

Criteria

User kmitnick reads help-desk-ticket.txt via cat

Data Sources

  • Process Monitoring

Criteria

User kmitnick reads help-desk-ticket.txt via cat

Data Sources

  • Process Monitoring

Criteria

User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)

Data Sources

  • Process Monitoring

Criteria

User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)

Data Sources

  • Process Monitoring

Criteria

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Data Sources

  • Process Monitoring
  • Windows Event Logs

Criteria

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Data Sources

  • Process Monitoring

Criteria

psexec.py connects to SMB shares on 10.0.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

psexec.py connects to SMB shares on 10.0.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

cmd.exe spawns from a service executable in C:\Windows\

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns from a service executable in C:\Windows\

Data Sources

  • Process Monitoring

Criteria

tiny.exe is created on 10.0.0.4

Data Sources

  • File Monitoring
  • Network Monitoring

Criteria

tiny.exe is created on 10.0.0.4

Data Sources

  • Network Monitoring
  • File Monitoring

Criteria

cmd.exe spawns tiny.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns tiny.exe

Data Sources

  • Process Monitoring

Criteria

tiny.exe loads shellcode from network connection into memory

Criteria

tiny.exe loads system.management.automation.dll

Data Sources

  • Process Monitoring
  • DLL Monitoring

Criteria

tiny.exe loads system.management.automation.dll

Data Sources

  • Process Monitoring
  • DLL Monitoring

Criteria

PowerShell executes Get-ADComputer

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

PowerShell executes Get-ADComputer

Data Sources

  • Process Monitoring
  • Script Logs

Criteria

PowerShell executes Get-NetUser

Data Sources

  • Process Monitoring
  • Script Logs

Criteria

PowerShell executes Get-NetUser

Data Sources

  • Process Monitoring
  • Script Logs

Criteria

tiny.exe downloads plink.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring

Criteria

tiny.exe downloads plink.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring

Criteria

tiny.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

tiny.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

plink.exe transmits data to 192.168.0.4 over SSH protocol

Criteria

User kmitnick logs on to bankdc (10.0.0.4)

Data Sources

  • Windows Event Logs

Criteria

User kmitnick logs on to bankdc (10.0.0.4)

Data Sources

  • Windows Event Logs

Criteria

RDP session from the localhost over TCP port 3389

Data Sources

  • Windows Event Logs

Criteria

RDP session from the localhost over TCP port 3389

Data Sources

  • Network Monitoring
  • Windows Event Logs
  • Process Monitoring

Criteria

powershell.exe executes qwinsta /server:cfo

Data Sources

  • Process Monitoring

Criteria

powershell.exe executes qwinsta /server:cfo

Data Sources

  • Process Monitoring

Criteria

User kmitnick logs on to cfo (10.0.0.5)

Data Sources

  • Windows Event Logs

Criteria

User kmitnick logs on to cfo (10.0.0.5)

Data Sources

  • Windows Event Logs

Criteria

RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389

Data Sources

  • Windows Event Logs
  • Network Monitoring
  • Process Monitoring

Criteria

RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

scp.exe downloads Java-Update.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring

Criteria

scp.exe downloads Java-Update.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

dir lists the contents of C:\Users\Public

Criteria

cmd.exe downloads Java-Update.vbs from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring

Criteria

cmd.exe downloads Java-Update.vbs from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring

Criteria

Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Data Sources

  • Windows Registry
  • Process Monitoring

Criteria

Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Data Sources

  • Process Monitoring
  • Windows Registry

Criteria

wscript.exe spawns Java-Update.exe

Data Sources

  • Process Monitoring

Criteria

wscript.exe spawns Java-Update.exe

Data Sources

  • Process Monitoring

Criteria

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

Java-Update.exe downloads DefenderUpgradeExec.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring

Criteria

Java-Update.exe downloads DefenderUpgradeExec.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Criteria

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Criteria

Java-Update.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

Java-Update.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Footnotes

  • Increased the set of API calls collected per process

Criteria

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Footnotes

  • Increased the set of API calls collected per process

Criteria

explorer.exe reads C:\Users\jsmith\AppData\Local\Temp\Klog2.txt over to 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

explorer.exe reads C:\Users\jsmith\AppData\Local\Temp\Klog2.txt over to 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

explorer.exe downloads infosMin48.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

explorer.exe downloads infosMin48.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring

Criteria

infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll

Data Sources

  • Process Monitoring
  • DLL Monitoring

Criteria

infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll

Data Sources

  • DLL Monitoring
  • Process Monitoring

Criteria

powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\

Data Sources

  • File Monitoring
  • Process Monitoring

Criteria

powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\

Data Sources

  • File Monitoring
  • Process Monitoring

Criteria

explorer.exe downloads tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

explorer.exe downloads tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring

Criteria

explorer.exe downloads vnc-settings.reg from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring

Criteria

explorer.exe downloads vnc-settings.reg from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

netsh adds Service Host rule for TCP port 5900

Data Sources

  • Process Monitoring

Criteria

netsh adds Service Host rule for TCP port 5900

Data Sources

  • Process Monitoring

Criteria

msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run

Data Sources

  • Process Monitoring
  • Windows Registry

Criteria

msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run

Data Sources

  • Windows Registry
  • Process Monitoring

Criteria

Addition of subkeys in HKLM\Software\TightVNC\Server

Data Sources

  • Process Monitoring
  • Windows Registry

Criteria

Addition of subkeys in HKLM\Software\TightVNC\Server

Data Sources

  • Windows Registry
  • Process Monitoring

Criteria

Deletion of the Java-Update subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Data Sources

  • Windows Registry
  • Process Monitoring

Criteria

Deletion of the Java-Update subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Data Sources

  • Windows Registry
  • Process Monitoring

Criteria

tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

explorer.exe spawns winword.exe when user clicks 2-list.rtf

Data Sources

  • Process Monitoring

Criteria

explorer.exe spawns winword.exe when user clicks 2-list.rtf

Data Sources

  • Process Monitoring

Criteria

2-list.rtf contains an embedded lnk payload that is dropped to disk

Data Sources

  • Process Monitoring
  • File Monitoring

Criteria

2-list.rtf contains an embedded lnk payload that is dropped to disk

Data Sources

  • File Monitoring
  • Process Monitoring

Criteria

2-list.rtf contains an embedded lnk payload that is dropped to disk

Data Sources

  • Process Monitoring
  • File Monitoring

Criteria

winword.exe spawns mshta.exe

Data Sources

  • Process Monitoring

Criteria

winword.exe spawns mshta.exe

Data Sources

  • Process Monitoring

Criteria

mshta.exe executes an embedded VBScript payload

Data Sources

  • Process Monitoring

Criteria

mshta.exe executes an embedded VBScript payload

Data Sources

  • Process Monitoring

Criteria

mshta.exe assembles text embedded within 2-list.rtf into a JS payload

Data Sources

  • File Monitoring
  • Process Monitoring
  • Script Logs

Criteria

mshta.exe assembles text embedded within 2-list.rtf into a JS payload

Data Sources

  • Process Monitoring
  • Script Logs

Criteria

mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe

Data Sources

  • Process Monitoring

Criteria

mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe

Data Sources

  • Process Monitoring

Criteria

winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL

Data Sources

  • DLL Monitoring
  • Process Monitoring

Criteria

winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL

Data Sources

  • Process Monitoring
  • DLL Monitoring

Criteria

mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes

Data Sources

  • Process Monitoring
  • DLL Monitoring

Criteria

mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes

Data Sources

  • DLL Monitoring
  • Process Monitoring

Criteria

svchost.exe (-s Schedule) spawns Adb156.exe

Data Sources

  • Process Monitoring

Criteria

Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript

Data Sources

  • Process Monitoring
  • DLL Monitoring

Criteria

Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript

Data Sources

  • Process Monitoring

Criteria

Adb156.exe transmits data to 192.168.0.6 via MSSQL transactions

Criteria

Adb156.exe makes a WMI query for Win32_NetworkAdapterConfiguration

Data Sources

  • Process Monitoring
  • WMI Objects

Criteria

Adb156.exe makes a WMI query for Win32_NetworkAdapterConfiguration

Data Sources

  • Process Monitoring
  • WMI Objects

Criteria

Adb156.exe makes a WMI query for Win32_LogicalDisk

Data Sources

  • WMI Objects
  • Process Monitoring

Criteria

Adb156.exe makes a WMI query for Win32_LogicalDisk

Data Sources

  • WMI Objects
  • Process Monitoring

Criteria

Adb156.exe downloads stager.ps1 from 192.168.0.6

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring

Criteria

Adb156.exe downloads stager.ps1 from 192.168.0.6

Data Sources

  • File Monitoring
  • Process Monitoring

Criteria

Adb156.exe makes a WMI query for Win32_Process

Data Sources

  • Process Monitoring
  • WMI Objects

Criteria

Adb156.exe makes a WMI query for Win32_Process

Data Sources

  • WMI Objects
  • Process Monitoring

Criteria

Adb156.exe makes a WMI query for Win32_Process

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe executes net view

Data Sources

  • Process Monitoring

Criteria

cmd.exe executes net view

Data Sources

  • Process Monitoring

Criteria

Adb156.exe makes a WMI query for Win32_BIOS

Data Sources

  • Process Monitoring
  • WMI Objects

Criteria

Adb156.exe makes a WMI query for Win32_BIOS

Data Sources

  • Process Monitoring
  • WMI Objects

Criteria

Adb156.exe queries the USERNAME environment variable

Data Sources

  • Process Monitoring
  • Script Logs

Criteria

Adb156.exe queries the USERNAME environment variable

Data Sources

  • Process Monitoring
  • Script Logs

Criteria

Adb156.exe queries the COMPUTERNAME environment variable

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

Adb156.exe queries the COMPUTERNAME environment variable

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

Adb156.exe makes a WMI query for Win32_ComputerSystem

Data Sources

  • Process Monitoring
  • WMI Objects

Criteria

Adb156.exe makes a WMI query for Win32_ComputerSystem

Data Sources

  • Process Monitoring
  • WMI Objects

Criteria

Adb156.exe makes a WMI query for Win32_OperatingSystem

Data Sources

  • WMI Objects
  • Process Monitoring

Criteria

Adb156.exe makes a WMI query for Win32_OperatingSystem

Data Sources

  • WMI Objects
  • Process Monitoring

Criteria

Adb156.exe downloads takeScreenshot.ps1 from 192.168.0.6 via MSSQL transactions

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring

Criteria

Adb156.exe downloads takeScreenshot.ps1 from 192.168.0.6 via MSSQL transactions

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

Adb156.exe reads and uploads image.png to 192.168.0.6 via MSSQL transactions

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe decodes an embedded DLL payload

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

powershell.exe decodes an embedded DLL payload

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

powershell.exe executes the decoded payload using Invoke-Expression (IEX)

Data Sources

  • Process Monitoring

Criteria

powershell.exe executes the decoded payload using Invoke-Expression (IEX)

Data Sources

  • Process Monitoring
  • Script Logs

Criteria

powershell.exe loads shellcode from network connection into memory

Criteria

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

powershell.exe calls the CreateToolhelp32Snapshot() API

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

powershell.exe calls the CreateToolhelp32Snapshot() API

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Criteria

powershell.exe downloads samcat.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring

Criteria

powershell.exe downloads samcat.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

powershell.exe downloads samcat.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring

Criteria

powershell.exe downloads uac-samcats.ps1 from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring

Criteria

powershell.exe downloads uac-samcats.ps1 from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Process Monitoring
  • Windows Registry

Criteria

powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Process Monitoring
  • Windows Registry

Criteria

powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Windows Registry
  • Process Monitoring

Criteria

samcat.exe opens and reads the SAM via LSASS

Data Sources

  • File Monitoring
  • Process Monitoring

Criteria

samcat.exe opens and reads the SAM via LSASS

Data Sources

  • Sandbox

Footnotes

  • Delayed results due to sandbox execution

Criteria

powershell.exe calls the GetIpNetTable() API

Criteria

powershell.exe spawns nslookup.exe, which queries the DC (10.0.1.4) over DNS (port 53)

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

powershell.exe spawns nslookup.exe, which queries the DC (10.0.1.4) over DNS (port 53)

Data Sources

  • Process Monitoring

Criteria

powershell.exe spawns nslookup.exe, which queries the DC (10.0.1.4) over DNS (port 53)

Data Sources

  • Process Monitoring

Criteria

powershell.exe downloads paexec.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

powershell.exe downloads paexec.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

powershell.exe downloads hollow.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring

Criteria

powershell.exe downloads hollow.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

User kmitnick logs on to itadmin (10.0.1.6)

Data Sources

  • Windows Event Logs

Criteria

User kmitnick logs on to itadmin (10.0.1.6)

Data Sources

  • Process Monitoring

Criteria

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed

Data Sources

  • Named Pipes
  • Process Monitoring

Criteria

Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe

Data Sources

  • Process Monitoring

Criteria

Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe

Data Sources

  • Process Monitoring

Criteria

hollow.exe spawns svchost.exe and unmaps its memory image via NtUnmapViewOfSection

Criteria

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

svchost.exe downloads srrstr.dll from 192.168.0.4 (port 443)

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

svchost.exe downloads srrstr.dll from 192.168.0.4 (port 443)

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring

Criteria

srrstr.dll is not the legitimate Windows System Protection Configuration Library

Data Sources

  • File Monitoring

Criteria

srrstr.dll is not the legitimate Windows System Protection Configuration Library

Data Sources

  • Process Monitoring
  • File Monitoring

Criteria

svchost.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

svchost.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Data Sources

  • Process Monitoring
  • DLL Monitoring

Criteria

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Data Sources

  • DLL Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Data Sources

  • Process Monitoring
  • File Monitoring
  • DLL Monitoring

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

svchost.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Criteria

svchost.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Criteria

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Footnotes

  • Increased the set of API calls collected per process

Criteria

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Footnotes

  • Increased the set of API calls collected per process

Criteria

explorer.exe injects into mstsc.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Footnotes

  • Increased the set of API calls collected per process

Criteria

explorer.exe injects into mstsc.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Footnotes

  • Increased the set of API calls collected per process

Criteria

mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

Criteria

User kmitnick logs on to accounting (10.0.1.7)

Data Sources

  • Windows Event Logs

Criteria

User kmitnick logs on to accounting (10.0.1.7)

Data Sources

  • Windows Event Logs

Criteria

RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389

Data Sources

  • Network Monitoring
  • Process Monitoring
  • Windows Event Logs

Criteria

RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389

Data Sources

  • Network Monitoring
  • Windows Event Logs

Criteria

itadmin (10.0.1.6) is relaying RDP traffic from attacker infrastructure

Data Sources

  • Network Monitoring
  • Process Monitoring
  • Windows Event Logs

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe executes base64 encoded commands

Data Sources

  • Process Monitoring

Criteria

powershell.exe executes base64 encoded commands

Data Sources

  • Process Monitoring

Criteria

powershell.exe downloads dll329.dll from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring

Criteria

powershell.exe downloads dll329.dll from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring

Criteria

powershell.exe downloads sdbE376.tmp from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring

Criteria

powershell.exe downloads sdbE376.tmp from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • Process Monitoring

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • Process Monitoring

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • Process Monitoring
  • Windows Registry

Criteria

AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll

Data Sources

  • Windows Registry
  • Process Monitoring

Footnotes

  • Increased collection of Registry activity

Criteria

AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll

Data Sources

  • Windows Registry
  • Process Monitoring

Footnotes

  • Increased collection of Registry activity

Criteria

AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

rundll32.exe downloads debug.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

rundll32.exe downloads debug.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

debug.exe calls the CreateToolhelp32Snapshot API

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

debug.exe calls the CreateToolhelp32Snapshot API

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

rundll32.exe downloads 7za.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

rundll32.exe downloads 7za.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

7za.exe creates C:\Users\Public\log.7z

Data Sources

  • File Monitoring
  • Process Monitoring

Criteria

7za.exe creates C:\Users\Public\log.7z

Data Sources

  • File Monitoring
  • Process Monitoring

Criteria

rundll32.exe reads and uploads log.7z to 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring