
BlackBerry Cylance Overview
Participant Configuration: APT29, Carbanak+FIN7


MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE Engenuity.
Evaluation Summary
These are the evaluations that BlackBerry Cylance has participated in (a dash marks a round in which it did not take part; see Participant Configuration above):

Evaluation                          Detection Count           Analytic Coverage     Telemetry Coverage     Visibility
APT3 (2018)                         -                         -                     -                      -
APT29 (2020)                        206 across 134 substeps   75 of 134 substeps    105 of 134 substeps    110 of 134 substeps
Carbanak+FIN7 (2021)                253 across 174 substeps   99 of 174 substeps    134 of 174 substeps    141 of 174 substeps
Wizard Spider and Sandworm (2022)   -                         -                     -                      -

Detection Count is the total number of detections recorded over all substeps (one substep can yield several). Analytic Coverage, Telemetry Coverage and Visibility count substeps that received at least one analytic detection, at least one telemetry detection, and at least one detection of any kind, respectively.
Evaluation Overview
The listing below gives, per substep, the procedure the emulated adversary carried out (where the round recorded one) and the criteria a detection had to satisfy. The evaluations cover these tactics:

Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
2.A.4
Procedure: Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive

2.A.5
Procedure: Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file draft.zip

7.B.2
Procedure: Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
Criteria: powershell.exe creating the file OfficeSupplies.7z

7.B.3
Procedure: Encrypted data from the user's Downloads directory using PowerShell
Criteria: powershell.exe executing Compress-7Zip with the password argument used for encryption

9.B.6
Procedure: Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe with the -a parameter for a password to use for encryption

9.B.7
Procedure: Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe

17.C.1
Procedure: Compressed a staging directory using PowerShell
Criteria: powershell.exe executing the ZipFile.CreateFromDirectory .NET method

20.B.4
Criteria: 7za.exe creates C:\Users\Public\log.7z

2.A.2
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem

9.B.3
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem

7.A.2
Procedure: Captured clipboard contents using PowerShell
Criteria: powershell.exe executing Get-Clipboard

9.B.5
Procedure: Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
Criteria: powershell.exe creating the file working.zip

17.B.2
Procedure: Staged collected file into directory using PowerShell
Criteria: powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML

2.A.3
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\

7.B.1
Procedure: Read data in the user's Downloads directory using PowerShell
Criteria: powershell.exe reading files in C:\Users\pam\Downloads\

9.B.4
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\

17.B.1
Procedure: Read and collected a local file using PowerShell
Criteria: powershell.exe reading the file MITRE-ATTACK-EVALS.HTML

5.B.5 (Linux host)
Criteria: User kmitnick reads network-diagram-financial.xml via cat

5.B.6 (Linux host)
Criteria: User kmitnick reads help-desk-ticket.txt via cat

9.A.5
Criteria: explorer.exe reads C:\Users\jsmith\AppData\Local\Temp\Klog2.txt and transmits it to 192.168.0.4

17.A.1
Procedure: Dumped messages from the local Outlook inbox using PowerShell
Criteria: outlook.exe spawning from svchost.exe or powershell.exe

7.A.3
Procedure: Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API

9.A.2
Criteria: DefenderUpgradeExec.exe calls the SetWindowsHookEx API

18.A.4
Criteria: mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

7.A.1
Procedure: Captured and saved screenshots using PowerShell
Criteria: powershell.exe executing the CopyFromScreen function from System.Drawing.dll

2.B.4
Criteria: powershell.exe executes CopyFromScreen()

9.A.4
Criteria: explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

13.B.4
Criteria: powershell.exe executes CopyFromScreen()

18.A.2
Criteria: explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll
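The archive and staging criteria above reduce to two kinds of evidence: a command line that invokes a compression routine, and an archive file written by a script host or standalone archiver into a user-writable directory. As an added example (not code from MITRE Engenuity, BlackBerry or the evaluation itself), the following Python turns those criteria into detection logic and runs it over constructed Sysmon-style telemetry. The process names, pids, paths and command lines in the sample events are invented for the illustration, and the rar.exe password-switch form (-p/-hp) is an assumption about how the password argument in criterion 9.B.6 appears on the command line.

```python
"""Added example (not MITRE Engenuity's or BlackBerry's code): detection logic
for the archive/staging criteria above, run over constructed telemetry.
Event shapes follow Sysmon numbering (EventID 1 = process creation,
EventID 11 = file creation); the sample events, pids and paths are invented."""
import re
from dataclasses import dataclass

# Process names that the criteria name as the actor of an archive write.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "rundll32.exe"}
ARCHIVERS = {"rar.exe", "7z.exe", "7za.exe", "winrar.exe"}
ARCHIVE_EXT = (".zip", ".7z", ".rar")
# Directories the substeps stage into (AppData, Desktop, C:\Users\Public, Temp).
STAGING_DIRS = ("\\appdata\\", "\\desktop\\", "\\users\\public\\", "\\temp\\")

# Command-line analytics, one per criterion family on this page.
CMDLINE_RULES = [
    ("Compress-Archive cmdlet (2.A.4)", re.compile(r"\bcompress-archive\b", re.I)),
    ("ZipFile::CreateFromDirectory .NET call (17.C.1)", re.compile(r"ZipFile\]::CreateFromDirectory", re.I)),
    ("Compress-7Zip with -Password, i.e. encrypted archive (7.B.3)", re.compile(r"\bcompress-7zip\b.*-password\b", re.I)),
    # 9.B.6 keys on rar.exe being handed a password; rar takes it as -p<pw> or -hp<pw> (assumed switch form).
    ("rar.exe with password switch, i.e. encrypted archive (9.B.6)", re.compile(r"\brar(?:\.exe)?\b.*\s-h?p\S+", re.I)),
    # 9.B.7: rar.exe invoked with the 'a' (add to archive) command.
    ("rar.exe archive creation (9.B.7)", re.compile(r"\brar(?:\.exe)?\b\s+a\b", re.I)),
]

@dataclass
class Event:
    event_id: int        # 1 = process creation, 11 = file creation
    pid: int
    image: str           # full path of the acting process
    cmdline: str = ""    # EventID 1 only
    target: str = ""     # EventID 11 only: path of the created file

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_archiving(events):
    """Return (pid, description) tuples: command-line analytics for EventID 1 and
    archive-creation telemetry for EventID 11, the two kinds of evidence the criteria ask for."""
    findings = []
    for ev in events:
        proc = basename(ev.image)
        if ev.event_id == 1:
            for label, pattern in CMDLINE_RULES:
                if pattern.search(ev.cmdline):
                    findings.append((ev.pid, f"{proc} command line matches {label}"))
        elif ev.event_id == 11 and ev.target.lower().endswith(ARCHIVE_EXT):
            if proc in SCRIPT_HOSTS or proc in ARCHIVERS:
                findings.append((ev.pid, f"{proc} created archive {basename(ev.target)}"))
                if any(d in ev.target.lower() for d in STAGING_DIRS):
                    findings.append((ev.pid, f"archive staged in user-writable directory: {ev.target}"))
    return findings

# Constructed telemetry modelled on 2.A.4/2.A.5, 9.B.6/9.B.7 and 20.B.4, plus one benign Word save.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(1, 4120, PS, cmdline=r'powershell.exe -c "Compress-Archive -Path C:\Users\Pam\Documents -DestinationPath C:\Users\Pam\AppData\Roaming\Draft.zip"'),
    Event(11, 4120, PS, target=r"C:\Users\Pam\AppData\Roaming\Draft.zip"),
    Event(1, 5210, r"C:\Users\Pam\AppData\Roaming\rar.exe", cmdline=r"rar.exe a -r -hpfGzq5yKw C:\Users\Pam\Desktop\working.zip C:\Users\Pam\AppData\Roaming\working.zip"),
    Event(11, 7700, r"C:\Users\Public\7za.exe", target=r"C:\Users\Public\log.7z"),
    Event(11, 901, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", target=r"C:\Users\Pam\Documents\report.docx"),
]

if __name__ == "__main__":
    for pid, what in detect_archiving(SAMPLE_EVENTS):
        print(pid, what)
```

Joining the two event kinds on pid is what separates a tool that merely ran from one that actually produced a staged archive; the benign Word save shows that the file-creation rule is gated on both the actor and the extension.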
7.A.3
Criteria: plink.exe transmits data to 192.168.0.4 over SSH protocol

12.A.3
Criteria: Adb156.exe transmits data to 192.168.0.6 via MSSQL transactions

3.B.4
Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS

11.A.14
Procedure: Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria: Established network channel over the HTTPS protocol

1.A.10
Criteria: wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

8.A.2
Criteria: Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

14.A.6
Criteria: powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

16.A.8
Criteria: svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

17.A.5
Criteria: rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

20.A.3
Criteria: rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

3.B.3
Procedure: Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria: Established network channel over port 443

11.A.13
Procedure: Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Criteria: Established network channel over port 443

3.B.5
Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted

11.A.15
Procedure: Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted

1.A.11
Criteria: wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

8.A.3
Criteria: Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

14.A.7
Criteria: powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

16.A.9
Criteria: svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

17.A.6
Criteria: rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

20.A.4
Criteria: rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

1.A.4
Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted

3.A.1
Procedure: Dropped stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png

4.A.1
Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip

8.B.1
Procedure: Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria: The file python.exe created on Scranton (10.0.1.4)

9.A.1
Procedure: Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file rar.exe

9.A.2
Procedure: Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file sdelete64.exe

14.B.3
Procedure: Downloaded and dropped Mimikatz (m.exe) to disk
Criteria: powershell.exe downloading and/or the file write of m.exe

2.B.1
Criteria: wscript.exe downloads screenshot__.ps1 from 192.168.0.4

3.B.1
Criteria: wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4

4.B.1
Criteria: powershell.exe downloads rad353F7.ps1 from 192.168.0.4

4.B.2
Criteria: powershell.exe downloads smrs.exe from 192.168.0.4

5.A.1
Criteria: powershell.exe downloads pscp.exe from 192.168.0.4

5.A.2
Criteria: powershell.exe downloads psexec.py from 192.168.0.4

5.A.3
Criteria: powershell.exe downloads runtime from 192.168.0.4

5.A.4
Criteria: powershell.exe downloads plink.exe from 192.168.0.4

5.A.5
Criteria: powershell.exe downloads tiny.exe from 192.168.0.4

7.A.1
Criteria: tiny.exe downloads plink.exe from 192.168.0.4

7.C.1
Criteria: scp.exe downloads Java-Update.exe from 192.168.0.4

7.C.3
Criteria: cmd.exe downloads Java-Update.vbs from 192.168.0.4

9.A.1
Criteria: Java-Update.exe downloads DefenderUpgradeExec.exe from 192.168.0.4

9.B.1
Criteria: explorer.exe downloads infosMin48.exe from 192.168.0.4

10.A.1
Criteria: explorer.exe downloads tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4

10.A.2
Criteria: explorer.exe downloads vnc-settings.reg from 192.168.0.4

12.B.1
Criteria: Adb156.exe downloads stager.ps1 from 192.168.0.6

13.B.1
Criteria: Adb156.exe downloads takeScreenshot.ps1 from 192.168.0.6 via MSSQL transactions

15.A.2
Criteria: powershell.exe downloads samcat.exe from 192.168.0.4

15.A.3
Criteria: powershell.exe downloads uac-samcats.ps1 from 192.168.0.4

16.A.1
Criteria: powershell.exe downloads paexec.exe from 192.168.0.4

16.A.2
Criteria: powershell.exe downloads hollow.exe from 192.168.0.4

17.A.1
Criteria: svchost.exe downloads srrstr.dll from 192.168.0.4 (port 443)

19.B.3
Criteria: powershell.exe downloads dll329.dll from 192.168.0.4

19.B.4
Criteria: powershell.exe downloads sdbE376.tmp from 192.168.0.4

20.B.1
Criteria: rundll32.exe downloads debug.exe from 192.168.0.4

20.B.3
Criteria: rundll32.exe downloads 7za.exe from 192.168.0.4

1.A.3
Procedure: Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234

3.B.7
Criteria: powershell.exe transmits data to 192.168.0.4 over TCP

19.A.3
Criteria: itadmin (10.0.1.6) is relaying RDP traffic from attacker infrastructure

10.B.1
Criteria: tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900

18.A.1
Procedure: Mapped a network drive to an online OneDrive account using PowerShell
Criteria: net.exe with command-line arguments then making a network connection to a public IP over port 443
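The network criteria above repeat one pattern: a named process, a remote address, a port and the direction of the connection. As an added example (not MITRE Engenuity's or BlackBerry's code), the following Python applies that pattern as process-aware network analytics over constructed connection records. The internal address range, the set of processes treated as unexpected egress sources, the parent-process check for svchost.exe, and all sample addresses and pids are assumptions made for the illustration.

```python
"""Added example (not MITRE Engenuity's or BlackBerry's code): turning the network
criteria above ("<process> transmits data to 192.168.0.4 over HTTPS", "channel over
port 1234", "tvnserver.exe accepts a connection ... port 5900") into process-aware
network-connection analytics. Connection records, pids and addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# Assumption: the enterprise lives in 10.0.0.0/8; anything else is treated as external,
# which includes the 192.168.0.0/24 range used as attacker infrastructure in the evaluations.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Script hosts and admin tools that have no business initiating their own external sessions.
UNEXPECTED_EGRESS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                     "powershell.exe", "certutil.exe", "net.exe"}
COMMON_PORTS = {80, 443, 53}          # anything else to an external host counts as a non-standard port
REMOTE_ACCESS = {"tvnserver.exe", "winvnc.exe"}

@dataclass
class NetConn:
    image: str                    # full path of the process owning the socket
    pid: int
    remote_ip: str
    remote_port: int
    initiated: bool = True        # False = this process accepted an inbound connection
    parent_image: str = ""        # parent of the owning process (from its process-creation record)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)

def detect_c2(conns):
    """Return (pid, description) tuples for connections matching the C2 criteria families."""
    findings = []
    for c in conns:
        proc = basename(c.image)
        external = not is_internal(c.remote_ip)
        where = f"{c.remote_ip}:{c.remote_port}"
        if not c.initiated:
            # 10.B.1: remote-access server answering to attacker infrastructure.
            if proc in REMOTE_ACCESS and external:
                findings.append((c.pid, f"{proc} accepted inbound connection from external {where}"))
            continue
        if not external:
            continue
        if proc in UNEXPECTED_EGRESS:
            # 1.A.10, 17.A.5, 18.A.1 and similar: script host or LOLBin talking to an external address.
            findings.append((c.pid, f"{proc} initiated connection to external {where}"))
        if c.remote_port not in COMMON_PORTS:
            # 1.A.3: channel over port 1234.
            findings.append((c.pid, f"{proc} used non-standard port to external {where}"))
        if proc == "svchost.exe" and basename(c.parent_image) != "services.exe":
            # 16.A.8: the hollowed svchost.exe from 16.A.7 talks out; a genuine svchost.exe is parented by services.exe.
            findings.append((c.pid, f"svchost.exe not parented by services.exe connected to external {where}"))
    return findings

# Constructed records modelled on 17.A.5, 16.A.8, 1.A.3, 10.B.1 and 18.A.1, plus two benign connections.
SAMPLE_CONNS = [
    NetConn(r"C:\Windows\System32\rundll32.exe", 3320, "192.168.0.4", 443, parent_image=r"C:\Windows\explorer.exe"),
    NetConn(r"C:\Windows\System32\svchost.exe", 2880, "192.168.0.4", 443, parent_image=r"C:\Users\Pam\hollow.exe"),
    NetConn(r"C:\Users\Pam\Downloads\rcs.3aka3.doc", 1111, "192.168.0.5", 1234, parent_image=r"C:\Windows\explorer.exe"),
    NetConn(r"C:\Program Files\TightVNC\tvnserver.exe", 4410, "192.168.0.4", 5900, initiated=False),
    NetConn(r"C:\Windows\System32\net.exe", 6120, "13.107.42.12", 443, parent_image=r"C:\Windows\System32\cmd.exe"),  # hypothetical public IP
    NetConn(r"C:\Program Files\Google\Chrome\Application\chrome.exe", 5010, "142.250.72.14", 443),  # hypothetical public IP, benign
    NetConn(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 4120, "10.0.0.4", 389),  # internal LDAP, benign
]

if __name__ == "__main__":
    for pid, what in detect_c2(SAMPLE_CONNS):
        print(pid, what)
```

The svchost.exe rule relies on the fact that genuine service hosts are started by services.exe; a hollowed copy started by a user-land dropper keeps the name but not the parent, which is why the criteria for 16.A.8 can be met from process context alone even though the traffic itself is HTTPS.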
4.A.3
Criteria: powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access

6.A.2
Procedure: Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectData API

9.B.2
Criteria: infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll

7.A.3
Procedure: Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API

9.A.2
Criteria: DefenderUpgradeExec.exe calls the SetWindowsHookEx API

18.A.4
Criteria: mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

14.B.4
Procedure: Dumped plaintext credentials using Mimikatz (m.exe)
Criteria: m.exe injecting into lsass.exe to dump credentials

16.D.2
Procedure: Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
Criteria: m.exe injecting into lsass.exe to dump credentials

4.B.7
Criteria: smrs.exe opens and reads lsass.exe

15.A.6
Criteria: samcat.exe opens and reads the SAM via LSASS

6.C.1
Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\

6.A.1
Procedure: Read the Chrome SQL database file to extract encrypted credentials
Criteria: accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\

6.B.1
Procedure: Exported a local certificate to a PFX file using PowerShell
Criteria: powershell.exe creating a certificate file exported from the system
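The OS Credential Dumping criteria above come down to who opened lsass.exe, with which access rights, and from where in memory the call was made. As an added example (not MITRE Engenuity's or BlackBerry's code), the following Python classifies process-access records shaped like Sysmon EventID 10 by access mask and call trace, and also matches the 6.C.1 alternative of lsass.exe reading per-account SAM keys. The allow-list of legitimate LSASS readers, the EDR-style registry-read record shape, and all sample records, pids and paths are assumptions made for the illustration.

```python
"""Added example (not MITRE Engenuity's or BlackBerry's code): classifying the
LSASS-access telemetry behind criteria such as "m.exe injecting into lsass.exe",
"smrs.exe opens and reads lsass.exe" and "lsass.exe reading Registry keys under the
SAM hive". Process-access records follow Sysmon EventID 10; the registry read is an
EDR-style record. All sample records, pids and paths are constructed."""
from dataclasses import dataclass

# Process access rights (winnt.h) that matter for credential dumping.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
INJECT_MASK = PROCESS_VM_WRITE | PROCESS_CREATE_THREAD   # write into the target and start a thread in it

# Assumption: system components that legitimately open lsass.exe with read rights; tune per environment.
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
                   r"c:\program files\windows defender\msmpeng.exe"}
SAM_HASH_KEY = "hklm\\sam\\sam\\domains\\account\\users\\"   # per-account hashes live under here

@dataclass
class ProcessAccess:             # cf. Sysmon EventID 10
    source_image: str
    source_pid: int
    target_image: str
    granted_access: int
    call_trace: str = ""         # module chain that issued OpenProcess; "UNKNOWN" = unbacked memory

@dataclass
class RegistryRead:              # EDR-style registry read record
    image: str
    pid: int
    key: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify_lsass_access(ev: ProcessAccess):
    """Reasons an lsass.exe handle open looks like credential dumping; empty list if benign."""
    if basename(ev.target_image) != "lsass.exe" or ev.source_image.lower() in LSASS_ALLOWLIST:
        return []
    reasons = []
    if (ev.granted_access & INJECT_MASK) == INJECT_MASK:
        reasons.append("injection rights (PROCESS_VM_WRITE|PROCESS_CREATE_THREAD) on lsass.exe")
    elif ev.granted_access & PROCESS_VM_READ:
        reasons.append("memory read rights (PROCESS_VM_READ) on lsass.exe")
    if "unknown" in ev.call_trace.lower():
        reasons.append("OpenProcess issued from unbacked memory (reflective loader)")
    return reasons

def detect_credential_dumping(records):
    """Return (pid, image, reasons) for records that match the credential-dumping criteria."""
    findings = []
    for r in records:
        if isinstance(r, ProcessAccess):
            reasons = classify_lsass_access(r)
            if reasons:
                findings.append((r.source_pid, basename(r.source_image), reasons))
        elif (isinstance(r, RegistryRead) and basename(r.image) == "lsass.exe"
              and r.key.lower().startswith(SAM_HASH_KEY)):
            # 6.C.1: lsass.exe pulling per-account hashes from the SAM hive after a DLL was injected into it.
            findings.append((r.pid, "lsass.exe", [f"read SAM account key {r.key}"]))
    return findings

# Constructed records modelled on 14.B.4 (m.exe), 6.C.1 (injection + SAM read) and 4.B.7 (smrs.exe),
# plus an allow-listed AV engine and a Task Manager query that only asks for limited information.
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_RECORDS = [
    ProcessAccess(r"C:\Users\Pam\AppData\Roaming\m.exe", 5310, LSASS, 0x1010,
                  call_trace=r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2c5fe|C:\Users\Pam\AppData\Roaming\m.exe+1a2b3"),
    ProcessAccess(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 4120, LSASS, 0x1FFFFF,
                  call_trace=r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|UNKNOWN(000001F3A2C40B11)"),
    ProcessAccess(r"C:\Users\Pam\Downloads\smrs.exe", 6230, LSASS, 0x1410),
    ProcessAccess(r"C:\Program Files\Windows Defender\MsMpEng.exe", 2100, LSASS, 0x1010),            # allow-listed
    ProcessAccess(r"C:\Windows\System32\Taskmgr.exe", 3300, LSASS, PROCESS_QUERY_LIMITED_INFORMATION),  # benign query
    RegistryRead(LSASS, 700, r"HKLM\SAM\SAM\Domains\Account\Users\000003E9\V"),
]

if __name__ == "__main__":
    for pid, image, reasons in detect_credential_dumping(SAMPLE_RECORDS):
        print(pid, image, "; ".join(reasons))
```

The access mask does most of the work: 0x1010 (query limited information plus VM read) is the minimum a memory-reading dumper needs, while 0x1FFFFF (PROCESS_ALL_ACCESS) with an unbacked return address in the call trace is the signature of a reflectively loaded tool injecting into LSASS, which is the case 6.C.1 describes.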
3.B.2
Procedure: Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)

14.A.2
Procedure: Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)

4.B.5
Criteria: fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

15.A.5
Criteria: powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

10.B.3
Procedure: Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe

4.A.3
Procedure: Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria: powershell.exe executing Expand-Archive

11.A.10
Procedure: Decoded an embedded DLL payload to disk using certutil.exe
Criteria: certutil.exe decoding kxwn.lock

14.B.6
Procedure: Read and decoded Mimikatz output from a WMI class property using PowerShell
Criteria: powershell.exe executing Get-WmiInstance

1.A.5
Criteria: wscript.exe decodes content and creates starter.vbs

1.A.6
Criteria: wscript.exe decodes content and creates TransBaseOdbcDriver.js

3.B.5
Criteria: powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode

5.C.6
Criteria: tiny.exe loads shellcode from network connection into memory

11.A.5
Criteria: mshta.exe assembles text embedded within 2-list.rtf into a JS payload

14.A.3
Criteria: powershell.exe decodes an embedded DLL payload

14.A.5
Criteria: powershell.exe loads shellcode from network connection into memory

11.A.2
Procedure: Executed an alternate data stream (ADS) using PowerShell
Criteria: powershell.exe executing the schemas ADS via Get-Content and IEX

17.A.4
Criteria: SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

10.A.3
Criteria: netsh adds Service Host rule for TCP port 5900

4.B.2
Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc

4.B.3
Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file draft.zip

4.B.4
Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip

9.C.1
Procedure: Deleted rar.exe on disk using SDelete
Criteria: sdelete64.exe deleting the file rar.exe

9.C.2
Procedure: Deleted working.zip (from Desktop) on disk using SDelete
Criteria: sdelete64.exe deleting the file \Desktop\working.zip

9.C.3
Procedure: Deleted working.zip (from AppData directory) on disk using SDelete
Criteria: sdelete64.exe deleting the file \AppData\Roaming\working.zip

9.C.4
Procedure: Deleted SDelete on disk using cmd.exe del command
Criteria: cmd.exe deleting the file sdelete64.exe

9.B.3
Criteria: powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\

12.A.2
Procedure: Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria: powershell.exe modifying the creation, last access, and last write times of kxwn.lock

6.A.3
Procedure: Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool

17.A.2
Criteria: srrstr.dll is not the legitimate Windows System Protection Configuration Library

11.A.6
Criteria: mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe
1.A.2
Procedure: Used unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka3.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka3.scr)

3.C.1
Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

14.A.3
Procedure: Modified the Registry to remove artifacts of COM hijacking using PowerShell
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

3.A.2
Criteria: cmd.exe spawns reg.exe to add a value under HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer

4.B.4
Criteria: powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty

10.A.5
Criteria: Addition of subkeys in HKLM\Software\TightVNC\Server

10.A.6
Criteria: Deletion of the Java-Update subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run

14.B.5
Procedure: Encoded and wrote Mimikatz output to a WMI class property using PowerShell
Criteria: powershell.exe executing Set-WmiInstance

17.C.2
Procedure: Prepended the GIF file header to a compressed staging file using PowerShell
Criteria: powershell.exe executing Set-Content

1.A.4
Criteria: unprotected.vbe is an encoded file

3.A.3
Criteria: Value added to Registry is base64 encoded

11.A.2
Criteria: 2-list.rtf contains an embedded lnk payload that is dropped to disk

19.B.2
Criteria: powershell.exe executes base64 encoded commands

8.B.2
Procedure: python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed

3.A.2
Procedure: Embedded PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png

9.A.3
Criteria: Java-Update.exe injects into explorer.exe with CreateRemoteThread

18.A.3
Criteria: explorer.exe injects into mstsc.exe with CreateRemoteThread

20.A.2
Criteria: AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread

16.A.7
Criteria: hollow.exe spawns svchost.exe and unmaps its memory image via NtUnmapViewOfSection

11.A.3
Criteria: winword.exe spawns mshta.exe

20.A.1
Procedure: Executed Run key persistence payload on user login using RunDll32
Criteria: rundll32.exe executing kxwn.lock

5.C.1
Criteria: psexec.py creates a logon to 10.0.0.4 as user kmitnick

20.B.1
Procedure: Created Kerberos Golden Ticket using Invoke-Mimikatz
Criteria: powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket

8.C.1
Procedure: Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)

16.C.2
Procedure: Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
Criteria: Successful logon as user MScott on NewYork (10.0.0.4)

4.A.4
Criteria: powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

5.A.8 (Linux host)
Criteria: User kmitnick logs on to bankfileserver (10.0.0.7)

5.B.2 (Linux host)
Criteria: User kmitnick logs on to bankfileserver (10.0.0.7)

7.A.4
Criteria: User kmitnick logs on to bankdc (10.0.0.4)

7.B.2
Criteria: User kmitnick logs on to cfo (10.0.0.5)

16.A.4
Criteria: User kmitnick logs on to itadmin (10.0.1.6)

19.A.1
Criteria: User kmitnick logs on to accounting (10.0.1.7)
11.A.3
Procedure: Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_BIOS

13.A.4
Criteria: Adb156.exe makes a WMI query for Win32_BIOS

6.A.3
Criteria: PowerShell executes Get-NetUser

2.A.1
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem

4.C.1
Procedure: Enumerated user's temporary directory path using PowerShell
Criteria: powershell.exe executing $env:TEMP

9.B.2
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem

11.A.9
Procedure: Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
Criteria: powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName

12.A.1
Procedure: Enumerated the System32 directory using PowerShell
Criteria: powershell.exe executing gci ((gci env:windir).Value + '\system32')

4.A.1
Criteria: powershell.exe calls the FindFirstFileW() and FindNextFileW() APIs

5.B.4 (Linux host)
Criteria: User kmitnick executes ls -lsahR /var/

7.C.2
Criteria: dir lists the contents of C:\Users\Public

13.A.3
Criteria: cmd.exe executes net view

11.A.5
Procedure: Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_PnPEntity

4.C.9
Procedure: Enumerated user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API

4.C.11
Procedure: Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria: powershell.exe executing the NetUserGetLocalGroups API

4.B.1
Procedure: Enumerated current running processes using PowerShell
Criteria: powershell.exe executing Get-Process

4.C.5
Procedure: Enumerated the current process ID using PowerShell
Criteria: powershell.exe executing $PID

8.A.3
Procedure: Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria: powershell.exe executing Get-Process

11.A.8
Procedure: Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_Process

13.D.1
Procedure: Enumerated running processes using the CreateToolhelp32Snapshot API
Criteria: powershell.exe executing the CreateToolhelp32Snapshot API

14.B.2
Procedure: Enumerated and tracked PowerShell processes using PowerShell
Criteria: powershell.exe executing Get-Process

2.A.4
Criteria: wscript.exe makes a WMI query for Win32_Process

5.B.3 (Linux host)
Criteria: User kmitnick executes ps ax

13.A.1
Criteria: Adb156.exe makes a WMI query for Win32_Process

15.A.1
Criteria: powershell.exe calls the CreateToolhelp32Snapshot() API

20.B.2
Criteria: debug.exe calls the CreateToolhelp32Snapshot API

12.C.1
Procedure: Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria: powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

12.C.2
Procedure: Enumerated installed software via the Registry (Uninstall key) using PowerShell
Criteria: powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

3.B.4
Criteria: powershell.exe reads HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty
8.A.1
Procedure: Enumerated remote systems using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)

16.A.1
Procedure: Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll

4.A.2
Criteria: powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4

5.B.7 (Linux host)
Criteria: User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)

6.A.2
Criteria: PowerShell executes Get-ADComputer

15.A.8
Criteria: powershell.exe spawns nslookup.exe, which queries the DC (10.0.1.4) over DNS (port 53)

4.C.7
Procedure: Enumerated anti-virus software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct

4.C.8
Procedure: Enumerated firewall software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class FireWallProduct

12.B.1
Procedure: Enumerated registered AV products using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for AntiVirusProduct

4.C.3
Procedure: Enumerated the computer hostname using PowerShell
Criteria: powershell.exe executing $env:COMPUTERNAME

4.C.6
Procedure: Enumerated the OS version using PowerShell
Criteria: powershell.exe executing Gwmi Win32_OperatingSystem

11.A.4
Procedure: Enumerated computer manufacturer, model, and version information using PowerShell
Criteria: powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem

13.A.1
Procedure: Enumerated the computer name using the GetComputerNameEx API
Criteria: powershell.exe executing the GetComputerNameEx API

2.A.2
Criteria: wscript.exe makes WMI queries for Win32_Processor & Win32_OperatingSystem

12.A.5
Criteria: Adb156.exe makes a WMI query for Win32_LogicalDisk

13.A.6
Criteria: Adb156.exe queries the COMPUTERNAME environment variable

13.A.9
Criteria: Adb156.exe makes a WMI query for Win32_OperatingSystem

4.C.4
Procedure: Enumerated the current domain name using PowerShell
Criteria: powershell.exe executing $env:USERDOMAIN

11.A.7
Procedure: Checked that the computer is joined to a domain using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

13.B.1
Procedure: Enumerated the domain name using the NetWkstaGetInfo API
Criteria: powershell.exe executing the NetWkstaGetInfo API

12.A.4
Criteria: Adb156.exe makes a WMI query for Win32_NetworkAdapterConfiguration

13.A.8
Criteria: Adb156.exe makes a WMI query for Win32_ComputerSystem

15.A.7
Criteria: powershell.exe calls the GetIpNetTable() API

4.C.2
Procedure: Enumerated the current username using PowerShell
Criteria: powershell.exe executing $env:USERNAME

11.A.6
Procedure: Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

13.C.1
Procedure: Enumerated the current username using the GetUserNameEx API
Criteria: powershell.exe executing the GetUserNameEx API

15.A.1
Procedure: Enumerated logged on users using PowerShell
Criteria: powershell.exe executing $env:UserName

16.B.1
Procedure: Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API
Criteria: powershell.exe executing the ConvertSidToStringSid API

7.B.1
Criteria: powershell.exe executes qwinsta /server:cfo

13.A.5
Criteria: Adb156.exe queries the USERNAME environment variable

11.A.3
Procedure: Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_BIOS

13.A.4
Criteria: Adb156.exe makes a WMI query for Win32_BIOS
1.A.9
Criteria:

cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js

Detections:
12.A.2
Criteria:

Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript

Detections:
1.B.2
Procedure:

Spawned interactive powershell.exe

Criteria:

powershell.exe spawning from cmd.exe

Detections:
4.A.2
Procedure:

Spawned interactive powershell.exe

Criteria:

powershell.exe spawning from powershell.exe

Detections:
9.B.1
Procedure:

Spawned interactive powershell.exe

Criteria:

powershell.exe spawning from python.exe

Detections:
11.A.12
Procedure:

Executed PowerShell stager payload

Criteria:

powershell.exe spawning from from the schemas ADS (powershell.exe)

Detections:
20.A.3
Procedure:

Executed PowerShell payload from WMI event subscription persistence

Criteria:

SYSTEM-level powershell.exe spawned from the powershell.exe

Detections:
2.B.3
Criteria:

cmd.exe spawns powershell.exe

Detections:
3.B.3
Criteria:

cmd.exe spawns powershell.exe

Detections:
4.B.3
Criteria:

powershell.exe executes rad353F7.ps1

Detections:
6.A.1
Criteria:

tiny.exe loads system.management.automation.dll

Detections:
13.B.3
Criteria:

cmd.exe spawns powershell.exe

Detections:
14.A.2
Criteria:

cmd.exe spawns powershell.exe

Detections:
14.A.4
Criteria:

powershell.exe executes the decoded payload using Invoke-Expression (IEX)

Detections:
15.A.4
Criteria:

powershell.exe spawns powershell.exe

Detections:
19.B.1
Criteria:

powershell.exe spawns powershell.exe

Detections:
1.A.3
Criteria:

wscript.exe executes unprotected.vbe

Detections:
1.A.7
Criteria:

wscript.exe executes starter.vbs

Detections:
8.A.1
Criteria:

wscript.exe spawns Java-Update.exe

Detections:
11.A.4
Criteria:

mshta.exe executes an embedded VBScript payload

Detections:
1.B.1
Procedure:

Spawned interactive cmd.exe

Criteria:

cmd.exe spawning from the rcs.3aka3.doc process

Detections:
1.A.8
Criteria:

wscript.exe spawns cmd.exe

Detections:
2.B.2
Criteria:

wscript.exe spawns cmd.exe

Detections:
3.A.1
Criteria:

wscript.exe spawns cmd.exe

Detections:
3.B.2
Criteria:

wscript.exe spawns cmd.exe

Detections:
4.B.6
Criteria:

cmd.exe spawns smrs.exe

Detections:
5.A.6
Criteria:

powershell.exe spawns cmd.exe

Detections:
5.C.5
Criteria:

cmd.exe spawns tiny.exe

Detections:
7.A.2
Criteria:

tiny.exe spawns cmd.exe

Detections:
13.A.2
Criteria:

Adb156.exe spawns cmd.exe

Detections:
13.B.2
Criteria:

Adb156.exe spawns cmd.exe

Detections:
14.A.1
Criteria:

Adb156.exe spawns cmd.exe

Detections:
16.A.3
Criteria:

powershell.exe spawns cmd.exe

Detections:
17.A.3
Criteria:

svchost.exe spawns cmd.exe

Detections:
1.A.2
Criteria:

winword.exe loads VBE7.DLL

Detections:
11.A.7
Criteria:

winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL

Detections:
4.C.10
Procedure:

Executed API call by reflectively loading Netapi32.dll

Criteria:

The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll

Detections:
4.C.12
Procedure:

Executed API call by reflectively loading Netapi32.dll

Criteria:

The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll

Detections:
10.B.2
Procedure:

Executed PowerShell payload via the CreateProcessWithToken API

Criteria:

hostui.exe executing the CreateProcessWithToken API

Detections:
16.B.2
Procedure:

Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll

Criteria:

powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll

Detections:
3.B.6
Criteria:

powershell.exe executes the shellcode from the Registry by calling the CreateThread() API

Detections:
11.A.8
Criteria:

mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes

Detections:
12.A.1
Criteria:

svchost.exe (-s Schedule) spawns Adb156.exe

Detections:
8.C.3
Procedure:

Executed python.exe using PSExec

Criteria:

python.exe spawned by PSEXESVC.exe

Detections:
10.A.1
Procedure:

Executed persistent service (javamtsup) on system startup

Criteria:

javamtsup.exe spawning from services.exe

Detections:
5.C.3
Criteria:

cmd.exe spawns from a service executable in C:\Windows\

Detections:
16.A.6
Criteria:

Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe

Detections:
1.A.1
Criteria:

explorer.exe spawns winword.exe when user clicks 1-list.rtf

Detections:
11.A.1
Criteria:

explorer.exe spawns winword.exe when user clicks 2-list.rtf

Detections:
1.A.1
Procedure:

User Pam executed payload rcs.3aka3.doc

Criteria:

The rcs.3aka3.doc process spawning from explorer.exe

Detections:
11.A.1
Procedure:

User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk

Criteria:

powershell.exe spawning from explorer.exe

Detections:
14.B.1
Procedure:

Created and executed a WMI class using PowerShell

Criteria:

WMI Process (WmiPrvSE.exe) executing powershell.exe

Detections:
7.B.4
Procedure:

Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell

Criteria:

powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)

Detections:
2.B.1
Procedure:

Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)

Criteria:

The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel

Detections:
9.B.8
Procedure:

Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)

Criteria:

python.exe reading the file working.zip while connected to the C2 channel

Detections:
2.B.5
Criteria:

wscript.exe reads and uploads screenshot__.png to 192.168.0.4

Detections:
13.B.5
Criteria:

Adb156.exe reads and uploads image.png to 192.168.0.6 via MSSQL transactions

Detections:
20.B.5
Criteria:

rundll32.exe reads and uploads log.7z to 192.168.0.4

Detections:
18.A.2
Procedure:

Exfiltrated staged collection to an online OneDrive account using PowerShell

Criteria:

powershell.exe executing Copy-Item pointing to drive mapped to an attack-controlled OneDrive account

Detections:
8.C.1
Procedure:

Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam

Criteria:

Successful logon as user Pam on Scranton (10.0.1.4)

Detections:
16.C.2
Procedure:

Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott

Criteria:

Successful logon as user MScott on NewYork (10.0.0.4)

Detections:
4.A.4
Criteria:

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Detections:
5.A.8
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
5.B.2
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
7.A.4
Criteria:

User kmitnick logs on to bankdc (10.0.0.4)

Detections:
7.B.2
Criteria:

User kmitnick logs on to cfo (10.0.0.5)

Detections:
16.A.4
Criteria:

User kmitnick logs on to itadmin (10.0.1.6)

Detections:
19.A.1
Criteria:

User kmitnick logs on to accounting (10.0.1.7)

Detections:
16.D.1
Procedure:

Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection

Criteria:

File write of m.exe by the WinRM process (wsmprovhost.exe)

Detections:
5.A.9
Tux
Criteria:

Pscp.exe copies psexec.py to 10.0.0.7

Detections:
5.A.10
Tux
Criteria:

Pscp.exe copies runtime to 10.0.0.7

Detections:
5.A.11
Tux
Criteria:

Pscp.exe copies tiny.exe to 10.0.0.7

Detections:
5.C.4
Criteria:

tiny.exe is created on 10.0.0.4

Detections:
7.A.5
Criteria:

RDP session from the localhost over TCP port 3389

Detections:
7.B.3
Criteria:

RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389

Detections:
19.A.2
Criteria:

RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389

Detections:
8.C.2
Procedure:

Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec

Criteria:

SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share

Detections:
5.C.2
Criteria:

psexec.py connects to SMB shares on 10.0.0.4

Detections:
16.A.5
Criteria:

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed

Detections:
5.A.7
Tux
Criteria:

Pscp.exe connects over SCP (port 22) to 10.0.0.7

Detections:
5.B.1
Tux
Criteria:

plink.exe connects over SSH (port 22) to 10.0.0.7

Detections:
8.A.2
Procedure:

Established WinRM connection to remote host Scranton (10.0.1.4)

Criteria:

Network connection to Scranton (10.0.1.4) over port 5985

Detections:
16.C.1
Procedure:

Established a WinRM connection to the domain controller host NewYork (10.0.0.4)

Criteria:

Network connection to NewYork (10.0.0.4) over port 5985

Detections:
20.B.2
Procedure:

Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials

Criteria:

Network connection to Scranton (10.0.1.4) over port 5985

Detections:
5.C.1
Criteria:

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Detections:
20.B.1
Procedure:

Created Kerberos Golden Ticket using Invoke-Mimikatz

Criteria:

powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket

Detections:
5.B.1
Procedure:

Created a LNK file (hostui.lnk) in the Startup folder that executes on login

Criteria:

powershell.exe creating the file hostui.lnk in the Startup folder

Detections:
10.B.1
Procedure:

Executed LNK payload (hostui.lnk) in Startup Folder on user login

Criteria:

Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder

Detections:
11.A.11
Procedure:

Established Registry Run key persistence using PowerShell

Criteria:

Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Detections:
7.C.4
Criteria:

Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Detections:
10.A.4
Criteria:

msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run

Detections:
20.B.3
Procedure:

Added a new user to the remote host Scranton (10.0.1.4) using net.exe

Criteria:

net.exe adding the user Toby

Detections:
5.A.1
Procedure:

Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup

Criteria:

powershell.exe creating the Javamtsup service

Detections:
19.B.5
Criteria:

sdbinst.exe installs sdbE376.tmp shim

Detections:
20.A.1
Criteria:

AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll

Detections:
3.B.1
Procedure:

Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell

Criteria:

Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command

Detections:
14.A.1
Procedure:

Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell

Criteria:

Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command

Detections:
15.A.2
Procedure:

Established WMI event subscription persistence using PowerShell

Criteria:

powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription

Detections:
20.A.2
Procedure:

Executed WMI persistence on user login

Criteria:

The WMI process (wmiprvse.exe) executing powershell.exe

Detections:
17.A.4
Criteria:

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Detections:
11.A.8
Criteria:

mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes

Detections:
12.A.1
Criteria:

svchost.exe (-s Schedule) spawns Adb156.exe

Detections:
8.C.1
Procedure:

Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam

Criteria:

Successful logon as user Pam on Scranton (10.0.1.4)

Detections:
16.C.2
Procedure:

Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott

Criteria:

Successful logon as user MScott on NewYork (10.0.0.4)

Detections:
4.A.4
Criteria:

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Detections:
5.A.8
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
5.B.2
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
7.A.4
Criteria:

User kmitnick logs on to bankdc (10.0.0.4)

Detections:
7.B.2
Criteria:

User kmitnick logs on to cfo (10.0.0.5)

Detections:
16.A.4
Criteria:

User kmitnick logs on to itadmin (10.0.1.6)

Detections:
19.A.1
Criteria:

User kmitnick logs on to accounting (10.0.1.7)

Detections:
3.B.2
Procedure:

Executed elevated PowerShell payload

Criteria:

High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)

Detections:
14.A.2
Procedure:

Executed elevated PowerShell payload

Criteria:

High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)

Detections:
4.B.5
Criteria:

fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Detections:
15.A.5
Criteria:

powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Detections:
10.B.3
Procedure:

Manipulated the token of the PowerShell payload via the CreateProcessWithToken API

Criteria:

hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe

Detections:
5.B.1
Procedure:

Created a LNK file (hostui.lnk) in the Startup folder that executes on login

Criteria:

powershell.exe creating the file hostui.lnk in the Startup folder

Detections:
10.B.1
Procedure:

Executed LNK payload (hostui.lnk) in Startup Folder on user login

Criteria:

Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder

Detections:
11.A.11
Procedure:

Established Registry Run key persistence using PowerShell

Criteria:

Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Detections:
7.C.4
Criteria:

Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Detections:
10.A.4
Criteria:

msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run

Detections:
5.A.1
Procedure:

Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup

Criteria:

powershell.exe creating the Javamtsup service

Detections:
19.B.5
Criteria:

sdbinst.exe installs sdbE376.tmp shim

Detections:
20.A.1
Criteria:

AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll

Detections:
3.B.1
Procedure:

Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell

Criteria:

Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command

Detections:
14.A.1
Procedure:

Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell

Criteria:

Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command

Detections:
15.A.2
Procedure:

Established WMI event subscription persistence using PowerShell

Criteria:

powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription

Detections:
20.A.2
Procedure:

Executed WMI persistence on user login

Criteria:

The WMI process (wmiprvse.exe) executing powershell.exe

Detections:
17.A.4
Criteria:

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Detections:
9.A.3
Criteria:

Java-Update.exe injects into explorer.exe with CreateRemoteThread

Detections:
18.A.3
Criteria:

explorer.exe injects into mstsc.exe with CreateRemoteThread

Detections:
20.A.2
Criteria:

AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread

Detections:
16.A.7
Criteria:

hollow.exe spawns svchost.exe and unmaps its memory image via: NtUnmapViewOfSection

Detections:
11.A.8
Criteria:

mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes

Detections:
12.A.1
Criteria:

svchost.exe (-s Schedule) spawns Adb156.exe

Detections:
8.C.1
Procedure:

Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam

Criteria:

Successful logon as user Pam on Scranton (10.0.1.4)

Detections:
16.C.2
Procedure:

Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott

Criteria:

Successful logon as user MScott on NewYork (10.0.0.4)

Detections:
4.A.4
Criteria:

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Detections:
5.A.8
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
5.B.2
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
7.A.4
Criteria:

User kmitnick logs on to bankdc (10.0.0.4)

Detections:
7.B.2
Criteria:

User kmitnick logs on to cfo (10.0.0.5)

Detections:
16.A.4
Criteria:

User kmitnick logs on to itadmin (10.0.1.6)

Detections:
19.A.1
Criteria:

User kmitnick logs on to accounting (10.0.1.7)

Detections:

Results Graphs

Detections Type Distribution by Step


Detections Type Distribution by Sub-step


Detection Type Frequency by Sub-step