Home >
Enterprise >
Participants >
Kaspersky >
Results
|
|
APT3 Substep numbers were updated on November 11, 2021 to accommodate changes to ATT&CK and updates to the result data structure. No results were modified in this process.
Procedure
Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Searched filesystem for document and media files using PowerShell
Criteria
powershell.exe executing (Get-)ChildItem
Procedure
Scripted search of filesystem for document and media files using PowerShell
Criteria
powershell.exe executing (Get-)ChildItem
Procedure
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria
powershell.exe reading files in C:\Users\Pam\
Procedure
Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria
The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Procedure
Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is HTTPS
Footnotes
- Although telemetry showed a network connection over port 443 no protocol was identified for this traffic, so a detection does not apply.
Procedure
Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Footnotes
- Although telemetry showed a network connection over port 443 no protocol was identified for this traffic, so a detection does not apply.
Procedure
Modified the Registry to remove artifacts of COM hijacking
Criteria
Deletion of of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Procedure
Enumerated current running processes using PowerShell
Criteria
powershell.exe executing Get-Process
Procedure
Enumerated user's temporary directory path using PowerShell
Criteria
powershell.exe executing $env:TEMP
Procedure
Enumerated the current username using PowerShell
Criteria
powershell.exe executing $env:USERNAME
Procedure
Enumerated the computer hostname using PowerShell
Criteria
powershell.exe executing $env:COMPUTERNAME
Procedure
Enumerated the current domain name using PowerShell
Criteria
powershell.exe executing $env:USERDOMAIN
Procedure
Enumerated the OS version using PowerShell
Criteria
powershell.exe executing Gwmi Win32_OperatingSystem
Procedure
Enumerated anti-virus software using PowerShell
Criteria
powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Procedure
Enumerated firewall software using PowerShell
Criteria
powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Procedure
Enumerated user's domain group membership via the NetUserGetGroups API
Criteria
powershell.exe executing the NetUserGetGroups API
Procedure
Executed API call by reflectively loading Netapi32.dll
Criteria
The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Procedure
Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria
powershell.exe executing the NetUserGetLocalGroups API
Procedure
Executed API call by reflectively loading Netapi32.dll
Criteria
The NetUserGetLocalGroups API function loaded into powershelle.exe from Netapi32.dll
Procedure
Read the Chrome SQL database file to extract encrypted credentials
Criteria
accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Procedure
Executed the CryptUnprotectedData API call to decrypt Chrome passwords
Criteria
accesschk.exe executing the CryptUnprotectedData API
Procedure
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Footnotes
- Unable to test because execution blocked by the vendor solution.
Procedure
Captured clipboard contents using PowerShell
Criteria
powershell.exe executing Get-Clipboard
Procedure
Read data in the user's Downloads directory using PowerShell
Criteria
powershell.exe reading files in C:\Users\pam\Downloads\
Procedure
Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria
powershell.exe executing Get-Process
Procedure
Searched filesystem for document and media files using PowerShell
Criteria
powershell.exe executing (Get-)ChildItem
Procedure
Scripted search of filesystem for document and media files using PowerShell
Criteria
powershell.exe executing (Get-)ChildItem
Procedure
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria
powershell.exe reading files in C:\Users\Pam\
Procedure
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria
python.exe reading the file working.zip while connected to the C2 channel
Procedure
Deleted SDelete on disk using cmd.exe del command
Criteria
cmd.exe deleting the file sdelete64.exe
Procedure
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Procedure
Executed PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe executing the CreateProcessWithToken API
Procedure
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Procedure
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
Criteria
powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
Procedure
Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Enumerated the System32 directory using PowerShell
Criteria
powershell.exe executing (gci ((gci env:windir).Value + '\system32')
Procedure
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Procedure
Enumerated installed software via the Registry (Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Procedure
Modified the Registry to remove artifacts of COM hijacking using PowerShell
Criteria
Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Procedure
Encoded and wrote Mimikatz output to a WMI class property using PowerShell
Criteria
powershell.exe executing Set-WmiInstance
Procedure
Read and decoded Mimikatz output from a WMI class property using PowerShell
Criteria
powershell.exe executing Get-WmiInstance
Procedure
Enumerated logged on users using PowerShell
Criteria
powershell.exe executing $env:UserName
Procedure
Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API
Criteria
powershell.exe executing the ConvertSidToStringSid API
Procedure
Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll
Criteria
powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll
Procedure
Read and collected a local file using PowerShell
Criteria
powershell.exe reading the file MITRE-ATTACK-EVALS.HTML
Procedure
Exfiltrated staged collection to an online OneDrive account using PowerShell
Criteria
powershell.exe executing Copy-Item pointing to drive mapped to an attack-controlled OneDrive account