| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| | | Technique | A Technique detection named "User Execution" (Low) was generated when explorer.exe spawned winword.exe after the user clicked 1-list.rtf. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Component Object Model and Distributed COM" was generated when winword.exe loaded VBE7.dll and spawned 1-list.rtf. |
| | | Technique | A Technique detection named "Scripting" (Medium) was generated when wscript.exe spawned unprotected.vbe. |
| | | General | A General detection named "gen.win.ofcsuspscr.a" (Medium) was generated when an Office application (winword.exe) executed a suspicious scripting process (wscript.exe). |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Obfuscated Files or Information" was generated when unprotected.vbe was encoded. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Deobfuscate/Decode Files or Information" was generated when wscript.exe decoded and created starter.vbs. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Deobfuscate/Decode Files or Information" was generated when wscript.exe decoded and created TransBaseOdbcDriver.js. |
| | | Technique | A Technique detection named "Scripting" (Medium) was generated when wscript.exe executed starter.vbs. |
| | | Technique | A Technique detection named "Command-Line Interface" was generated when wscript.exe spawned cmd.exe. |
| | | Technique | A Technique detection named "Scripting" (Medium) was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js. |
| | | Technique | A Technique detection named "Standard Application Layer Protocol" (Medium) was generated when wscript.exe connected to 192.168.0.4 over HTTPS. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Standard Cryptographic Protocol" was generated when wscript.exe connected to 192.168.0.4 over HTTPS. |
| | | Technique | A Technique detection named "System Information Discovery" (Medium) was generated when wscript.exe made a WMI query for Win32_OperatingSystem. |
| | | Technique | A Technique detection named "Process Discovery" (Medium) was generated when wscript.exe made a WMI query for Win32_Process. |
| | | Technique | A Technique detection named "Remote File Copy" was generated when wscript.exe downloaded screenshot__.ps1 from 192.168.0.4. |
| | | Technique | A Technique detection named "Command-Line Interface" was generated when wscript.exe spawned cmd.exe. |
| | | Technique | A Technique detection named "PowerShell" (Medium) was generated when cmd.exe spawned powershell.exe. |
| | | Technique | A Technique detection named "Screen Capture" (Medium) was generated when powershell.exe executed BitBlt. |
| | | Technique | A Technique detection named "Exfiltration Over Command and Control Channel" (Medium) was generated when wscript.exe uploaded screenshot__.png to 192.168.0.4. |
| | | Technique | A Technique detection named "Command-Line Interface" (Medium) was generated when wscript.exe spawned cmd.exe. |
| | | Technique | A Technique detection named "Modify Registry" was generated when cmd.exe spawned reg.exe to add a value to a registry key. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Obfuscated Files or Information" was generated when cmd.exe spawned reg.exe to modify the registry with base64 encoded data. |
| | | Technique | A Technique detection named "Remote File Copy" was generated when wscript.exe downloaded LanCradDriver.ps1 from 192.168.0.4. |
| | | Technique | A Technique detection named "Command-Line Interface" was generated when wscript.exe spawned cmd.exe. |
| | | Technique | A Technique detection named "PowerShell" (Medium) was generated when cmd.exe spawned powershell.exe. |
| | | Technique | A Technique detection named "Query Registry" was generated when the use of Get-ItemProperty was identified in script content. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Deobfuscate/Decode Files or Information" was generated when powershell.exe decrypted, decompressed, and base64 decoded the Registry value into plaintext shellcode. |
| | | Technique | A Technique detection named "Execution through API" was generated when powershell.exe executed the shellcode from the Registry by calling the CreateThread() API. |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Technique (Configuration Change (Data Sources), Configuration Change (Detection Logic)) | A Technique detection named "File and Directory Discovery" was generated when powershell.exe called the FindFirstFileW() and FindNextFileW() APIs. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote System Discovery" was generated when powershell.exe executed Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Brute Force" was generated when powershell.exe executed Find-LocalAdminAccess, which connected to multiple hosts over port 135 to check for access. |
| | | Technique | A Technique detection named "Valid Accounts" was generated when user kmitnick successfully logged into bankdc (10.0.0.4). |
| | | Technique | A Technique detection named "Remote File Copy" was generated when powershell.exe downloaded rad353F7.ps1 from 192.168.0.4. |
| | | Technique | A Technique detection named "Remote File Copy" was generated when powershell.exe downloaded smrs.exe from 192.168.0.4. |
| | | Technique | A Technique detection named "PowerShell" (Medium) was generated when powershell.exe executed rad353F7.ps1. |
| | | Technique | A Technique detection named "Modify Registry" (Low) was generated when powershell.exe added a value to the Registry via New-Item and New-ItemProperty. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Bypass User Account Control" was generated when powershell.exe modified a Registry value to facilitate UAC bypass. |
| | | General | A General detection named "gen.win.uacpsmssettings" (High) was generated when malware associated with UAC bypass was identified. |
| | | Technique | A Technique detection named "Command-Line Interface" was generated when cmd.exe executed smrs.exe. |
| | | Technique | A Technique detection named "Credential Dumping" (Medium) was generated when smrs.exe opened and read lsass.exe. |
| | | General | A General detection named "HEUR: Trojan-PSW.Win64.Mimikatz.gen" (Medium) was generated when smrs.exe was identified as Mimikatz. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote File Copy" was generated when powershell.exe downloaded pscp.exe from 192.168.0.4. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote File Copy" was generated when powershell.exe downloaded psexec.py from 192.168.0.4. |
| | | Technique | A Technique detection named "Remote File Copy" (Medium) was generated when powershell.exe downloaded runtime from 192.168.0.4. |
| | | Technique | A Technique detection named "Remote File Copy" (Medium) was generated when powershell.exe downloaded plink.exe from 192.168.0.4. |
| | | Technique | A Technique detection named "Remote File Copy" (Medium) was generated when powershell.exe downloaded tiny.exe from 192.168.0.4. |
| | | Technique | A Technique detection named "Command-Line Interface" was generated when powershell.exe spawned cmd.exe. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote Services" was generated when pscp.exe connected over SCP (port 22) to 10.0.0.7. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Remote File Copy" was generated when pscp.exe copied psexec.py to 10.0.0.7. |
| | | Technique | A Technique detection named "Remote File Copy" was generated when pscp.exe copied runtime to 10.0.0.7. |
| | | Technique | A Technique detection named "Remote File Copy" was generated when pscp.exe copied tiny.exe to 10.0.0.7. |
| | | Technique | A Technique detection named "Remote Services" was generated when plink.exe connected over SSH (port 22) to 10.0.0.7. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Process Discovery" was generated when user kmitnick executed ps ax. |
| | | Technique | A Technique detection named "File and Directory Discovery" was generated when user kmitnick executed ls -lsahR /var/. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Data from Local System" was generated when user kmitnick read network-diagram-financial.xml via cat. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Data from Local System" was generated when user kmitnick read help-desk-ticket.txt via cat. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote System Discovery" was generated when user kmitnick enumerated the domain controller via nslookup. |
| | | Technique | A Technique detection named "Pass the Hash" was generated when psexec.py was executed with command-line arguments that indicated pass the hash. |
| | | Technique | A Technique detection named "Windows Admin Shares" was generated when psexec.py connected to SMB shares on 10.0.0.4. |
| | | Technique | A Technique detection named "Service Execution" (Medium) was generated when cmd.exe spawned from a service executable in C:\Windows\. |
| | | Technique | A Technique detection named "Remote File Copy" was generated when tiny.exe was created on 10.0.0.4. |
| | | Technique | A Technique detection named "Command-Line Interface" was generated when cmd.exe spawned tiny.exe. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "PowerShell" was generated when tiny.exe loaded system.management.automation.dll. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote System Discovery" was generated when PowerShell executed Get-ADComputer. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Account Discovery" was generated when PowerShell executed Get-NetUser. |
| | | Technique | A Technique detection named "Remote File Copy" (Medium) was generated when tiny.exe downloaded plink.exe from 192.168.0.4. |
| | | Technique | A Technique detection named "Command-Line Interface" (Medium) was generated when tiny.exe spawned cmd.exe. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Valid Accounts" was generated when user kmitnick logged on to bankdc (10.0.0.4). |
| | | Technique | A Technique detection named "Remote Desktop Protocol" was generated when an RDP session was created from localhost over port 3389. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "System Owner/User Discovery" was generated when powershell.exe executed qwinsta /server:cfo. |
| | | Technique | A Technique detection named "Valid Accounts" was generated when user kmitnick logged on to cfo (10.0.0.5). |
| | | Technique | A Technique detection named "Remote Desktop Protocol" was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote File Copy" was generated when scp.exe downloaded Java-Update.exe from 192.168.0.4. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Remote File Copy" was generated when cmd.exe downloaded Java-Update.vbs from 192.168.0.4. |
| | | Technique | A Technique detection named "Registry Run Keys / Startup Folder" was generated when the Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. |
| | | Technique | A Technique detection named "Scripting" (Medium) was generated when wscript.exe executed Java-Update.vbs, which spawned Java-Update.exe. |
| | | Technique | A Technique detection named "Standard Application Layer Protocol" (Medium) was generated when Java-Update.exe exchanged data with 192.168.0.4 over HTTPS (port 80). |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Standard Cryptographic Protocol" was generated when Java-Update.exe exchanged data with 192.168.0.4 over HTTPS (port 80). |
| | | Technique | A Technique detection named "Remote File Copy" (Medium) was generated when Java-Update.exe downloaded DefenderUpgradeExec.exe from 192.168.0.4. |
| | | Technique | A Technique detection named "Input Capture" (Medium) was generated when DefenderUpgradeExec.exe called the SetWindowsHookEx API to log keystrokes, which resulted in the process being marked as Damaged. |
| | | Technique | A Technique detection named "Process Injection" (Medium) was generated when Java-Update.exe injected into explorer.exe with CreateRemoteThread. |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Technique (Configuration Change (Data Sources)) | A Technique detection named "Screen Capture" was generated when explorer.exe executed the BitBlt API. |
| | | Technique | A Technique detection named "Data from Local System" was generated when explorer.exe read C:\Users\jsmith\AppData\Local\Temp\klog2.txt over 192.168.0.4. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote File Copy" was generated when explorer.exe downloaded infosMin48.exe from 192.168.0.4. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Credentials from Web Browsers" was generated when infosMin48.exe loaded vaultcli.dll. |
| | | Technique | A Technique detection named "File Deletion" (Medium) was generated when powershell.exe deleted files from C:\Users\jsmith\AppData\Local\Temp\. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote File Copy" was generated when explorer.exe downloaded tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote File Copy" was generated when explorer.exe downloaded vnc-settings.reg from 192.168.0.4. |
| | | Technique | A Technique detection named "Disabling Security Tools" (Medium) was generated when netsh.exe added a 'Service Host' rule to allow TCP port 5900 inbound. |
| | | Technique | A Technique detection named "Registry Run Keys / Startup Folder" was generated when the tvncontrol subkey was added to HKLM\Software\Microsoft\CurrentVersion\Run. |
| | | Technique | A Technique detection named "Modify Registry" (Low) was generated when subkeys were added to HKLM\Software\TightVNC\Server via vnc-settings.reg. |
| | | Technique | A Technique detection named "Modify Registry" (Low) was generated when the Java-Update subkey at HKLM\Software\Microsoft\Windows\CurrentVersion\Run was deleted. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote Access Tools" was generated when tvnserver.exe began listening on TCP port 5900. |