| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "User Execution, T1204" was generated when explorer.exe spawned winword.exe when the user clicked 1-list.rtf. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Inter-Process Communication: Component Object Model, T1559.001" was generated when winword.exe loaded VBE7.DLL and spawned 1-list.rtf. [1] |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | | A Technique detection named "Command and Scripting Interpreter: Visual Basic, T1059.005" was generated when wscript.exe spawned unprotected.vbe. [1] |
| | | | A Tactic detection named "Suspicious Script Execution" (Malicious) was generated when wscript.exe spawned unprotected.vbe. [1] [2] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Command and Scripting Interpreter: Visual Basic" was generated when wscript.exe executed starter.vbs. [1] |
| | | | A General detection named "Suspicious Script Execution" (Malicious) was generated when wscript.exe executed starter.vbs. [1] |
| | | | A Tactic detection named "Suspicious Script Execution" (Malicious) was generated when wscript.exe spawned cmd.exe via the execution of a suspicious script. [1] |
| | | | A Technique detection named "Command and Scripting Interpreter: Windows Command Shell, T1059.003" was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js. [1] |
| | | | A Technique detection named "Suspicious Script Execution" (Malicious) was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Command and Scripting Interpreter: Windows Command Shell" was generated when wscript.exe spawned cmd.exe. [1] |
| | | | A Technique detection named "Command and Scripting Interpreter: PowerShell, T1059.001" was generated when cmd.exe spawned powershell.exe. [1] |
| | | | A Tactic detection named "Suspicious Script Execution" (Malicious) was generated when cmd.exe spawned powershell.exe and marked it as malicious. [1] [2] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Command and Scripting Interpreter: Windows Command Shell, T1059.003" was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Modify Registry, T1112" was generated when cmd.exe spawned reg.exe to modify the registry. [1] |
| | | | A General detection (Malicious) was generated when cmd.exe spawned reg.exe to modify the registry. [1] |
| | | | A Technique detection named "Command and Scripting Interpreter: Windows Command Shell" was generated when wscript.exe spawned cmd.exe. [1] |
| | | | A Technique detection named "Command and Scripting Interpreter: PowerShell, T1059.001" was generated when cmd.exe spawned powershell.exe. [1] |
| | | Telemetry (Configuration Change) | |
| | | | A General detection (Malicious) was generated when powershell.exe decrypted, decompressed, and base64-decoded the Registry value into plaintext shellcode. [1] |
| | | | A General detection (Malicious) was generated when powershell.exe executed shellcode by creating a thread. [1] [2] |
| | | | A General detection (Malicious) was generated when powershell.exe connected to 192.168.0.4. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Create Unmapped Executable" (Malicious) was generated when powershell.exe downloaded rad353F7.ps1 from 192.168.0.4. [1] |
| | | | A Technique detection named "Create Unmapped Executable" (Malicious) was generated when powershell.exe downloaded smrs.exe from 192.168.0.4. [1] |
| | | | A Technique detection named "Command and Scripting Interpreter: PowerShell, T1059.001" was generated when powershell.exe executed rad353F7.ps1. [1] [2] |
| | | | A Tactic detection named "Suspicious Script Execution" (Malicious) was generated when powershell.exe executed rad353F7.ps1. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Modify Registry, T1112" was generated when powershell.exe added a value to the Registry via New-Item and New-ItemProperty. [1] |
| | | | A General detection (Malicious) was generated when fodhelper.exe spawned cmd.exe as a high-integrity process. [1] |
| | | | A General detection named "File Execution Attempt" (Malicious) was generated when cmd.exe executed smrs.exe. [1] |
| | | | A Tactic detection named "Credential Access" (Malicious) was generated when smrs.exe opened and read lsass.exe. [1] [2] |
| | | | A Technique detection named "Command and Scripting Interpreter: Windows Command Shell, T1059.003" was generated when powershell.exe spawned cmd.exe. [1] |
| | | | A Tactic detection named "Suspicious Script Execution" (Malicious) was generated when powershell.exe spawned cmd.exe. [1] |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A General detection named "File Execution Attempt" (Malicious) was generated when cmd.exe was spawned from a service executable in C:\Windows\. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A General detection named "In Memory Execution" (Malicious) was generated when tiny.exe loaded shellcode into memory. [1] |
| | | | A Technique detection named "Command and Scripting Interpreter: PowerShell, T1059.00" was generated when tiny.exe loaded system.management.automation.ni.dll. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Command and Scripting Interpreter: Windows Command Shell, T1059.003" was generated when tiny.exe spawned cmd.exe. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Remote Services: Remote Desktop Protocol, T1201.001" was generated when an RDP session was established from the localhost over TCP port 3389. [1] |
| | | | A Technique detection named "Remote Services: Remote Desktop Protocol, T1021.001" was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.001" was generated when the Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. [1] |
| | | | A Technique detection named "Command and Scripting Interpreter: Visual Basic, T1059.005" was generated when wscript.exe spawned Java-Update.exe and loaded vbscript.dll. [1] [2] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Create Unmapped Executable" was generated when Java-Update.exe connected to 192.168.0.4 and created DefenderUpgradeExec.exe. [1] |
| | | | A Technique detection named "Injected Thread" (Malicious) was generated when Java-Update.exe injected into explorer.exe via thread creation. [1] [2] [3] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Create Unmapped Executable" (Malicious) was generated when explorer.exe downloaded infosMin48.exe from 192.168.0.4. [1] |
| | | | A Technique detection named "Indicator Removal on Host: File Deletion, T1070" was generated when powershell.exe deleted files from C:\Users\jsmith\AppData\Local\Temp\. [1] |
| | | | A Technique detection named "File Delete Attempt" (Malicious) was generated when powershell.exe deleted files from C:\Users\jsmith\AppData\Local\Temp\. [1] |
| | | | A Technique detection named "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.001" was generated when the tvncontrol subkey was added to HKLM\Software\Microsoft\CurrentVersion\Run. [1] |
| | | | Minimum detection criteria was not met for this procedure. |