| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "User opened Office application" (Warning) was generated when explorer.exe spawned winword.exe when the user clicked 1-list.rtf. |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Technique | A Technique detection named "Script started from TEMP" (Warning) was generated when wscript.exe spawned unprotected.vbe. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Saving script file from Office suite" (Warning) was generated when winword.exe saved unprotected.vbe to disk. |
| | | Technique | A Technique detection named "MS Office app has invoked script interpreter" (Warning) was generated when a script interpreter (wscript.exe) was spawned by an MS Office application (winword.exe). |
| | | Technique | A Technique detection named "Wscript executed a process" (Warning) was generated when wscript.exe executed a suspicious process as a result of executing starter.vbs. |
| | | Technique | A Technique detection named "Suspicious script interpreter started - cmd" (Warning) was generated when wscript.exe spawned cmd.exe. |
| | | Technique | A Technique detection named "Suspicious script interpreter started - Microsoft Office" (Warning) was generated when a script interpreter (wscript.exe) was spawned with an ancestor MS Office application (winword.exe) when it executed TransBaseOdbcDriver.js. |
| | | Technique | A Technique detection named "Script interpreter queried system information via WMI" (Information) was generated when wscript.exe made a WMI query for Win32_OperatingSystem. |
| | | Technique | A Technique detection named "Script interpreter queried processes information via WMI" (Information) was generated when wscript.exe made a WMI query for Win32_Process. |
| | | Technique | A Technique detection named "Suspicious script interpreter started - cmd" (Warning) was generated when wscript.exe spawned cmd.exe. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Cmd.exe executed PowerShell" (Information) was generated when cmd.exe spawned powershell.exe. |
| | | Technique | A Technique detection named "Suspicious PowerShell script - Screen/Keystroke/Window Capture" (Warning) was generated when a PowerShell script (screenshot__.ps1) contained a call to CopyFromScreen(). |
| | | | Minimum detection criteria was not met for this procedure. |
| | | Technique | A Technique detection named "Suspicious script interpreter started - cmd" (Warning) was generated when wscript.exe spawned cmd.exe. |
| | | Technique | A Technique detection named "Medium-size Registry value set" (Information) was generated when cmd.exe spawned reg.exe to add a value to the registry key. |
| | | Technique | A Technique detection named "Suspicious script interpreter started - cmd" (Warning) was generated when wscript.exe spawned cmd.exe. |
| | | Technique | A Technique detection named "Suspicious script interpreter process tree - Microsoft Office" (Warning) was generated when a script interpreter (powershell.exe) was spawned with an ancestor MS Office application (winword.exe). |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Cmd.exe executed PowerShell" (Information) was generated when cmd.exe spawned powershell.exe. |
| | | Technique | A Technique detection named "Query registry via PowerShell" (Information) was generated when powershell.exe read HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty. |
| | | General | A General detection named "PowerShell/Rozena.BI" (Threat) was generated when shellcode was detected in the memory of the powershell.exe process. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious PowerShell script - CreateThread API" (Warning) was generated when powershell.exe executed the shellcode from the Registry by calling the CreateThread() API. |
| | | General | A General detection named "Win32/RiskWare.Meterpreter.A" (Threat) was generated when powershell.exe network traffic was identified as Meterpreter. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | General | A General detection named "PowerShell/RiskWare.PowerSploit.D" (Threat) was generated when PowerSploit malware was identified. |
| | | Tactic | A Tactic detection named "PowerView cmdlet in AMSI" (Warning) was generated when powershell.exe executed Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4. |
| | | General | A General detection named "PowerShell/RiskWare.PowerSploit.D" (Threat) was generated when PowerSploit malware was identified. |
| | | General | A General detection named "smrs.exe" (Threat) was generated when smrs.exe was flagged as a threat for low popularity. |
| | | General | A General detection named "PowerShell has dropped a suspicious executable" (Warning) was generated when powershell.exe dropped smrs.exe from a remote source. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Possible UAC bypass" (Warning) was generated when fodhelper.exe spawned cmd.exe as a high-integrity process. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "UAC bypass registry modifications" (Warning) was generated when powershell.exe modified a Registry value to facilitate UAC bypass. |
| | | Technique | A Technique detection named "Potential Credential Dumping - Mimikatz" (Warning) was generated when smrs.exe accessed lsass.exe in a similar way to Mimikatz. |
| | | General | A General detection named "Win64/Riskware.Mimikatz.D" (Threat) was generated when smrs.exe was detected as Mimikatz. |
| | | General | A General detection named "Unpopular process has started from AppData\ProgramData" (Information) was generated when smrs.exe was launched from AppData\ProgramData. |
| | | Technique | A Technique detection named "Potential Credential Dumping - Generic" (Warning) was generated when smrs.exe accessed lsass.exe. |
| | | Technique | A Technique detection named "Suspicious script interpreter started - cmd" (Warning) was generated when powershell.exe spawned cmd.exe. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | General | A General detection named "Win32/RiskWare.RemoteAdmin.Remote.Exec.AC" (Threat) was generated when the service executable in C:\Windows\ was detected as remote execution malware. |
| | | Technique | A Technique detection named "Suspicious service executed" (Warning) was generated when cmd.exe spawned from a service executable in C:\Windows\. |
| | | General | A General detection named "Win64/RiskWare.Meterpreter.K" (Threat) was generated when tiny.exe was detected as Meterpreter. |
| | | General | A General detection named "Win32/RiskWare.Meterpreter.A" (Threat) was generated when network traffic from tiny.exe was detected as Meterpreter. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "PowerShell engine dll loaded in non-PowerShell process" (Warning) was generated when a PowerShell engine DLL (system.management.automation.dll) was loaded by tiny.exe. |
| | | Technique | A Technique detection named "Remote system discovery via PowerShell" (Information) was generated when PowerShell executed Get-ADComputer. |
| | | General | A General detection named "PowerShell/RiskWare.PowerSploit.D" (Threat) was generated when PowerSploit malware was identified. |
| | | Technique | A Technique detection named "PowerView cmdlet name in AMSI" (Warning) was generated when a PowerView cmdlet (Get-NetUser) was identified in memory. |
| | | Technique | A Technique detection named "Command prompt with unpopular parent process" (Information) was generated when cmd.exe was spawned from an unpopular parent process, tiny.exe. |
| | | Technique | A Technique detection named "Process communication over potentially Suspicious protocol - detected SSH communication" (Warning) was generated when plink.exe exchanged data with 192.168.0.4 over the SSH protocol. |
| | | Technique | A Technique detection named "Remote user login" (Information) was generated when user kmitnick logged on to bankdc (10.0.0.4). |
| | | Technique | A Technique detection named "Process communicating over potentially Suspicious Protocol - detected RDP communication" (Information) was generated when an RDP session was created from localhost over port 3389. |
| | | Technique | A Technique detection named "System Owner/User Discovery" (Information) was generated when powershell.exe executed qwinsta /server:cfo. |
| | | Technique | A Technique detection named "Remote user login" (Information) was generated when user kmitnick logged on to cfo (10.0.0.5). |
| | | Technique | A Technique detection named "Process communicating over potentially Suspicious Protocol - detected RDP communication" (Warning) was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. |
| | | General | A General detection named "Win64/Riskware.Meterpreter.B" (Threat) was generated when Java-Update.exe was identified as Meterpreter. |
| | | Tactic | A Tactic detection named "Process communicating over potentially Suspicious Protocol - detected SSH communication" (Warning) was generated when scp.exe downloaded Java-Update.exe from 192.168.0.4. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | Technique | A Technique detection named "Common AutoStart registry modified by reg.exe" (Information) was generated when reg.exe was used to modify a common AutoStart Registry key. |
| | | Technique | A Technique detection named "Wscript.exe executed a process" (Warning) was generated when wscript.exe spawned Java-Update.exe. |
| | | Technique | A Technique detection named "Explorer.exe executed script process" (Warning) was generated when explorer.exe spawned wscript.exe, which spawned Java-Update.exe. |
| | | General | A General detection named "Win32/RiskWare.Meterpreter.M" (Threat) was generated when Java-Update.exe network traffic was identified as Meterpreter. |
| | | Technique | A Technique detection named "Protocol Mismatch - SSL communication, non-standard port, unpopular process" (Warning) was generated when Java-Update.exe exchanged data with 192.168.0.4 over SSL on port 80. |
| | | General | A General detection named "Suspicious executable with .exe extension was dropped" (Warning) was generated when Java-Update.exe downloaded DefenderUpgradeExec.exe from 192.168.0.4. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | Technique | A Technique detection named "Injection from unpopular process" (Warning) was generated when an unpopular process (Java-Update.exe) injected into explorer.exe with CreateRemoteThread. |
| | | Technique | A Technique detection named "Injection into trusted process" (Warning) was generated when Java-Update.exe injected into a trusted process (explorer.exe) with CreateRemoteThread. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | Technique (Configuration Change (Detection Logic), Configuration Change (Data Sources)) | A Technique detection named "Potential credentials theft from Windows Credential Vault" (Warning) was generated when infosMin48.exe loaded vaultcli.dll. |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Technique | A Technique detection named "File deletion via PowerShell" (Information) was generated when powershell.exe deleted files from C:\Users\jsmith\AppData\Local\Temp\ via Remove-Item. |
| | | Technique | A Technique detection named "Netsh firewall rules manipulation" (Information) was generated when netsh.exe added a 'Service Host' rule to allow TCP port 5900 inbound. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Common AutoStart registry modified by Ultra/Real/Tight VNC application" (Warning) was generated when a VNC application (tvnserver.exe) modified an AutoStart Registry key. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Reg.exe imported registry changes" (Information) was generated when subkeys were added to HKLM\Software\TightVNC\Server via vnc-settings.reg. |
| | | Technique | A Technique detection named "VNC (Ultra/Real/Tight) application started" (Warning) was generated when tvnserver.exe began listening for connections. |
| | | Technique | A Technique detection named "VNC connection from internal IP range" (Warning) was generated when tvnserver.exe accepted a connection from 192.168.0.4 over TCP port 5900. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Process communicating over potentially Suspicious Protocol - detected VNC communication" (Warning) was generated when tvnserver.exe accepted a VNC connection from 192.168.0.4 over TCP port 5900. |
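Several of the notes above are parent/child or ancestor conditions on the process tree (explorer.exe to winword.exe, an Office app to a script interpreter, wscript.exe to cmd.exe, cmd.exe to powershell.exe, fodhelper.exe to a high-integrity cmd.exe). As an added example, not the vendor's or the evaluation's own code, the block below runs simplified versions of those rules over a constructed process-creation chain; the event layout, the process lists and the exact rule conditions are assumptions.

```python
# Added example: minimal process-tree rules modelled on the detection notes
# in the table above. Not ESET's or MITRE's code; event fields, process sets
# and rule conditions are assumptions chosen for illustration.
from collections import namedtuple

# One process-creation record (constructed format, not a real sensor schema).
Event = namedtuple("Event", "pid ppid image integrity")

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}


def ancestors(ev, by_pid):
    """Return ev's parent chain, nearest first, using the pid -> Event map."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur and cur.pid not in seen:  # guard against cycles in bad data
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events):
    """Return (detection name, severity, child pid) tuples in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        chain = ancestors(e, by_pid)
        parent = chain[0].image if chain else None
        if parent == "explorer.exe" and e.image in OFFICE_APPS:
            hits.append(("User opened Office application", "Warning", e.pid))
        if parent in OFFICE_APPS and e.image in SCRIPT_HOSTS:
            hits.append(("MS Office app has invoked script interpreter", "Warning", e.pid))
        if parent in SCRIPT_HOSTS and e.image == "cmd.exe":
            hits.append(("Suspicious script interpreter started - cmd", "Warning", e.pid))
        if parent == "cmd.exe" and e.image == "powershell.exe":
            hits.append(("Cmd.exe executed PowerShell", "Information", e.pid))
        # Ancestor (not direct parent) check, as in the "process tree" detection.
        if e.image in SCRIPT_HOSTS and parent not in OFFICE_APPS and any(a.image in OFFICE_APPS for a in chain):
            hits.append(("Suspicious script interpreter process tree - Microsoft Office", "Warning", e.pid))
        if parent == "fodhelper.exe" and e.image == "cmd.exe" and e.integrity == "High":
            hits.append(("Possible UAC bypass", "Warning", e.pid))
    return hits


# Constructed chain: explorer -> winword -> wscript -> cmd -> powershell -> fodhelper -> cmd (High).
SAMPLE_EVENTS = [
    Event(100, 1, "explorer.exe", "Medium"), Event(200, 100, "winword.exe", "Medium"),
    Event(300, 200, "wscript.exe", "Medium"), Event(400, 300, "cmd.exe", "Medium"),
    Event(500, 400, "powershell.exe", "Medium"), Event(600, 500, "fodhelper.exe", "High"),
    Event(700, 600, "cmd.exe", "High"),
]

if __name__ == "__main__":
    for name, severity, pid in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {name} (pid {pid})")
```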