2.A.4
Procedure:
Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria:
powershell.exe executing Compress-Archive
Detections:
2.A.5
Procedure:
Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria:
powershell.exe creating the file draft.zip
Detections:
7.B.2
Procedure:
Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
Criteria:
powershell.exe creating the file OfficeSupplies.7z
Detections:
7.B.3
Procedure:
Encrypted data from the user's Downloads directory using PowerShell
Criteria:
powershell.exe executing Compress-7Zip with the password argument used for encryption
Detections:
9.B.6
Procedure:
Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria:
powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Detections:
9.B.7
Procedure:
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria:
powershell.exe executing rar.exe
Detections:
17.C.1
Procedure:
Compressed a staging directory using PowerShell
Criteria:
powershell.exe executing the ZipFile.CreateFromDirectory .NET method
Detections:
20.B.4
Criteria:
7za.exe creates C:\Users\Public\log.7z
Detections:
2.A.2
Procedure:
Scripted search of filesystem for document and media files using PowerShell
Criteria:
powershell.exe executing (Get-)ChildItem
Detections:
9.B.3
Procedure:
Scripted search of filesystem for document and media files using PowerShell
Criteria:
powershell.exe executing (Get-)ChildItem
Detections:
7.A.2
Procedure:
Captured clipboard contents using PowerShell
Criteria:
powershell.exe executing Get-Clipboard
Detections:
9.B.5
Procedure:
Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
Criteria:
powershell.exe creating the file working.zip
Detections:
17.B.2
Procedure:
Staged collected file into directory using PowerShell
Criteria:
powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML
Detections:
2.A.3
Procedure:
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria:
powershell.exe reading files in C:\Users\Pam\
Detections:
7.B.1
Procedure:
Read data in the user's Downloads directory using PowerShell
Criteria:
powershell.exe reading files in C:\Users\pam\Downloads\
Detections:
9.B.4
Procedure:
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria:
powershell.exe reading files in C:\Users\Pam\
Detections:
17.B.1
Procedure:
Read and collected a local file using PowerShell
Criteria:
powershell.exe reading the file MITRE-ATTACK-EVALS.HTML
Detections:
5.B.5
Criteria:
User kmitnick reads network-diagram-financial.xml via cat
Detections:
5.B.6
Criteria:
User kmitnick reads help-desk-ticket.txt via cat
Detections:
9.A.5
Criteria:
explorer.exe reads C:\Users\jsmith\AppData\Local\Temp\Klog2.txt and sends it to 192.168.0.4
Detections:
17.A.1
Procedure:
Dumped messages from the local Outlook inbox using PowerShell
Criteria:
outlook.exe spawning from svchost.exe or powershell.exe
Detections:
7.A.3
Procedure:
Captured user keystrokes using the GetAsyncKeyState API
Criteria:
powershell.exe executing the GetAsyncKeyState API
Detections:
9.A.2
Criteria:
DefenderUpgradeExec.exe calls the SetWindowsHookEx API
Detections:
18.A.4
Criteria:
mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState
Detections:
7.A.1
Procedure:
Captured and saved screenshots using PowerShell
Criteria:
powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Detections:
2.B.4
Criteria:
powershell.exe executes CopyFromScreen()
Detections:
9.A.4
Criteria:
explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll
Detections:
13.B.4
Criteria:
powershell.exe executes CopyFromScreen()
Detections:
18.A.2
Criteria:
explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll
Detections:
7.A.3
Criteria:
plink.exe transmits data to 192.168.0.4 over SSH protocol
Detections:
12.A.3
Criteria:
Adb156.exe transmits data to 192.168.0.6 via MSSQL transactions
Detections:
3.B.4
Procedure:
Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria:
Evidence that the network data sent over the C2 channel is HTTPS
Detections:
11.A.14
Procedure:
Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria:
Established network channel over the HTTPS protocol
Detections:
1.A.10
Criteria:
wscript.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
8.A.2
Criteria:
Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
14.A.6
Criteria:
powershell.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
16.A.8
Criteria:
svchost.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
17.A.5
Criteria:
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
20.A.3
Criteria:
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
3.B.3
Procedure:
Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria:
Established network channel over port 443
Detections:
11.A.13
Procedure:
Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Criteria:
Established network channel over port 443
Detections:
3.B.5
Procedure:
Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria:
Evidence that the network data sent over the C2 channel is encrypted
Detections:
11.A.15
Procedure:
Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria:
Evidence that the network data sent over the C2 channel is encrypted
Detections:
1.A.11
Criteria:
wscript.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
8.A.3
Criteria:
Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
14.A.7
Criteria:
powershell.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
16.A.9
Criteria:
svchost.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
17.A.6
Criteria:
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
20.A.4
Criteria:
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
1.A.4
Procedure:
Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria:
Evidence that the network data sent over the C2 channel is encrypted
Detections:
3.A.1
Procedure:
Dropped stage 2 payload (monkey.png) to disk
Criteria:
The rcs.3aka3.doc process creating the file monkey.png
Detections:
4.A.1
Procedure:
Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria:
powershell.exe creating the file SysinternalsSuite.zip
Detections:
8.B.1
Procedure:
Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria:
The file python.exe created on Scranton (10.0.1.4)
Detections:
9.A.1
Procedure:
Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
Criteria:
python.exe creating the file rar.exe
Detections:
9.A.2
Procedure:
Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)
Criteria:
python.exe creating the file sdelete64.exe
Detections:
14.B.3
Procedure:
Downloaded and dropped Mimikatz (m.exe) to disk
Criteria:
powershell.exe downloading and/or the file write of m.exe
Detections:
2.B.1
Criteria:
wscript.exe downloads screenshot__.ps1 from 192.168.0.4
Detections:
3.B.1
Criteria:
wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4
Detections:
4.B.1
Criteria:
powershell.exe downloads rad353F7.ps1 from 192.168.0.4
Detections:
4.B.2
Criteria:
powershell.exe downloads smrs.exe from 192.168.0.4
Detections:
5.A.1
Criteria:
powershell.exe downloads pscp.exe from 192.168.0.4
Detections:
5.A.2
Criteria:
powershell.exe downloads psexec.py from 192.168.0.4
Detections:
5.A.3
Criteria:
powershell.exe downloads runtime from 192.168.0.4
Detections:
5.A.4
Criteria:
powershell.exe downloads plink.exe from 192.168.0.4
Detections:
5.A.5
Criteria:
powershell.exe downloads tiny.exe from 192.168.0.4
Detections:
7.A.1
Criteria:
tiny.exe downloads plink.exe from 192.168.0.4
Detections:
7.C.1
Criteria:
scp.exe downloads Java-Update.exe from 192.168.0.4
Detections:
7.C.3
Criteria:
cmd.exe downloads Java-Update.vbs from 192.168.0.4
Detections:
9.A.1
Criteria:
Java-Update.exe downloads DefenderUpgradeExec.exe from 192.168.0.4
Detections:
9.B.1
Criteria:
explorer.exe downloads infosMin48.exe from 192.168.0.4
Detections:
10.A.1
Criteria:
explorer.exe downloads tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4
Detections:
10.A.2
Criteria:
explorer.exe downloads vnc-settings.reg from 192.168.0.4
Detections:
12.B.1
Criteria:
Adb156.exe downloads stager.ps1 from 192.168.0.6
Detections:
13.B.1
Criteria:
Adb156.exe downloads takeScreenshot.ps1 from 192.168.0.6 via MSSQL transactions
Detections:
15.A.2
Criteria:
powershell.exe downloads samcat.exe from 192.168.0.4
Detections:
15.A.3
Criteria:
powershell.exe downloads uac-samcats.ps1 from 192.168.0.4
Detections:
16.A.1
Criteria:
powershell.exe downloads paexec.exe from 192.168.0.4
Detections:
16.A.2
Criteria:
powershell.exe downloads hollow.exe from 192.168.0.4
Detections:
17.A.1
Criteria:
svchost.exe downloads srrstr.dll from 192.168.0.4 (port 443)
Detections:
19.B.3
Criteria:
powershell.exe downloads dll329.dll from 192.168.0.4
Detections:
19.B.4
Criteria:
powershell.exe downloads sdbE376.tmp from 192.168.0.4
Detections:
20.B.1
Criteria:
rundll32.exe downloads debug.exe from 192.168.0.4
Detections:
20.B.3
Criteria:
rundll32.exe downloads 7za.exe from 192.168.0.4
Detections:
1.A.3
Procedure:
Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria:
Established network channel over port 1234
Detections:
3.B.7
Criteria:
powershell.exe transmits data to 192.168.0.4 over TCP
Detections:
19.A.3
Criteria:
itadmin (10.0.1.6) is relaying RDP traffic from attacker infrastructure
Detections:
10.B.1
Criteria:
tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900
Detections:
18.A.1
Procedure:
Mapped a network drive to an online OneDrive account using PowerShell
Criteria:
net.exe executing with command-line arguments, then making a network connection to a public IP over port 443
Detections:
4.A.3
Criteria:
powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access
Detections:
6.A.2
Procedure:
Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria:
accesschk.exe executing the CryptUnprotectData API
Detections:
9.B.2
Criteria:
infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll
Detections:
7.A.3
Procedure:
Captured user keystrokes using the GetAsyncKeyState API
Criteria:
powershell.exe executing the GetAsyncKeyState API
Detections:
9.A.2
Criteria:
DefenderUpgradeExec.exe calls the SetWindowsHookEx API
Detections:
18.A.4
Criteria:
mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState
Detections:
14.B.4
Procedure:
Dumped plaintext credentials using Mimikatz (m.exe)
Criteria:
m.exe injecting into lsass.exe to dump credentials
Detections:
16.D.2
Procedure:
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
Criteria:
m.exe injecting into lsass.exe to dump credentials
Detections:
4.B.7
Criteria:
smrs.exe opens and reads lsass.exe
Detections:
15.A.6
Criteria:
samcat.exe opens and reads the SAM via LSASS
Detections:
6.C.1
Procedure:
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria:
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Detections:
6.A.1
Procedure:
Read the Chrome SQL database file to extract encrypted credentials
Criteria:
accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Detections:
6.B.1
Procedure:
Exported a local certificate to a PFX file using PowerShell
Criteria:
powershell.exe creating a certificate file exported from the system
Detections:
3.B.2
Procedure:
Executed elevated PowerShell payload
Criteria:
High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Detections:
14.A.2
Procedure:
Executed elevated PowerShell payload
Criteria:
High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Detections:
4.B.5
Criteria:
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Detections:
15.A.5
Criteria:
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Detections:
10.B.3
Procedure:
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria:
hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Detections:
4.A.3
Procedure:
Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria:
powershell.exe executing Expand-Archive
Detections:
11.A.10
Procedure:
Decoded an embedded DLL payload to disk using certutil.exe
Criteria:
certutil.exe decoding kxwn.lock
Detections:
14.B.6
Procedure:
Read and decoded Mimikatz output from a WMI class property using PowerShell
Criteria:
powershell.exe executing Get-WmiInstance
Detections:
1.A.5
Criteria:
wscript.exe decodes content and creates starter.vbs
Detections:
1.A.6
Criteria:
wscript.exe decodes content and creates TransBaseOdbcDriver.js
Detections:
3.B.5
Criteria:
powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode
Detections:
5.C.6
Criteria:
tiny.exe loads shellcode from network connection into memory
Detections:
11.A.5
Criteria:
mshta.exe assembles text embedded within 2-list.rtf into a JS payload
Detections:
14.A.3
Criteria:
powershell.exe decodes an embedded DLL payload
Detections:
14.A.5
Criteria:
powershell.exe loads shellcode from network connection into memory
Detections:
11.A.2
Procedure:
Executed an alternate data stream (ADS) using PowerShell
Criteria:
powershell.exe executing the schemas ADS via Get-Content and IEX
Detections:
17.A.4
Criteria:
SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll
Detections:
10.A.3
Criteria:
netsh adds Service Host rule for TCP port 5900
Detections:
4.B.2
Procedure:
Deleted rcs.3aka3.doc on disk using SDelete
Criteria:
sdelete64.exe deleting the file rcs.3aka3.doc
Detections:
4.B.3
Procedure:
Deleted Draft.zip on disk using SDelete
Criteria:
sdelete64.exe deleting the file draft.zip
Detections:
4.B.4
Procedure:
Deleted SysinternalsSuite.zip on disk using SDelete
Criteria:
sdelete64.exe deleting the file SysinternalsSuite.zip
Detections:
9.C.1
Procedure:
Deleted rar.exe on disk using SDelete
Criteria:
sdelete64.exe deleting the file rar.exe
Detections:
9.C.2
Procedure:
Deleted working.zip (from Desktop) on disk using SDelete
Criteria:
sdelete64.exe deleting the file \Desktop\working.zip
Detections:
9.C.3
Procedure:
Deleted working.zip (from AppData directory) on disk using SDelete
Criteria:
sdelete64.exe deleting the file \AppData\Roaming\working.zip
Detections:
9.C.4
Procedure:
Deleted SDelete on disk using cmd.exe del command
Criteria:
cmd.exe deleting the file sdelete64.exe
Detections:
9.B.3
Criteria:
powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\
Detections:
12.A.2
Procedure:
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria:
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Detections:
6.A.3
Procedure:
Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria:
Evidence that accesschk.exe is not the legitimate Sysinternals tool
Detections:
17.A.2
Criteria:
srrstr.dll is not the legitimate Windows System Protection Configuration Library
Detections:
11.A.6
Criteria:
mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe
Detections:
1.A.2
Procedure:
Used unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria:
Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka.scr)
Detections:
3.C.1
Procedure:
Modified the Registry to remove artifacts of COM hijacking
Criteria:
Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Detections:
14.A.3
Procedure:
Modified the Registry to remove artifacts of COM hijacking using PowerShell
Criteria:
Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Detections:
3.A.2
Criteria:
cmd.exe spawns reg.exe to add a value under HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer
Detections:
4.B.4
Criteria:
powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty
Detections:
10.A.5
Criteria:
Addition of subkeys in HKLM\Software\TightVNC\Server
Detections:
10.A.6
Criteria:
Deletion of the Java-Update subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Detections:
14.B.5
Procedure:
Encoded and wrote Mimikatz output to a WMI class property using PowerShell
Criteria:
powershell.exe executing Set-WmiInstance
Detections:
17.C.2
Procedure:
Prepended the GIF file header to a compressed staging file using PowerShell
Criteria:
powershell.exe executing Set-Content
Detections:
1.A.4
Criteria:
unprotected.vbe is an encoded file
Detections:
3.A.3
Criteria:
Value added to Registry is base64 encoded
Detections:
11.A.2
Criteria:
2-list.rtf contains an embedded lnk payload that is dropped to disk
Detections:
19.B.2
Criteria:
powershell.exe executes base64 encoded commands
Detections:
8.B.2
Procedure:
python.exe payload was packed with UPX
Criteria:
Evidence that the file python.exe is packed
Detections:
3.A.2
Procedure:
Embedded PowerShell payload in monkey.png using steganography
Criteria:
Evidence that a PowerShell payload was within monkey.png
Detections:
9.A.3
Criteria:
Java-Update.exe injects into explorer.exe with CreateRemoteThread
Detections:
18.A.1
Criteria:
svchost.exe injects into explorer.exe with CreateRemoteThread
Detections:
18.A.3
Criteria:
explorer.exe injects into mstsc.exe with CreateRemoteThread
Detections:
20.A.2
Criteria:
AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread
Detections:
16.A.7
Criteria:
hollow.exe spawns svchost.exe and unmaps its memory image via NtUnmapViewOfSection
Detections:
11.A.3
Criteria:
winword.exe spawns mshta.exe
Detections:
20.A.1
Procedure:
Executed Run key persistence payload on user login using RunDll32
Criteria:
rundll32.exe executing kxwn.lock
Detections:
5.C.1
Criteria:
psexec.py creates a logon to 10.0.0.4 as user kmitnick
Detections:
20.B.1
Procedure:
Created Kerberos Golden Ticket using Invoke-Mimikatz
Criteria:
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
Detections:
8.C.1
Procedure:
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria:
Successful logon as user Pam on Scranton (10.0.1.4)
Detections:
16.C.2
Procedure:
Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
Criteria:
Successful logon as user MScott on NewYork (10.0.0.4)
Detections:
4.A.4
Criteria:
powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick
Detections:
5.A.8
Criteria:
User kmitnick logs on to bankfileserver (10.0.0.7)
Detections:
5.B.2
Criteria:
User kmitnick logs on to bankfileserver (10.0.0.7)
Detections:
7.A.4
Criteria:
User kmitnick logs on to bankdc (10.0.0.4)
Detections:
7.B.2
Criteria:
User kmitnick logs on to cfo (10.0.0.5)
Detections:
16.A.4
Criteria:
User kmitnick logs on to itadmin (10.0.1.6)
Detections:
19.A.1
Criteria:
User kmitnick logs on to accounting (10.0.1.7)
Detections:
11.A.3
Procedure:
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Detections:
13.A.4
Criteria:
Adb156.exe makes a WMI query for Win32_BIOS
Detections:
6.A.3
Criteria:
PowerShell executes Get-NetUser
Detections:
2.A.1
Procedure:
Searched filesystem for document and media files using PowerShell
Criteria:
powershell.exe executing (Get-)ChildItem
Detections:
4.C.1
Procedure:
Enumerated user's temporary directory path using PowerShell
Criteria:
powershell.exe executing $env:TEMP
Detections:
9.B.2
Procedure:
Searched filesystem for document and media files using PowerShell
Criteria:
powershell.exe executing (Get-)ChildItem
Detections:
11.A.9
Procedure:
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
Criteria:
powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
Detections:
12.A.1
Procedure:
Enumerated the System32 directory using PowerShell
Criteria:
powershell.exe executing gci ((gci env:windir).Value + '\system32')
Detections:
4.A.1
Criteria:
powershell.exe calls the FindFirstFileW() and FindNextFileW() APIs
Detections:
5.B.4
Criteria:
User kmitnick executes ls -lsahR /var/
Detections:
7.C.2
Criteria:
dir lists the contents of C:\Users\Public
Detections:
13.A.3
Criteria:
cmd.exe executes net view
Detections:
11.A.5
Procedure:
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Detections:
4.C.9
Procedure:
Enumerated user's domain group membership via the NetUserGetGroups API
Criteria:
powershell.exe executing the NetUserGetGroups API
Detections:
4.C.11
Procedure:
Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria:
powershell.exe executing the NetUserGetLocalGroups API
Detections:
4.B.1
Procedure:
Enumerated current running processes using PowerShell
Criteria:
powershell.exe executing Get-Process
Detections:
4.C.5
Procedure:
Enumerated the current process ID using PowerShell
Criteria:
powershell.exe executing $PID
Detections:
8.A.3
Procedure:
Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria:
powershell.exe executing Get-Process
Detections:
11.A.8
Procedure:
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_Process
Detections:
13.D.1
Procedure:
Enumerated running processes using the CreateToolhelp32Snapshot API
Criteria:
powershell.exe executing the CreateToolhelp32Snapshot API
Detections:
14.B.2
Procedure:
Enumerated and tracked PowerShell processes using PowerShell
Criteria:
powershell.exe executing Get-Process
Detections:
2.A.4
Criteria:
wscript.exe makes a WMI query for Win32_Process
Detections:
5.B.3
Criteria:
User kmitnick executes ps ax
Detections:
13.A.1
Criteria:
Adb156.exe makes a WMI query for Win32_Process
Detections:
15.A.1
Criteria:
powershell.exe calls the CreateToolhelp32Snapshot() API
Detections:
20.B.2
Criteria:
debug.exe calls the CreateToolhelp32Snapshot API
Detections:
12.C.1
Procedure:
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria:
powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Detections:
12.C.2
Procedure:
Enumerated installed software via the Registry (Uninstall key) using PowerShell
Criteria:
powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Detections:
3.B.4
Criteria:
powershell.exe reads HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty
Detections:
8.A.1
Procedure:
Enumerated remote systems using LDAP queries
Criteria:
powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Detections:
16.A.1
Procedure:
Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
Criteria:
powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll
Detections:
4.A.2
Criteria:
powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4
Detections:
5.B.7
Criteria:
User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)
Detections:
6.A.2
Criteria:
PowerShell executes Get-ADComputer
Detections:
15.A.8
Criteria:
powershell.exe spawns nslookup.exe, which queries the DC (10.0.1.4) over DNS (port 53)
Detections:
4.C.7
Procedure:
Enumerated anti-virus software using PowerShell
Criteria:
powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Detections:
4.C.8
Procedure:
Enumerated firewall software using PowerShell
Criteria:
powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Detections:
12.B.1
Procedure:
Enumerated registered AV products using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Detections:
4.C.3
Procedure:
Enumerated the computer hostname using PowerShell
Criteria:
powershell.exe executing $env:COMPUTERNAME
Detections:
4.C.6
Procedure:
Enumerated the OS version using PowerShell
Criteria:
powershell.exe executing Gwmi Win32_OperatingSystem
Detections:
11.A.4
Procedure:
Enumerated computer manufacturer, model, and version information using PowerShell
Criteria:
powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
Detections:
13.A.1
Procedure:
Enumerated the computer name using the GetComputerNameEx API
Criteria:
powershell.exe executing the GetComputerNameEx API
Detections:
2.A.2
Criteria:
wscript.exe makes WMI queries for Win32_Processor and Win32_OperatingSystem
Detections:
12.A.5
Criteria:
Adb156.exe makes a WMI query for Win32_LogicalDisk
Detections:
13.A.6
Criteria:
Adb156.exe queries the COMPUTERNAME environment variable
Detections:
13.A.9
Criteria:
Adb156.exe makes a WMI query for Win32_OperatingSystem
Detections:
4.C.4
Procedure:
Enumerated the current domain name using PowerShell
Criteria:
powershell.exe executing $env:USERDOMAIN
Detections:
11.A.7
Procedure:
Checked that the computer is joined to a domain using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Detections:
13.B.1
Procedure:
Enumerated the domain name using the NetWkstaGetInfo API
Criteria:
powershell.exe executing the NetWkstaGetInfo API
Detections:
12.A.4
Criteria:
Adb156.exe makes a WMI query for Win32_NetworkAdapterConfiguration
Detections:
13.A.8
Criteria:
Adb156.exe makes a WMI query for Win32_ComputerSystem
Detections:
15.A.7
Criteria:
powershell.exe calls the GetIpNetTable() API
Detections:
4.C.2
Procedure:
Enumerated the current username using PowerShell
Criteria:
powershell.exe executing $env:USERNAME
Detections:
11.A.6
Procedure:
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Detections:
13.C.1
Procedure:
Enumerated the current username using the GetUserNameEx API
Criteria:
powershell.exe executing the GetUserNameEx API
Detections:
15.A.1
Procedure:
Enumerated logged on users using PowerShell
Criteria:
powershell.exe executing $env:UserName
Detections:
16.B.1
Procedure:
Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API
Criteria:
powershell.exe executing the ConvertSidToStringSid API
Detections:
7.B.1
Criteria:
powershell.exe executes qwinsta /server:cfo
Detections:
13.A.5
Criteria:
Adb156.exe queries the USERNAME environment variable
Detections:
11.A.3
Procedure:
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Detections:
13.A.4
Criteria:
Adb156.exe makes a WMI query for Win32_BIOS
Detections:
1.A.9
Criteria:
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
Detections:
12.A.2
Criteria:
Adb156.exe loads scrobj.dll and executes sql-rat.js using JScript
Detections:
1.B.2
Procedure:
Spawned interactive powershell.exe
Criteria:
powershell.exe spawning from cmd.exe
Detections:
4.A.2
Procedure:
Spawned interactive powershell.exe
Criteria:
powershell.exe spawning from powershell.exe
Detections:
9.B.1
Procedure:
Spawned interactive powershell.exe
Criteria:
powershell.exe spawning from python.exe
Detections:
11.A.12
Procedure:
Executed PowerShell stager payload
Criteria:
powershell.exe spawning from the schemas ADS (powershell.exe)
Detections:
20.A.3
Procedure:
Executed PowerShell payload from WMI event subscription persistence
Criteria:
SYSTEM-level powershell.exe spawned from powershell.exe
Detections:
2.B.3
Criteria:
cmd.exe spawns powershell.exe
Detections:
3.B.3
Criteria:
cmd.exe spawns powershell.exe
Detections:
4.B.3
Criteria:
powershell.exe executes rad353F7.ps1
Detections:
6.A.1
Criteria:
tiny.exe loads system.management.automation.dll
Detections:
13.B.3
Criteria:
cmd.exe spawns powershell.exe
Detections:
14.A.2
Criteria:
cmd.exe spawns powershell.exe
Detections:
14.A.4
Criteria:
powershell.exe executes the decoded payload using Invoke-Expression (IEX)
Detections:
15.A.4
Criteria:
powershell.exe spawns powershell.exe
Detections:
19.B.1
Criteria:
powershell.exe spawns powershell.exe
Detections:
1.A.3
Criteria:
wscript.exe executes unprotected.vbe
Detections:
1.A.7
Criteria:
wscript.exe executes starter.vbs
Detections:
8.A.1
Criteria:
wscript.exe spawns Java-Update.exe
Detections:
11.A.4
Criteria:
mshta.exe executes an embedded VBScript payload
Detections:
1.B.1
Procedure:
Spawned interactive cmd.exe
Criteria:
cmd.exe spawning from the rcs.3aka3.doc process
Detections:
1.A.8
Criteria:
wscript.exe spawns cmd.exe
Detections:
2.B.2
Criteria:
wscript.exe spawns cmd.exe
Detections:
3.A.1
Criteria:
wscript.exe spawns cmd.exe
Detections:
3.B.2
Criteria:
wscript.exe spawns cmd.exe
Detections:
4.B.6
Criteria:
cmd.exe spawns smrs.exe
Detections:
5.A.6
Criteria:
powershell.exe spawns cmd.exe
Detections:
5.C.5
Criteria:
cmd.exe spawns tiny.exe
Detections:
7.A.2
Criteria:
tiny.exe spawns cmd.exe
Detections:
13.A.2
Criteria:
Adb156.exe spawns cmd.exe
Detections:
13.B.2
Criteria:
Adb156.exe spawns cmd.exe
Detections:
14.A.1
Criteria:
Adb156.exe spawns cmd.exe
Detections:
16.A.3
Criteria:
powershell.exe spawns cmd.exe
Detections:
17.A.3
Criteria:
svchost.exe spawns cmd.exe
Detections:
1.A.2
Criteria:
winword.exe loads VBE7.DLL
Detections:
11.A.7
Criteria:
winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL
Detections:
4.C.10
Procedure:
Executed API call by reflectively loading Netapi32.dll
Criteria:
The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Detections:
4.C.12
Procedure:
Executed API call by reflectively loading Netapi32.dll
Criteria:
The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Detections:
10.B.2
Procedure:
Executed PowerShell payload via the CreateProcessWithToken API
Criteria:
hostui.exe executing the CreateProcessWithToken API
Detections:
16.B.2
Procedure:
Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll
Criteria:
powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll
Detections:
3.B.6
Criteria:
powershell.exe executes the shellcode from the Registry by calling the CreateThread() API
Detections:
11.A.8
Criteria:
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
Detections:
12.A.1
Criteria:
svchost.exe (-s Schedule) spawns Adb156.exe
Detections:
8.C.3
Procedure:
Executed python.exe using PSExec
Criteria:
python.exe spawned by PSEXESVC.exe
Detections:
10.A.1
Procedure:
Executed persistent service (javamtsup) on system startup
Criteria:
javamtsup.exe spawning from services.exe
Detections:
5.C.3
Criteria:
cmd.exe spawns from a service executable in C:\Windows\
Detections:
16.A.6
Criteria:
Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe
Detections:
1.A.1
Criteria:
explorer.exe spawns winword.exe when user clicks 1-list.rtf
Detections:
11.A.1
Criteria:
explorer.exe spawns winword.exe when user clicks 2-list.rtf
Detections:
1.A.1
Procedure:
User Pam executed payload rcs.3aka3.doc
Criteria:
The rcs.3aka3.doc process spawning from explorer.exe
Detections:
11.A.1
Procedure:
User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
Criteria:
powershell.exe spawning from explorer.exe
Detections:
14.B.1
Procedure:
Created and executed a WMI class using PowerShell
Criteria:
WMI Process (WmiPrvSE.exe) executing powershell.exe
Detections:
7.B.4
Procedure:
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria:
powershell.exe executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)
Detections:
2.B.1
Procedure:
Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria:
The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Detections:
9.B.8
Procedure:
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria:
python.exe reading the file working.zip while connected to the C2 channel
Detections:
2.B.5
Criteria:
wscript.exe reads and uploads screenshot__.png to 192.168.0.4
Detections:
13.B.5
Criteria:
Adb156.exe reads and uploads image.png to 192.168.0.6 via MSSQL transactions
Detections:
20.B.5
Criteria:
rundll32.exe reads and uploads log.7z to 192.168.0.4
Detections:
18.A.2
Procedure:
Exfiltrated staged collection to an online OneDrive account using PowerShell
Criteria:
powershell.exe executing Copy-Item pointing to a drive mapped to an attacker-controlled OneDrive account
Detections:
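The exfiltration criteria above all share one shape: a process reads a staged archive while it holds a connection to attacker infrastructure. The following is an added example (not code from the evaluation page or from MITRE) showing that correlation over constructed EDR-style telemetry. The event field names (type, pguid, image, path, dst_ip, dst_port), the process GUIDs and timestamps, and the ten-minute window are assumptions made for the example; the file names and addresses are the ones the criteria list.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Staged-collection file names taken from the criteria on this page.
STAGED_FILES = {"draft.zip", "working.zip", "officesupplies.7z", "log.7z",
                "screenshot__.png", "image.png"}

# Attacker infrastructure named in the criteria (lab addresses).
C2_ADDRESSES = {"192.168.0.4", "192.168.0.5", "192.168.0.6"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


# Constructed telemetry: one record per network connection or file read, keyed by a
# process GUID so that events from the same process instance can be joined.
SAMPLE_EVENTS = [
    {"type": "network_connect", "time": "2020-01-01 10:00:00", "pguid": "A1",
     "image": "rcs.3aka3.doc", "dst_ip": "192.168.0.5", "dst_port": 1234},
    {"type": "file_read", "time": "2020-01-01 10:04:10", "pguid": "A1",
     "image": "rcs.3aka3.doc", "path": r"C:\Users\Pam\AppData\Roaming\Draft.zip"},
    {"type": "network_connect", "time": "2020-01-01 11:00:00", "pguid": "B2",
     "image": "python.exe", "dst_ip": "192.168.0.5", "dst_port": 8443},
    {"type": "file_read", "time": "2020-01-01 11:02:00", "pguid": "B2",
     "image": "python.exe", "path": r"C:\Users\Pam\Desktop\working.zip"},
    # explorer.exe touching the same archive with no C2 connection: must not alert
    {"type": "file_read", "time": "2020-01-01 12:00:00", "pguid": "C3",
     "image": "explorer.exe", "path": r"C:\Users\Pam\Desktop\working.zip"},
    {"type": "network_connect", "time": "2020-01-01 13:00:00", "pguid": "D4",
     "image": "rundll32.exe", "dst_ip": "192.168.0.4", "dst_port": 80},
    {"type": "file_read", "time": "2020-01-01 13:00:30", "pguid": "D4",
     "image": "rundll32.exe", "path": r"C:\Users\Public\log.7z"},
    # a read of the archive two hours after the connection: outside the window
    {"type": "file_read", "time": "2020-01-01 15:00:00", "pguid": "D4",
     "image": "rundll32.exe", "path": r"C:\Users\Public\log.7z"},
]


def find_staged_file_exfil(events, window=timedelta(minutes=10)):
    """Return one alert per staged-file read that follows, within `window`,
    a connection by the same process instance to a known C2 address."""
    # Index C2 connections by process GUID so each file read is a cheap lookup.
    c2_by_proc = {}
    for ev in events:
        if ev["type"] == "network_connect" and ev["dst_ip"] in C2_ADDRESSES:
            c2_by_proc.setdefault(ev["pguid"], []).append(ev)

    alerts = []
    for ev in events:
        if ev["type"] != "file_read":
            continue
        name = PureWindowsPath(ev["path"]).name.lower()
        if name not in STAGED_FILES:
            continue
        t_read = parse_ts(ev["time"])
        for conn in c2_by_proc.get(ev["pguid"], []):
            age = t_read - parse_ts(conn["time"])
            if timedelta(0) <= age <= window:
                alerts.append({"image": ev["image"], "file": name,
                               "c2": f"{conn['dst_ip']}:{conn['dst_port']}",
                               "seconds_after_connect": int(age.total_seconds())})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_staged_file_exfil(SAMPLE_EVENTS):
        print(alert)
```

The join key is the process instance, not the image name, because the same image (explorer.exe reading working.zip above) is noise without the connection. The window is measured from connection establishment; a long-lived C2 session would need session open/close events or a much longer window, which is the usual reason this correlation is run on flow records rather than on the connect event alone.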
8.C.1
Procedure:
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria:
Successful logon as user Pam on Scranton (10.0.1.4)
Detections:
16.C.2
Procedure:
Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
Criteria:
Successful logon as user MScott on NewYork (10.0.0.4)
Detections:
4.A.4
Criteria:
powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick
Detections:
5.A.8
Criteria:
User kmitnick logs on to bankfileserver (10.0.0.7)
Detections:
5.B.2
Criteria:
User kmitnick logs on to bankfileserver (10.0.0.7)
Detections:
7.A.4
Criteria:
User kmitnick logs on to bankdc (10.0.0.4)
Detections:
7.B.2
Criteria:
User kmitnick logs on to cfo (10.0.0.5)
Detections:
16.A.4
Criteria:
User kmitnick logs on to itadmin (10.0.1.6)
Detections:
19.A.1
Criteria:
User kmitnick logs on to accounting (10.0.1.7)
Detections:
16.D.1
Procedure:
Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection
Criteria:
File write of m.exe by the WinRM process (wsmprovhost.exe)
Detections:
5.A.9
Criteria:
Pscp.exe copies psexec.py to 10.0.0.7
Detections:
5.A.10
Criteria:
Pscp.exe copies runtime to 10.0.0.7
Detections:
5.A.11
Criteria:
Pscp.exe copies tiny.exe to 10.0.0.7
Detections:
5.C.4
Criteria:
tiny.exe is created on 10.0.0.4
Detections:
7.A.5
Criteria:
RDP session from the localhost over TCP port 3389
Detections:
7.B.3
Criteria:
RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389
Detections:
19.A.2
Criteria:
RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389
Detections:
8.C.2
Procedure:
Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria:
SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Detections:
5.C.2
Criteria:
psexec.py connects to SMB shares on 10.0.0.4
Detections:
16.A.5
Criteria:
SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed
Detections:
5.A.7
Criteria:
Pscp.exe connects over SCP (port 22) to 10.0.0.7
Detections:
5.B.1
Criteria:
plink.exe connects over SSH (port 22) to 10.0.0.7
Detections:
8.A.2
Procedure:
Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria:
Network connection to Scranton (10.0.1.4) over port 5985
Detections:
16.C.1
Procedure:
Established a WinRM connection to the domain controller host NewYork (10.0.0.4)
Criteria:
Network connection to NewYork (10.0.0.4) over port 5985
Detections:
20.B.2
Procedure:
Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials
Criteria:
Network connection to Scranton (10.0.1.4) over port 5985
Detections:
5.C.1
Criteria:
psexec.py creates a logon to 10.0.0.4 as user kmitnick
Detections:
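The remote-services criteria above are expressed two ways: a connection to a well-known port between internal hosts, or a logon of the right kind on the destination. The following added example (not code from the evaluation page or from MITRE) joins the two over constructed telemetry: network connections in Sysmon event 3 style and Security-log 4624 logons from the destination hosts. The field names, timestamps, the 10.0.0.0/8 internal range, and the two-minute window are assumptions; the ports and addresses are the ones the criteria name.

```python
from datetime import datetime, timedelta

# Destination ports that the criteria on this page tie to a remote-service protocol.
REMOTE_SERVICE_PORTS = {3389: "RDP", 445: "SMB", 135: "RPC/SMB", 22: "SSH/SCP", 5985: "WinRM"}

# 4624 LogonType values a genuine session over each protocol leaves on the destination:
# 10 = RemoteInteractive (RDP), 3 = Network (SMB, WinRM). The SSH/SCP target in this
# page's environment is a non-Windows host and produces no 4624 at all.
EXPECTED_LOGON_TYPE = {"RDP": {10}, "SMB": {3}, "RPC/SMB": {3}, "WinRM": {3}, "SSH/SCP": set()}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def is_internal(ip):
    # Assumption: the lab's internal address space is 10.0.0.0/8, as in the criteria.
    return ip.startswith("10.")


# Constructed network-connection telemetry (Sysmon event 3 style).
NETWORK_EVENTS = [
    {"time": "2020-01-01 09:00:00", "src_ip": "10.0.0.4", "dst_ip": "10.0.0.5", "dst_port": 3389},
    {"time": "2020-01-01 09:10:00", "src_ip": "10.0.1.5", "dst_ip": "10.0.1.6", "dst_port": 445},
    {"time": "2020-01-01 09:20:00", "src_ip": "10.0.0.3", "dst_ip": "10.0.1.4", "dst_port": 5985},
    {"time": "2020-01-01 09:30:00", "src_ip": "10.0.0.3", "dst_ip": "10.0.0.7", "dst_port": 22},
    # outbound HTTPS to the Internet: not lateral movement, must be ignored
    {"time": "2020-01-01 09:40:00", "src_ip": "10.0.0.3", "dst_ip": "198.51.100.10", "dst_port": 443},
]

# Constructed Security-log 4624 records collected from the destination hosts.
LOGON_EVENTS = [
    {"time": "2020-01-01 09:00:05", "host_ip": "10.0.0.5", "event_id": 4624, "user": "kmitnick", "logon_type": 10},
    # machine-account network logon on the same host: wrong type for RDP, must not be attributed
    {"time": "2020-01-01 09:00:03", "host_ip": "10.0.0.5", "event_id": 4624, "user": "CFO$", "logon_type": 3},
    {"time": "2020-01-01 09:10:01", "host_ip": "10.0.1.6", "event_id": 4624, "user": "kmitnick", "logon_type": 3},
    {"time": "2020-01-01 09:20:02", "host_ip": "10.0.1.4", "event_id": 4624, "user": "Pam", "logon_type": 3},
    # same user, same host, but two hours later: outside the correlation window
    {"time": "2020-01-01 11:00:00", "host_ip": "10.0.0.5", "event_id": 4624, "user": "kmitnick", "logon_type": 10},
]


def detect_lateral_movement(net_events, logon_events, window=timedelta(minutes=2)):
    """Flag internal-to-internal connections on remote-service ports and attach the
    users whose 4624 logons of the expected type landed on the destination in time."""
    alerts = []
    for conn in net_events:
        proto = REMOTE_SERVICE_PORTS.get(conn["dst_port"])
        if proto is None or not (is_internal(conn["src_ip"]) and is_internal(conn["dst_ip"])):
            continue
        t_conn = parse_ts(conn["time"])
        users = sorted({
            lg["user"] for lg in logon_events
            if lg["event_id"] == 4624
            and lg["host_ip"] == conn["dst_ip"]
            and lg["logon_type"] in EXPECTED_LOGON_TYPE[proto]
            and abs(parse_ts(lg["time"]) - t_conn) <= window
        })
        alerts.append({"proto": proto, "src": conn["src_ip"], "dst": conn["dst_ip"],
                       "port": conn["dst_port"], "users": users})
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(NETWORK_EVENTS, LOGON_EVENTS):
        print(alert)
```

An alert with an empty user list is still worth keeping: the SCP transfer to 10.0.0.7 above leaves no Windows logon behind, which is exactly why the criteria for the pscp.exe and plink.exe sub-steps are written in terms of the port rather than an account.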
20.B.1
Procedure:
Created Kerberos Golden Ticket using Invoke-Mimikatz
Criteria:
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
Detections:
5.B.1
Procedure:
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria:
powershell.exe creating the file hostui.lnk in the Startup folder
Detections:
10.B.1
Procedure:
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria:
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Detections:
11.A.11
Procedure:
Established Registry Run key persistence using PowerShell
Criteria:
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Detections:
7.C.4
Criteria:
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Detections:
10.A.4
Criteria:
msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Detections:
20.B.3
Procedure:
Added a new user to the remote host Scranton (10.0.1.4) using net.exe
Criteria:
net.exe adding the user Toby
Detections:
5.A.1
Procedure:
Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria:
powershell.exe creating the Javamtsup service
Detections:
19.B.5
Criteria:
sdbinst.exe installs sdbE376.tmp shim
Detections:
20.A.1
Criteria:
AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll
Detections:
3.B.1
Procedure:
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria:
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Detections:
14.A.1
Procedure:
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria:
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Detections:
15.A.2
Procedure:
Established WMI event subscription persistence using PowerShell
Criteria:
powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription
Detections:
20.A.2
Procedure:
Executed WMI persistence on user login
Criteria:
The WMI process (wmiprvse.exe) executing powershell.exe
Detections:
17.A.4
Criteria:
SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll
Detections:
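The Run key, Startup folder, COM hijack and shim sub-steps above are all visible as a registry value write or a file creation with a known target. The following added example (not code from the evaluation page or from MITRE) applies those criteria to constructed Sysmon-style records: registry_set events carry the written key, file_create events the path. Sysmon reports per-user hives as HKU\<SID>\..., so the example normalizes that to HKCU before matching; the event field names, the SID, and the shim GUID are made up for the example. The WMI subscription and service-creation sub-steps need other event sources and are not covered here.

```python
import re

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
                "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}


def normalize_key(path):
    """Lowercase a registry path, shorten the hive name, and fold HKU\\<user SID>\\...
    into HKCU so one rule covers both spellings of the per-user Run key."""
    parts = path.split("\\")
    parts[0] = HIVE_ALIASES.get(parts[0].upper(), parts[0].upper())
    if parts[0] == "HKU" and len(parts) > 1 and parts[1].upper().startswith("S-1-5-21-"):
        parts = ["HKCU"] + parts[2:]
    return "\\".join(parts).lower()


# Registry targets lifted from the criteria on this page, matched after normalization.
REGISTRY_RULES = [
    ("Run key persistence",
     re.compile(r"^(hklm|hkcu)\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$")),
    ("COM hijack of sdclt.exe (DelegateExecute)",
     re.compile(r"^hkcu\\software\\classes\\folder\\shell\\open\\command(\\.*)?$")),
    ("Application shim installed",
     re.compile(r"^hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\(installedsdb|custom)\\")),
]

# Any file dropped under a Start Menu\Programs\Startup folder runs at logon.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed Sysmon event 12/13 (registry) and event 11 (file create) style records.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": "powershell.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webcache"},
    {"type": "registry_set", "image": "powershell.exe",
     "target": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Java-Update"},
    {"type": "registry_set", "image": "powershell.exe",
     "target": r"HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute"},
    {"type": "registry_set", "image": "sdbinst.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{AAAAAAAA-0000-0000-0000-000000000001}\DatabasePath"},
    {"type": "file_create", "image": "powershell.exe",
     "target": r"C:\Users\Pam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hostui.lnk"},
    # ordinary Explorer preference write and a document save: must not alert
    {"type": "registry_set", "image": "explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"type": "file_create", "image": "winword.exe",
     "target": r"C:\Users\Pam\Documents\1-list.rtf"},
]


def scan_persistence(events):
    """Return (label, image, target) for every event that matches a persistence rule."""
    alerts = []
    for ev in events:
        if ev["type"] == "registry_set":
            key = normalize_key(ev["target"])
            for label, pattern in REGISTRY_RULES:
                if pattern.match(key):
                    alerts.append((label, ev["image"], ev["target"]))
                    break
        elif ev["type"] == "file_create" and STARTUP_MARKER in ev["target"].lower():
            alerts.append(("Startup folder persistence", ev["image"], ev["target"]))
    return alerts


if __name__ == "__main__":
    for alert in scan_persistence(SAMPLE_EVENTS):
        print(alert)
```

The writing image is carried through in each alert because it is the cheapest triage field: a Run value set by an installer such as msiexec.exe (10.A.4 above) reads very differently from the same key written by powershell.exe.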
11.A.8
Criteria:
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
Detections:
12.A.1
Criteria:
svchost.exe (-s Schedule) spawns Adb156.exe
Detections:
8.C.1
Procedure:
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria:
Successful logon as user Pam on Scranton (10.0.1.4)
Detections:
16.C.2
Procedure:
Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
Criteria:
Successful logon as user MScott on NewYork (10.0.0.4)
Detections:
4.A.4
Criteria:
powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick
Detections:
5.A.8
Criteria:
User kmitnick logs on to bankfileserver (10.0.0.7)
Detections:
5.B.2
Criteria:
User kmitnick logs on to bankfileserver (10.0.0.7)
Detections:
7.A.4
Criteria:
User kmitnick logs on to bankdc (10.0.0.4)
Detections:
7.B.2
Criteria:
User kmitnick logs on to cfo (10.0.0.5)
Detections:
16.A.4
Criteria:
User kmitnick logs on to itadmin (10.0.1.6)
Detections:
19.A.1
Criteria:
User kmitnick logs on to accounting (10.0.1.7)
Detections:
3.B.2
Procedure:
Executed elevated PowerShell payload
Criteria:
High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Detections:
14.A.2
Procedure:
Executed elevated PowerShell payload
Criteria:
High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Detections:
4.B.5
Criteria:
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Detections:
15.A.5
Criteria:
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Detections:
10.B.3
Procedure:
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria:
hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Detections:
5.B.1
Procedure:
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria:
powershell.exe creating the file hostui.lnk in the Startup folder
Detections:
10.B.1
Procedure:
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria:
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Detections:
11.A.11
Procedure:
Established Registry Run key persistence using PowerShell
Criteria:
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Detections:
7.C.4
Criteria:
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Detections:
10.A.4
Criteria:
msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Detections:
5.A.1
Procedure:
Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria:
powershell.exe creating the Javamtsup service
Detections:
19.B.5
Criteria:
sdbinst.exe installs sdbE376.tmp shim
Detections:
20.A.1
Criteria:
AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll
Detections:
3.B.1
Procedure:
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria:
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Detections:
14.A.1
Procedure:
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria:
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Detections:
15.A.2
Procedure:
Established WMI event subscription persistence using PowerShell
Criteria:
powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription
Detections:
20.A.2
Procedure:
Executed WMI persistence on user login
Criteria:
The WMI process (wmiprvse.exe) executing powershell.exe
Detections:
17.A.4
Criteria:
SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll
Detections:
9.A.3
Criteria:
Java-Update.exe injects into explorer.exe with CreateRemoteThread
Detections:
18.A.1
Criteria:
svchost.exe injects into explorer.exe with CreateRemoteThread
Detections:
18.A.3
Criteria:
explorer.exe injects into mstsc.exe with CreateRemoteThread
Detections:
20.A.2
Criteria:
AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread
Detections:
16.A.7
Criteria:
hollow.exe spawns svchost.exe and unmaps its memory image via NtUnmapViewOfSection
Detections:
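Most of the process criteria on this page are parent/child relationships (wscript.exe spawns cmd.exe, WmiPrvSE.exe executes powershell.exe, the Schedule svchost.exe spawns Adb156.exe), the UAC-bypass criteria add an ancestor chain and an integrity level (high-integrity powershell.exe under control.exe under sdclt.exe), and the hollowing criterion above reduces to a svchost.exe whose parent is not services.exe. The following added example (not code from the evaluation page or from MITRE) builds a process tree from constructed Sysmon event 1 style records and evaluates those three rule shapes together. The GUIDs, paths, command lines and integrity labels are made up for the example; the image names and pairings are the ones the criteria list.

```python
from pathlib import PureWindowsPath

SHELLS = {"cmd.exe", "powershell.exe"}
DOC_EXTENSIONS = {".doc", ".docx", ".rtf", ".pdf"}
# Auto-elevating binaries used by the UAC-bypass sub-steps on this page.
AUTO_ELEVATORS = {"sdclt.exe", "fodhelper.exe"}

# Parent -> child pairs lifted from the criteria (image basenames, lowercase).
SPAWN_RULES = [
    ("script host spawning a shell", {"wscript.exe", "cscript.exe", "mshta.exe"}, SHELLS),
    ("WMI provider host spawning a shell", {"wmiprvse.exe"}, SHELLS),
    ("PsExec service spawning a payload", {"psexesvc.exe"}, {"python.exe"} | SHELLS),
    ("svchost.exe spawning a shell", {"svchost.exe"}, SHELLS),
]

# Constructed process-creation records; "parent" is the parent's GUID or None for a root.
PROCESS_EVENTS = [
    {"guid": "P0", "parent": None, "image": r"C:\Windows\explorer.exe", "integrity": "Medium", "cmdline": "explorer.exe"},
    {"guid": "P1", "parent": "P0", "image": r"C:\Users\Pam\Downloads\rcs.3aka3.doc", "integrity": "Medium", "cmdline": "rcs.3aka3.doc"},
    {"guid": "P2", "parent": "P1", "image": r"C:\Windows\System32\cmd.exe", "integrity": "Medium", "cmdline": "cmd.exe"},
    {"guid": "P3", "parent": "P0", "image": r"C:\Windows\System32\sdclt.exe", "integrity": "Medium", "cmdline": "sdclt.exe"},
    {"guid": "P4", "parent": "P3", "image": r"C:\Windows\System32\control.exe", "integrity": "High", "cmdline": "control.exe"},
    {"guid": "P5", "parent": "P4", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "integrity": "High", "cmdline": "powershell.exe -nop -w hidden"},
    {"guid": "P6", "parent": None, "image": r"C:\Windows\System32\services.exe", "integrity": "System", "cmdline": "services.exe"},
    {"guid": "P7", "parent": "P6", "image": r"C:\Windows\System32\svchost.exe", "integrity": "System", "cmdline": "svchost.exe -k netsvcs -s Schedule"},
    {"guid": "P8", "parent": "P7", "image": r"C:\Users\Public\Adb156.exe", "integrity": "System", "cmdline": "Adb156.exe"},
    {"guid": "P9", "parent": "P2", "image": r"C:\Users\Pam\AppData\Local\Temp\hollow.exe", "integrity": "Medium", "cmdline": "hollow.exe"},
    {"guid": "P10", "parent": "P9", "image": r"C:\Windows\System32\svchost.exe", "integrity": "Medium", "cmdline": "svchost.exe"},
    {"guid": "P14", "parent": "P6", "image": r"C:\Windows\System32\svchost.exe", "integrity": "System", "cmdline": "svchost.exe -k DcomLaunch -p"},
    {"guid": "P11", "parent": "P14", "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "integrity": "System", "cmdline": "WmiPrvSE.exe"},
    {"guid": "P12", "parent": "P11", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "integrity": "High", "cmdline": "powershell.exe -enc ..."},
    # a console the user opened from Explorer: must not alert
    {"guid": "P13", "parent": "P0", "image": r"C:\Windows\System32\cmd.exe", "integrity": "Medium", "cmdline": "cmd.exe"},
]


def image_name(path):
    return PureWindowsPath(path).name.lower()


def build_tree(events):
    return {ev["guid"]: ev for ev in events}


def ancestor_names(tree, guid):
    """Walk parent links upward; stops at a root, a missing parent, or a cycle."""
    names, seen = [], set()
    parent = tree[guid]["parent"]
    while parent is not None and parent in tree and parent not in seen:
        seen.add(parent)
        names.append(image_name(tree[parent]["image"]))
        parent = tree[parent]["parent"]
    return names


def evaluate_process_events(events):
    """Return (guid, image name, rule label) for every rule a process trips."""
    tree = build_tree(events)
    alerts = []
    for ev in events:
        child = image_name(ev["image"])
        parent = tree.get(ev["parent"])
        pname = image_name(parent["image"]) if parent else ""
        psuffix = PureWindowsPath(parent["image"]).suffix.lower() if parent else ""
        hits = []
        if PureWindowsPath(ev["image"]).suffix.lower() in DOC_EXTENSIONS:
            hits.append("document-named file running as a process")
        if psuffix in DOC_EXTENSIONS and child in SHELLS:
            hits.append("document-named process spawning a shell")
        for label, parents, children in SPAWN_RULES:
            if pname in parents and child in children:
                hits.append(label)
        if child in SHELLS and ev["integrity"] == "High" \
                and AUTO_ELEVATORS & set(ancestor_names(tree, ev["guid"])):
            hits.append("high-integrity shell descended from a UAC auto-elevating binary")
        if child == "svchost.exe" and pname != "services.exe":
            hits.append("svchost.exe not started by services.exe (hollowing candidate)")
        if pname == "svchost.exe" and "-s schedule" in parent["cmdline"].lower() \
                and not ev["image"].lower().startswith("c:\\windows\\"):
            hits.append("scheduled task launching a binary outside C:\\Windows")
        for label in hits:
            alerts.append((ev["guid"], child, label))
    return alerts


if __name__ == "__main__":
    for alert in evaluate_process_events(PROCESS_EVENTS):
        print(alert)
```

The ancestor walk is what makes the sdclt.exe case work: the interesting parent of the high-integrity powershell.exe is control.exe, which is unremarkable on its own, so the rule looks past it. The integrity check is only as good as the environment, which is the caveat the 4.B.5 and 15.A.5 notes above make about an adversary process that was already high.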
11.A.8
Criteria:
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
Detections:
12.A.1
Criteria:
svchost.exe (-s Schedule) spawns Adb156.exe
Detections:
8.C.1
Procedure:
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria:
Successful logon as user Pam on Scranton (10.0.1.4)
Detections:
16.C.2
Procedure:
Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
Criteria:
Successful logon as user MScott on NewYork (10.0.0.4)
Detections:
4.A.4
Criteria:
powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick
Detections:
5.A.8
Criteria:
User kmitnick logs on to bankfileserver (10.0.0.7)
Detections:
5.B.2
Criteria:
User kmitnick logs on to bankfileserver (10.0.0.7)
Detections:
7.A.4
Criteria:
User kmitnick logs on to bankdc (10.0.0.4)
Detections:
7.B.2
Criteria:
User kmitnick logs on to cfo (10.0.0.5)
Detections:
16.A.4
Criteria:
User kmitnick logs on to itadmin (10.0.1.6)
Detections:
19.A.1
Criteria:
User kmitnick logs on to accounting (10.0.1.7)
Detections: