| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| | | General | A General detection named "Any office application launching a non-office and non-browser process" was generated when wscript.exe spawned unprotected.vbe. [1] |
| | | Technique | A Technique detection named "Wscript processes" was generated when wscript.exe executed unprotected.vbe. [1] |
| | | General | A General detection named "Office launching processes" was generated when wscript.exe spawned unprotected.vbe. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | Technique | A Technique detection named "Wscript processes" was generated when wscript.exe executed starter.vbs. [1] |
| | | Technique | A Technique detection named "Windows Command shell processes" was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "Wscript processes" was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | Technique | A Technique detection named "Windows Command shell processes" was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "PowerShell block logging events" was generated when cmd.exe spawned powershell.exe. [1] |
| | | Technique | A Technique detection named "Listing screen captures in powershell" was generated when powershell.exe executed CopyFromScreen(). [1] [2] [3] |
| | | Technique | A Technique detection named "Windows Command shell processes" was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "Windows Command shell processes" was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "PowerShell block logging events" was generated when cmd.exe spawned powershell.exe. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | Technique | A Technique detection named "PowerShell block logging event" was generated when powershell.exe executed rad353F7.ps1. [1] |
| | | Technique | A Technique detection named "Abuse Elevation Control Mechanism: Bypass User Access Control" was generated when PowerShell modified the Registry. [1] |
| | | Technique | A Technique detection named "Windows Command shell processes" was generated when fodhelper.exe launched cmd.exe. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | Technique | A Technique detection named "Windows Command shell processes" was generated when powershell.exe spawned cmd.exe. [1] |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | | No sensor was deployed on the system to capture activity which would have been required to satisfy the detection criteria of the technique under test. |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | | Minimum detection criteria was not met for this procedure. |
| | | Tactic | A Tactic detection named "Find the current user in Powershell" was generated when PowerShell executed Get-NetUser. [1] [2] |
| | | Technique | A Technique detection named "Windows Command shell processes" was generated when tiny.exe spawned cmd.exe. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Technique | A Technique detection named "RDP network connections" was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | Technique | A Technique detection named "Adding a run key using reg.exe" was generated when the Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. [1] |
| | | Technique | A Technique detection named "Wscript processes" was generated when wscript.exe ran with command line arguments to run Java-Update.vbs. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | Technique | A Technique detection named "Firewall rules change deteted in the registry" was generated when netsh.exe added a 'Service Host' rule to allow TCP port 5900 inbound. [1] |
| | | Technique | A Technique detection named "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" was generated when the tvncontrol subkey was added to HKLM\Software\Microsoft\CurrentVersion\Run. [1] |