| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A General detection named "Possible Spearphishing Attachment on Office Document" (High) was generated when wscript.exe executed underneath an Office application (winword.exe). [1] |
| | | | A General detection named "Possible Macro Embedded on Office Document" (High) was generated when wscript.exe executed underneath an Office application (winword.exe), which indicated a malicious macro. [1] |
| | | | A General detection named "Suspicious Process Launched By User" (High) was generated when a suspicious process (wscript.exe) was launched from a Microsoft Office application (winword.exe). [1] |
| | | | A Technique detection named "Script Executed" (High) was generated when wscript.exe executed unprotected.vbe. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A General detection named "Suspicious File Created" (High) was generated when wscript.exe created starter.vbs. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "New Command-Line Session" (Medium) was generated when wscript.exe spawned cmd.exe. [1] [2] |
| | | | A Technique detection named "Script Executed" was generated when wscript.exe executed TransBaseOdbcDriver.js. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "New Command-Line Session" (Medium) was generated when wscript.exe spawned cmd.exe. [1] |
| | | | A Technique detection named "New Powershell Session" (Medium) was generated when cmd.exe spawned powershell.exe. [1] [2] |
| | | | A Technique detection named "Possible Screen Capture by Powershell" (High) was generated when strings indicated PowerShell executed functions associated with Screen Capture. [1] [2] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "New Command-Line Session" (Medium) was generated when wscript.exe spawned cmd.exe. [1] |
| | | | A Technique detection named "Registry Modified by Reg.exe" (Medium) was generated when cmd.exe spawned reg.exe to add a value to the Registry key. [1] [2] |
| | | | A Technique detection named "Suspicious File Created" (High) was generated when wscript.exe created LanCradDriver.ps1. [1] [2] |
| | | | A Technique detection named "Suspicious PowerShell" (High) was generated when cmd.exe spawned powershell.exe. [1] |
| | | | A General detection named "Possible Process Injection by PowerShell" (High) was generated when strings indicated PowerShell executed VirtualAlloc and CreateThread. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Login after Work Hour" (Medium) was generated when powershell.exe successfully logged in to host 10.0.0.4 or 10.0.0.5 as user kmitnick. [1] [2] |
| | | | A Technique detection named "Suspicious File Created" (High) was generated when powershell.exe downloaded rad353F7.ps1 from 192.168.0.4. [1] |
| | | | A Technique detection named "Suspicious File Created" (High) was generated when powershell.exe downloaded smrs.exe from 192.168.0.4. [1] |
| | | | A Technique detection named "New PowerShell Session" (Medium) was generated when powershell.exe executed rad353F7.ps1. [1] |
| | | | A Technique detection named "Registry Modified Using PowerShell" (Low) was generated when powershell.exe added a value to the Registry via New-Item and New-ItemProperty. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "New Command-Line Session" (Medium) was generated when cmd.exe executed smrs.exe. [1] [2] |
| | | | A Technique detection named "Possible Credential Dumping" (High) was generated when smrs.exe opened and read lsass.exe. [1] [2] |
| | | | A Technique detection named "Suspicious File Created" (High) was generated when powershell.exe created pscp.exe. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Suspicious File Created" (High) was generated when powershell.exe created plink.exe. [1] |
| | | | A Technique detection named "Suspicious File Created" (High) was generated when powershell.exe created tiny.exe. [1] |
| | | | A Technique detection named "New Command-Line Session" (Medium) was generated when powershell.exe spawned cmd.exe. [1] |
| | | | A Technique detection named "Possible Remote Services Detected" (Medium) was generated when pscp.exe connected over port 22 to 10.0.0.7. [1] |
| | | | A Technique detection named "Login after Work Hour" (Medium) was generated when user kmitnick logged on to bankfileserver (10.0.0.7). [1] |
| | | | A Technique detection named "Possible Remote File Copy from Command Line" (High) was generated when pscp.exe command-line parameters indicated psexec.py was being copied to a remote machine (10.0.0.7). [1] [2] |
| | | | A Technique detection named "Possible Remote Service Detected" (Medium) was generated when plink.exe connected over port 22 to 10.0.0.7. [1] |
| | | | A Technique detection named "Login after Work Hour" (Medium) was generated when user kmitnick logged on to bankfileserver (10.0.0.7). [1] |
| | | | A Technique detection named "System Process Discovery" (Medium) was generated when user kmitnick executed ps ax. [1] |
| | | | A Technique detection named "Suspicious Remote Discovery Commands Entered on Linux" (Low) was generated when user kmitnick enumerated the domain controller via nslookup. [1] [2] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Pass the Hash" (High) was generated when kmitnick logged on to bankdc (10.0.0.4) using NTLM authentication. [1] |
| | | | A Technique detection named "Windows Admin Share Accessed" (Medium) was generated when a Windows admin share was accessed on bankdc (10.0.0.4). [1] [2] |
| | | | A Technique detection named "Suspicious File Created" (High) was generated when tiny.exe was created on 10.0.0.4. [1] |
| | | | A Technique detection named "New Command-Line Session" (Medium) was generated when cmd.exe spawned tiny.exe. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "AD Object Permission Enumerated" (Low) was generated when PowerShell executed Get-ADComputer. [1] |
| | | | A Technique detection named "Suspicious File Created" (High) was generated when tiny.exe downloaded plink.exe from 192.168.0.4. [1] |
| | | | A Technique detection named "New Command-Line Session" (Medium) was generated when tiny.exe spawned cmd.exe. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Login after Work Hour" (Medium) was generated when user kmitnick logged on to bankdc (10.0.0.4). [1] |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | | A Technique detection named "Possible System Owner Discovery" (Medium) was generated when powershell.exe executed qwinsta /server:cfo. [1] |
| | | | A Technique detection named "Login after Work Hour" (Medium) was generated when user kmitnick logged on to cfo (10.0.0.5). [1] [2] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious Remote Desktop Protocol" (Medium) was generated when an RDP session was created from bankdc (10.0.0.4) to cfo (10.0.0.5) over port 3389. [1] |
| | | | A Technique detection named "Suspicious File Create" (High) was generated when scp.exe downloaded Java-Update.exe from 192.168.0.4. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Suspicious File Created" (High) was generated when cmd.exe downloaded Java-Update.vbs from 192.168.0.4. [1] |
| | | | A Technique detection named "Windows Registry Run Keys and Startup Folder" (High) was generated when the Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Suspicious File Created" was generated when Java-Update.exe created DefenderUpgradeExec.exe. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Possible Process Injection" (Medium) was generated when Java-Update.exe injected into explorer.exe with CreateRemoteThread. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Suspicious File Created" (High) was generated when explorer.exe created infosMin48.exe. [1] |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | A Technique detection named "Registry Modified by Reg.exe" (Medium) was generated when the Java-Update subkey at HKLM\Software\Microsoft\Windows\CurrentVersion\Run was deleted. [1] |