Home >
Enterprise >
Participants >
Bitdefender >
Results
|
|
APT3 Substep numbers were updated on November 11, 2021 to accommodate changes to ATT&CK and updates to the result data structure. No results were modified in this process.
Procedure
Used unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria
Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process OR the original filename (cod.3aka.scr)
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Executed elevated PowerShell payload
Criteria
High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Modified the Registry to remove artifacts of COM hijacking
Criteria
Deletion of of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Enumerated current running processes using PowerShell
Criteria
powershell.exe executing Get-Process
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated user's temporary directory path using PowerShell
Criteria
powershell.exe executing $env:TEMP
Procedure
Enumerated the current username using PowerShell
Criteria
powershell.exe executing $env:USERNAME
Procedure
Enumerated the computer hostname using PowerShell
Criteria
powershell.exe executing $env:COMPUTERNAME
Procedure
Enumerated the current domain name using PowerShell
Criteria
powershell.exe executing $env:USERDOMAIN
Procedure
Enumerated the OS version using PowerShell
Criteria
powershell.exe executing Gwmi Win32_OperatingSystem
Procedure
Enumerated anti-virus software using PowerShell
Criteria
powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
Procedure
Enumerated firewall software using PowerShell
Criteria
powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Procedure
Enumerated user's domain group membership via the NetUserGetGroups API
Criteria
powershell.exe executing the NetUserGetGroups API
Procedure
Executed API call by reflectively loading Netapi32.dll
Criteria
The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria
powershell.exe executing the NetUserGetLocalGroups API
Procedure
Executed API call by reflectively loading Netapi32.dll
Criteria
The NetUserGetLocalGroups API function loaded into powershelle.exe from Netapi32.dll
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria
powershell.exe creating the Javamtsup service
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Read the Chrome SQL database file to extract encrypted credentials
Criteria
accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Executed the CryptUnprotectedData API call to decrypt Chrome passwords
Criteria
accesschk.exe executing the CryptUnprotectedData API
Procedure
Captured and saved screenshots using PowerShell
Criteria
powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
Procedure
Captured and saved screenshots using PowerShell
Criteria
powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Captured clipboard contents using PowerShell
Criteria
powershell.exe executing Get-Clipboard
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Read data in the user's Downloads directory using PowerShell
Criteria
powershell.exe reading files in C:\Users\pam\Downloads\
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
Criteria
powershell.exe creating the file OfficeSupplies.7z
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Encrypted data from the user's Downloads directory using PowerShell
Criteria
powershell.exe executing Compress-7Zip with the password argument used for encryption
Procedure
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria
powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria
powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Enumerated remote systems using LDAP queries
Criteria
powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria
Successful logon as user Pam on Scranton (10.0.1.4)
Procedure
Searched filesystem for document and media files using PowerShell
Criteria
powershell.exe executing (Get-)ChildItem
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria
powershell.exe reading files in C:\Users\Pam\
Procedure
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria
python.exe reading the file working.zip while connected to the C2 channel
Footnotes
- The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Deleted SDelete on disk using cmd.exe del command
Criteria
cmd.exe deleting the file sdelete64.exe
Procedure
Executed persistent service (javamtsup) on system startup
Criteria
javamtsup.exe spawning from services.exe
Procedure
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Procedure
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
Procedure
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Enumerated computer manufacturer, model, and version information using PowerShell
Criteria
powershell.exe executing a Get-WmiObject gwmi queries for Win32_BIOS and Win32_ComputerSystem
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated computer manufacturer, model, and version information using PowerShell
Criteria
powershell.exe executing a Get-WmiObject gwmi queries for Win32_BIOS and Win32_ComputerSystem
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Checked that the computer is joined to a domain using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_Process
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
Criteria
powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Established Registry Run key persistence using PowerShell
Criteria
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated the System32 directory using PowerShell
Criteria
powershell.exe executing (gci ((gci env:windir).Value + '\system32')
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Enumerated registered AV products using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Enumerated installed software via the Registry (Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Enumerated the computer name using the GetComputerNameEx API
Criteria
powershell.exe executing the GetComputerNameEx API
Procedure
Enumerated the current username using the GetUserNameEx API
Criteria
powershell.exe executing the GetUserNameEx API
Procedure
Enumerated running processes using the CreateToolhelp32Snapshot API
Criteria
powershell.exe executing the CreateToolhelp32Snapshot API
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Created and executed a WMI class using PowerShell
Criteria
WMI Process (WmiPrvSE.exe) executing powershell.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Enumerated and tracked PowerShell processes using PowerShell
Criteria
powershell.exe executing Get-Process
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Encoded and wrote Mimikatz output to a WMI class property using PowerShell
Criteria
powershell.exe executing Set-WmiInstance
Procedure
Enumerated logged on users using PowerShell
Criteria
powershell.exe executing $env:UserName
Procedure
Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
Criteria
powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll
Procedure
Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API
Criteria
powershell.exe executing the ConvertSidToStringSid API
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll
Criteria
powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
Criteria
Successful logon as user MScott on NewYork (10.0.0.4)
Procedure
Read and collected a local file using PowerShell
Criteria
powershell.exe reading the file MITRE-ATTACK-EVALS.HTML
Procedure
Staged collected file into directory using PowerShell
Criteria
powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Exfiltrated staged collection to an online OneDrive account using PowerShell
Criteria
powershell.exe executing Copy-Item pointing to drive mapped to an attack-controlled OneDrive account
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


Procedure
Executed Run key persistence payload on user login using RunDll32
Criteria
rundll32.exe executing kxwn.lock
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Executed WMI persistence on user login
Criteria
The WMI process (wmiprvse.exe) executing powershell.exe
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Created Kerberos Golden Ticket using Invoke-Mimikatz
Criteria
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Created Kerberos Golden Ticket using Invoke-Mimikatz
Criteria
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
Footnotes
- PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.


[2]


Procedure
Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials
Criteria
Network connection to Scranton (10.0.1.4) over port 5985
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Windows Registry
- Process Monitoring


Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


[2]


Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Windows Registry
- Process Monitoring


Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


Criteria
AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll