Step | ATT&CK Pattern | Detection Type | Detection Note
| | | Minimum detection criteria was not met for this procedure.
| | | Minimum detection criteria was not met for this procedure.
| | | A Technique detection named "W32.WscriptExecuteSuspiciousJS" (Low) was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js.
| | | Minimum detection criteria was not met for this procedure.
| | | Minimum detection criteria was not met for this procedure.
| | | Minimum detection criteria was not met for this procedure.
| | | Minimum detection criteria was not met for this procedure.
| | | A General detection named "Clam.Win.Malware.ScreenCapture.UNOFFICIAL" (Medium) was generated when screenshot_.ps1 was detected as Clam.Win.Malware.ScreenCapture.
| | | Minimum detection criteria was not met for this procedure.
| | | A Technique detection named "Command-line Obfuscation" (Medium) was generated when cmd.exe spawned reg.exe to modify the registry with base64-encoded data.
| | | A General detection named "Generic.Sharpshooter" (Medium) was generated when LanCradDriver.ps1 was detected as Generic.Sharpshooter.
| | | A General detection named "Heur.BZC.PZQ.Boxter" (Medium) was generated when LanCradDriver.ps1 was detected as Heur.BZC.PZQ.Boxter.
| | | Minimum detection criteria was not met for this procedure.
| | | Minimum detection criteria was not met for this procedure.
| | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Powershell Queried LDAP" (Low) was generated when powershell.exe executed Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4.
| | General (Configuration Change (Detection Logic)) | A General detection named "Suspicious Network Activity" (Low) was generated when powershell.exe executed Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4.
| | | A Technique detection named "Successful Remote Logon Detected" (Threat Detection) was generated when user kmitnick successfully logged on to bankdc (10.0.0.4).
| | | A General detection named "W32.33A15DA56C.in12.Talos" was generated when smrs.exe was detected as W32.33A15DA56C.in12.Talos.
| | | A Technique detection named "Interpreter Creates Executable" (Low) was generated when powershell.exe downloaded smrs.exe from 192.168.0.4.
| | | A Technique detection named "W32.FodHelperUACBypass.ioc" (High) was generated when fodhelper.exe spawned cmd.exe as part of a possible UAC bypass using the FodHelper executable.
| | | A General detection named "System Process Protection" (Low) was generated when smrs.exe opened and read lsass.exe.
| | | A Technique detection named "Interpreter Creates Executable" (Low) was generated when powershell.exe downloaded pscp.exe.
| | | A General detection named "Cloud IOC: W32.SuspiciousOperations.ioc" (Medium) was generated when plink.exe was identified.
| | | A Technique detection named "Interpreter Creates Executable" (Low) was generated when powershell.exe downloaded plink.exe.
| | | A Technique detection named "Interpreter Creates Executable" (Low) was generated when powershell.exe created tiny.exe.
| | | Minimum detection criteria was not met for this procedure.
| | | A General detection named "W32.File.MalParent" (Medium) was generated when a service executable in C:\Windows\ was detected as W32.File.MalParent.
| | | A General detection named "W32.RemoteAdmin:SPR.22lu.1201" (Medium) was generated when a service executable in C:\Windows\ was detected as W32.RemoteAdmin:SPR.22lu.1201.
| | | Minimum detection criteria was not met for this procedure.
| | | Minimum detection criteria was not met for this procedure.
| | | A General detection named "Cloud IOC: W32.SuspiciousOperations.ioc" (Medium) was generated when plink.exe was seen and identified as a possible attempt to tunnel.
| | | Minimum detection criteria was not met for this procedure.
| | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Successful Remote Logon Detected" was generated when user kmitnick logged on to bankdc (10.0.0.4).
| | | A General detection named "Remote SSH Tunnel Parameters" (Low) was generated when plink.exe created an RDP session from the localhost over TCP port 3389.
| | | A Technique detection named "Successful Remote Logon Detected" (Threat Detection) was generated when user kmitnick logged on to cfo (10.0.0.5).
| | | A General detection named "DeepScan: Generic.Exploit.Shellcode" (Medium) was generated when scp.exe downloaded Java-Update.exe from 192.168.0.4.
| | | Minimum detection criteria was not met for this procedure.
| | | A Technique detection named "Windows Run Key Persistence" (Low) was generated when a Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
| | | A General detection named "DeepScan: Generic.Exploit.Shellcode" (Medium) was generated when Java-Update.exe was detected as DeepScan: Generic.Exploit.Shellcode.
| | | Minimum detection criteria was not met for this procedure.
| | | Minimum detection criteria was not met for this procedure.
| | | Minimum detection criteria was not met for this procedure.
| | | Minimum detection criteria was not met for this procedure.
| | | Minimum detection criteria was not met for this procedure.
| | | Minimum detection criteria was not met for this procedure.
| | Technique (Configuration Change (Data Sources)) | A Technique detection named "Potential Use of vaulcli.dll for Credential Harvesting" (Low) was generated when infosMin48.exe loaded vaultcli.dll.
| | | A Technique detection named "Firewall Rule Added by netsh" (Low) was generated when netsh.exe added a 'Service Host' rule to allow TCP port 5900 inbound.
| | | A Technique detection named "Windows Run Key Persistence" (Low) was generated when a tvncontrol subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.