20.B.4
Criteria:
7za.exe creates C:\Users\Public\log.7z
Detections:
5.B.5
Criteria:
User kmitnick reads network-diagram-financial.xml via cat
Detections:
5.B.6
Criteria:
User kmitnick reads help-desk-ticket.txt via cat
Detections:
9.A.5
Criteria:
explorer.exe reads C:\Users\jsmith\AppData\Local\Temp\Klog2.txt and transmits it to 192.168.0.4
Detections:
9.A.2
Criteria:
DefenderUpgradeExec.exe calls the SetWindowsHookEx API
Detections:
18.A.4
Criteria:
mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState
Detections:
2.B.4
Criteria:
powershell.exe executes CopyFromScreen()
Detections:
9.A.4
Criteria:
explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll
Detections:
13.B.4
Criteria:
powershell.exe executes CopyFromScreen()
Detections:
18.A.2
Criteria:
explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll
Detections:
7.A.3
Criteria:
plink.exe transmits data to 192.168.0.4 over SSH protocol
Detections:
12.A.3
Criteria:
Adb156.exe transmits data to 192.168.0.6 via MSSQL transactions
Detections:
1.A.10
Criteria:
wscript.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
8.A.2
Criteria:
Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
14.A.6
Criteria:
powershell.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
16.A.8
Criteria:
svchost.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
17.A.5
Criteria:
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
20.A.3
Criteria:
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
1.A.11
Criteria:
wscript.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
8.A.3
Criteria:
Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
14.A.7
Criteria:
powershell.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
16.A.9
Criteria:
svchost.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
17.A.6
Criteria:
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
20.A.4
Criteria:
rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol
Detections:
2.B.1
Criteria:
wscript.exe downloads screenshot__.ps1 from 192.168.0.4
Detections:
3.B.1
Criteria:
wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4
Detections:
4.B.1
Criteria:
powershell.exe downloads rad353F7.ps1 from 192.168.0.4
Detections:
4.B.2
Criteria:
powershell.exe downloads smrs.exe from 192.168.0.4
Detections:
5.A.1
Criteria:
powershell.exe downloads pscp.exe from 192.168.0.4
Detections:
5.A.2
Criteria:
powershell.exe downloads psexec.py from 192.168.0.4
Detections:
5.A.3
Criteria:
powershell.exe downloads runtime from 192.168.0.4
Detections:
5.A.4
Criteria:
powershell.exe downloads plink.exe from 192.168.0.4
Detections:
5.A.5
Criteria:
powershell.exe downloads tiny.exe from 192.168.0.4
Detections:
7.A.1
Criteria:
tiny.exe downloads plink.exe from 192.168.0.4
Detections:
7.C.1
Criteria:
scp.exe downloads Java-Update.exe from 192.168.0.4
Detections:
7.C.3
Criteria:
cmd.exe downloads Java-Update.vbs from 192.168.0.4
Detections:
9.A.1
Criteria:
Java-Update.exe downloads DefenderUpgradeExec.exe from 192.168.0.4
Detections:
9.B.1
Criteria:
explorer.exe downloads infosMin48.exe from 192.168.0.4
Detections:
10.A.1
Criteria:
explorer.exe downloads tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4
Detections:
10.A.2
Criteria:
explorer.exe downloads vnc-settings.reg from 192.168.0.4
Detections:
12.B.1
Criteria:
Adb156.exe downloads stager.ps1 from 192.168.0.6
Detections:
13.B.1
Criteria:
Adb156.exe downloads takeScreenshot.ps1 from 192.168.0.6 via MSSQL transactions
Detections:
15.A.2
Criteria:
powershell.exe downloads samcat.exe from 192.168.0.4
Detections:
15.A.3
Criteria:
powershell.exe downloads uac-samcats.ps1 from 192.168.0.4
Detections:
16.A.1
Criteria:
powershell.exe downloads paexec.exe from 192.168.0.4
Detections:
16.A.2
Criteria:
powershell.exe downloads hollow.exe from 192.168.0.4
Detections:
17.A.1
Criteria:
svchost.exe downloads srrstr.dll from 192.168.0.4 (port 443)
Detections:
19.B.3
Criteria:
powershell.exe downloads dll329.dll from 192.168.0.4
Detections:
19.B.4
Criteria:
powershell.exe downloads sdbE376.tmp from 192.168.0.4
Detections:
20.B.1
Criteria:
rundll32.exe downloads debug.exe from 192.168.0.4
Detections:
20.B.3
Criteria:
rundll32.exe downloads 7za.exe from 192.168.0.4
Detections:
3.B.7
Criteria:
powershell.exe transmits data to 192.168.0.4 over TCP
Detections:
19.A.3
Criteria:
itadmin (10.0.1.6) is relaying RDP traffic from attacker infrastructure
Detections:
10.B.1
Criteria:
tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900
Detections:
4.A.3
Criteria:
powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access
Detections:
9.B.2
Criteria:
infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll
Detections:
4.B.7
Criteria:
smrs.exe opens and reads lsass.exe
Detections:
15.A.6
Criteria:
samcat.exe opens and reads the SAM via LSASS
Detections:
4.B.5
Criteria:
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Detections:
15.A.5
Criteria:
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Detections:
1.A.5
Criteria:
wscript.exe decodes content and creates starter.vbs
Detections:
1.A.6
Criteria:
wscript.exe decodes content and creates TransBaseOdbcDriver.js
Detections:
3.B.5
Criteria:
powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode
Detections:
5.C.6
Criteria:
tiny.exe loads shellcode from network connection into memory
Detections:
11.A.5
Criteria:
mshta.exe assembles text embedded within 2-list.rtf into a JS payload
Detections:
14.A.3
Criteria:
powershell.exe decodes an embedded DLL payload
Detections:
14.A.5
Criteria:
powershell.exe loads shellcode from network connection into memory
Detections:
17.A.4
Criteria:
SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll
Detections:
10.A.3
Criteria:
netsh adds Service Host rule for TCP port 5900
Detections:
9.B.3
Criteria:
powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\
Detections:
17.A.2
Criteria:
srrstr.dll is not the legitimate Windows System Protection Configuration Library
Detections:
11.A.6
Criteria:
mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe
Detections:
3.A.2
Criteria:
cmd.exe spawns reg.exe to add a value under HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer
Detections:
4.B.4
Criteria:
powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty
Detections:
10.A.5
Criteria:
Addition of subkeys in HKLM\Software\TightVNC\Server
Detections:
10.A.6
Criteria:
Deletion of the Java-Update subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Detections:
1.A.4
Criteria:
unprotected.vbe is an encoded file
Detections:
3.A.3
Criteria:
Value added to Registry is base64 encoded
Detections:
11.A.2
Criteria:
2-list.rtf contains an embedded lnk payload that is dropped to disk
Detections:
19.B.2
Criteria:
powershell.exe executes base64 encoded commands
Detections:
9.A.3
Criteria:
Java-Update.exe injects into explorer.exe with CreateRemoteThread
Detections:
18.A.1
Criteria:
svchost.exe injects into explorer.exe with CreateRemoteThread
Detections:
18.A.3
Criteria:
explorer.exe injects into mstsc.exe with CreateRemoteThread
Detections:
20.A.2
Criteria:
AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread
Detections:
16.A.7
Criteria:
hollow.exe spawns svchost.exe and unmaps its memory image via NtUnmapViewOfSection
Detections:
11.A.3
Criteria:
winword.exe spawns mshta.exe
Detections:
5.C.1
Criteria:
psexec.py creates a logon to 10.0.0.4 as user kmitnick
Detections:
4.A.4
Criteria:
powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick
Detections:
5.A.8
Criteria:
User kmitnick logs on to bankfileserver (10.0.0.7)
Detections:
5.B.2
Criteria:
User kmitnick logs on to bankfileserver (10.0.0.7)
Detections:
7.A.4
Criteria:
User kmitnick logs on to bankdc (10.0.0.4)
Detections:
7.B.2
Criteria:
User kmitnick logs on to cfo (10.0.0.5)
Detections:
16.A.4
Criteria:
User kmitnick logs on to itadmin (10.0.1.6)
Detections:
19.A.1
Criteria:
User kmitnick logs on to accounting (10.0.1.7)
Detections:
13.A.4
Criteria:
Adb156.exe makes a WMI query for Win32_BIOS
Detections:
6.A.3
Criteria:
PowerShell executes Get-NetUser
Detections:
4.A.1
Criteria:
powershell.exe calls the FindFirstFileW() and FindNextFileW() APIs
Detections:
5.B.4
Criteria:
User kmitnick executes ls -lsahR /var/
Detections:
7.C.2
Criteria:
dir lists the contents of C:\Users\Public
Detections:
13.A.3
Criteria:
cmd.exe executes net view
Detections:
2.A.4
Criteria:
wscript.exe makes a WMI query for Win32_Process
Detections:
5.B.3
Criteria:
User kmitnick executes ps ax
Detections:
13.A.1
Criteria:
Adb156.exe makes a WMI query for Win32_Process
Detections:
15.A.1
Criteria:
powershell.exe calls the CreateToolhelp32Snapshot() API
Detections:
20.B.2
Criteria:
debug.exe calls the CreateToolhelp32Snapshot API
Detections:
3.B.4
Criteria:
powershell.exe reads HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty
Detections:
4.A.2
Criteria:
powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4
Detections:
5.B.7
Criteria:
User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)
Detections:
6.A.2
Criteria:
PowerShell executes Get-ADComputer
Detections:
15.A.8
Criteria:
powershell.exe spawns nslookup.exe, which queries the DC (10.0.1.4) over DNS (port 53)
Detections:
2.A.2
Criteria:
wscript.exe makes WMI queries for Win32_Processor & Win32_OperatingSystem
Detections:
12.A.5
Criteria:
Adb156.exe makes a WMI query for Win32_LogicalDisk
Detections:
13.A.6
Criteria:
Adb156.exe queries the COMPUTERNAME environment variable
Detections:
13.A.9
Criteria:
Adb156.exe makes a WMI query for Win32_OperatingSystem
Detections:
12.A.4
Criteria:
Adb156.exe makes a WMI query for Win32_NetworkAdapterConfiguration
Detections:
13.A.8
Criteria:
Adb156.exe makes a WMI query for Win32_ComputerSystem
Detections:
15.A.7
Criteria:
powershell.exe calls the GetIpNetTable() API
Detections:
7.B.1
Criteria:
powershell.exe executes qwinsta /server:cfo
Detections:
13.A.5
Criteria:
Adb156.exe queries the USERNAME environment variable
Detections:
1.A.9
Criteria:
cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js
Detections:
12.A.2
Criteria:
Adb156.exe loads scrobj.dll and executes sql-rat.js using JScript
Detections:
2.B.3
Criteria:
cmd.exe spawns powershell.exe
Detections:
3.B.3
Criteria:
cmd.exe spawns powershell.exe
Detections:
4.B.3
Criteria:
powershell.exe executes rad353F7.ps1
Detections:
6.A.1
Criteria:
tiny.exe loads system.management.automation.dll
Detections:
13.B.3
Criteria:
cmd.exe spawns powershell.exe
Detections:
14.A.2
Criteria:
cmd.exe spawns powershell.exe
Detections:
14.A.4
Criteria:
powershell.exe executes the decoded payload using Invoke-Expression (IEX)
Detections:
15.A.4
Criteria:
powershell.exe spawns powershell.exe
Detections:
19.B.1
Criteria:
powershell.exe spawns powershell.exe
Detections:
1.A.3
Criteria:
wscript.exe executes unprotected.vbe
Detections:
1.A.7
Criteria:
wscript.exe executes starter.vbs
Detections:
8.A.1
Criteria:
wscript.exe spawns Java-Update.exe
Detections:
11.A.4
Criteria:
mshta.exe executes an embedded VBScript payload
Detections:
1.A.8
Criteria:
wscript.exe spawns cmd.exe
Detections:
2.B.2
Criteria:
wscript.exe spawns cmd.exe
Detections:
3.A.1
Criteria:
wscript.exe spawns cmd.exe
Detections:
3.B.2
Criteria:
wscript.exe spawns cmd.exe
Detections:
4.B.6
Criteria:
cmd.exe spawns smrs.exe
Detections:
5.A.6
Criteria:
powershell.exe spawns cmd.exe
Detections:
5.C.5
Criteria:
cmd.exe spawns tiny.exe
Detections:
7.A.2
Criteria:
tiny.exe spawns cmd.exe
Detections:
13.A.2
Criteria:
Adb156.exe spawns cmd.exe
Detections:
13.B.2
Criteria:
Adb156.exe spawns cmd.exe
Detections:
14.A.1
Criteria:
Adb156.exe spawns cmd.exe
Detections:
16.A.3
Criteria:
powershell.exe spawns cmd.exe
Detections:
17.A.3
Criteria:
svchost.exe spawns cmd.exe
Detections:
1.A.2
Criteria:
winword.exe loads VBE7.DLL
Detections:
11.A.7
Criteria:
winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL
Detections:
3.B.6
Criteria:
powershell.exe executes the shellcode from the Registry by calling the CreateThread() API
Detections:
11.A.8
Criteria:
mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes
Detections:
12.A.1
Criteria:
svchost.exe (-s Schedule) spawns Adb156.exe
Detections:
5.C.3
Criteria:
cmd.exe spawns from a service executable in C:\Windows\
Detections:
16.A.6
Criteria:
Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe
Detections:
1.A.1
Criteria:
explorer.exe spawns winword.exe when user clicks 1-list.rtf
Detections:
11.A.1
Criteria:
explorer.exe spawns winword.exe when user clicks 2-list.rtf
Detections:
2.B.5
Criteria:
wscript.exe reads and uploads screenshot__.png to 192.168.0.4
Detections:
13.B.5
Criteria:
Adb156.exe reads and uploads image.png to 192.168.0.6 via MSSQL transactions
Detections:
20.B.5
Criteria:
rundll32.exe reads and uploads log.7z to 192.168.0.4
Detections:
5.A.9
Criteria:
Pscp.exe copies psexec.py to 10.0.0.7
Detections:
5.A.10
Criteria:
Pscp.exe copies runtime to 10.0.0.7
Detections:
5.A.11
Criteria:
Pscp.exe copies tiny.exe to 10.0.0.7
Detections:
5.C.4
Criteria:
tiny.exe is created on 10.0.0.4
Detections:
7.A.5
Criteria:
RDP session from the localhost over TCP port 3389
Detections:
7.B.3
Criteria:
RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389
Detections:
19.A.2
Criteria:
RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389
Detections:
5.C.2
Criteria:
psexec.py connects to SMB shares on 10.0.0.4
Detections:
16.A.5
Criteria:
SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed
Detections:
5.A.7
Criteria:
Pscp.exe connects over SCP (port 22) to 10.0.0.7
Detections:
5.B.1
Criteria:
plink.exe connects over SSH (port 22) to 10.0.0.7
Detections:
7.C.4
Criteria:
Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Detections:
10.A.4
Criteria:
msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run
Detections:
19.B.5
Criteria:
sdbinst.exe installs sdbE376.tmp shim
Detections:
20.A.1
Criteria:
AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll
Detections: