Microsoft: Results
Participant Configuration: APT3, APT29, Carbanak+FIN7

MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
 

Procedure

Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

Footnotes

  • Resume Viewer.exe was audited by Exploit Guard and the vendor stated that the audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode.

Procedure

Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32

Procedure

Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)

Procedure

Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

Procedure

Cobalt Strike: C2 channel established using port 53

Footnotes

  • DNS requests were observed (no detection showed port 53 specifically).

Procedure

Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com

Footnotes

  • The vendor stated that DNS telemetry is captured but it was not immediately visible in the portal. The vendor made changes to the portal during the test to enable by default the visibility of these events.

Procedure

Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding

Procedure

Cobalt Strike: 'ipconfig -all' via cmd

Procedure

Cobalt Strike: 'arp -a' via cmd

Procedure

Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

Procedure

Cobalt Strike: 'ps' (Process status) via Win32 APIs

Procedure

Cobalt Strike: 'tasklist -v' via cmd

Procedure

Cobalt Strike: 'sc query' via cmd

Procedure

Cobalt Strike: 'net start' via cmd

Procedure

Cobalt Strike: 'systeminfo' via cmd

Procedure

Cobalt Strike: 'net config workstation' via cmd

Procedure

Cobalt Strike: 'net localgroup administrators' via cmd

Procedure

Cobalt Strike: 'net localgroup administrators -domain' via cmd

Procedure

Cobalt Strike: 'net group "Domain Admins" -domain' via cmd

Procedure

Cobalt Strike: 'net user -domain' via cmd

Procedure

Cobalt Strike: 'net user george -domain' via cmd

Procedure

Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Procedure

Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

Procedure

Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token

Procedure

Cobalt Strike: 'ps' (Process status) via Win32 APIs

Procedure

Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Footnotes

  • The process injection attempt was audited by Exploit Guard. The vendor states that the Exploit Guard audit events demonstrate that execution would have been prevented if Export Address Filtering (EAF) was enabled in blocking mode.

Procedure

Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd

Procedure

Cobalt Strike: 'net group "Domain Computers" -domain' via cmd

Procedure

Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

Procedure

Cobalt Strike: 'netstat -ano' via cmd

Procedure

Cobalt Strike: Built-in Mimikatz credential dump capability executed

Footnotes

  • Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. Vendor stated that Credential Guard can also mitigate this attack if enabled.

Procedure

Cobalt Strike: Credential dump capability involved process injection into lsass

Footnotes

  • Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode.

Procedure

Cobalt Strike: Built-in hash dump capability executed

Footnotes

  • Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. Vendor stated that Credential Guard can also mitigate this attack if enabled.

Procedure

Cobalt Strike: Hash dump capability involved process injection into lsass.exe

Footnotes

  • Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode.

Procedure

Cobalt Strike: Built-in token theft capability executed to change user context to George

Procedure

Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

Procedure

Cobalt Strike: C2 channel modified to use port 80

Procedure

Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com

Procedure

Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS

Procedure

Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Procedure

Added user Jesse to Conficker (10.0.0.5) through RDP connection

Footnotes

  • Visibility of account creation data was verified in retesting at the end of the evaluation after vendor adjusted data collection configuration and visibility of account creation.

Procedure

Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection

Procedure

Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information

Procedure

Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

Procedure

Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Procedure

Cobalt Strike: 'dir -s -b "\\conficker\wormshare"' via cmd

Procedure

Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

Procedure

Cobalt Strike: 'ps' (Process status) via Win32 APIs

Procedure

Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

Footnotes

  • The vendor stated that Input Capture telemetry is captured but it was not immediately visible in the user portal. The vendor made changes to the portal during the test to enable the visibility of these events.
  • Telemetry also showed cmd.exe injecting into explorer.exe to facilitate the keylogging, but this did not identify input capture specifically so was not counted as a detection.

Procedure

Cobalt Strike: Keylogging capability included residual enumeration of application windows

Procedure

Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Footnotes

  • The vendor stated that screen capture telemetry is captured but it was not immediately visible in the portal. The vendor made changes to the portal during the test to enable by default the visibility of these events, so this detection is identified as a configuration change.

Procedure

Cobalt Strike: Screen capture capability involved process injection into explorer.exe

Procedure

Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

Procedure

Cobalt Strike: Built-in download capability executed to a collect file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Footnotes

  • The vendor stated that, by default, WDATP monitored activity around the most commonly used document types (doc, xls, ppt, pdf, etc.) at the time of the evaluation. The vendor subsequently made changes to enable visibility of .vsdx events by default, which is now available in WDATP.

Procedure

Cobalt Strike: Download capability exfiltrated data through existing C2 channel

Procedure

Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

Procedure

Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

Procedure

RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Procedure

RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism

Procedure

Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

Procedure

Empire: C2 channel established using port 443

Procedure

Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com

Footnotes

  • Vendor added detection for evaluation C2 domain using the standard customer-facing custom detection capabilities of the product.

Procedure

Empire: Encrypted C2 channel established using HTTPS

Procedure

Empire: 'route print' via PowerShell

Procedure

Empire: 'ipconfig -all' via PowerShell

Procedure

Empire: 'whoami -all -fo list' via PowerShell

Procedure

Empire: 'qprocess *' via PowerShell

Procedure

Empire: 'net start' via PowerShell

Footnotes

  • Alert is based on the correlation of a chain of related behaviors across multiple steps.

Procedure

Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

Procedure

Empire: WinEnum module included enumeration of user information

Procedure

Empire: WinEnum module included enumeration of AD group memberships

Procedure

Empire: WinEnum module included enumeration of password policy information

Procedure

Empire: WinEnum module included enumeration of recently opened files

Procedure

Empire: WinEnum module included enumeration of interesting files

Procedure

Empire: WinEnum module included enumeration of clipboard contents

Procedure

Empire: WinEnum module included enumeration of system information

Procedure

Empire: WinEnum module included enumeration of Windows update information

Procedure

Empire: WinEnum module included enumeration of system information via a Registry query

Procedure

Empire: WinEnum module included enumeration of services

Procedure

Empire: WinEnum module included enumeration of available shares

Procedure

Empire: WinEnum module included enumeration of mapped network drives

Procedure

Empire: WinEnum module included enumeration of AV solutions

Procedure

Empire: WinEnum module included enumeration of firewall rules

Procedure

Empire: WinEnum module included enumeration of network adapters

Procedure

Empire: WinEnum module included enumeration of established network connections

Footnotes

  • Alert is based on the correlation of a chain of related behaviors across multiple steps.

Procedure

Empire: 'net group "Domain Admins" -domain' via PowerShell

Footnotes

  • Alert is based on the correlation of a chain of related behaviors across multiple steps.

Procedure

Empire: 'Net Localgroup Administrators' via PowerShell

Footnotes

  • Alert is based on the correlation of a chain of related behaviors across multiple steps.

Procedure

Empire: 'net user' via PowerShell

Footnotes

  • Alert is based on the correlation of a chain of related behaviors across multiple steps.

Procedure

Empire: 'net user -domain' via PowerShell

Footnotes

  • The vendor noted this was an Azure Advanced Threat Protection alert.
  • Alert is based on the correlation of a chain of related behaviors across multiple steps.

Procedure

Empire: 'net group "Domain Computers" -domain' via PowerShell

Footnotes

  • Alert is based on the correlation of a chain of related behaviors across multiple steps.

Procedure

Empire: 'net use' via PowerShell

Footnotes

  • Alert is based on the correlation of a chain of related behaviors across multiple steps.

Procedure

Empire: 'netstat -ano' via PowerShell

Footnotes

  • Alert is based on the correlation of a chain of related behaviors across multiple steps.

Procedure

Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Procedure

Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level

Procedure

Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk

Procedure

Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP

Procedure

Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080

Procedure

Empire: Built-in keylogging module executed to capture keystrokes of user Bob

Footnotes

  • Vendor stated that Input Capture telemetry is captured but it was not immediately visible in the portal. Vendor made changes to the portal during the test to enable by default the visibility of these events.

Procedure

Empire: Built-in keylogging module included residual enumeration of application windows

Procedure

Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Procedure

Empire: 'net use' via PowerShell to make brute-force password-spraying authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting the credentials of users Kmitnick, Bob, and Frieda

Footnotes

  • The alert spans multiple login attempts.

Procedure

Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)

Footnotes

  • The alert spans multiple login attempts.

Procedure

Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

Procedure

Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)

Footnotes

  • The alert spans multiple login attempts.

Procedure

Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying

Footnotes

  • The alert spans multiple login attempts.
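The spray described above, 'net use' failures from CodeRed against Morris and Nimda for Kmitnick, Bob and Frieda followed by the successful authentication to Conficker as Kmitnick, written out as detection logic. This is an added example, not code from the evaluation page or from any evaluated product. The logon records are constructed to follow the narrative, and the record fields, the ten-minute window and the three-account threshold are assumptions:

```python
"""Detection logic for the password spray and the follow-on success above.

Added example; it is not code from the MITRE ATT&CK Evaluations page or from
any evaluated product. The logon records are constructed to follow the
evaluation narrative (source CodeRed 10.0.1.5, targets Morris/Nimda/Conficker,
accounts Kmitnick, Bob and Frieda); the record fields, the ten-minute window
and the three-account threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    source_ip: str    # workstation the authentication came from
    target_host: str  # host that evaluated the credentials
    user: str
    success: bool
    share: str        # admin share named in the request, "" if none


SPRAY_WINDOW = timedelta(minutes=10)  # assumed correlation window
MIN_DISTINCT_USERS = 3                # assumed: a spray tries many accounts, each a few times


def detect_spray(events, window=SPRAY_WINDOW, min_users=MIN_DISTINCT_USERS):
    """One alert per source that fails against >= min_users distinct accounts
    inside `window`; the alert spans every failure in that window, which is
    what makes it a spray alert rather than a single bad-password event."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.time):
        if not e.success:
            failures[e.source_ip].append(e)
    alerts = []
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end].time - fails[start].time > window:
                start += 1
            if len({f.user.lower() for f in fails[start:end + 1]}) < min_users:
                continue
            limit = fails[start].time + window
            span = [f for f in fails[start:] if f.time <= limit]
            alerts.append({
                "source_ip": src,
                "users": sorted({f.user for f in span}),
                "targets": sorted({f.target_host for f in span}),
                "admin_shares": sorted({f.share for f in span if f.share}),
                "attempts": len(span),
                "first": span[0].time,
                "last": span[-1].time,
            })
            break
    return alerts


def correlate_success(events, alerts, window=SPRAY_WINDOW):
    """Attach to each spray alert the successful logons from the same source
    for a sprayed account, i.e. the credential the spray actually found."""
    findings = []
    for a in alerts:
        sprayed = {u.lower() for u in a["users"]}
        hits = sorted(
            (e.user, e.target_host)
            for e in events
            if e.success
            and e.source_ip == a["source_ip"]
            and e.user.lower() in sprayed
            and a["first"] <= e.time <= a["last"] + window
        )
        findings.append({**a, "compromised": hits})
    return findings


T0 = datetime(2018, 10, 1, 14, 0, 0)  # constructed base timestamp


def _at(seconds):
    return T0 + timedelta(seconds=seconds)


# Constructed telemetry: six 'net use' failures against two hosts, then the
# success against Conficker, plus unrelated activity from another workstation.
SAMPLE_LOGONS = [
    LogonEvent(_at(0), "10.0.1.5", "Morris", "Kmitnick", False, "ADMIN$"),
    LogonEvent(_at(20), "10.0.1.5", "Morris", "Bob", False, "ADMIN$"),
    LogonEvent(_at(40), "10.0.1.5", "Morris", "Frieda", False, "ADMIN$"),
    LogonEvent(_at(60), "10.0.1.5", "Nimda", "Kmitnick", False, "ADMIN$"),
    LogonEvent(_at(80), "10.0.1.5", "Nimda", "Bob", False, "ADMIN$"),
    LogonEvent(_at(100), "10.0.1.5", "Nimda", "Frieda", False, "ADMIN$"),
    LogonEvent(_at(180), "10.0.1.5", "Conficker", "Kmitnick", True, "ADMIN$"),
    LogonEvent(_at(30), "10.0.1.7", "Nimda", "Debbie", False, ""),  # one mistyped password
    LogonEvent(_at(45), "10.0.1.7", "Nimda", "Debbie", True, ""),
]

if __name__ == "__main__":
    for f in correlate_success(SAMPLE_LOGONS, detect_spray(SAMPLE_LOGONS)):
        print(f"{f['source_ip']}: {f['attempts']} failures for {f['users']} "
              f"on {f['targets']}; success as {f['compromised']}")
```

The alert spans every failure in the window, which is the property the footnotes above describe for the product alert; the single mistyped password from the other workstation never reaches the distinct-account threshold. The correlation step then reports which sprayed account later succeeded and on which host, which is the finding an analyst actually needs to act on.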

Procedure

Empire: 'net use -delete' via PowerShell

Procedure

Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

Procedure

Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick

Procedure

Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

Procedure

Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

Procedure

Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

Procedure

Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

Procedure

Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

Procedure

Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)

Procedure

Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

Procedure

Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

Procedure

Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Procedure

Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

Procedure

Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Procedure

Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

Procedure

Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

Procedure

Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Procedure

Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

Procedure

Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Footnotes

  • The vendor states that, by default, WDATP monitored activity around the most commonly used document types (doc, xls, ppt, pdf, etc.) at the time of the test.

Procedure

Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Footnotes

  • The vendor states that, by default, WDATP monitored activity around the most commonly used document types (doc, xls, ppt, pdf, etc.) at the time of the test.

Procedure

Empire: File dropped to disk is a renamed copy of the WinRAR binary

Procedure

Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)

Procedure

Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

Procedure

Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file

Procedure

Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary

Procedure

Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then run as an FTP script to exfiltrate data over a network connection separate from the existing C2 channel

Procedure

Empire: 'del C:\"$"Recycle.bin\old.rar'

Procedure

Empire: 'del recycler.exe'

Procedure

magnify.exe (previously overwritten with cmd.exe) launched through an RDP connection made to Creeper (10.0.0.4)

Procedure

RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism

Procedure

Executed 'whoami' via the cmd.exe persistence mechanism through the RDP connection made to Creeper (10.0.0.4)

Procedure

User Pam executed payload rcs.3aka3.doc

Criteria

The rcs.3aka3.doc process spawning from explorer.exe

Procedure

Used the Unicode right-to-left override (RTLO) character to obfuscate the file name rcs.3aka3.doc (originally cod.3aka3.scr)

Criteria

Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka3.scr)
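How the override produces the displayed name, and how to apply the criterion above to a file name seen in telemetry, as an added example rather than code from the evaluation page or from any vendor. The on-disk names are constructed here (U+202E followed by cod.3aka3.scr, which a bidi-aware display renders as rcs.3aka3.doc), and the list of executable extensions is an assumption made for the illustration:

```python
"""Shows how the right-to-left override (U+202E) turns cod.3aka3.scr into the
displayed name rcs.3aka3.doc, and how to flag such names from file telemetry.

Added example; it is not code from the MITRE page or from any vendor. The
on-disk names are constructed here, and the list of executable extensions is
an assumption chosen for the illustration.
"""

RTLO = "\u202e"
# Unicode bidirectional controls that can reorder or hide part of a name.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Assumed list of extensions that Windows will execute on double-click.
EXECUTABLE_EXTENSIONS = frozenset(
    {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk"}
)


def rendered_name(name):
    """Approximate what a bidi-aware UI shows: everything after the first RTLO
    is laid out right-to-left, i.e. reversed, until the end of the name."""
    head, sep, tail = name.partition(RTLO)
    return head + tail[::-1] if sep else name


def stored_name(name):
    """The name the file system and loader actually use: the controls are just
    invisible characters, so the real extension is whatever follows the last dot."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def analyze(name):
    """Compare the displayed and real extension; a mismatch, or an executable
    extension hidden behind a bidi control, is reported as suspicious."""
    controls = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
    shown, real = rendered_name(name), stored_name(name)
    shown_ext, real_ext = extension(shown), extension(real)
    return {
        "displayed_as": shown,
        "stored_as": real,
        "displayed_extension": shown_ext,
        "real_extension": real_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls)
        and (shown_ext != real_ext or real_ext in EXECUTABLE_EXTENSIONS),
    }


# Constructed names: the first is the evaluation's payload as written to disk.
SAMPLES = [RTLO + "cod.3aka3.scr", "quarterly" + RTLO + "fdp.exe", "report.docx"]

if __name__ == "__main__":
    for s in SAMPLES:
        r = analyze(s)
        print(f"{r['displayed_as']!r} -> {r['stored_as']!r} "
              f"({r['real_extension']}, controls {r['bidi_controls']}, suspicious={r['suspicious']})")
```

The check works on the stored name, not the rendered one, which is why the criterion accepts either the U+202E character itself or the original cod.3aka3.scr name: a sensor that logs the raw file name sees both, while a user looking at Explorer sees only a .doc.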

Procedure

Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234

Criteria

Established network channel over port 1234

Procedure

Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic

Criteria

Evidence that the network data sent over the C2 channel is encrypted

Procedure

Spawned interactive cmd.exe

Criteria

cmd.exe spawning from the rcs.3aka3.doc process

Procedure

Spawned interactive powershell.exe

Criteria

powershell.exe spawning from cmd.exe

Procedure

Searched filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

Procedure

Scripted search of filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

Procedure

Recursively collected files found in C:\Users\Pam\ using PowerShell

Criteria

powershell.exe reading files in C:\Users\Pam\

Procedure

Compressed and stored files into ZIP (Draft.zip) using PowerShell

Criteria

powershell.exe executing Compress-Archive

Procedure

Staged files for exfiltration into ZIP (Draft.zip) using PowerShell

Criteria

powershell.exe creating the file draft.zip

Procedure

Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)

Criteria

The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel

Procedure

Dropped stage 2 payload (monkey.png) to disk

Criteria

The rcs.3aka3.doc process creating the file monkey.png

Procedure

Embedded PowerShell payload in monkey.png using steganography

Criteria

Evidence that a PowerShell payload was within monkey.png

Procedure

Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell

Criteria

Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command

Procedure

Executed elevated PowerShell payload

Criteria

High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
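The COM-hijack and elevation criteria above (the DelegateExecute value added under HKCU\Software\Classes\Folder\shell\open\command, a high-integrity powershell.exe spawned by control.exe spawned by sdclt.exe, and the later deletion of that key) as detection logic over process and registry telemetry; the same lineage check also covers the earlier criterion of cmd.exe spawning from the rcs.3aka3.doc process. This is an added example, not code from the evaluation page or from any evaluated product. The events are constructed here, and the record fields (pid, ppid, image, integrity, action, key, value_name) are assumptions rather than any sensor's real schema:

```python
"""Turns the sdclt.exe COM-hijack criteria above into detection logic over
process and registry telemetry.

Added example; it is not code from the MITRE ATT&CK Evaluations page or from
any evaluated product. The events are constructed here so the block runs
offline, and the record fields (pid, ppid, image, integrity, action, key,
value_name) are assumptions rather than any sensor's real schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # executable file name
    integrity: str  # integrity level at creation: low / medium / high / system


@dataclass(frozen=True)
class RegistryEvent:
    pid: int         # process that performed the operation
    action: str      # "create" or "delete"
    key: str         # full key path; the criterion is case-insensitive
    value_name: str  # "" for an operation on the key itself


# sdclt.exe auto-elevates and starts control.exe, which resolves the Folder
# class's shell\open\command verb under HKCU before HKCR; a command placed
# there (with an empty DelegateExecute value) therefore runs at high
# integrity without a UAC prompt. The criterion is that value under this key.
HIJACK_KEY = r"hkcu\software\classes\folder\shell\open\command"


def lineage(events, pid):
    """Image names from `pid` up through every recorded ancestor."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain


def matches_chain(events, pid, expected):
    """True if the ancestry of `pid` starts with `expected` (child first)."""
    return lineage(events, pid)[: len(expected)] == [x.lower() for x in expected]


def detect(proc_events, reg_events):
    """Evaluate four of the page's criteria; returns matching pids per criterion."""
    out = {"hijack_set": [], "hijack_cleanup": [], "elevated_payload": [], "cmd_from_payload": []}
    for r in reg_events:
        if r.key.lower() != HIJACK_KEY:
            continue
        # Addition of the DelegateExecute value under the hijack key.
        if r.action == "create" and r.value_name.lower() == "delegateexecute":
            out["hijack_set"].append(r.pid)
        # Deletion of the key once the elevated payload is running.
        if r.action == "delete" and r.value_name == "":
            out["hijack_cleanup"].append(r.pid)
    for p in proc_events:
        image = p.image.lower()
        # High-integrity powershell.exe from control.exe, itself from sdclt.exe.
        if (image == "powershell.exe" and p.integrity == "high"
                and matches_chain(proc_events, p.pid, ["powershell.exe", "control.exe", "sdclt.exe"])):
            out["elevated_payload"].append(p.pid)
        # The interactive cmd.exe spawned by the initial payload.
        if image == "cmd.exe" and matches_chain(proc_events, p.pid, ["cmd.exe", "rcs.3aka3.doc"]):
            out["cmd_from_payload"].append(p.pid)
    return out


# Constructed process tree following the evaluation's chain; pids are made up.
SAMPLE_PROCESSES = [
    ProcessEvent(1000, 1, "explorer.exe", "medium"),
    ProcessEvent(1100, 1000, "rcs.3aka3.doc", "medium"),
    ProcessEvent(1200, 1100, "cmd.exe", "medium"),
    ProcessEvent(1300, 1200, "powershell.exe", "medium"),
    ProcessEvent(2000, 1300, "sdclt.exe", "high"),
    ProcessEvent(2100, 2000, "control.exe", "high"),
    ProcessEvent(2200, 2100, "powershell.exe", "high"),
    ProcessEvent(3000, 1000, "powershell.exe", "medium"),  # an ordinary user shell
]
SAMPLE_REGISTRY = [
    RegistryEvent(1300, "create", r"HKCU\Software\Classes\Folder\shell\open\command", ""),
    RegistryEvent(1300, "create", r"HKCU\Software\Classes\Folder\shell\open\command", "DelegateExecute"),
    RegistryEvent(2200, "delete", r"HKCU\Software\Classes\Folder\shell\Open\command", ""),
]

if __name__ == "__main__":
    for criterion, pids in detect(SAMPLE_PROCESSES, SAMPLE_REGISTRY).items():
        print(f"{criterion}: {pids}")
```

Matching on the full parent chain rather than on powershell.exe alone is what keeps the ordinary user shell (pid 3000) out of the result; the integrity level on the child is what distinguishes the bypass from sdclt.exe being used legitimately.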

Procedure

Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443

Criteria

Established network channel over port 443

Procedure

Used HTTPS to transport C2 (192.168.0.5) traffic

Criteria

Evidence that the network data sent over the C2 channel is HTTPS

Procedure

Used HTTPS to encrypt C2 (192.168.0.5) traffic

Criteria

Evidence that the network data sent over the C2 channel is encrypted

Procedure

Modified the Registry to remove artifacts of COM hijacking

Criteria

Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

Procedure

Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)

Criteria

powershell.exe creating the file SysinternalsSuite.zip

Procedure

Spawned interactive powershell.exe

Criteria

powershell.exe spawning from powershell.exe

Procedure

Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell

Criteria

powershell.exe executing Expand-Archive

Procedure

Enumerated current running processes using PowerShell

Criteria

powershell.exe executing Get-Process

Procedure

Deleted rcs.3aka3.doc on disk using SDelete

Criteria

sdelete64.exe deleting the file rcs.3aka3.doc

Procedure

Deleted Draft.zip on disk using SDelete

Criteria

sdelete64.exe deleting the file draft.zip

Procedure

Deleted SysinternalsSuite.zip on disk using SDelete

Criteria

sdelete64.exe deleting the file SysinternalsSuite.zip

Procedure

Enumerated user's temporary directory path using PowerShell

Criteria

powershell.exe executing $env:TEMP

Procedure

Enumerated the current username using PowerShell

Criteria

powershell.exe executing $env:USERNAME

Procedure

Enumerated the computer hostname using PowerShell

Criteria

powershell.exe executing $env:COMPUTERNAME

Procedure

Enumerated the current domain name using PowerShell

Criteria

powershell.exe executing $env:USERDOMAIN

Procedure

Enumerated the current process ID using PowerShell

Criteria

powershell.exe executing $PID

Procedure

Enumerated the OS version using PowerShell

Criteria

powershell.exe executing Gwmi Win32_OperatingSystem

Procedure

Enumerated anti-virus software using PowerShell

Criteria

powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct

Procedure

Enumerated firewall software using PowerShell

Criteria

powershell.exe executing Get-WmiObject ... -Class FireWallProduct

Procedure

Enumerated user's domain group membership via the NetUserGetGroups API

Criteria

powershell.exe executing the NetUserGetGroups API

Procedure

Executed API call by reflectively loading Netapi32.dll

Criteria

The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll

Procedure

Enumerated user's local group membership via the NetUserGetLocalGroups API

Criteria

powershell.exe executing the NetUserGetLocalGroups API

Procedure

Executed API call by reflectively loading Netapi32.dll

Criteria

The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll

Procedure

Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup

Criteria

powershell.exe creating the Javamtsup service

[1]

Procedure

Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup

Criteria

powershell.exe creating the Javamtsup service

[1]

Procedure

Created a LNK file (hostui.lnk) in the Startup folder that executes on login

Criteria

powershell.exe creating the file hostui.lnk in the Startup folder

[1]

Procedure

Created a LNK file (hostui.lnk) in the Startup folder that executes on login

Criteria

powershell.exe creating the file hostui.lnk in the Startup folder

[1]

Procedure

Created a LNK file (hostui.lnk) in the Startup folder that executes on login

Criteria

powershell.exe creating the file hostui.lnk in the Startup folder

[1]

Procedure

Read the Chrome SQL database file to extract encrypted credentials

Criteria

accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\

[1]

Procedure

Executed the CryptUnprotectData API call to decrypt Chrome passwords

Criteria

accesschk.exe executing the CryptUnprotectData API

[1]

Procedure

Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool

Criteria

Evidence that accesschk.exe is not the legitimate Sysinternals tool

[1]

Procedure

Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool

Criteria

Evidence that accesschk.exe is not the legitimate Sysinternals tool

[1]

Procedure

Exported a local certificate to a PFX file using PowerShell

Criteria

powershell.exe creating a certificate file exported from the system

[1]

Procedure

Exported a local certificate to a PFX file using PowerShell

Criteria

powershell.exe creating a certificate file exported from the system

[1]

[2]

Procedure

Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe

Criteria

powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\

[1]

Procedure

Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe

Criteria

powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\

[1]

Procedure

Captured and saved screenshots using PowerShell

Criteria

powershell.exe executing the CopyFromScreen function from System.Drawing.dll

[1]

Procedure

Captured and saved screenshots using PowerShell

Criteria

powershell.exe executing the CopyFromScreen function from System.Drawing.dll

[1]

[2]

Procedure

Captured clipboard contents using PowerShell

Criteria

powershell.exe executing Get-Clipboard

[1]

Procedure

Captured clipboard contents using PowerShell

Criteria

powershell.exe executing Get-Clipboard

[1]

[2]

Procedure

Captured user keystrokes using the GetAsyncKeyState API

Criteria

powershell.exe executing the GetAsyncKeyState API

[1]

Procedure

Captured user keystrokes using the GetAsyncKeyState API

Criteria

powershell.exe executing the GetAsyncKeyState API

Procedure

Read data in the user's Downloads directory using PowerShell

Criteria

powershell.exe reading files in C:\Users\pam\Downloads\

Procedure

Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell

Criteria

powershell.exe creating the file OfficeSupplies.7z

[1]

Procedure

Encrypted data from the user's Downloads directory using PowerShell

Criteria

powershell.exe executing Compress-7Zip with the password argument used for encryption

[1]

[2]

Procedure

Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell

Criteria

powershell.exe executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)

[1]

Procedure

Enumerated remote systems using LDAP queries

Criteria

powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)

[1]

Procedure

Enumerated remote systems using LDAP queries

Criteria

powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)

[1]

[2]

Procedure

Established WinRM connection to remote host Scranton (10.0.1.4)

Criteria

Network connection to Scranton (10.0.1.4) over port 5985

[1]

Procedure

Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell

Criteria

powershell.exe executing Get-Process

[1]

Procedure

Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)

Criteria

The file python.exe created on Scranton (10.0.1.4)

[1]

Procedure

python.exe payload was packed with UPX

Criteria

Evidence that the file python.exe is packed

[1]

Procedure

Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam

Criteria

Successful logon as user Pam on Scranton (10.0.1.4)

[1]

Procedure

Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec

Criteria

SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share

[1]

Procedure

Executed python.exe using PSExec

Criteria

python.exe spawned by PSEXESVC.exe

[1]

Procedure

Dropped rar.exe to disk on remote host Scranton (10.0.1.4)

Criteria

python.exe creating the file rar.exe

[1]

Procedure

Dropped rar.exe to disk on remote host Scranton (10.0.1.4)

Criteria

python.exe creating the file rar.exe

[1]

[2]

Procedure

Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)

Criteria

python.exe creating the file sdelete64.exe

[1]

Procedure

Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)

Criteria

python.exe creating the file sdelete64.exe

[1]

[2]

Procedure

Spawned interactive powershell.exe

Criteria

powershell.exe spawning from python.exe

[1]

Procedure

Spawned interactive powershell.exe

Criteria

powershell.exe spawning from python.exe

[1]

[2]

Procedure

Searched filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

[1]

Procedure

Scripted search of filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

[1]

Procedure

Recursively collected files found in C:\Users\Pam\ using PowerShell

Criteria

powershell.exe reading files in C:\Users\Pam\

Procedure

Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell

Criteria

powershell.exe creating the file working.zip

[1]

Procedure

Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell

Criteria

powershell.exe creating the file working.zip

[1]

[2]

Procedure

Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria

powershell.exe executing rar.exe with the -a parameter for a password to use for encryption

[1]

Procedure

Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria

powershell.exe executing rar.exe with the -a parameter for a password to use for encryption

[1]

[2]

Procedure

Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria

powershell.exe executing rar.exe

[1]

Procedure

Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria

powershell.exe executing rar.exe

[1]

[2]

Procedure

Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)

Criteria

python.exe reading the file working.zip while connected to the C2 channel

Procedure

Deleted rar.exe on disk using SDelete

Criteria

sdelete64.exe deleting the file rar.exe

[1]

Procedure

Deleted rar.exe on disk using SDelete

Criteria

sdelete64.exe deleting the file rar.exe

[1]

[2]

Procedure

Deleted working.zip (from Desktop) on disk using SDelete

Criteria

sdelete64.exe deleting the file \Desktop\working.zip

[1]

Procedure

Deleted working.zip (from Desktop) on disk using SDelete

Criteria

sdelete64.exe deleting the file \Desktop\working.zip

[1]

[2]

Procedure

Deleted working.zip (from AppData directory) on disk using SDelete

Criteria

sdelete64.exe deleting the file \AppData\Roaming\working.zip

[1]

Procedure

Deleted working.zip (from AppData directory) on disk using SDelete

Criteria

sdelete64.exe deleting the file \AppData\Roaming\working.zip

[1]

[2]

Procedure

Deleted SDelete on disk using cmd.exe del command

Criteria

cmd.exe deleting the file sdelete64.exe

Procedure

Executed persistent service (javamtsup) on system startup

Criteria

javamtsup.exe spawning from services.exe

Footnotes

  • This activity would have been blocked by Microsoft Defender.

Procedure

Executed LNK payload (hostui.lnk) in Startup Folder on user login

Criteria

Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder

Footnotes

  • This activity would have been blocked by Microsoft Defender.

Procedure

Executed PowerShell payload via the CreateProcessWithToken API

Criteria

hostui.exe executing the CreateProcessWithToken API

[1]

Procedure

Manipulated the token of the PowerShell payload via the CreateProcessWithToken API

Criteria

hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe

Procedure

User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk

Criteria

powershell.exe spawning from explorer.exe

[1]

Procedure

User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk

Criteria

powershell.exe spawning from explorer.exe

[1]

Procedure

User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk

Criteria

powershell.exe spawning from explorer.exe

[1]

[2]

Procedure

Executed an alternate data stream (ADS) using PowerShell

Criteria

powershell.exe executing the schemas ADS via Get-Content and IEX

[1]

Procedure

Executed an alternate data stream (ADS) using PowerShell

Criteria

powershell.exe executing the schemas ADS via Get-Content and IEX

[1]

Procedure

Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_BIOS

[1]

Procedure

Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_BIOS

[1]

[2]

[3]

Procedure

Enumerated computer manufacturer, model, and version information using PowerShell

Criteria

powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem

[1]

Procedure

Enumerated computer manufacturer, model, and version information using PowerShell

Criteria

powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem

[1]

[2]

[3]

Procedure

Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_PnPEntity

[1]

Procedure

Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_PnPEntity

[1]

[2]

[3]

Procedure

Checked that the username is not related to admin or a generic value (e.g. user) using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

[1]

Procedure

Checked that the username is not related to admin or a generic value (e.g. user) using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

[1]

[2]

[3]

Procedure

Checked that the computer is joined to a domain using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

[1]

Procedure

Checked that the computer is joined to a domain using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

[1]

[2]

[3]

Procedure

Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_Process

[1]

Procedure

Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_Process

[1]

[2]

[3]

Procedure

Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell

Criteria

powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName

[1]

Procedure

Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell

Criteria

powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName

[1]

[2]

[3]

Procedure

Decoded an embedded DLL payload to disk using certutil.exe

Criteria

certutil.exe decoding kxwn.lock

[1]

Procedure

Decoded an embedded DLL payload to disk using certutil.exe

Criteria

certutil.exe decoding kxwn.lock

[1]

Procedure

Established Registry Run key persistence using PowerShell

Criteria

Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[1]

Procedure

Established Registry Run key persistence using PowerShell

Criteria

Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[1]

[2]

Procedure

Executed PowerShell stager payload

Criteria

powershell.exe spawning from the schemas ADS (powershell.exe)

[1]

Procedure

Established C2 channel (192.168.0.4) via PowerShell payload over port 443

Criteria

Established network channel over port 443

[1]

Procedure

Used HTTPS to transport C2 (192.168.0.4) traffic

Criteria

Established network channel over the HTTPS protocol

Procedure

Used HTTPS to encrypt C2 (192.168.0.4) traffic

Criteria

Evidence that the network data sent over the C2 channel is encrypted

Procedure

Enumerated the System32 directory using PowerShell

Criteria

powershell.exe executing gci ((gci env:windir).Value + '\system32')

[1]

Procedure

Enumerated the System32 directory using PowerShell

Criteria

powershell.exe executing gci ((gci env:windir).Value + '\system32')

[1]

[2]

Procedure

Enumerated the System32 directory using PowerShell

Criteria

powershell.exe executing gci ((gci env:windir).Value + '\system32')

[1]

Procedure

Modified the time attributes of the kxwn.lock persistence payload using PowerShell

Criteria

powershell.exe modifying the creation, last access, and last write times of kxwn.lock

[1]

[2]

Procedure

Modified the time attributes of the kxwn.lock persistence payload using PowerShell

Criteria

powershell.exe modifying the creation, last access, and last write times of kxwn.lock

[1]

[2]

Procedure

Modified the time attributes of the kxwn.lock persistence payload using PowerShell

Criteria

powershell.exe modifying the creation, last access, and last write times of kxwn.lock

[1]

Procedure

Enumerated registered AV products using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for AntiVirusProduct

[1]

[2]

Procedure

Enumerated registered AV products using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for AntiVirusProduct

[1]

Procedure

Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell

Criteria

powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

[1]

[2]

Procedure

Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell

Criteria

powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

[1]

Procedure

Enumerated installed software via the Registry (Uninstall key) using PowerShell

Criteria

powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

[1]

[2]

Procedure

Enumerated installed software via the Registry (Uninstall key) using PowerShell

Criteria

powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

[1]

Procedure

Enumerated the computer name using the GetComputerNameEx API

Criteria

powershell.exe executing the GetComputerNameEx API

[1]

[2]

Procedure

Enumerated the computer name using the GetComputerNameEx API

Criteria

powershell.exe executing the GetComputerNameEx API

[1]

Procedure

Enumerated the domain name using the NetWkstaGetInfo API

Criteria

powershell.exe executing the NetWkstaGetInfo API

[1]

[2]

Procedure

Enumerated the current username using the GetUserNameEx API

Criteria

powershell.exe executing the GetUserNameEx API

[1]

[2]

Procedure

Enumerated running processes using the CreateToolhelp32Snapshot API

Criteria

powershell.exe executing the CreateToolhelp32Snapshot API

[1]

[2]

Procedure

Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell

Criteria

Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command

[1]

Procedure

Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell

Criteria

Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command

[1]

Procedure

Executed elevated PowerShell payload

Criteria

High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)

[1]

Procedure

Executed elevated PowerShell payload

Criteria

High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)

[1]

[2]

Procedure

Modified the Registry to remove artifacts of COM hijacking using PowerShell

Criteria

Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

[1]

Procedure

Created and executed a WMI class using PowerShell

Criteria

WMI Process (WmiPrvSE.exe) executing powershell.exe

[1]

Procedure

Created and executed a WMI class using PowerShell

Criteria

WMI Process (WmiPrvSE.exe) executing powershell.exe

[1]

Procedure

Enumerated and tracked PowerShell processes using PowerShell

Criteria

powershell.exe executing Get-Process

[1]

[2]

Procedure

Downloaded and dropped Mimikatz (m.exe) to disk

Criteria

powershell.exe downloading and/or the file write of m.exe

Footnotes

  • This activity would have been blocked by Microsoft Defender.
[1]

Procedure

Dumped plaintext credentials using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

Procedure

Dumped plaintext credentials using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

Procedure

Dumped plaintext credentials using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

Procedure

Encoded and wrote Mimikatz output to a WMI class property using PowerShell

Criteria

powershell.exe executing Set-WmiInstance

[1]

[2]

Procedure

Read and decoded Mimikatz output from a WMI class property using PowerShell

Criteria

powershell.exe executing Get-WmiInstance

[1]

[2]

Procedure

Enumerated logged on users using PowerShell

Criteria

powershell.exe executing $env:UserName

[1]

[2]

Procedure

Established WMI event subscription persistence using PowerShell

Criteria

powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription

[1]

Procedure

Established WMI event subscription persistence using PowerShell

Criteria

powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription

[1]

[2]

Procedure

Established WMI event subscription persistence using PowerShell

Criteria

powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription

[1]

[2]

Procedure

Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries

Criteria

powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll

[1]

Procedure

Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API

Criteria

powershell.exe executing the ConvertSidToStringSid API

[1]

Procedure

Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API

Criteria

powershell.exe executing the ConvertSidToStringSid API

[1]

[2]

Procedure

Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll

Criteria

powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll

[1]

[2]

Procedure

Established a WinRM connection to the domain controller host NewYork (10.0.0.4)

Criteria

Network connection to NewYork (10.0.0.4) over port 5985

[1]

[2]

Procedure

Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott

Criteria

Successful logon as user MScott on NewYork (10.0.0.4)

[1]

Procedure

Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection

Criteria

File write of m.exe by the WinRM process (wsmprovhost.exe)

[1]

Procedure

Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection

Criteria

File write of m.exe by the WinRM process (wsmprovhost.exe)

Footnotes

  • Alert occurred when the file was written to disk.
[1]

Procedure

Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

Procedure

Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

Procedure

Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

Procedure

Dumped messages from the local Outlook inbox using PowerShell

Criteria

outlook.exe spawning from svchost.exe or powershell.exe

[1]

Procedure

Dumped messages from the local Outlook inbox using PowerShell

Criteria

outlook.exe spawning from svchost.exe or powershell.exe

[1]

[2]

Procedure

Read and collected a local file using PowerShell

Criteria

powershell.exe reading the file MITRE-ATTACK-EVALS.HTML

[1]

Procedure

Staged collected file into directory using PowerShell

Criteria

powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML

[1]

Procedure

Staged collected file into directory using PowerShell

Criteria

powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML

[1]

[2]

Procedure

Compressed a staging directory using PowerShell

Criteria

powershell.exe executing the ZipFile.CreateFromDirectory .NET method

[1]

[2]

Procedure

Prepended the GIF file header to a compressed staging file using PowerShell

Criteria

powershell.exe executing Set-Content

[1]

Procedure

Prepended the GIF file header to a compressed staging file using PowerShell

Criteria

powershell.exe executing Set-Content

[1]

[2]

Procedure

Mapped a network drive to an online OneDrive account using PowerShell

Criteria

net.exe with command-line arguments then making a network connection to a public IP over port 443

[1]

Procedure

Mapped a network drive to an online OneDrive account using PowerShell

Criteria

net.exe with command-line arguments then making a network connection to a public IP over port 443

[1]

Procedure

Exfiltrated staged collection to an online OneDrive account using PowerShell

Criteria

powershell.exe executing Copy-Item pointing to a drive mapped to an attacker-controlled OneDrive account

[1]

Procedure

Executed Run key persistence payload on user login using RunDll32

Criteria

rundll32.exe executing kxwn.lock

[1]

Procedure

Executed Run key persistence payload on user login using RunDll32

Criteria

rundll32.exe executing kxwn.lock

[1]

[2]

Procedure

Executed WMI persistence on user login

Criteria

The WMI process (wmiprvse.exe) executing powershell.exe

Footnotes

  • This activity would have been blocked by Microsoft Defender configured with Attack Surface Reduction.
[1]

Procedure

Executed WMI persistence on user login

Criteria

The WMI process (wmiprvse.exe) executing powershell.exe

[1]

[2]

Procedure

Executed PowerShell payload from WMI event subscription persistence

Criteria

SYSTEM-level powershell.exe spawned from powershell.exe

[1]

Procedure

Executed PowerShell payload from WMI event subscription persistence

Criteria

SYSTEM-level powershell.exe spawned from powershell.exe

[1]

Procedure

Executed PowerShell payload from WMI event subscription persistence

Criteria

SYSTEM-level powershell.exe spawned from powershell.exe

[1]

[2]

Procedure

Created Kerberos Golden Ticket using Invoke-Mimikatz

Criteria

powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket

[1]

Procedure

Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials

Criteria

Network connection to Scranton (10.0.1.4) over port 5985

[1]

Procedure

Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials

Criteria

Network connection to Scranton (10.0.1.4) over port 5985

[1]

[2]

Procedure

Added a new user to the remote host Scranton (10.0.1.4) using net.exe

Criteria

net.exe adding the user Toby

[1]

Procedure

Added a new user to the remote host Scranton (10.0.1.4) using net.exe

Criteria

net.exe adding the user Toby

[1]

[2]

Criteria

explorer.exe spawns winword.exe when user clicks 1-list.rtf

Data Sources

  • Process Monitoring
[1]

Criteria

explorer.exe spawns winword.exe when user clicks 1-list.rtf

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

explorer.exe spawns winword.exe when user clicks 1-list.rtf

Data Sources

  • Process Monitoring
[1]

Criteria

winword.exe loads VBE7.DLL

Data Sources

  • DLL Monitoring
  • Process Monitoring

Footnotes

  • Increased collection of module load activity
[1]

Criteria

winword.exe loads VBE7.DLL

Data Sources

  • DLL Monitoring
  • Process Monitoring

Footnotes

  • Increased collection of module load activity
[1]

Criteria

wscript.exe executes unprotected.vbe

Data Sources

  • Script Logs
  • File Monitoring
  • Process Monitoring
[1]

Criteria

wscript.exe executes unprotected.vbe

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

wscript.exe executes unprotected.vbe

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe executes unprotected.vbe

Data Sources

  • Process Monitoring
  • Script Logs
[1]

Criteria

unprotected.vbe is an encoded file

Data Sources

  • Script Logs
  • Process Monitoring
[1]

Criteria

unprotected.vbe is an encoded file

Data Sources

  • Script Logs
  • Process Monitoring
[1]

Criteria

wscript.exe decodes content and creates starter.vbs

Data Sources

  • File Monitoring
[1]

Criteria

wscript.exe decodes content and creates starter.vbs

Data Sources

  • Script Logs
  • File Monitoring
  • Process Monitoring
[1]

[2]

[3]

Criteria

wscript.exe decodes content and creates TransBaseOdbcDriver.js

Data Sources

  • Script Logs
  • Process Monitoring
  • File Monitoring
[1]

[2]

[3]

[4]

Criteria

wscript.exe executes starter.vbs

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe executes starter.vbs

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Script Logs
  • Process Monitoring
[1]

[2]

Criteria

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Script Logs
  • Process Monitoring
[1]

[2]

Criteria

wscript.exe makes WMI queries for Win32_Processor & Win32_OperatingSystem

Data Sources

  • Process Monitoring
  • WMI Objects
[1]

Criteria

wscript.exe makes WMI queries for Win32_Processor & Win32_OperatingSystem

Data Sources

  • WMI Objects
  • Process Monitoring

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

wscript.exe makes a WMI query for Win32_Process

Data Sources

  • Process Monitoring
  • WMI Objects
[1]

Criteria

wscript.exe makes a WMI query for Win32_Process

Data Sources

  • Process Monitoring
  • WMI Objects

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

wscript.exe downloads screenshot__.ps1 from 192.168.0.4

Data Sources

  • File Monitoring
[1]

Criteria

wscript.exe downloads screenshot__.ps1 from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring
[1]

Criteria

wscript.exe downloads screenshot__.ps1 from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring
[1]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Script Logs
[1]

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Script Logs
  • Process Monitoring
[1]

Criteria

wscript.exe reads and uploads screenshot__.png to 192.168.0.4

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns reg.exe to add a value under HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer

Data Sources

  • Windows Registry
  • Process Monitoring
[1]

[2]

Criteria

Value added to Registry is base64 encoded

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

Criteria

wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4

Data Sources

  • Script Logs
  • File Monitoring
[1]

Criteria

wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

Criteria

wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring
[1]

[2]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe reads HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty

Data Sources

  • Process Monitoring
  • Windows Registry
[1]

Criteria

powershell.exe reads HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty

Data Sources

  • Script Logs
  • Process Monitoring
[1]

[2]

[3]

Criteria

powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode

Data Sources

  • Process Monitoring
  • Script Logs
[1]

Criteria

powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode

Data Sources

  • Script Logs
  • Process Monitoring
[1]

[2]

Criteria

powershell.exe executes the shellcode from the Registry by calling the CreateThread() API

Data Sources

  • Script Logs
  • Process Monitoring
[1]

Criteria

powershell.exe executes the shellcode from the Registry by calling the CreateThread() API

Data Sources

  • Process Monitoring
  • Script Logs
[1]

Criteria

powershell.exe transmits data to 192.168.0.4 over TCP

Data Sources

  • Process Monitoring
  • Network Monitoring
[1]

Criteria

powershell.exe transmits data to 192.168.0.4 over TCP

Data Sources

  • Process Monitoring
  • Network Monitoring
[1]

[2]

Criteria

powershell.exe calls the FindFirstFileW() and FindNextFileW() APIs

Criteria

powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4

Data Sources

  • Script Logs
  • Process Monitoring
[1]

Criteria

powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
[1]

Criteria

powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
[1]

Criteria

powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access

Data Sources

  • Script Logs
  • Process Monitoring
[1]

Criteria

powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access

Data Sources

  • Process Monitoring
  • Network Monitoring
[1]

[2]

Criteria

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Data Sources

  • Windows Event Logs
[1]

Criteria

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Data Sources

  • Windows Event Logs
[1]

Criteria

powershell.exe downloads rad353F7.ps1 from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring
[1]

Criteria

powershell.exe downloads rad353F7.ps1 from 192.168.0.4

Data Sources

  • File Monitoring
[1]

Criteria

powershell.exe downloads rad353F7.ps1 from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring
[1]

[2]

[3]

Criteria

powershell.exe downloads smrs.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

[2]

Criteria

powershell.exe downloads smrs.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring
[1]

Criteria

powershell.exe executes rad353F7.ps1

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe executes rad353F7.ps1

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe executes rad353F7.ps1

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty

Data Sources

  • Script Logs
  • Windows Registry
  • Process Monitoring
[1]

[2]

[3]

[4]

Criteria

powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty

Data Sources

  • Process Monitoring
  • Windows Registry
[1]

[2]

Criteria

fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Process Monitoring
  • Script Logs
[1]

Criteria

fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Process Monitoring
[1]

Criteria

fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns smrs.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns smrs.exe

Data Sources

  • Process Monitoring
[1]

Criteria

smrs.exe opens and reads lsass.exe

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

smrs.exe opens and reads lsass.exe

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

smrs.exe opens and reads lsass.exe

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

[2]

Criteria

smrs.exe opens and reads lsass.exe

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring
[1]

Criteria

powershell.exe downloads pscp.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring
[1]

Criteria

powershell.exe downloads pscp.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

[2]

[3]

Criteria

powershell.exe downloads psexec.py from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring
[1]

Criteria

powershell.exe downloads psexec.py from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring
[1]

[2]

Criteria

powershell.exe downloads runtime from 192.168.0.4

Criteria

powershell.exe downloads plink.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

Criteria

powershell.exe downloads plink.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring
[1]

[2]

Criteria

powershell.exe downloads tiny.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring
[1]

Criteria

powershell.exe downloads tiny.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring
[1]

[2]

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Named Pipes
  • Process Monitoring
[1]

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

Pscp.exe connects over SCP (port 22) to 10.0.0.7

Data Sources

  • Network Monitoring
  • Process Monitoring
[1]

Criteria

Pscp.exe connects over SCP (port 22) to 10.0.0.7

Data Sources

  • Process Monitoring
  • Network Monitoring
[1]

Criteria

User kmitnick logs on to bankfileserver (10.0.0.7)

Data Sources

  • Authentication Logs
[1]

Criteria

User kmitnick logs on to bankfileserver (10.0.0.7)

Data Sources

  • Authentication Logs
[1]

Criteria

User kmitnick logs on to bankfileserver (10.0.0.7)

Data Sources

  • Authentication Logs
[1]

Criteria

Pscp.exe copies psexec.py to 10.0.0.7

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring
[1]

[2]

Criteria

Pscp.exe copies psexec.py to 10.0.0.7

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring
[1]

Criteria

Pscp.exe copies runtime to 10.0.0.7

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

Criteria

Pscp.exe copies runtime to 10.0.0.7

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring

Footnotes

  • Delayed results due to detection triggering on subsequent execution step
[1]

Criteria

Pscp.exe copies runtime to 10.0.0.7

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring
[1]

[2]

Criteria

Pscp.exe copies tiny.exe to 10.0.0.7

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring
[1]

Criteria

Pscp.exe copies tiny.exe to 10.0.0.7

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

Criteria

Pscp.exe copies tiny.exe to 10.0.0.7

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring
[1]

Criteria

plink.exe connects over SSH (port 22) to 10.0.0.7

Data Sources

  • Process Monitoring
  • Network Monitoring
[1]

Criteria

plink.exe connects over SSH (port 22) to 10.0.0.7

Data Sources

  • Process Monitoring
  • Network Monitoring
[1]

Criteria

User kmitnick logs on to bankfileserver (10.0.0.7)

Data Sources

  • Authentication Logs
[1]

Criteria

User kmitnick logs on to bankfileserver (10.0.0.7)

Data Sources

  • Authentication Logs
[1]

Criteria

User kmitnick executes ps ax

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick executes ps ax

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick executes ls -lsahR /var/

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

User kmitnick executes ls -lsahR /var/

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick reads network-diagram-financial.xml via cat

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick reads network-diagram-financial.xml via cat

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick reads help-desk-ticket.txt via cat

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick reads help-desk-ticket.txt via cat

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)

Data Sources

  • Process Monitoring
[1]

Criteria

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Data Sources

  • Windows Event Logs
  • Process Monitoring
[1]

Criteria

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Data Sources

  • Process Monitoring
[1]

Criteria

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Data Sources

  • Windows Event Logs
[1]

[2]

Criteria

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Data Sources

  • Windows Event Logs
[1]

Criteria

psexec.py connects to SMB shares on 10.0.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
[1]

[2]

Criteria

psexec.py connects to SMB shares on 10.0.0.4

Data Sources

  • Process Monitoring
  • Windows Event Logs
[1]

[2]

Criteria

psexec.py connects to SMB shares on 10.0.0.4

Data Sources

  • Windows Event Logs
  • Process Monitoring
[1]

Criteria

cmd.exe spawns from a service executable in C:\Windows\

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

Criteria

cmd.exe spawns from a service executable in C:\Windows\

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

Criteria

cmd.exe spawns from a service executable in C:\Windows\

Data Sources

  • Process Monitoring
  • Network Monitoring
  • Windows Registry
[1]

Criteria

cmd.exe spawns from a service executable in C:\Windows\

Data Sources

  • Windows Registry
  • Process Monitoring
[1]

Criteria

cmd.exe spawns from a service executable in C:\Windows\

Data Sources

  • Windows Registry
  • Process Monitoring
[1]

Criteria

tiny.exe is created on 10.0.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring
[1]

Criteria

tiny.exe is created on 10.0.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring
[1]

Criteria

cmd.exe spawns tiny.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns tiny.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns tiny.exe

Data Sources

  • Process Monitoring
[1]

Criteria

tiny.exe loads shellcode from network connection into memory

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

tiny.exe loads shellcode from network connection into memory

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

tiny.exe loads shellcode from network connection into memory

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring
[1]

Criteria

tiny.exe loads system.management.automation.dll

Data Sources

  • DLL Monitoring
  • Process Monitoring
[1]

Criteria

PowerShell executes Get-ADComputer

Data Sources

  • Process Monitoring
  • Script Logs
[1]

Criteria

PowerShell executes Get-ADComputer

Data Sources

  • Script Logs
  • Process Monitoring
[1]

[2]

Criteria

PowerShell executes Get-NetUser

Data Sources

  • Script Logs
  • Process Monitoring
[1]

[2]

Criteria

PowerShell executes Get-NetUser

Data Sources

  • Script Logs
  • Process Monitoring
[1]

Criteria

PowerShell executes Get-NetUser

Data Sources

  • Process Monitoring
  • Script Logs
[1]

[2]

Criteria

tiny.exe downloads plink.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring
[1]

[2]

Criteria

tiny.exe downloads plink.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring
[1]

Criteria

tiny.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

tiny.exe spawns cmd.exe

[1]

[2]

Criteria

tiny.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

tiny.exe spawns cmd.exe

Data Sources

  • Process Monitoring
  • Named Pipes
[1]

Criteria

plink.exe transmits data to 192.168.0.4 over SSH protocol

Criteria

User kmitnick logs on to bankdc (10.0.0.4)

Data Sources

  • Windows Event Logs
[1]

Criteria

User kmitnick logs on to bankdc (10.0.0.4)

Data Sources

  • Windows Event Logs
[1]

Criteria

RDP session from the localhost over TCP port 3389

Data Sources

  • Windows Event Logs
[1]

Criteria

RDP session from the localhost over TCP port 3389

Data Sources

  • Windows Event Logs
[1]

Criteria

powershell.exe executes qwinsta /server:cfo

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe executes qwinsta /server:cfo

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick logs on to cfo (10.0.0.5)

Data Sources

  • Windows Event Logs
[1]

Criteria

User kmitnick logs on to cfo (10.0.0.5)

Data Sources

  • Windows Event Logs
[1]

Criteria

User kmitnick logs on to cfo (10.0.0.5)

Data Sources

  • Windows Event Logs
[1]

Criteria

RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389

Data Sources

  • Network Monitoring
  • Process Monitoring
[1]

Criteria

RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389

Data Sources

  • Windows Event Logs
[1]

Criteria

RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389

Data Sources

  • Windows Event Logs
[1]

Criteria

RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389

Data Sources

  • Windows Event Logs
[1]

Criteria

scp.exe downloads Java-Update.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

Criteria

scp.exe downloads Java-Update.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring
[1]

[2]

[3]

Criteria

dir lists the contents of C:\Users\Public

Criteria

cmd.exe downloads Java-Update.vbs from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring
[1]

[2]

Criteria

Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Data Sources

  • Process Monitoring
  • Windows Registry
[1]

Criteria

Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Data Sources

  • Process Monitoring
  • Windows Registry
[1]

Criteria

wscript.exe spawns Java-Update.exe

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe spawns Java-Update.exe

Data Sources

  • Process Monitoring
[1]

Criteria

wscript.exe spawns Java-Update.exe

Data Sources

  • Windows Registry
  • Process Monitoring
[1]

Criteria

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

Java-Update.exe downloads DefenderUpgradeExec.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring
[1]

[2]

Criteria

Java-Update.exe downloads DefenderUpgradeExec.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring
[1]

Criteria

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

Java-Update.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

Java-Update.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

[2]

Criteria

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

[2]

Criteria

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

[2]

Criteria

explorer.exe reads C:\Users\jsmith\AppData\Local\Temp\Klog2.txt and uploads it to 192.168.0.4

Criteria

explorer.exe downloads infosMin48.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring
[1]

Criteria

explorer.exe downloads infosMin48.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring
[1]

[2]

Criteria

explorer.exe downloads infosMin48.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring
[1]

Criteria

infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll

Data Sources

  • Process Monitoring
  • DLL Monitoring
[1]

Criteria

infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\

Data Sources

  • Script Logs
  • Process Monitoring
[1]

[2]

Criteria

explorer.exe downloads tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

[2]

Criteria

explorer.exe downloads vnc-settings.reg from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring
[1]

[2]

Criteria

netsh adds Service Host rule for TCP port 5900

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

netsh adds Service Host rule for TCP port 5900

Data Sources

  • Process Monitoring
[1]

Criteria

msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run

Data Sources

  • Process Monitoring
  • Windows Registry
[1]

Criteria

Addition of subkeys in HKLM\Software\TightVNC\Server

Criteria

Deletion of the Java-Update subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Criteria

tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900

Data Sources

  • Network Monitoring
  • Process Monitoring
[1]

Criteria

tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900

Data Sources

  • Network Monitoring
  • Process Monitoring
[1]

[2]

Criteria

explorer.exe spawns winword.exe when user clicks 2-list.rtf

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

explorer.exe spawns winword.exe when user clicks 2-list.rtf

Data Sources

  • Process Monitoring
[1]

Criteria

explorer.exe spawns winword.exe when user clicks 2-list.rtf

Data Sources

  • Process Monitoring
[1]

Criteria

2-list.rtf contains an embedded lnk payload that is dropped to disk

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

Criteria

2-list.rtf contains an embedded lnk payload that is dropped to disk

Data Sources

  • File Monitoring
[1]

Criteria

winword.exe spawns mshta.exe

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

winword.exe spawns mshta.exe

Data Sources

  • Process Monitoring
[1]

Criteria

winword.exe spawns mshta.exe

Data Sources

  • Process Monitoring
[1]

Criteria

winword.exe spawns mshta.exe

Data Sources

  • Process Monitoring
[1]

Criteria

winword.exe spawns mshta.exe

Data Sources

  • Process Monitoring
[1]

Criteria

mshta.exe executes an embedded VBScript payload

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

mshta.exe executes an embedded VBScript payload

Data Sources

  • Process Monitoring
  • Script Logs
[1]

Criteria

mshta.exe assembles text embedded within 2-list.rtf into a JS payload

Data Sources

  • File Monitoring
[1]

Criteria

mshta.exe assembles text embedded within 2-list.rtf into a JS payload

Data Sources

  • Script Logs
  • Process Monitoring
  • File Monitoring
[1]

[2]

Criteria

mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe

Data Sources

  • Process Monitoring
  • Script Logs
[1]

Criteria

mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL

Data Sources

  • Process Monitoring
[1]

Criteria

mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes

Data Sources

  • Windows Event Logs
  • Process Monitoring
[1]

Criteria

mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes

Data Sources

  • Process Monitoring
  • Windows Event Logs
[1]

Criteria

mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes

Data Sources

  • Windows Event Logs
  • Process Monitoring
[1]

Criteria

svchost.exe (-s Schedule) spawns Adb156.exe

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

Criteria

svchost.exe (-s Schedule) spawns Adb156.exe

Data Sources

  • Process Monitoring
[1]

Criteria

svchost.exe (-s Schedule) spawns Adb156.exe

Data Sources

  • Process Monitoring
[1]

Criteria

Adb156.exe loads scrobj.dll and executes sql-rat.js using JScript

Data Sources

  • Process Monitoring
[1]

Criteria

Adb156.exe loads scrobj.dll and executes sql-rat.js using JScript

Data Sources

  • Process Monitoring
[1]

Criteria

Adb156.exe transmits data to 192.168.0.6 via MSSQL transactions

Data Sources

  • Script Logs
  • Network Monitoring
  • Process Monitoring
[1]

[2]

Criteria

Adb156.exe makes a WMI query for Win32_NetworkAdapterConfiguration

Data Sources

  • WMI Objects
  • Process Monitoring

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

Adb156.exe makes a WMI query for Win32_NetworkAdapterConfiguration

Data Sources

  • Process Monitoring
  • WMI Objects

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

Adb156.exe makes a WMI query for Win32_LogicalDisk

Data Sources

  • Process Monitoring
  • WMI Objects

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

Adb156.exe makes a WMI query for Win32_LogicalDisk

Data Sources

  • Process Monitoring
  • WMI Objects

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

Adb156.exe downloads stager.ps1 from 192.168.0.6

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring
[1]

[2]

Criteria

Adb156.exe downloads stager.ps1 from 192.168.0.6

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

Criteria

Adb156.exe makes a WMI query for Win32_Process

Data Sources

  • WMI Objects
  • Process Monitoring

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

Adb156.exe makes a WMI query for Win32_Process

Data Sources

  • WMI Objects
  • Process Monitoring

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe executes net view

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe executes net view

Data Sources

  • Process Monitoring
[1]

Criteria

Adb156.exe makes a WMI query for Win32_BIOS

Data Sources

  • WMI Objects
  • Process Monitoring

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

Adb156.exe makes a WMI query for Win32_BIOS

Data Sources

  • Process Monitoring
  • WMI Objects

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

Adb156.exe queries the USERNAME environment variable

Data Sources

  • Process Monitoring
  • Script Logs
[1]

[2]

Criteria

Adb156.exe queries the USERNAME environment variable

Data Sources

  • Script Logs
  • Process Monitoring

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

Adb156.exe queries the COMPUTERNAME environment variable

Data Sources

  • Script Logs
  • Process Monitoring
[1]

[2]

Criteria

Adb156.exe queries the COMPUTERNAME environment variable

Data Sources

  • Process Monitoring
  • Script Logs

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

Adb156.exe makes a WMI query for Win32_ComputerSystem

Data Sources

  • Process Monitoring
  • WMI Objects

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

Adb156.exe makes a WMI query for Win32_ComputerSystem

Data Sources

  • WMI Objects
  • Process Monitoring

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

Adb156.exe makes a WMI query for Win32_OperatingSystem

Data Sources

  • Process Monitoring
  • WMI Objects

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

Adb156.exe makes a WMI query for Win32_OperatingSystem

Data Sources

  • WMI Objects
  • Process Monitoring

Footnotes

  • Parent process name was presented instead of initiating process name
[1]

Criteria

Adb156.exe downloads takeScreenshot.ps1 from 192.168.0.6 via MSSQL transactions

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring
[1]

Criteria

Adb156.exe downloads takeScreenshot.ps1 from 192.168.0.6 via MSSQL transactions

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring
[1]

[2]

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Process Monitoring
  • Script Logs
[1]

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Script Logs
  • Process Monitoring
[1]

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Script Logs
  • Process Monitoring
[1]

[2]

Criteria

Adb156.exe reads and uploads image.png to 192.168.0.6 via MSSQL transactions

Data Sources

  • Process Monitoring
  • Script Logs
  • Network Monitoring
[1]

[2]

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe decodes an embedded DLL payload

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

Criteria

powershell.exe decodes an embedded DLL payload

Data Sources

  • Script Logs
  • Process Monitoring
[1]

[2]

Criteria

powershell.exe decodes an embedded DLL payload

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring
  • Script Logs
[1]

[2]

Criteria

powershell.exe executes the decoded payload using Invoke-Expression (IEX)

Data Sources

  • Process Monitoring
  • Script Logs
[1]

[2]

Criteria

powershell.exe loads shellcode from network connection into memory

Criteria

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

powershell.exe calls the CreateToolhelp32Snapshot() API

Criteria

powershell.exe downloads samcat.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring
[1]

Criteria

powershell.exe downloads samcat.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring
[1]

[2]

Criteria

powershell.exe downloads samcat.exe from 192.168.0.4

Data Sources

  • File Monitoring
[1]

Criteria

powershell.exe downloads uac-samcats.ps1 from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring
[1]

Criteria

powershell.exe downloads uac-samcats.ps1 from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring
[1]

[2]

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Windows Registry
  • Process Monitoring
[1]

[2]
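The integrity-level criterion above is easy to state and awkward to detect, because a process can only be compared with its parent if both creation events are in hand. The following Python is an added example (it is not part of the MITRE results page and is not Microsoft's detection logic) that runs that comparison over constructed Sysmon-style records and correlates it with a registry write that stages an auto-elevate hijack. The registry key markers are a generic heuristic for the registry-based UAC bypass family; the page does not say which mechanism uac-samcats.ps1 used, and the GUIDs, timestamps and paths are invented for the example.

```python
# Added example (not from the MITRE results page or Microsoft's detection logic):
# correlate a process's integrity level with a registry-staged auto-elevate hijack.
# Records are constructed Sysmon-style samples (Event ID 1 = process create,
# Event ID 13 = registry value set), not evaluation telemetry.

RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}

# Assumption: the bypass belongs to the registry-based auto-elevate family
# (ms-settings / mscfile / exefile command keys). The page does not say which
# mechanism uac-samcats.ps1 used, so these markers are a generic heuristic.
HIJACK_KEY_MARKERS = (
    "\\software\\classes\\ms-settings\\shell\\open\\command",
    "\\software\\classes\\mscfile\\shell\\open\\command",
    "\\software\\classes\\exefile\\shell\\runas\\command",
)

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [
    # powershell.exe is already High here, as the evaluation note says it was.
    {"EventID": 1, "UtcTime": "2019-01-01 10:00:00", "ProcessGuid": "P1",
     "ParentProcessGuid": "P0", "Image": POWERSHELL, "IntegrityLevel": "High"},
    {"EventID": 13, "UtcTime": "2019-01-01 10:00:01", "ProcessGuid": "P1", "Image": POWERSHELL,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\ms-settings\shell\open\command\(Default)",
     "Details": r"C:\Users\Public\samcat.exe"},
    {"EventID": 1, "UtcTime": "2019-01-01 10:00:02", "ProcessGuid": "P2",
     "ParentProcessGuid": "P1", "Image": r"C:\Users\Public\samcat.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "UtcTime": "2019-01-01 10:00:03", "ProcessGuid": "P3",
     "ParentProcessGuid": "P0", "Image": r"C:\Windows\System32\notepad.exe", "IntegrityLevel": "Medium"},
]


def find_uac_bypass(events):
    """Return (image, integrity level, reasons) for process creations that look like a UAC bypass."""
    integrity_by_guid = {e["ProcessGuid"]: e["IntegrityLevel"] for e in events if e["EventID"] == 1}
    hijack_writes = [e for e in events if e["EventID"] == 13
                     and any(m in e["TargetObject"].lower() for m in HIJACK_KEY_MARKERS)]
    findings = []
    for e in sorted(events, key=lambda x: x["UtcTime"]):
        if e["EventID"] != 1:
            continue
        reasons = []
        child = RANK.get(e["IntegrityLevel"], -1)
        parent_level = integrity_by_guid.get(e["ParentProcessGuid"])
        parent = RANK.get(parent_level, -1)
        # Edge 1: the child is High or System while its parent was lower. A consented
        # elevation produces the same edge, so on its own this is a weak signal.
        if child >= RANK["High"] and 0 <= parent < child:
            reasons.append(f"integrity rose {parent_level} -> {e['IntegrityLevel']}")
        # Edge 2: the image was written into an auto-elevate command key just before it ran.
        # This is the edge that remains when the parent is already High, as in the evaluation.
        for w in hijack_writes:
            if w["UtcTime"] <= e["UtcTime"] and e["Image"].lower() in w["Details"].lower():
                reasons.append(f"image staged in {w['TargetObject']}")
        if reasons:
            findings.append((e["Image"], e["IntegrityLevel"], reasons))
    return findings


if __name__ == "__main__":
    for image, level, reasons in find_uac_bypass(EVENTS):
        print(image, level, "; ".join(reasons))
```

With the parent already High, as the note says it was in the evaluation environment, only the registry edge fires for samcat.exe; set the powershell.exe record to Medium and the integrity edge fires as well. The integrity edge alone is not enough, because a user clicking through a consent prompt produces the same Medium-to-High parent-child relationship.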

Criteria

samcat.exe opens and reads the SAM via LSASS

Data Sources

  • Process Monitoring
  • Windows Registry
[1]

Criteria

samcat.exe opens and reads the SAM via LSASS

Data Sources

  • Process Monitoring
  • Windows Registry
[1]

[2]

Criteria

samcat.exe opens and reads the SAM via LSASS

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

samcat.exe opens and reads the SAM via LSASS

Data Sources

  • Process Monitoring
[1]

Criteria

samcat.exe opens and reads the SAM via LSASS

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]
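Five separate detections cover this sub-step, drawing on process, registry, file and API data. The example below is added here and is not from the page or from Microsoft; it shows the API-side check a practitioner would write, decoding the access mask on constructed Sysmon Event ID 10 (ProcessAccess) records that target lsass.exe. The page says samcat.exe reads the SAM "via LSASS" without naming the mechanism, so a direct handle to lsass.exe is this example's assumption; the call traces and source paths are invented.

```python
# Added example (not from the page or Microsoft): decode the access mask on
# constructed Sysmon Event ID 10 (ProcessAccess) records that target lsass.exe.
# A direct handle to lsass.exe is this example's assumption about "via LSASS".
import ntpath

PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed records. 0x1010 is VM_READ | QUERY_LIMITED_INFORMATION, enough to
# read another process's memory; 0x1000 alone only queries basic information.
ACCESS_EVENTS = [
    {"SourceImage": r"C:\Users\Public\samcat.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4f4|C:\Windows\System32\KERNELBASE.dll+2aa8a|C:\Users\Public\samcat.exe+1c3e"},
    {"SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4f4|C:\Windows\System32\wbem\WmiPrvSE.exe+8a12"},
    {"SourceImage": r"C:\Users\Public\samcat.exe", "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4f4|UNKNOWN(000001E2A4C81234)"},
]


def decode_access(mask_hex):
    """Expand a GrantedAccess value into the named process rights it contains."""
    mask = int(mask_hex, 16)
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def find_lsass_reads(events):
    """Flag handles to lsass.exe that carry memory-read rights, with supporting detail."""
    findings = []
    for e in events:
        if ntpath.basename(e["TargetImage"]).lower() != "lsass.exe":
            continue
        rights = decode_access(e["GrantedAccess"])
        if "PROCESS_VM_READ" not in rights:
            continue
        frames = e.get("CallTrace", "").split("|")
        findings.append({
            "source": e["SourceImage"],
            "rights": rights,
            # A frame outside any loaded module points at shellcode or manually mapped code.
            "unbacked_frame": any(f.startswith("UNKNOWN") for f in frames),
        })
    return findings


if __name__ == "__main__":
    for f in find_lsass_reads(ACCESS_EVENTS):
        print(f["source"], f["rights"], "unbacked frame" if f["unbacked_frame"] else "")
```

The mask decoding is what makes the rule tunable: WmiPrvSE.exe opening lsass.exe with 0x1000 is routine, while anything carrying PROCESS_VM_READ from a user-writable directory is not. If the SAM is instead read through LSASS over the SAMR RPC interface, no memory handle exists and this record never appears; that is when the registry and file data sources listed for the other detections on this sub-step carry the detection.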

Criteria

powershell.exe calls the GetIpNetTable() API

Criteria

powershell.exe spawns nslookup.exe, which queries the DC (10.0.1.4) over DNS (port 53)

Data Sources

  • Network Monitoring
  • Process Monitoring
[1]

[2]

Criteria

powershell.exe spawns nslookup.exe, which queries the DC (10.0.1.4) over DNS (port 53)

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe downloads paexec.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring
[1]

[2]

Criteria

powershell.exe downloads paexec.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring
[1]

Criteria

powershell.exe downloads hollow.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring
[1]

[2]

Criteria

powershell.exe downloads hollow.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

powershell.exe downloads hollow.exe from 192.168.0.4

Data Sources

  • File Monitoring
[1]

Criteria

powershell.exe downloads hollow.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring
[1]

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

User kmitnick logs on to itadmin (10.0.1.6)

Data Sources

  • Windows Event Logs
[1]

Criteria

User kmitnick logs on to itadmin (10.0.1.6)

Data Sources

  • Windows Event Logs
[1]

Criteria

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed

Data Sources

  • File Monitoring
  • Network Monitoring
[1]

Criteria

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed

Data Sources

  • File Monitoring
  • Network Monitoring
[1]

Criteria

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed

Data Sources

  • Network Monitoring
  • File Monitoring
[1]

Criteria

Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe

Data Sources

  • Process Monitoring
  • Network Monitoring
[1]

Criteria

Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe

Data Sources

  • Process Monitoring
[1]

Criteria

Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe

Data Sources

  • Process Monitoring
[1]

[2]

Criteria

Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe

Data Sources

  • Network Monitoring
  • Process Monitoring
[1]

Criteria

hollow.exe spawns svchost.exe and unmaps its memory image via NtUnmapViewOfSection

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring
[1]

Criteria

hollow.exe spawns svchost.exe and unmaps its memory image via NtUnmapViewOfSection

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

hollow.exe spawns svchost.exe and unmaps its memory image via NtUnmapViewOfSection

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]
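The criterion names one API call, but process hollowing is a sequence, and a detector that fires on NtUnmapViewOfSection alone will misfire on loaders and debuggers. The Python below is an added example, not from the page or from Microsoft, of a stateful detector that tracks each suspended child from creation to ResumeThread and decides at that point whether the original image was unmapped and replaced. The trace is a constructed sample of API-monitoring records; the field names, PIDs and addresses are this example's own, and handles are shown already resolved to the target PID, which a real monitor would do before the rule sees them.

```python
# Added example (not from the page or Microsoft): a stateful detector for the
# hollowing sequence this sub-step names. The trace is a constructed sample of
# API-monitoring records; field names are this example's own. Handles are shown
# already resolved to the target PID, which a real monitor would do for you.
CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40
HOLLOW = r"C:\Users\Public\hollow.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

TRACE = [
    {"pid": 4100, "image": HOLLOW, "api": "CreateProcessW",
     "args": {"lpApplicationName": SVCHOST, "dwCreationFlags": CREATE_SUSPENDED},
     "ret": {"dwProcessId": 5200}},
    {"pid": 4100, "image": HOLLOW, "api": "NtUnmapViewOfSection",
     "args": {"ProcessHandle": 5200, "BaseAddress": 0x7FF6A0000000}},
    {"pid": 4100, "image": HOLLOW, "api": "VirtualAllocEx",
     "args": {"hProcess": 5200, "lpAddress": 0x7FF6A0000000, "flProtect": PAGE_EXECUTE_READWRITE}},
    {"pid": 4100, "image": HOLLOW, "api": "WriteProcessMemory",
     "args": {"hProcess": 5200, "lpBaseAddress": 0x7FF6A0000000, "nSize": 0x2E000}},
    {"pid": 4100, "image": HOLLOW, "api": "SetThreadContext", "args": {"hProcess": 5200}},
    {"pid": 4100, "image": HOLLOW, "api": "ResumeThread", "args": {"hProcess": 5200}},
    # A debugger also creates a suspended child, but resumes it without touching its image.
    {"pid": 900, "image": r"C:\Tools\dbg.exe", "api": "CreateProcessW",
     "args": {"lpApplicationName": r"C:\Tools\target.exe", "dwCreationFlags": CREATE_SUSPENDED},
     "ret": {"dwProcessId": 901}},
    {"pid": 900, "image": r"C:\Tools\dbg.exe", "api": "ResumeThread", "args": {"hProcess": 901}},
]

STAGES = {"NtUnmapViewOfSection": "unmap", "VirtualAllocEx": "alloc",
          "WriteProcessMemory": "write", "SetThreadContext": "context"}


def target_pid(call):
    args = call["args"]
    return args.get("ProcessHandle", args.get("hProcess"))


def detect_hollowing(trace):
    """Track each suspended child and decide at ResumeThread whether it was hollowed."""
    suspended = {}   # (parent pid, child pid) -> state
    findings = []
    for call in trace:
        if call["api"] == "CreateProcessW" and call["args"].get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            key = (call["pid"], call["ret"]["dwProcessId"])
            suspended[key] = {"parent": call["image"], "child": call["args"]["lpApplicationName"],
                              "stages": set()}
            continue
        key = (call["pid"], target_pid(call))
        if key not in suspended:
            continue
        if call["api"] in STAGES:
            suspended[key]["stages"].add(STAGES[call["api"]])
        elif call["api"] == "ResumeThread":
            state = suspended.pop(key)
            # Unmapping the original image and writing a replacement is the core of
            # the technique; alloc/context are supporting evidence.
            if {"unmap", "write"} <= state["stages"]:
                findings.append({"parent": state["parent"], "child": state["child"],
                                 "child_pid": key[1], "stages": sorted(state["stages"])})
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(TRACE):
        print(f"{f['parent']} hollowed {f['child']} (pid {f['child_pid']}): {', '.join(f['stages'])}")
```

The rule keys on the mechanism the page states. Variants that never call NtUnmapViewOfSection, such as overwriting the mapped image in place or mapping a new section over it, will not meet the unmap-and-write condition; for those, track a WriteProcessMemory that lands on the child's image base instead.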

Criteria

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

svchost.exe downloads srrstr.dll from 192.168.0.4 (port 443)

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

[2]

Criteria

svchost.exe downloads srrstr.dll from 192.168.0.4 (port 443)

Data Sources

  • File Monitoring
[1]

Criteria

svchost.exe downloads srrstr.dll from 192.168.0.4 (port 443)

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

Criteria

srrstr.dll is not the legitimate Windows System Protection Configuration Library

Data Sources

  • File Monitoring
[1]

Criteria

srrstr.dll is not the legitimate Windows System Protection Configuration Library

Data Sources

  • File Monitoring
[1]

Criteria

svchost.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

svchost.exe spawns cmd.exe

Data Sources

  • Process Monitoring
[1]

Criteria

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Data Sources

  • DLL Monitoring
  • Process Monitoring
[1]

[2]

Criteria

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Data Sources

  • File Monitoring
[1]
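Two criteria above together describe a DLL search-order hijack: a file named srrstr.dll that is not the Windows library of that name, loaded into SystemPropertiesAdvanced.exe. The Python below is an added example, not from the page or from Microsoft, of the image-load check that catches it over constructed Sysmon Event ID 7 records: a DLL whose name belongs to System32 is loaded from somewhere else, unsigned, into a process running at High integrity. The WindowsApps load path, the signature fields and the small System32 inventory are this example's assumptions; the page states only that the loaded srrstr.dll is not the legitimate library.

```python
# Added example (not from the page or Microsoft): flag a DLL search-order hijack
# from constructed Sysmon Event ID 7 (image load) records. The WindowsApps load
# path, signature fields and DLL inventory are this example's assumptions.
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# A small inventory of DLL names that live in System32 on a clean host (sample;
# a real deployment would build this from a golden image).
KNOWN_SYSTEM_DLLS = {"srrstr.dll", "version.dll"}

SYSPROPS = r"C:\Windows\System32\SystemPropertiesAdvanced.exe"

IMAGE_LOADS = [
    {"Image": SYSPROPS, "IntegrityLevel": "High",
     "ImageLoaded": r"C:\Users\kmitnick\AppData\Local\Microsoft\WindowsApps\srrstr.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": SYSPROPS, "IntegrityLevel": "High",
     "ImageLoaded": r"C:\Windows\System32\srrstr.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\App\app.exe", "IntegrityLevel": "Medium",
     "ImageLoaded": r"C:\Program Files\App\helper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


def find_dll_hijacks(loads, known=KNOWN_SYSTEM_DLLS):
    """Report system-named DLLs loaded from outside the system directories."""
    findings = []
    for e in loads:
        path = e["ImageLoaded"].lower()
        name = ntpath.basename(path)
        if name not in known or path.startswith(SYSTEM_DIRS):
            continue
        reasons = [f"{name} loaded from {ntpath.dirname(e['ImageLoaded'])} rather than a system directory"]
        if e.get("Signed", "false").lower() != "true" or e.get("SignatureStatus") != "Valid":
            reasons.append("module is not validly signed")
        if e.get("IntegrityLevel") in ("High", "System"):
            reasons.append(f"loader {ntpath.basename(e['Image'])} runs at {e['IntegrityLevel']} integrity")
        findings.append({"loader": e["Image"], "module": e["ImageLoaded"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_dll_hijacks(IMAGE_LOADS):
        print(f["loader"], "->", f["module"])
        for r in f["reasons"]:
            print("   ", r)
```

The third reason is the one that turns a hijack into a UAC bypass: code in the impostor srrstr.dll runs with the loader's High integrity, which is consistent with the rundll32.exe C2 traffic listed in the following sub-step. The genuine System32 load in the sample is skipped, and helper.dll is ignored because its name is not in the inventory; the check is only as good as that inventory.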

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

svchost.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring
[1]

Criteria

svchost.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

svchost.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring
[1]

[2]

[3]

Criteria

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

[2]

Criteria

explorer.exe injects into mstsc.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring
[1]

Criteria

explorer.exe injects into mstsc.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring
[1]

[2]

Criteria

mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

Criteria

User kmitnick logs on to accounting (10.0.1.7)

Data Sources

  • Windows Event Logs
[1]

Criteria

User kmitnick logs on to accounting (10.0.1.7)

Data Sources

  • Windows Event Logs
[1]

Criteria

User kmitnick logs on to accounting (10.0.1.7)

Data Sources

  • Windows Event Logs
[1]

Criteria

RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389

Data Sources

  • Windows Event Logs
[1]

Criteria

RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389

Data Sources

  • Network Monitoring
  • Process Monitoring
  • Windows Event Logs
[1]

Criteria

RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389

Data Sources

  • Process Monitoring
  • Network Monitoring
[1]

Criteria

RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389

Data Sources

  • Process Monitoring
  • Network Monitoring
  • Windows Event Logs
[1]

Criteria

itadmin (10.0.1.6) is relaying RDP traffic from attacker infrastructure

Data Sources

  • Windows Event Logs
  • Process Monitoring
  • Network Monitoring
[1]

[2]

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe executes base64 encoded commands

Data Sources

  • Process Monitoring
[1]

Criteria

powershell.exe downloads dll329.dll from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

powershell.exe downloads dll329.dll from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

[2]

Criteria

powershell.exe downloads sdbE376.tmp from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

[2]

Criteria

powershell.exe downloads sdbE376.tmp from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • Process Monitoring
[1]

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • Process Monitoring
  • Windows Registry
[1]

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • File Monitoring
[1]

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • Windows Registry
[1]

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • Windows Registry
  • Script Logs
  • Process Monitoring
[1]

[2]

Criteria

AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll

Data Sources

  • File Monitoring
  • Process Monitoring
[1]
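The sdbinst.exe detections and the AccountingIQ.exe load above are one chain: a shim database is installed, its GUID is recorded under AppCompatFlags, and the shimmed application later loads a DLL it would never load on its own. The Python below is an added example, not from the page or from Microsoft, that rebuilds that chain from constructed Sysmon-style records (Event ID 1 process create, 11 file create, 13 registry value set, 7 image load). The GUID, the AppPatch\Custom path, the AccountingIQ.exe install location and the timestamps are invented for the example.

```python
# Added example (not from the page or Microsoft): tie a shim installation to the
# process it later affects. Records are constructed Sysmon-style samples; the
# GUID, paths and timestamps are invented for the example.
import ntpath

GUID = "{1F3C2E5A-0000-4000-8000-000000000001}"
SDB = "C:\\Windows\\AppPatch\\Custom\\" + GUID + ".sdb"
APPCOMPAT = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
SDBINST = r"C:\Windows\System32\sdbinst.exe"

EVENTS = [
    {"EventID": 1, "UtcTime": "10:00:00", "Image": SDBINST,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"sdbinst.exe -q C:\Users\Public\sdbE376.tmp"},
    {"EventID": 11, "UtcTime": "10:00:01", "Image": SDBINST, "TargetFilename": SDB},
    {"EventID": 13, "UtcTime": "10:00:01", "Image": SDBINST,
     "TargetObject": APPCOMPAT + "\\InstalledSDB\\" + GUID + "\\DatabasePath", "Details": SDB},
    {"EventID": 13, "UtcTime": "10:00:01", "Image": SDBINST,
     "TargetObject": APPCOMPAT + "\\Custom\\AccountingIQ.exe\\" + GUID + ".sdb",
     "Details": "QWORD (0x01d4c2a3-0x5e8f1c40)"},
    {"EventID": 7, "UtcTime": "10:05:00", "Image": r"C:\Program Files\AccountingIQ\AccountingIQ.exe",
     "ImageLoaded": r"C:\Users\Public\dll329.dll", "Signed": "false"},
    {"EventID": 7, "UtcTime": "10:05:00", "Image": r"C:\Program Files\AccountingIQ\AccountingIQ.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]


def shim_inventory(events):
    """Collect shimmed executables, installed database paths and sdbinst invocations."""
    shimmed, db_path, installs = {}, {}, []
    for e in events:
        if e["EventID"] == 1 and ntpath.basename(e["Image"]).lower() == "sdbinst.exe":
            installs.append(e["CommandLine"])
        elif e["EventID"] == 13:
            parts = e["TargetObject"].split("\\")
            low = [p.lower() for p in parts]
            if "appcompatflags" not in low:
                continue
            i = low.index("appcompatflags")
            if len(parts) > i + 3 and low[i + 1] == "custom":
                # ...\Custom\<exe>\<guid>.sdb : this executable is now shimmed
                shimmed[low[i + 2]] = parts[i + 3].rsplit(".", 1)[0]
            elif len(parts) > i + 3 and low[i + 1] == "installedsdb" and low[-1] == "databasepath":
                db_path[parts[i + 2]] = e["Details"]
    return shimmed, db_path, installs


def find_shim_backed_loads(events):
    """Flag modules loaded by a shimmed process from outside its own or a system directory."""
    shimmed, db_path, installs = shim_inventory(events)
    findings = []
    for e in events:
        if e["EventID"] != 7:
            continue
        exe = ntpath.basename(e["Image"]).lower()
        if exe not in shimmed:
            continue
        mod_dir = ntpath.dirname(e["ImageLoaded"]).lower()
        own_dir = ntpath.dirname(e["Image"]).lower()
        if mod_dir == own_dir or mod_dir.startswith("c:\\windows\\"):
            continue
        guid = shimmed[exe]
        findings.append({"process": e["Image"], "module": e["ImageLoaded"], "shim_guid": guid,
                         "sdb": db_path.get(guid), "installed_by": installs})
    return findings


if __name__ == "__main__":
    for f in find_shim_backed_loads(EVENTS):
        print(f"{f['process']} loaded {f['module']} under shim {f['shim_guid']} ({f['sdb']})")
        for cmd in f["installed_by"]:
            print("    installed via:", cmd)
```

The registry write under AppCompatFlags\Custom\<exe> is the pivot: it names the victim executable before it has run, so the later dll329.dll load can be attributed to the shim rather than to the application. The sdbinst.exe command line is kept for context because a database installed from a .tmp file under C:\Users\Public is itself worth a look, independent of what it later injects.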

Criteria

AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

Criteria

AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring
[1]

[2]

[3]
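This page carries two CreateRemoteThread chains: svchost.exe into explorer.exe and then explorer.exe into mstsc.exe, and AccountingIQ.exe into SyncHost.exe. The Python below is an added example that serves both passages; it is not from the page or from Microsoft. It scores constructed Sysmon Event ID 8 records on whether the thread start address is backed by a loaded module and whether the source is an expected one, then follows target-PID-to-source-PID hops so the two-hop chain is reported as one finding rather than two unrelated alerts. The PIDs, addresses, times and the single-entry allowlist are invented for the example.

```python
# Added example (not from the page or Microsoft): reconstruct injection chains
# from constructed Sysmon Event ID 8 (CreateRemoteThread) records covering both
# chains on this page. PIDs, addresses, times and the allowlist are invented.
import ntpath

# Example allowlist of processes that legitimately start threads in others.
EXPECTED_SOURCES = {"csrss.exe"}

REMOTE_THREADS = [
    {"UtcTime": "11:00:00", "SourceProcessId": 5200, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": 3100, "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x000001E2A4C80000", "StartModule": "", "StartFunction": ""},
    {"UtcTime": "11:00:05", "SourceProcessId": 3100, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetProcessId": 6400, "TargetImage": r"C:\Windows\System32\mstsc.exe",
     "StartAddress": "0x000001F0B0010000", "StartModule": "", "StartFunction": ""},
    # Constructed benign record: csrss starting a thread at a known ntdll export.
    {"UtcTime": "11:00:07", "SourceProcessId": 600, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 6400, "TargetImage": r"C:\Windows\System32\mstsc.exe",
     "StartAddress": "0x00007FF9A1B2C3D0", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "EtwpCreateEtwThread"},
    {"UtcTime": "11:30:00", "SourceProcessId": 7000,
     "SourceImage": r"C:\Program Files\AccountingIQ\AccountingIQ.exe",
     "TargetProcessId": 7100, "TargetImage": r"C:\Windows\System32\SyncHost.exe",
     "StartAddress": "0x0000020A11220000", "StartModule": "", "StartFunction": ""},
]


def why_suspicious(rt):
    reasons = []
    if not rt["StartModule"]:
        reasons.append("thread start address is not backed by a loaded module")
    if ntpath.basename(rt["SourceImage"]).lower() not in EXPECTED_SOURCES:
        reasons.append(f"{ntpath.basename(rt['SourceImage'])} is not an expected remote-thread source")
    return reasons


def injection_chains(records):
    """Follow target PID -> source PID hops and return each chain as a list of image names."""
    flagged = [r for r in sorted(records, key=lambda r: r["UtcTime"]) if why_suspicious(r)]
    by_source = {}
    for r in flagged:
        by_source.setdefault(r["SourceProcessId"], []).append(r)
    injected = {r["TargetProcessId"] for r in flagged}
    chains = []
    for head in flagged:
        if head["SourceProcessId"] in injected:
            continue   # this process was itself injected into; it is a link, not a head
        hop, seen, chain = head, {head["SourceProcessId"]}, [head]
        while hop["TargetProcessId"] in by_source and hop["TargetProcessId"] not in seen:
            seen.add(hop["TargetProcessId"])
            hop = by_source[hop["TargetProcessId"]][0]   # first onward hop only
            chain.append(hop)
        chains.append([ntpath.basename(c["SourceImage"]) for c in chain]
                      + [ntpath.basename(chain[-1]["TargetImage"])])
    return chains


if __name__ == "__main__":
    for chain in injection_chains(REMOTE_THREADS):
        print(" -> ".join(chain))
```

Event ID 8 cannot tell that the svchost.exe at the head of the first chain is the hollowed process from the earlier sub-step; it is flagged here only because its thread start is unbacked and svchost.exe is not on the allowlist, so the two findings need correlating on PID with the process-creation and API data. What the injected threads then do, CreateCompatibleBitmap in explorer.exe and GetAsyncKeyState in mstsc.exe, is only visible with API-level telemetry, which is why those sub-steps list no process-level data source.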

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

rundll32.exe downloads debug.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

Criteria

rundll32.exe downloads debug.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring
[1]

[2]

Criteria

debug.exe calls the CreateToolhelp32Snapshot API

Criteria

rundll32.exe downloads 7za.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring
[1]

Criteria

rundll32.exe downloads 7za.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring
[1]

[2]

[3]

Criteria

7za.exe creates C:\Users\Public\log.7z

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

[2]

Criteria

7za.exe creates C:\Users\Public\log.7z

Data Sources

  • Process Monitoring
  • File Monitoring
[1]

[2]

Criteria

7za.exe creates C:\Users\Public\log.7z

Data Sources

  • File Monitoring
  • Process Monitoring
[1]

Criteria

rundll32.exe reads and uploads log.7z to 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring

Footnotes

  • Collection of file access attempts is increased when they are tied to other suspicious behaviors.
[1]

[2]