| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| | | Tactic (Configuration Change (Data Sources)) | A Tactic detection named "MS Office loaded VBE dll to execute macro" (Low) was generated when winword.exe loaded VBE7.DLL while opening 1-list.rtf. [1] |
| | | Technique | A Technique detection named "Wscript.exe execution from monitored application" (2.5/10) was generated when wscript.exe executed unprotected.vbe. [1] |
| | | General | A General detection named "MS Office or scripting engine dropped script file" (Medium) was generated when wscript.exe decoded and created starter.vbs. [1] |
| | | General | A General detection named "MS Office or scripting engine dropped script file" (Medium) was generated when wscript.exe decoded and created TransBaseOdbcDriver.js. [1] |
| | | Technique | A Technique detection named "Wscript.exe execution from monitored application" (Medium) was generated when wscript.exe executed starter.vbs. [1] |
| | | Technique | A Technique detection named "MS Office process spawns cmd.exe" (Medium) was generated when wscript.exe spawned cmd.exe from a process lineage that included winword.exe. [1] |
| | | Technique | A Technique detection named "Wscript.exe execution from monitored application" (Medium) was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js. [1] |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | General | A General detection named "MS Office or scripting engine dropped script file" (3.0/10) was generated when wscript.exe downloaded screenshot__.ps1. [1] |
| | | Technique | A Technique detection named "MS Office process spawns cmd.exe" (Medium) was generated when wscript.exe spawned cmd.exe from a process lineage that included winword.exe. [1] |
| | | Technique | A Technique detection named "PowerShell.exe execution detected from monitored application" (Medium) was generated when cmd.exe spawned powershell.exe. [1] |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "MS Office process spawns cmd.exe" (3.5/10) was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "Reg.exe execution detected" (Medium) was generated when cmd.exe spawned reg.exe to add a registry value. [1] |
| | | General | A General detection named "MS Office or scripting engine dropped script file" (Medium) was generated when wscript.exe downloaded LanCradDriver.ps1 from 192.168.0.4. [1] |
| | | Technique | A Technique detection named "MS Office process spawns cmd.exe" (Medium) was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "PowerShell.exe execution detected from monitored application" (Medium) was generated when cmd.exe spawned powershell.exe. [1] |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | General | A General detection named "MS Office or scripting engine dropped script file" (Medium) was generated when powershell.exe downloaded rad353F7.ps1 from 192.168.0.4. [1] |
| | | General | A General detection named "PowerShell or its child process dropped portable executable file" (2.5/10) was generated when powershell.exe downloaded smrs.exe from 192.168.0.4. [1] |
| | | General | A General detection named "Likely remote system process dropped portable executable" (Medium) was generated when powershell.exe downloaded smrs.exe from 192.168.0.4. [1] |
| | | General | A General detection named "MS Office or scripting engine dropped executable file" (3.0/10) was generated when powershell.exe downloaded smrs.exe from 192.168.0.4. [1] |
| | | Technique | A Technique detection named "PowerShell.exe execution detected from monitored application" (Medium) was generated when powershell.exe executed rad353F7.ps1. [1] |
| | | Technique | A Technique detection named "Fodhelper.exe execution detected" (2.5/10) was generated when fodhelper.exe spawned as a high-integrity process. [1] |
| | | Tactic | A Tactic detection named "Process Running from AppData Directory" (2.5/10) was generated when cmd.exe executed smrs.exe. [1] |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | General | A General detection named "PowerShell or its child process dropped portable executable file" (2.5/10) was generated when powershell.exe downloaded pscp.exe. [1] |
| | | General | A General detection named "MS Office or scripting engine dropped portable executable" (Medium) was generated when powershell.exe downloaded pscp.exe. [1] |
| | | General | A General detection named "PowerShell or its child process dropped portable executable file" (2.5/10) was generated when powershell.exe downloaded plink.exe. [1] |
| | | General | A General detection named "MS Office or scripting engine dropped portable executable file" (Medium) was generated when powershell.exe downloaded plink.exe. [1] |
| | | General | A General detection named "PowerShell or its child process dropped portable executable file" (Medium) was generated when powershell.exe downloaded tiny.exe. [1] [2] |
| | | Technique | A Technique detection named "MS Office process spawns cmd.exe" (Medium) was generated when powershell.exe spawned cmd.exe from a process lineage that included winword.exe. [1] |
| | | General | A General detection named "Yara rule match on process memory" (High) was generated when pscp.exe connected over SCP (SSH, TCP port 22) to 10.0.0.7. [1] |
| | | Technique | A Technique detection named "Process using ps utility to get running processes" (1.6/10) was generated when user kmitnick executed ps ax. [1] |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | Tactic | A Tactic detection named "Likely remote system dropped portable executable file" (2.0/10) was generated when psexec.py connected to SMB shares on 10.0.0.4. [1] |
| | | Technique | A Technique detection named "Likely remote system dropped portable executable file" (2.0/10) was generated when tiny.exe was created on 10.0.0.4. [1] |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | General | A General detection named "MS Office or scripting engine dropped portable executable file" (3.0/10) was generated when tiny.exe downloaded plink.exe from 192.168.0.4. [1] |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Remote Desktop Protocol" (4.0/10) was generated when plink.exe created an RDP session from localhost over TCP port 3389. [1] |
| | | Technique | A Technique detection named "Qwinsta.exe execution from monitored application" (2.5/10) was generated when powershell.exe executed qwinsta /server:cfo. [1] |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Registry Startups entry modification/addition Detected from monitored application" (4.0/10) was generated when the Java-Update value was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. [1] |
| | | Technique | A Technique detection named "Wscript.exe execution detected" (0.5/10) was generated when Java-Update.exe spawned from wscript.exe. [1] |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | General | A General detection named "MS Office or scripting engine dropped portable executable file" (3.0/10) was generated when Java-Update.exe downloaded DefenderUpgradeExec.exe from 192.168.0.4. [1] |
| | | General | A General detection named "Process dropped portable executable file in AppData folder" (0/10) was generated when Java-Update.exe downloaded DefenderUpgradeExec.exe from 192.168.0.4. [1] |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Monitored application child process injected code in remote process" (1.5/10) was generated when Java-Update.exe injected into explorer.exe with CreateRemoteThread. [1] |
| | | Technique | A Technique detection named "Monitored application child process allocated memory in remote process" (1.5/10) was generated when Java-Update.exe injected into explorer.exe with CreateRemoteThread. [1] |
| | | Technique | A Technique detection named "Monitored application child process created thread in remote process" (1.5/10) was generated when Java-Update.exe injected into explorer.exe with CreateRemoteThread. [1] |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | None | Minimum detection criteria were not met for this procedure. |
| | | General | A General detection named "Process dropped portable executable file" (0/10) was generated when explorer.exe downloaded tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4. [1] |
| | | General | A General detection named "Netsh.exe execution detected" (0.1/10) was generated when netsh.exe added a 'Service Host' rule to allow inbound TCP port 5900. [1] |
| | | Technique | A Technique detection named "Registry Startups entry modification/addition Detected" (1.5/10) was generated when the tvncontrol value was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. [1] |
| | | Telemetry (Configuration Change) | |
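Nearly every scored row above is a lineage rule: cmd.exe, wscript.exe, powershell.exe, reg.exe or netsh.exe is only interesting because winword.exe sits somewhere in its ancestry, and the file-drop, Run-key and fodhelper.exe rows hang off the same tree. The Python below is an added example written for this page, not the evaluated product's logic and not the evaluation's telemetry: it rebuilds a process tree from constructed endpoint events (every PID, path, host and command line in `EVENTS` is made up, modelled on the chain in the table) and runs a handful of such rules over them, including a benign cmd.exe under svchost.exe that must not fire.

```python
"""Lineage-aware endpoint detections of the kind listed in the table above.

Added example, not the evaluated product's logic. EVENTS is constructed
sample telemetry modelled on the table's process chain; every PID, path,
host and command line in it is made up.
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Living-off-the-land binaries that are suspicious when they descend from Office.
MONITORED_CHILDREN = SCRIPT_HOSTS | {"reg.exe", "netsh.exe", "qwinsta.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".ps1", ".hta")
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
# Key abused by the fodhelper.exe UAC bypass (auto-elevated app reads it as the current user).
MS_SETTINGS_CMD = r"hkcu\software\classes\ms-settings\shell\open\command"

EVENTS = [  # constructed sample telemetry, not real data
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "winword.exe", "cmdline": 'winword.exe "1-list.rtf"'},
    {"type": "process", "pid": 300, "ppid": 200, "image": "wscript.exe", "cmdline": "wscript.exe unprotected.vbe"},
    {"type": "file", "pid": 300, "path": r"C:\Users\u\AppData\Local\Temp\starter.vbs"},
    {"type": "file", "pid": 300, "path": r"C:\Users\u\AppData\Roaming\TransBaseOdbcDriver.js"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "cmd.exe", "cmdline": "cmd.exe /c wscript TransBaseOdbcDriver.js"},
    {"type": "process", "pid": 500, "ppid": 400, "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -f screenshot__.ps1"},
    {"type": "process", "pid": 600, "ppid": 400, "image": "reg.exe", "cmdline": r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Java-Update /d C:\x\Java-Update.exe"},
    {"type": "registry", "pid": 600, "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Java-Update"},
    {"type": "registry", "pid": 500, "key": r"HKCU\Software\Classes\ms-settings\shell\open\command", "value": "(Default)"},
    {"type": "process", "pid": 700, "ppid": 500, "image": "fodhelper.exe", "cmdline": "fodhelper.exe", "integrity": "High"},
    {"type": "process", "pid": 800, "ppid": 500, "image": "netsh.exe", "cmdline": 'netsh advfirewall firewall add rule name="Service Host" dir=in action=allow protocol=TCP localport=5900'},
    {"type": "process", "pid": 900, "ppid": 1, "image": "svchost.exe", "cmdline": "svchost.exe"},
    {"type": "process", "pid": 910, "ppid": 900, "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},  # benign lineage
]


def build_tree(events):
    """Map pid -> process-creation event (the only events that define ancestry)."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def lineage(procs, pid):
    """Image names from pid up to the root; stops on an unknown pid or a pid-reuse loop."""
    seen, out = set(), []
    while pid in procs and pid not in seen:
        seen.add(pid)
        out.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return out


def detect(events):
    """Return (rule, pid, detail) tuples for events matching the toy rules."""
    procs = build_tree(events)
    alerts = []
    for e in events:
        img = procs.get(e["pid"], {}).get("image", "").lower()
        if e["type"] == "process":
            anc = lineage(procs, e["ppid"])  # ancestors, nearest parent first
            if img in MONITORED_CHILDREN and OFFICE & set(anc):
                alerts.append(("office_lineage", e["pid"], " > ".join(reversed(anc)) + " > " + img))
            if img == "fodhelper.exe" and e.get("integrity") == "High" and anc and anc[0] in SCRIPT_HOSTS:
                alerts.append(("uac_bypass_fodhelper", e["pid"], "parent " + anc[0]))
            cl = e.get("cmdline", "").lower()
            if img == "netsh.exe" and "firewall" in cl and "add rule" in cl and "dir=in" in cl and "action=allow" in cl:
                alerts.append(("firewall_inbound_allow", e["pid"], cl))
        elif e["type"] == "file":
            if img in SCRIPT_HOSTS and e["path"].lower().endswith(SCRIPT_EXT):
                alerts.append(("script_drop", e["pid"], e["path"]))
        elif e["type"] == "registry":
            key = e["key"].lower()
            if key.startswith(RUN_KEY):
                alerts.append(("run_key_persistence", e["pid"], e["value"]))
            elif key == MS_SETTINGS_CMD:
                alerts.append(("uac_bypass_fodhelper_prep", e["pid"], e["key"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:26} pid={pid:<4} {detail}")
```

The point of resolving the full ancestry rather than just the parent is visible in the reg.exe and netsh.exe rows: their direct parent is cmd.exe or powershell.exe, which is unremarkable on its own, and only the winword.exe three or four hops up makes them worth a score. Real telemetry also has PID reuse and missing parents, which is why `lineage` stops on a repeated or unknown PID instead of looping.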