Secureworks: Results
Participant Configuration:  APT29

MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
 

Procedure

User Pam executed payload rcs.3aka3.doc

Criteria

The rcs.3aka3.doc process spawning from explorer.exe

Procedure

Used the Unicode right-to-left override (RTLO) character to obfuscate the file name rcs.3aka3.doc (originally cod.3aka3.scr)

Criteria

Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka3.scr)
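
The check behind this criterion, as an added example (not part of the evaluation page or of any vendor's product): find bidi control characters in a file name, show what a user would see, and compare the rendered extension with the real one. The samples are constructed; the first assumes the U+202E sits at the start of the real name cod.3aka3.scr, which is what makes it render as rcs.3aka3.doc.

```python
import unicodedata

# Unicode explicit bidirectional formatting characters. U+202E (RIGHT-TO-LEFT
# OVERRIDE) is the one that makes cod.3aka3.scr render as rcs.3aka3.doc.
RLO, PDF = "\u202E", "\u202C"
BIDI_CONTROLS = {
    "\u202A", "\u202B", PDF, "\u202D", RLO,   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",   # LRI, RLI, FSI, PDI (isolates)
    "\u200E", "\u200F",                       # LRM, RLM (marks)
}
_STRIP = {ord(c): None for c in BIDI_CONTROLS}


def find_bidi_controls(name: str) -> list[tuple[int, str]]:
    """(index, Unicode name) for every bidi control in the file name."""
    return [(i, unicodedata.name(c)) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def actual_name(name: str) -> str:
    """The name with all bidi controls removed: what the filesystem and
    CreateProcess actually use; the controls only affect display."""
    return name.translate(_STRIP)


def displayed_name(name: str) -> str:
    """Approximate what a user sees: text after the first RLO, up to a closing
    PDF or the end of the string, is drawn reversed. This is a triage
    approximation, not a full implementation of the Unicode bidi algorithm."""
    if RLO not in name:
        return actual_name(name)
    head, _, tail = name.partition(RLO)
    reversed_part, _, rest = tail.partition(PDF)
    return actual_name(head) + actual_name(reversed_part)[::-1] + actual_name(rest)


def extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyze(name: str) -> dict:
    """Flag any bidi control at all, plus the more specific signal that the
    rendered extension differs from the real one."""
    shown, real = displayed_name(name), actual_name(name)
    result = {
        "controls": find_bidi_controls(name),
        "displayed": shown,
        "actual": real,
        "displayed_extension": extension(shown),
        "real_extension": extension(real),
    }
    result["extension_mismatch"] = result["displayed_extension"] != result["real_extension"]
    result["suspicious"] = bool(result["controls"]) or result["extension_mismatch"]
    return result


if __name__ == "__main__":
    # Constructed samples; the first assumes the RLO precedes the real name
    # cod.3aka3.scr, which is what reverses it into rcs.3aka3.doc on screen.
    for sample in ("\u202Ecod.3aka3.scr", "invoice\u202Efdp.exe", "Draft.zip"):
        r = analyze(sample)
        print(f"shown={r['displayed']!r:22} actual={r['actual']!r:22} "
              f"real_ext={r['real_extension']:4} suspicious={r['suspicious']}")
```

Match on the raw name bytes, not on the rendered name: most consoles and UIs apply the override, so a rule that greps for "rcs.3aka3.doc" never sees the .scr extension that actually ran.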

Procedure

Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234

Criteria

Established network channel over port 1234

Procedure

Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic

Criteria

Evidence that the network data sent over the C2 channel is encrypted
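
What "evidence that the channel is encrypted" looks like in practice, as an added example (not code from the evaluation or from the emulated malware): a minimal RC4 implementation to produce a realistic ciphertext, and the byte-entropy heuristic an analyst or a sensor applies to the captured payload. The key and the tasking message are constructed for this example.

```python
import math
from collections import Counter


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key scheduling (KSA) followed by the PRGA loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a symmetric XOR stream cipher: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (empty or single-valued) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(payload: bytes, threshold: float = 7.0, min_len: int = 256) -> bool:
    """Triage heuristic for 'the channel is encrypted': enough bytes for the
    estimate to mean something, and a near-uniform byte distribution.
    Compressed or already-encoded data scores high too, so a hit is a lead,
    not proof; a miss on a short beacon is not evidence of plaintext either."""
    return len(payload) >= min_len and shannon_entropy(payload) >= threshold


# Constructed sample: a pretend tasking message repeated to beacon length.
# The key and message are made up for this example, not values from the evaluation.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_BEACON = b'{"host":"pam-ws","task":"dir C:\\Users\\Pam","status":"ok"}\n' * 40


if __name__ == "__main__":
    ct = rc4(SAMPLE_KEY, SAMPLE_BEACON)
    print(f"plaintext  entropy={shannon_entropy(SAMPLE_BEACON):.2f} encrypted={looks_encrypted(SAMPLE_BEACON)}")
    print(f"ciphertext entropy={shannon_entropy(ct):.2f} encrypted={looks_encrypted(ct)}")
    assert rc4(SAMPLE_KEY, ct) == SAMPLE_BEACON
```

The RC4 routine is checked against the published test vectors (key "Key" / "Plaintext", "Wiki" / "pedia", "Secret" / "Attack at dawn"), so the ciphertext it produces is the real thing rather than a stand-in.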

Procedure

Spawned interactive cmd.exe

Criteria

cmd.exe spawning from the rcs.3aka3.doc process

Procedure

Spawned interactive powershell.exe

Criteria

powershell.exe spawning from cmd.exe

Procedure

Searched filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

Procedure

Scripted search of filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

Procedure

Recursively collected files found in C:\Users\Pam\ using PowerShell

Criteria

powershell.exe reading files in C:\Users\Pam\

Procedure

Compressed and stored files into ZIP (Draft.zip) using PowerShell

Criteria

powershell.exe executing Compress-Archive

Procedure

Staged files for exfiltration into ZIP (Draft.zip) using PowerShell

Criteria

powershell.exe creating the file draft.zip

Procedure

Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)

Criteria

The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel

Procedure

Dropped stage 2 payload (monkey.png) to disk

Criteria

The rcs.3aka3.doc process creating the file monkey.png

Procedure

Embedded PowerShell payload in monkey.png using steganography

Criteria

Evidence that a PowerShell payload was within monkey.png

Procedure

Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell

Criteria

Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command

Procedure

Executed elevated PowerShell payload

Criteria

High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)

Procedure

Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443

Criteria

Established network channel over port 443

Procedure

Used HTTPS to transport C2 (192.168.0.5) traffic

Criteria

Evidence that the network data sent over the C2 channel is HTTPS

Procedure

Used HTTPS to encrypt C2 (192.168.0.5) traffic

Criteria

Evidence that the network data sent over the C2 channel is encrypted

Procedure

Modified the Registry to remove artifacts of COM hijacking

Criteria

Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
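
The process-ancestry and registry criteria from user execution through the sdclt.exe elevation and its cleanup, expressed as rules over endpoint telemetry. This is an added example, not the vendor's detection logic or the evaluation's own tooling: the event shape (pid, ppid, image, integrity, cmdline) and the registry event shape are assumptions for the example, and the events themselves are constructed to mirror the steps above.

```python
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "cpl", "dll"}
COM_HIJACK_KEY = r"hkcu\software\classes\folder\shell\open\command"

# Constructed process-creation events modelled on this section: explorer.exe
# runs the RTLO-named payload, which spawns cmd.exe, then powershell.exe, which
# stages the sdclt.exe hijack that yields a high-integrity powershell.exe.
PROCESSES = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "integrity": "Medium", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "rcs.3aka3.doc",  "integrity": "Medium", "cmdline": r"C:\Users\Pam\Downloads\rcs.3aka3.doc"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",        "integrity": "Medium", "cmdline": "cmd.exe"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "integrity": "Medium", "cmdline": "powershell.exe"},
    {"pid": 500, "ppid": 400, "image": "sdclt.exe",      "integrity": "High",   "cmdline": "sdclt.exe"},
    {"pid": 600, "ppid": 500, "image": "control.exe",    "integrity": "High",   "cmdline": "control.exe"},
    {"pid": 700, "ppid": 600, "image": "powershell.exe", "integrity": "High",   "cmdline": "powershell.exe -NoProfile"},
    {"pid": 800, "ppid": 100, "image": "winword.exe",    "integrity": "Medium", "cmdline": "winword.exe report.docx"},
]

# Constructed registry events. The page states only that DelegateExecute is
# added and the command key later deleted; the (Default) write is an assumption.
REGISTRY = [
    {"pid": 400, "action": "SetValue",  "key": r"HKCU\Software\Classes\Folder\shell\open\command", "name": "DelegateExecute"},
    {"pid": 400, "action": "SetValue",  "key": r"HKCU\Software\Classes\Folder\shell\open\command", "name": "(Default)"},
    {"pid": 700, "action": "DeleteKey", "key": r"HKCU\Software\Classes\Folder\shell\open\command", "name": None},
]


def ext(image):
    return image.rsplit(".", 1)[1].lower() if "." in image else ""


def ancestry(pid, by_pid):
    """Events from pid upward: [self, parent, grandparent, ...]. Stops at an
    unknown parent or on a cycle (pid reuse can produce one)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def image_is(name):
    return lambda p: p["image"].lower() == name


def non_executable_image(p):
    """A process whose image name ends in .doc, .pdf, etc. is itself anomalous:
    Windows only ran it because the real extension is hidden (RTLO) or the name lies."""
    return ext(p["image"]) not in EXECUTABLE_EXTS


def is_shell(p):
    return p["image"].lower() in {"cmd.exe", "powershell.exe"}


def high_integrity_powershell(p):
    return image_is("powershell.exe")(p) and p["integrity"] == "High"


# Each rule is a name and a list of predicates applied to [self, parent, ...].
PROCESS_RULES = [
    ("document-named image launched from explorer.exe", [non_executable_image, image_is("explorer.exe")]),
    ("interactive shell spawned by document-named process", [is_shell, non_executable_image]),
    ("powershell.exe from cmd.exe under document-named process", [image_is("powershell.exe"), image_is("cmd.exe"), non_executable_image]),
    ("high-integrity powershell.exe via sdclt.exe -> control.exe", [high_integrity_powershell, image_is("control.exe"), image_is("sdclt.exe")]),
]


def match_process_rules(events, rules=PROCESS_RULES):
    """Return (pid, rule name) for every event whose ancestry satisfies a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        for name, preds in rules:
            if len(chain) >= len(preds) and all(pred(p) for pred, p in zip(preds, chain)):
                hits.append((e["pid"], name))
    return hits


def match_registry_rules(events):
    """Flag staging and cleanup of the sdclt.exe COM hijack key."""
    hits = []
    for e in events:
        if e["key"].lower() != COM_HIJACK_KEY:
            continue
        if e["action"] == "SetValue" and (e["name"] or "").lower() == "delegateexecute":
            hits.append((e["pid"], "COM hijack staged: DelegateExecute added"))
        elif e["action"] == "DeleteKey":
            hits.append((e["pid"], "COM hijack cleanup: command key deleted"))
    return hits


if __name__ == "__main__":
    for pid, rule in match_process_rules(PROCESSES) + match_registry_rules(REGISTRY):
        print(f"pid {pid}: {rule}")
```

The registry rule fires on the DelegateExecute write and again on the key deletion, so the cleanup step is itself a detection opportunity even when the elevation was missed; the ancestry walk stops on pid reuse rather than looping, which matters when replaying a day of telemetry.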

Procedure

Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)

Criteria

powershell.exe creating the file SysinternalsSuite.zip

Procedure

Spawned interactive powershell.exe

Criteria

powershell.exe spawning from powershell.exe

Procedure

Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell

Criteria

powershell.exe executing Expand-Archive

Procedure

Enumerated current running processes using PowerShell

Criteria

powershell.exe executing Get-Process

Procedure

Deleted rcs.3aka3.doc on disk using SDelete

Criteria

sdelete64.exe deleting the file rcs.3aka3.doc

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Deleted Draft.zip on disk using SDelete

Criteria

sdelete64.exe deleting the file draft.zip

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Deleted SysinternalsSuite.zip on disk using SDelete

Criteria

sdelete64.exe deleting the file SysinternalsSuite.zip

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Enumerated user's temporary directory path using PowerShell

Criteria

powershell.exe executing $env:TEMP

Procedure

Enumerated the current username using PowerShell

Criteria

powershell.exe executing $env:USERNAME

Procedure

Enumerated the computer hostname using PowerShell

Criteria

powershell.exe executing $env:COMPUTERNAME

Procedure

Enumerated the current domain name using PowerShell

Criteria

powershell.exe executing $env:USERDOMAIN

Procedure

Enumerated the current process ID using PowerShell

Criteria

powershell.exe executing $PID

Procedure

Enumerated the OS version using PowerShell

Criteria

powershell.exe executing Gwmi Win32_OperatingSystem

Procedure

Enumerated anti-virus software using PowerShell

Criteria

powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct

Procedure

Enumerated firewall software using PowerShell

Criteria

powershell.exe executing Get-WmiObject ... -Class FireWallProduct
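
Most of the criteria in this stretch (Get-ChildItem, Compress-Archive, Expand-Archive, Get-Process, the $env: variables, $PID, and the Win32_OperatingSystem, AntiVirusProduct and FireWallProduct WMI queries) reduce to matching a PowerShell command line. The following is an added example of that matching, not the vendor's rule set or anything from the evaluation: it normalises aliases and backtick splitting, decodes a -EncodedCommand argument so the patterns see the real command, and is written to generalise to the later discovery steps by adding a pattern per criterion. All command lines are constructed; the patterns are assumptions about how these cmdlets appear on a command line.

```python
import base64
import re

# Patterns keyed to the criteria on this page. Each accepts the cmdlet and its
# common aliases; matching is case-insensitive on the normalised command line.
DISCOVERY_PATTERNS = [
    ("file search: Get-ChildItem",            r"\b(get-childitem|gci|ls|dir)\b"),
    ("staging: Compress-Archive",             r"\bcompress-archive\b"),
    ("tool unpack: Expand-Archive",           r"\bexpand-archive\b"),
    ("process enumeration: Get-Process",      r"\b(get-process|gps|ps)\b"),
    ("environment: $env:TEMP/USERNAME/COMPUTERNAME/USERDOMAIN",
                                              r"\$env:(temp|username|computername|userdomain)\b"),
    ("current PID: $PID",                     r"\$pid\b"),
    ("OS version: Win32_OperatingSystem",     r"\b(get-wmiobject|gwmi|get-ciminstance)\b.*\bwin32_operatingsystem\b"),
    ("AV enumeration: AntiVirusProduct",      r"\b(get-wmiobject|gwmi|get-ciminstance)\b.*\bantivirusproduct\b"),
    ("firewall enumeration: FireWallProduct", r"\b(get-wmiobject|gwmi|get-ciminstance)\b.*\bfirewallproduct\b"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE | re.DOTALL)) for label, rx in DISCOVERY_PATTERNS]
# -e / -ec / -enc / -EncodedCommand take base64 of the UTF-16LE script text.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Decoded -EncodedCommand payload, or '' if absent or not valid base64/UTF-16LE."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def normalise(cmdline: str) -> str:
    """Strip backtick escapes (a cheap token-splitting obfuscation; this also
    removes `n-style escapes, which is acceptable for classification) and append
    any decoded -EncodedCommand payload so the patterns see the real command."""
    plain = cmdline.replace("`", "")
    decoded = decode_encoded_command(plain)
    return plain + ("\n" + decoded if decoded else "")


def classify(cmdline: str) -> list[str]:
    """Labels from DISCOVERY_PATTERNS that the command line satisfies, in list order."""
    text = normalise(cmdline)
    return [label for label, rx in COMPILED if rx.search(text)]


def classify_all(cmdlines) -> dict:
    return {c: classify(c) for c in cmdlines}


# Constructed command lines in the spirit of the steps above (not captured data).
SAMPLES = [
    r"powershell.exe gci C:\Users\Pam -Recurse -Include *.doc,*.xls,*.pdf",
    r"powershell.exe Compress-Archive -Path C:\Users\Pam\Documents -DestinationPath Draft.zip",
    "powershell.exe Expand-Archive SysinternalsSuite.zip",
    'powershell.exe "$env:USERNAME; $env:COMPUTERNAME; $env:USERDOMAIN; $PID"',
    "powershell.exe Get-WmiObject -Class AntiVirusProduct",
    "powershell.exe Get-WmiObject -Class FireWallProduct",
    "powershell.exe -enc " + base64.b64encode("gwmi Win32_OperatingSystem".encode("utf-16-le")).decode(),
    "powershell.exe G`et-Pro`cess",
    "powershell.exe Write-Host hello",
]


if __name__ == "__main__":
    for cmd, labels in classify_all(SAMPLES).items():
        print(f"{labels or ['-']} <- {cmd[:70]}")
```

The short aliases (ls, dir, ps) are noisy on an interactive workstation; in production they belong in a scored rule together with the parent process rather than as stand-alone alerts, and a command line that carries an encoded argument deserves attention on its own before any pattern matches.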

Procedure

Enumerated user's domain group membership via the NetUserGetGroups API

Criteria

powershell.exe executing the NetUserGetGroups API

Procedure

Executed API call by reflectively loading Netapi32.dll

Criteria

The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll

Procedure

Enumerated user's local group membership via the NetUserGetLocalGroups API

Criteria

powershell.exe executing the NetUserGetLocalGroups API

Procedure

Executed API call by reflectively loading Netapi32.dll

Criteria

The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll

Procedure

Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup

Criteria

powershell.exe creating the Javamtsup service

Procedure

Created a LNK file (hostui.lnk) in the Startup folder that executes on login

Criteria

powershell.exe creating the file hostui.lnk in the Startup folder

Procedure

Read the Chrome SQLite database file to extract encrypted credentials

Criteria

accesschk.exe reading files within %LOCALAPPDATA%\Google\Chrome\User Data\Default\

Procedure

Executed the CryptUnprotectData API call to decrypt Chrome passwords

Criteria

accesschk.exe executing the CryptUnprotectData API

Procedure

Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool

Criteria

Evidence that accesschk.exe is not the legitimate Sysinternals tool

Procedure

Exported a local certificate to a PFX file using PowerShell

Criteria

powershell.exe creating a certificate file exported from the system

Procedure

Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe

Criteria

powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\

Procedure

Captured and saved screenshots using PowerShell

Criteria

powershell.exe executing the CopyFromScreen function from System.Drawing.dll

Procedure

Captured clipboard contents using PowerShell

Criteria

powershell.exe executing Get-Clipboard

Procedure

Captured user keystrokes using the GetAsyncKeyState API

Criteria

powershell.exe executing the GetAsyncKeyState API

Procedure

Read data in the user's Downloads directory using PowerShell

Criteria

powershell.exe reading files in C:\Users\pam\Downloads\

Procedure

Compressed data from the user's Downloads directory into a 7-Zip archive (OfficeSupplies.7z) using PowerShell

Criteria

powershell.exe creating the file OfficeSupplies.7z

Procedure

Encrypted data from the user's Downloads directory using PowerShell

Criteria

powershell.exe executing Compress-7Zip with the password argument used for encryption

Procedure

Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell

Criteria

powershell.exe executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)

Procedure

Enumerated remote systems using LDAP queries

Criteria

powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)

Procedure

Established WinRM connection to remote host Scranton (10.0.1.4)

Criteria

Network connection to Scranton (10.0.1.4) over port 5985

Procedure

Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell

Criteria

powershell.exe executing Get-Process

Procedure

Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)

Criteria

The file python.exe created on Scranton (10.0.1.4)

Procedure

python.exe payload was packed with UPX

Criteria

Evidence that the file python.exe is packed

Procedure

Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam

Criteria

Successful logon as user Pam on Scranton (10.0.1.4)

Procedure

Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec

Criteria

SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share

Procedure

Executed python.exe using PsExec

Criteria

python.exe spawned by PSEXESVC.exe

Procedure

Dropped rar.exe to disk on remote host Scranton (10.0.1.4)

Criteria

python.exe creating the file rar.exe

Procedure

Dropped sdelete64.exe to disk on remote host Scranton (10.0.1.4)

Criteria

python.exe creating the file sdelete64.exe

Procedure

Spawned interactive powershell.exe

Criteria

powershell.exe spawning from python.exe

Procedure

Searched filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

Procedure

Scripted search of filesystem for document and media files using PowerShell

Criteria

powershell.exe executing (Get-)ChildItem

Procedure

Recursively collected files found in C:\Users\Pam\ using PowerShell

Criteria

powershell.exe reading files in C:\Users\Pam\

Procedure

Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell

Criteria

powershell.exe creating the file working.zip

Procedure

Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria

powershell.exe executing rar.exe with the -a parameter for a password to use for encryption

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria

powershell.exe executing rar.exe

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)

Criteria

python.exe reading the file working.zip while connected to the C2 channel

Procedure

Deleted rar.exe on disk using SDelete

Criteria

sdelete64.exe deleting the file rar.exe

Procedure

Deleted working.zip (from Desktop) on disk using SDelete

Criteria

sdelete64.exe deleting the file \Desktop\working.zip

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Deleted working.zip (from AppData directory) on disk using SDelete

Criteria

sdelete64.exe deleting the file \AppData\Roaming\working.zip

Footnotes

  • Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

Procedure

Deleted SDelete on disk using cmd.exe del command

Criteria

cmd.exe deleting the file sdelete64.exe

Procedure

Executed persistent service (javamtsup) on system startup

Criteria

javamtsup.exe spawning from services.exe

Procedure

Executed LNK payload (hostui.lnk) in Startup Folder on user login

Criteria

Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder

Procedure

Executed PowerShell payload via the CreateProcessWithToken API

Criteria

hostui.exe executing the CreateProcessWithToken API

Procedure

Manipulated the token of the PowerShell payload via the CreateProcessWithToken API

Criteria

hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe

Procedure

User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk

Criteria

powershell.exe spawning from explorer.exe

Procedure

Executed an alternate data stream (ADS) using PowerShell

Criteria

powershell.exe executing the schemas ADS via Get-Content and IEX

Procedure

Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_BIOS

Procedure

Enumerated computer manufacturer, model, and version information using PowerShell

Criteria

powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem

Procedure

Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_PnPEntity

Procedure

Checked that the username is not related to admin or a generic value (e.g., user) using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

Procedure

Checked that the computer is joined to a domain using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

Procedure

Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for Win32_Process

Procedure

Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell

Criteria

powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName

Procedure

Decoded an embedded DLL payload to disk using certutil.exe

Criteria

certutil.exe decoding kxwn.lock

Procedure

Established Registry Run key persistence using PowerShell

Criteria

Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Procedure

Executed PowerShell stager payload

Criteria

powershell.exe spawning from the powershell.exe that executed the schemas ADS

Procedure

Established C2 channel (192.168.0.4) via PowerShell payload over port 443

Criteria

Established network channel over port 443

Procedure

Used HTTPS to transport C2 (192.168.0.4) traffic

Criteria

Established network channel over the HTTPS protocol

Procedure

Used HTTPS to encrypt C2 (192.168.0.4) traffic

Criteria

Evidence that the network data sent over the C2 channel is encrypted

Procedure

Enumerated the System32 directory using PowerShell

Criteria

powershell.exe executing gci ((gci env:windir).Value + '\system32')

Procedure

Modified the time attributes of the kxwn.lock persistence payload using PowerShell

Criteria

powershell.exe modifying the creation, last access, and last write times of kxwn.lock

Procedure

Enumerated registered AV products using PowerShell

Criteria

powershell.exe executing a Get-WmiObject query for AntiVirusProduct

Procedure

Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell

Criteria

powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

Procedure

Enumerated installed software via the Registry (Uninstall key) using PowerShell

Criteria

powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Procedure

Enumerated the computer name using the GetComputerNameEx API

Criteria

powershell.exe executing the GetComputerNameEx API

Procedure

Enumerated the domain name using the NetWkstaGetInfo API

Criteria

powershell.exe executing the NetWkstaGetInfo API

Procedure

Enumerated the current username using the GetUserNameEx API

Criteria

powershell.exe executing the GetUserNameEx API

Procedure

Enumerated running processes using the CreateToolhelp32Snapshot API

Criteria

powershell.exe executing the CreateToolhelp32Snapshot API

Procedure

Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell

Criteria

Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command

Procedure

Executed elevated PowerShell payload

Criteria

High integrity powrshell.exe spawning from control.exe (spawned from sdclt.exe)

[1]

[2]

Procedure

Executed elevated PowerShell payload

Criteria

High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)

[1]

[2]

Procedure

Modified the Registry to remove artifacts of COM hijacking using PowerShell

Criteria

Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

[1]

[2]

Procedure

Modified the Registry to remove artifacts of COM hijacking using PowerShell

Criteria

Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

[1]

Procedure

Created and executed a WMI class using PowerShell

Criteria

WMI Process (WmiPrvSE.exe) executing powershell.exe

[1]

Procedure

Enumerated and tracked PowerShell processes using PowerShell

Criteria

powershell.exe executing Get-Process

[1]

[2]

[3]

Procedure

Enumerated and tracked PowerShell processes using PowerShell

Criteria

powershell.exe executing Get-Process

[1]

[2]

Procedure

Downloaded and dropped Mimikatz (m.exe) to disk

Criteria

powershell.exe downloading and/or the file write of m.exe

[1]

Procedure

Downloaded and dropped Mimikatz (m.exe) to disk

Criteria

powershell.exe downloading and/or the file write of m.exe

[1]

Procedure

Dumped plaintext credentials using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

[2]

[3]

[4]

Procedure

Dumped plaintext credentials using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

[2]

[3]

[4]

Procedure

Dumped plaintext credentials using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

Procedure

Encoded and wrote Mimikatz output to a WMI class property using PowerShell

Criteria

powershell.exe executing Set-WmiInstance

[1]

Procedure

Encoded and wrote Mimikatz output to a WMI class property using PowerShell

Criteria

powershell.exe executing Set-WmiInstance

[1]

[2]

[3]

Procedure

Read and decoded Mimikatz output from a WMI class property using PowerShell

Criteria

powershell.exe executing Get-WmiInstance

[1]

[2]

[3]

Procedure

Read and decoded Mimikatz output from a WMI class property using PowerShell

Criteria

powershell.exe executing Get-WmiInstance

[1]

Procedure

Enumerated logged on users using PowerShell

Criteria

powershell.exe executing $env:UserName

[1]

Procedure

Enumerated logged on users using PowerShell

Criteria

powershell.exe executing $env:UserName

[1]

[2]

Procedure

Established WMI event subscription persistence using PowerShell

Criteria

powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription

[1]

[2]

[3]

Procedure

Established WMI event subscription persistence using PowerShell

Criteria

powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription

[1]

[2]

Procedure

Established WMI event subscription persistence using PowerShell

Criteria

powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription

[1]

[2]

Procedure

Established WMI event subscription persistence using PowerShell

Criteria

powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription

[1]

[2]

Procedure

Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries

Criteria

powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll

[1]

[2]

Procedure

Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries

Criteria

powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll

[1]

Procedure

Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API

Criteria

powershell.exe executing the ConvertSidToStringSid API

[1]

[2]

[3]

Procedure

Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API

Criteria

powershell.exe executing the ConvertSidToStringSid API

[1]

Procedure

Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll

Criteria

powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll

[1]

[2]

[3]

Procedure

Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll

Criteria

powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll

[1]

Procedure

Established a WinRM connection to the domain controller host NewYork (10.0.0.4)

Criteria

Network connection to NewYork (10.0.0.4) over port 5985

[1]

[2]

Procedure

Established a WinRM connection to the domain controller host NewYork (10.0.0.4)

Criteria

Network connection to NewYork (10.0.0.4) over port 5985

[1]

Procedure

Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott

Criteria

Successful logon as user MScott on NewYork (10.0.0.4)

[1]

[2]

Procedure

Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott

Criteria

Successful logon as user MScott on NewYork (10.0.0.4)

[1]

Procedure

Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection

Criteria

File write of m.exe by the WinRM process (wsmprovhost.exe)

Procedure

Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

[2]

[3]

[4]

Procedure

Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

[2]

[3]

Procedure

Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

[2]

Procedure

Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)

Criteria

m.exe injecting into lsass.exe to dump credentials

[1]

[2]

Procedure

Dumped messages from the local Outlook inbox using PowerShell

Criteria

outlook.exe spawning from svchost.exe or powershell.exe

[1]

[2]

Procedure

Dumped messages from the local Outlook inbox using PowerShell

Criteria

outlook.exe spawning from svchost.exe or powershell.exe

[1]

Procedure

Read and collected a local file using PowerShell

Criteria

powershell.exe reading the file MITRE-ATTACK-EVALS.HTML

Procedure

Staged collected file into directory using PowerShell

Criteria

powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML

Procedure

Compressed a staging directory using PowerShell

Criteria

powershell.exe executing the ZipFile.CreateFromDirectory .NET method

[1]

[2]

Procedure

Compressed a staging directory using PowerShell

Criteria

powershell.exe executing the ZipFile.CreateFromDirectory .NET method

[1]

Procedure

Prepended the GIF file header to a compressed staging file using PowerShell

Criteria

powershell.exe executing Set-Content

[1]

[2]

Procedure

Prepended the GIF file header to a compressed staging file using PowerShell

Criteria

powershell.exe executing Set-Content

[1]

Procedure

Mapped a network drive to an online OneDrive account using PowerShell

Criteria

net.exe with command-line arguments then making a network connection to a public IP over port 443

[1]

[2]

Procedure

Mapped a network drive to an online OneDrive account using PowerShell

Criteria

net.exe with command-line arguments then making a network connection to a public IP over port 443

[1]

Procedure

Exfiltrated staged collection to an online OneDrive account using PowerShell

Criteria

powershell.exe executing Copy-Item pointing to drive mapped to an attack-controlled OneDrive account

[1]

Procedure

Exfiltrated staged collection to an online OneDrive account using PowerShell

Criteria

powershell.exe executing Copy-Item pointing to drive mapped to an attack-controlled OneDrive account

[1]

Procedure

Executed Run key persistence payload on user login using RunDll32

Criteria

rundll32.exe executing kxwn.lock

[1]

Procedure

Executed Run key persistence payload on user login using RunDll32

Criteria

rundll32.exe executing kxwn.lock

[1]

[2]

[3]

[4]

Procedure

Executed WMI persistence on user login

Criteria

The WMI process (wmiprvse.exe) executing powershell.exe

[1]

[2]

Procedure

Executed WMI persistence on user login

Criteria

The WMI process (wmiprvse.exe) executing powershell.exe

[1]

[2]

[3]

Procedure

Executed PowerShell payload from WMI event subscription persistence

Criteria

SYSTEM-level powershell.exe spawned from powershell.exe

[1]

Procedure

Created Kerberos Golden Ticket using Invoke-Mimikatz

Criteria

powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket

[1]

[2]

[3]

Procedure

Created Kerberos Golden Ticket using Invoke-Mimikatz

Criteria

powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket

[1]

Procedure

Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials

Criteria

Network connection to Scranton (10.0.1.4) over port 5985

[1]

[2]

Procedure

Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials

Criteria

Network connection to Scranton (10.0.1.4) over port 5985

[1]

Procedure

Added a new user to the remote host Scranton (10.0.1.4) using net.exe

Criteria

net.exe adding the user Toby

[1]

[2]

Procedure

Added a new user to the remote host Scranton (10.0.1.4) using net.exe

Criteria

net.exe adding the user Toby

[1]

Procedure

Added a new user to the remote host Scranton (10.0.1.4) using net.exe

Criteria

net.exe adding the user Toby

[1]

[2]