| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| | | Technique | A Technique detection named "Suspicious file launch" (Low) was generated when explorer.exe spawned winword.exe after the user opened 1-list.rtf. [1] |
| | | Tactic | A Tactic detection named "Execution" was generated when explorer.exe spawned winword.exe after the user opened 1-list.rtf. [1] |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Technique (Configuration Change (Detection Logic), Configuration Change (Data Sources)) | A Technique detection named "Office application Winword.exe loaded Visual Basic COM interface module VBE7.dll." was generated when winword.exe loaded VBE7.DLL and spawned 1-list.rtf. [1] |
| | | General | A General detection named "ASR - Block Office applications from creating executable content" was generated when wscript.exe executed unprotected.vbe. [1] |
| | | Technique | A Technique detection named "wscript.exe process was observed using "Command and Scripting Interpreter" technique" (Low) was generated when wscript.exe spawned unprotected.vbe. [1] [2] |
| | | Technique | A Technique detection named "suspicious patterns in AMSI content" was generated when patterns in AMSI content indicated suspicious script activity while wscript.exe executed unprotected.vbe. [1] |
| | | General | A General detection named "SuspAmsiScript malware was detected" (Informational) was generated when the script content of unprotected.vbe was identified as malicious. [1] |
| | | General | A General detection named "Trojan:VBS/JsExecutor.A" (Low) was generated when starter.vbs was created and identified as a malicious VBS executor of JScript. [1] |
| | | Technique | A Technique detection named "Suspicious VB activity" (Low) was generated when suspicious behavior was identified during execution of starter.vbs. [1] |
| | | Technique | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when cmd.exe spawned a suspicious child process. [1] |
| | | Tactic | A Tactic detection named "Execution" was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "Suspicious JavaScript process" (Low) was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js. [1] |
| | | General | A General detection named "Reshelva backdoor was detected" (Low) was generated when TransBaseOdbcDriver.js was identified as malware. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious system information discovery" (Low) was generated when wscript.exe made a WMI query for Win32_OperatingSystem. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious process discovery" (Low) was generated when wscript.exe made a WMI query for Win32_Process. [1] |
| | | General | A General detection named "An active 'ScreenCapture' malware was detected" (Low) was generated when screenshot__.ps1 was dropped by PowerShell and identified as a screenshot capture tool. [1] |
| | | Technique | A Technique detection named "wscript.exe created a downloaded file" was generated when wscript.exe downloaded screenshot__.ps1 from 192.168.0.4. [1] |
| | | Technique | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "Suspicious PowerShell process" (Low) was generated when cmd.exe spawned powershell.exe. [1] |
| | | Technique | A Technique detection named "Suspicious screen capture activity" (Medium) was generated when powershell.exe executed CopyFromScreen(). [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "wscript.exe created a downloaded file" was generated when wscript.exe downloaded LanCradDriver.ps1 from 192.168.0.4. [1] |
| | | General | A General detection named "Trojan:Powershell/Posdyna.B!amsi" was generated when LanCradDriver.ps1 was identified as malware. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious file downloaded" (Medium) was generated when wscript.exe downloaded LanCradDriver.ps1 from 192.168.0.4. [1] |
| | | Technique | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "Suspicious PowerShell process" (Low) was generated when cmd.exe spawned powershell.exe. [1] |
| | | Technique | A Technique detection named "Suspicious System Information Discovery" (Low) was generated when powershell.exe was used to query the Registry. [1] |
| | | Technique | A Technique detection named "powershell.exe process contains suspicious patterns in AMSI content associated with "Deobfuscate/Decode Files or Information" technique" was generated when powershell.exe executed functions associated with decrypting, decompressing, and base64-decoding data. [1] [2] |
| | | Technique | A Technique detection named "Native API" was generated when powershell.exe executed VirtualAlloc() and CreateThread(). [1] |
| | | Tactic | A Tactic detection named "powershell.exe established an outbound connection with 192.168.0.4 to commonly used port 8080 (HTTP Alternative)." was generated when powershell.exe connected to 192.168.0.4 over TCP port 8080. [1] [2] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection was generated when powershell.exe executed Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4. [1] |
| | | Technique | A Technique detection named "Suspicious LDAP query" (Medium) was generated when powershell.exe performed suspicious LDAP queries associated with enumerating remote systems within an organization. [1] |
| | | General | A General detection named "A malicious PowerShell cmdlet was invoked on the machine" (Medium) was generated when powershell.exe executed Find-LocalAdminAccess, which connected to multiple hosts over port 135 to check for access. [1] |
| | | Technique | A Technique detection named "A successful windows domain account logon by kmitnick" was generated when user kmitnick successfully logged on to bankdc (10.0.0.4). [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious file downloaded" (Medium) was generated when powershell.exe downloaded rad353F7.ps1 from 192.168.0.4. [1] |
| | | General | A General detection named "PSUACBypass malware was detected" (Informational) was generated when rad353F7.ps1 was dropped and identified as UAC bypass malware. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious file download" (Medium) was generated when powershell.exe downloaded smrs.exe from 192.168.0.4. [1] |
| | | Technique | A Technique detection named "Suspicious PowerShell process" (Low) was generated when powershell.exe executed rad353F7.ps1. [1] |
| | | Technique | A Technique detection named "Suspicious PowerShell command line" (Medium) was generated when powershell.exe was executed with suspicious command-line parameters. [1] |
| | | Technique | A Technique detection named "powershell.exe set registry value "DelegateExecute"" was generated when powershell.exe added a value to the Registry via New-Item and New-ItemProperty. [1] [2] |
| | | Technique | A Technique detection named "Suspicious "UACBypassExp" behavior was detected" (Low) was generated when the behavior of a file was associated with bypassing UAC. [1] |
| | | Technique | A Technique detection named "UAC bypass was detected" (Medium) was generated when fodhelper.exe spawned cmd.exe as a high-integrity process. [1] |
| | | Technique | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when cmd.exe executed smrs.exe. [1] |
| | | Technique | A Technique detection named "Sensitive credential memory read" (High) was generated when smrs.exe opened and read lsass.exe. [1] |
| | | Technique | A Technique detection named "Password hashes dumped from LSASS memory" (Medium) was generated when smrs.exe opened and read lsass.exe. [1] |
| | | Technique | A Technique detection named "Suspicious access to LSASS service" (Medium) was generated when smrs.exe opened and read lsass.exe. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious file downloaded" (Medium) was generated when powershell.exe downloaded pscp.exe from 192.168.0.4. [1] |
| | | General (Configuration Change (Detection Logic)) | A General detection named "Suspicious file downloaded" (Medium) was generated when powershell.exe downloaded psexec.py from 192.168.0.4. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious file downloaded" (Medium) was generated when powershell.exe downloaded plink.exe from 192.168.0.4. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious file downloaded" (Medium) was generated when powershell.exe downloaded tiny.exe from 192.168.0.4. [1] |
| | | Technique | A Technique detection named "A malicious PowerShell cmdlet was invoked on the machine" (Medium) was generated when powershell.exe executed cmd.exe with a named pipe as stdin. [1] |
| | | Technique | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when powershell.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "Suspicious connection to remote service" (Low) was generated when pscp.exe connected over SCP (port 22) to 10.0.0.7. [1] |
| | | Technique | A Technique detection named "Suspicious logon from remote device" (Low) was generated when user kmitnick logged on to bankfileserver (10.0.0.7). [1] |
| | | Technique | A Technique detection named "Suspicious privileged user logon" (Low) was generated when user kmitnick logged on to bankfileserver (10.0.0.7). [1] |
| | | Technique | A Technique detection named "Suspicious file copied or dropped" (Low) was generated when psexec.py was transferred from 10.0.0.6 to 10.0.0.7 via SCP. [1] |
| | | Technique | A Technique detection named "Suspicious file copied or dropped" (Low) was generated when runtime was transferred from 10.0.0.6 to 10.0.0.7 via SCP. [1] |
| | | Technique | A Technique detection named "Suspicious binary dropped and launched" (Low) was generated when a Linux binary (runtime) was transferred from 10.0.0.6 to 10.0.0.7 via SCP. [1] |
| | | Technique | A Technique detection named "Suspicious file dropped or copied" (Low) was generated when tiny.exe was transferred from 10.0.0.6 to 10.0.0.7 via SCP. [1] |
| | | Technique | A Technique detection named "Suspicious Windows executable on a Linux device." (Low) was generated when a Windows executable (tiny.exe) was transferred from 10.0.0.6 to 10.0.0.7 via SCP. [1] |
| | | Technique | A Technique detection named "Suspicious connection to remote service" (Low) was generated when plink.exe connected over SSH (port 22) to 10.0.0.7. [1] |
| | | Technique | A Technique detection named "Suspicious logon from remote device" (Low) was generated when user kmitnick logged on to bankfileserver (10.0.0.7). [1] |
| | | Technique | A Technique detection named "Suspicious process discovery" (Low) was generated when user kmitnick executed ps ax. [1] |
| | | Technique | A Technique detection named "bash process performed File and Directory Discovery by invoking ls" was generated when user kmitnick executed ls -lsahR /var/. [1] [2] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious process collected data from local system" (Low) was generated when user kmitnick read network-diagram-financial.xml via cat. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious process collected data from local system" (Low) was generated when user kmitnick read help-desk-ticket.txt via cat. [1] |
| | | Technique | A Technique detection named "Suspicious Remote System Discovery" (Low) was generated when user kmitnick enumerated the domain controller via nslookup. [1] |
| | | Tactic | A Tactic detection named "Discovery" was generated when user kmitnick enumerated the domain controller via nslookup. [1] |
| | | General | A General detection named "PthToolkit.D/IngressImpacket.A" (Medium) was generated when psexec.py was identified as Impacket. [1] |
| | | Technique | A Technique detection named "Pass-the-Hash activity detected" (Medium) was generated when psexec.py created a logon to 10.0.0.4 as user kmitnick. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Non-standard authentication with possibly stolen credentials" (High) was generated when credential theft occurred in close proximity to an attempt to validate credentials without going through a standard authentication process. [1] [2] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Possible pass-the-hash authentication" (High) was generated when an authentication attempt for a remote connection indicated use of Pass the Hash. [1] |
| | | Technique | A Technique detection named "python3.6 communicated over SMB" was generated when psexec.py connected to SMB shares on 10.0.0.4. [1] [2] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote command launched" (Medium) was generated when a remote command was executed from a Linux device (10.0.0.7) against a Windows device (10.0.0.4). [1] |
| | | General | A General detection named "SusSvcRemoteDroppedExe" (Low) was generated when a remotely registered service was used to drop a service executable. [1] |
| | | General | A General detection named "'RemoteExec' malware detected" (Informational) was generated when the service executable in C:\Windows\ was identified as remote execution malware. [1] |
| | | Technique | A Technique detection named "Suspicious remote activity" (Medium) was generated when a suspicious service was executed remotely. [1] |
| | | Technique | A Technique detection named "Suspicious service launched" (Medium) was generated when a suspicious service was executed by services.exe. [1] |
| | | Technique | A Technique detection named "File dropped and launched from remote location" (Medium) was generated when tiny.exe was dropped and executed from a remote location. [1] |
| | | Tactic | A Tactic detection named "Execution" was generated when cmd.exe spawned tiny.exe. [1] |
| | | Technique | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when cmd.exe spawned tiny.exe. [1] |
| | | Tactic | A Tactic detection named "Reflective DLL loading detected" (Medium) was generated when tiny.exe performed suspicious memory allocations that indicated a DLL was reflectively loaded. [1] |
| | | General | A General detection named "Win32/Meterpreter.gen!A" was generated when the behavior of tiny.exe was identified as Meterpreter. [1] |
| | | Tactic | A Tactic detection named "DefenseEvasion" was generated when anomalous memory allocation was identified in the process memory of tiny.exe. [1] |
| | | Technique | A Technique detection named "Suspicious User Account Discovery" (Low) was generated when PowerShell executed Get-ADComputer. [1] |
| | | Technique | A Technique detection named "Account Discovery" was generated when PowerShell executed Get-NetUser. [1] [2] |
| | | General | A General detection named "PowerShell/PowerView.A" was generated when PowerView was identified in memory. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious file downloaded" (Medium) was generated when tiny.exe downloaded plink.exe from 192.168.0.4. [1] |
| | | Technique | A Technique detection named "Suspicious process launched using cmd.exe" (Low) was generated when tiny.exe spawned cmd.exe. [1] |
| | | Tactic | A Tactic detection named "Execution" was generated when tiny.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "A malicious PowerShell cmdlet was invoked on the machine" (Medium) was generated when tiny.exe spawned cmd.exe with a named pipe as stdin. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "A successful windows domain account logon by kmitnick" was generated when user kmitnick logged on to bankdc (10.0.0.4). [1] |
| | | Technique | A Technique detection named "Sucessful inbound RDP connection from ::1" was generated when an RDP session was established from the localhost over TCP port 3389. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious System Owner/User Discovery" was generated when powershell.exe executed qwinsta /server:cfo. [1] |
| | | Technique | A Technique detection named "A successful windows domain account logon by kmitnick from 10.0.0.4" was generated when user kmitnick logged on to cfo (10.0.0.5). [1] |
| | | Technique | A Technique detection named "kmitnick connected to the device through a Remote Desktop session" was generated when user kmitnick logged on to cfo (10.0.0.5) using RDP. [1] |
| | | Technique | A Technique detection named "mstsc.exe established an outbound connection" was generated when an RDP session was established from 10.0.0.4 to 10.0.0.5 over TCP port 3389. [1] |
| | | Technique | A Technique detection named "Successful inbound RDP connection" was generated when an RDP session was established from 10.0.0.4 to 10.0.0.5 over TCP port 3389. [1] |
| | | Technique | A Technique detection named "kmitnick connected to the device through a Remote Desktop session" was generated when an RDP session was established by user kmitnick. [1] |
| | | General | A General detection named "An active "Meterpreter" hacktool was detected" (Medium) was generated when Java-Update.exe was identified as Meterpreter. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Anomaly detected in ASEP registry" (Medium) was generated when the Java-Update subkey added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run was identified as a Registry run key Autostart Extensibility Point (ASEP). [1] |
| | | Technique | A Technique detection named "Suspicious VB activity" (Low) was generated when wscript.exe spawned Java-Update.exe. [1] |
| | | General | A General detection named "Suspicious file or command launched from registry run keys" (Low) was generated when a Registry run key caused wscript.exe to execute Java-Update.vbs, which then spawned Java-Update.exe. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious file downloaded" was generated when Java-Update.exe downloaded DefenderUpgradeExec.exe from 192.168.0.4. [1] |
| | | Technique | A Technique detection named "Possible keylogging activity" (High) was generated when DefenderUpgradeExec.exe called the SetWindowsHookEx API. [1] |
| | | Tactic | A Tactic detection named "Collection" was generated when DefenderUpgradeExec.exe created a system hook. [1] |
| | | Technique | A Technique detection named "Portable Executable Injection" was generated when Java-Update.exe injected into explorer.exe with CreateRemoteThread. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "explorer.exe is attempting to take a screenshot using BitBlt API" was generated when explorer.exe executed the BitBlt API. [1] [2] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Suspicious file downloaded" (Medium) was generated when explorer.exe downloaded infosMin48.exe from 192.168.0.4. [1] |
| | | General | A General detection named "explorer.exe created a PE file with mismatching original PE name" was generated when explorer.exe created infosMin48.exe, whose name did not match its original file name (webCreds.exe). [1] |
| | | Technique | A Technique detection named "queried a unique vault credential from the Credential Manager" was generated when infosMin48.exe accessed a stored GitHub web credential from the Credential Manager. [1] |
| | | Technique | A Technique detection named "enumerated vault credentials from the Credential Manager." was generated when infosMin48.exe accessed the Credential Manager. [1] |
| | | Technique | A Technique detection named "Suspicious NetShFirewallRule behavior was detected" (Low) was generated when netsh.exe added a 'Service Host' rule to allow TCP port 5900 inbound. [1] [2] |
| | | Technique | A Technique detection named "Suspicious RemoteAccessToolInRunKey was detected" (Low) was generated when remote access software was added as a Registry run key. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "tvnserver.exe established inbound connection" was generated when tvnserver.exe accepted a connection from 192.168.0.4 over TCP port 5900. [1] [2] |