Micro Focus: Results
Participant Configuration:  Carbanak+FIN7

MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
 

Criteria

explorer.exe spawns winword.exe when user clicks 1-list.rtf

Criteria

winword.exe loads VBE7.DLL

Data Sources

  • Process Monitoring
  • DLL Monitoring

Criteria

wscript.exe executes unprotected.vbe

Data Sources

  • Process Monitoring

Criteria

wscript.exe executes unprotected.vbe

Data Sources

  • Process Monitoring

Criteria

wscript.exe executes unprotected.vbe

Data Sources

  • Process Monitoring

Criteria

wscript.exe executes unprotected.vbe

Data Sources

  • Process Monitoring

Criteria

unprotected.vbe is an encoded file

Criteria

wscript.exe decodes content and creates starter.vbs

Data Sources

  • Process Monitoring
  • File Monitoring

Criteria

wscript.exe decodes content and creates TransBaseOdbcDriver.js

Criteria

wscript.exe executes starter.vbs

Data Sources

  • Process Monitoring

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js

Data Sources

  • Process Monitoring

Criteria

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

wscript.exe makes WMI queries for Win32_Processor & Win32_OperatingSystem

Criteria

wscript.exe makes a WMI query for Win32_Process

Criteria

wscript.exe downloads screenshot__.ps1 from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Script Logs

Criteria

wscript.exe reads and uploads screenshot__.png to 192.168.0.4

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns reg.exe to add a value under HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer

Data Sources

  • Windows Registry
  • Process Monitoring

Criteria

Value added to Registry is base64 encoded

Data Sources

  • Process Monitoring
  • Windows Registry

Criteria

wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

wscript.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe reads HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty

Data Sources

  • Script Logs

Criteria

powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode

Data Sources

  • Script Logs

Criteria

powershell.exe executes the shellcode from the Registry by calling the CreateThread() API

Data Sources

  • Script Logs

Criteria

powershell.exe executes the shellcode from the Registry by calling the CreateThread() API

Data Sources

  • Script Logs

Criteria

powershell.exe transmits data to 192.168.0.4 over TCP

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

powershell.exe calls the FindFirstFileW() and FindNextFileW() APIs

Criteria

powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4

Criteria

powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access

Data Sources

  • Process Monitoring
  • Script Logs
  • Network Monitoring

Criteria

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Data Sources

  • Windows Event Logs

Criteria

powershell.exe downloads rad353F7.ps1 from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring

Criteria

powershell.exe downloads smrs.exe from 192.168.0.4

Data Sources

  • Network Monitoring
  • File Monitoring
  • Process Monitoring

Criteria

powershell.exe executes rad353F7.ps1

Data Sources

  • Process Monitoring

Criteria

powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Criteria

cmd.exe spawns smrs.exe

Data Sources

  • Process Monitoring
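
The fodhelper UAC bypass in the sub-steps above has two observable halves: the handler written under HKCU:\Software\Classes\ms-settings\shell\open\command, and fodhelper.exe then spawning a child. The following is an added example, not part of the MITRE Engenuity results or of the Micro Focus product: Python that correlates the two over Sysmon-style registry (Event ID 12/13) and process-create (Event ID 1) records. Because the note above says the operator's process was already high integrity in this environment, the example reports the child's integrity level but does not require it to be High. The event field names follow Sysmon; the sample events, the SID and the time window are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Sysmon-style events: Event ID 13 = registry value set, 12 = key created,
# 1 = process create. Sysmon records HKCU as HKU\<user SID>, so both are matched.
MS_SETTINGS_HANDLER = re.compile(
    r"^(HKCU|HKU\\[^\\]+)\\Software\\Classes\\ms-settings\\shell\\open\\command", re.I)


def _when(event: Dict) -> datetime:
    return datetime.fromisoformat(event["UtcTime"])


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_fodhelper_bypass(events: List[Dict], window_s: int = 300) -> List[Dict]:
    """Flag both halves of the bypass. The child alert names the process that
    staged the ms-settings handler within window_s seconds, or None."""
    alerts: List[Dict] = []
    staged: List[Dict] = []
    for event in sorted(events, key=_when):
        if event["EventID"] in (12, 13) and MS_SETTINGS_HANDLER.search(event["TargetObject"]):
            staged.append(event)
            alerts.append({
                "rule": "ms_settings_handler_staged",
                "time": event["UtcTime"],
                "writer": _basename(event["Image"]),
                "target": event["TargetObject"],
                "value": event.get("Details", ""),
            })
        elif event["EventID"] == 1 and _basename(event["ParentImage"]) == "fodhelper.exe":
            recent = [s for s in staged if _when(event) - _when(s) <= timedelta(seconds=window_s)]
            alerts.append({
                "rule": "fodhelper_spawned_child",
                "time": event["UtcTime"],
                "child": _basename(event["Image"]),
                # Reported, not required: in this environment the operator's
                # process was already High, so the level alone is no signal.
                "integrity": event.get("IntegrityLevel"),
                "staged_by": _basename(recent[-1]["Image"]) if recent else None,
            })
    return alerts


# Constructed sample: PowerShell stages the handler, fodhelper.exe launches
# cmd.exe three seconds later; the last two events are benign noise.
SID = r"S-1-5-21-1004336348-1177238915-682003330-1001"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2021-04-20 14:03:11", "Image": PS,
     "TargetObject": "HKU\\" + SID + r"\Software\Classes\ms-settings\shell\open\command\DelegateExecute",
     "Details": "(Empty)"},
    {"EventID": 13, "UtcTime": "2021-04-20 14:03:12", "Image": PS,
     "TargetObject": "HKU\\" + SID + r"\Software\Classes\ms-settings\shell\open\command\(Default)",
     "Details": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "UtcTime": "2021-04-20 14:03:14", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "UtcTime": "2021-04-20 14:10:00", "Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "High"},
    {"EventID": 13, "UtcTime": "2021-04-20 14:11:00", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Classes\.txt\OpenWithProgids\txtfile",
     "Details": "(Empty)"},
]

if __name__ == "__main__":
    for alert in detect_fodhelper_bypass(SAMPLE_EVENTS):
        print(alert)
```

A user opening Optional Features (explorer.exe launching fodhelper.exe) produces no alert; only fodhelper.exe acting as a parent does, and the staged-handler alert on its own is already worth a ticket since nothing legitimate writes that key.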

Criteria

smrs.exe opens and reads lsass.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe downloads pscp.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring

Criteria

powershell.exe downloads psexec.py from 192.168.0.4

Criteria

powershell.exe downloads runtime from 192.168.0.4

Criteria

powershell.exe downloads plink.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring

Criteria

powershell.exe downloads tiny.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

Pscp.exe connects over SCP (port 22) to 10.0.0.7

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

User kmitnick logs on to bankfileserver (10.0.0.7)

Data Sources

  • Authentication Logs

Criteria

Pscp.exe copies psexec.py to 10.0.0.7

Data Sources

  • Process Monitoring

Criteria

Pscp.exe copies runtime to 10.0.0.7

Data Sources

  • Process Monitoring

Criteria

Pscp.exe copies tiny.exe to 10.0.0.7

Data Sources

  • Process Monitoring

Criteria

plink.exe connects over SSH (port 22) to 10.0.0.7

Data Sources

  • Network Monitoring
  • Process Monitoring

Criteria

User kmitnick logs on to bankfileserver (10.0.0.7)

Data Sources

  • Authentication Logs

Criteria

User kmitnick executes ps ax

Data Sources

  • Process Monitoring

Criteria

User kmitnick executes ps ax

Data Sources

  • Process Monitoring

Criteria

User kmitnick executes ls -lsahR /var/

Data Sources

  • Process Monitoring

Criteria

User kmitnick reads network-diagram-financial.xml via cat

Data Sources

  • Process Monitoring

Criteria

User kmitnick reads help-desk-ticket.txt via cat

Data Sources

  • Process Monitoring

Criteria

User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)

Data Sources

  • Process Monitoring

Criteria

User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)

Data Sources

  • Process Monitoring

Criteria

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Data Sources

  • Process Monitoring

Criteria

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Data Sources

  • Windows Event Logs

Criteria

psexec.py connects to SMB shares on 10.0.0.4

Data Sources

  • Windows Event Logs

Criteria

cmd.exe spawns from a service executable in C:\Windows\

Data Sources

  • Process Monitoring

Criteria

tiny.exe is created on 10.0.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

cmd.exe spawns tiny.exe

Data Sources

  • Process Monitoring

Criteria

tiny.exe loads shellcode from network connection into memory

Criteria

tiny.exe loads system.management.automation.dll

Criteria

PowerShell executes Get-ADComputer

Data Sources

  • Script Logs

Criteria

PowerShell executes Get-NetUser

Data Sources

  • Script Logs
  • Process Monitoring

Criteria

tiny.exe downloads plink.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

tiny.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

plink.exe transmits data to 192.168.0.4 over SSH protocol

Criteria

User kmitnick logs on to bankdc (10.0.0.4)

Data Sources

  • Windows Event Logs

Criteria

RDP session from the localhost over TCP port 3389

Data Sources

  • Windows Event Logs

Footnotes

  • Increased collection on localhost network activity

Criteria

powershell.exe executes qwinsta /server:cfo

Data Sources

  • Process Monitoring

Criteria

User kmitnick logs on to cfo (10.0.0.5)

Data Sources

  • Windows Event Logs

Criteria

RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389

Data Sources

  • Windows Event Logs

Criteria

RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389

Data Sources

  • Windows Event Logs

Criteria

scp.exe downloads Java-Update.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring

Criteria

dir lists the contents of C:\Users\Public

Criteria

cmd.exe downloads Java-Update.vbs from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Data Sources

  • Process Monitoring

Criteria

wscript.exe spawns Java-Update.exe

Data Sources

  • Process Monitoring

Criteria

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

Java-Update.exe downloads DefenderUpgradeExec.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Criteria

Java-Update.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

Java-Update.exe injects into explorer.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Criteria

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Criteria

explorer.exe reads C:\Users\jsmith\AppData\Local\Temp\Klog2.txt and uploads it to 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

explorer.exe downloads infosMin48.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll

Criteria

powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\

Data Sources

  • Process Monitoring

Criteria

explorer.exe downloads tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring

Criteria

explorer.exe downloads vnc-settings.reg from 192.168.0.4

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring

Criteria

netsh adds Service Host rule for TCP port 5900

Criteria

msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Data Sources

  • Windows Registry
  • Process Monitoring

Criteria

Addition of subkeys in HKLM\Software\TightVNC\Server

Criteria

Deletion of the Java-Update subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Data Sources

  • Windows Registry
  • Process Monitoring

Criteria

tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

explorer.exe spawns winword.exe when user clicks 2-list.rtf

Data Sources

  • Process Monitoring

Criteria

2-list.rtf contains an embedded lnk payload that is dropped to disk

Data Sources

  • Process Monitoring
  • File Monitoring

Criteria

winword.exe spawns mshta.exe

Data Sources

  • Process Monitoring

Criteria

winword.exe spawns mshta.exe

Data Sources

  • Process Monitoring

Criteria

winword.exe spawns mshta.exe

Data Sources

  • Process Monitoring

Criteria

mshta.exe executes an embedded VBScript payload

Data Sources

  • Process Monitoring

Criteria

mshta.exe assembles text embedded within 2-list.rtf into a JS payload

Criteria

mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe

Data Sources

  • Process Monitoring

Footnotes

  • Delayed results due to detection triggering on subsequent execution step

Criteria

winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL

Data Sources

  • Process Monitoring

Criteria

winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL

Data Sources

  • Process Monitoring
  • DLL Monitoring

Criteria

mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes

Data Sources

  • Windows Registry

Criteria

svchost.exe (-s Schedule) spawns Adb156.exe

Data Sources

  • Process Monitoring

Criteria

Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript

Data Sources

  • Process Monitoring
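
Three of the Process Monitoring detections in this stage hinge on parent/child relationships alone: winword.exe spawning mshta.exe, mshta.exe copying wscript.exe to Adb156.exe, and the Schedule service (svchost.exe -s Schedule) spawning that renamed copy. The following is an added example, not part of the MITRE Engenuity results or of the Micro Focus product: Python that applies three such rules to Sysmon-style Event ID 1 records. The renamed-host rule relies on Sysmon's OriginalFileName field, which is taken from the binary's version resource and therefore survives a rename. Field names follow Sysmon; the sample events and the user-writable path list are constructed.

```python
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Directories an unprivileged user can write to (this example's own list).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate_process_events(events: List[Dict]) -> List[Dict]:
    """Apply three parent/child rules to Sysmon Event ID 1 records."""
    alerts: List[Dict] = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image = _basename(ev["Image"])
        parent = _basename(ev["ParentImage"])
        # OriginalFileName comes from the PE version resource, so a renamed
        # copy of a script host still reports its real name here.
        original = ev.get("OriginalFileName", "").lower()
        effective = original or image
        found = []
        if original and original in SCRIPT_HOSTS and original != image:
            found.append("renamed_script_host")
        if parent in OFFICE_APPS and effective in SCRIPT_HOSTS:
            found.append("office_spawns_script_host")
        if (parent == "svchost.exe"
                and "-s schedule" in ev.get("ParentCommandLine", "").lower()
                and any(marker in ev["Image"].lower() for marker in USER_WRITABLE)):
            found.append("scheduler_runs_user_writable_binary")
        for rule in found:
            alerts.append({"rule": rule, "image": image, "parent": parent,
                           "original": original or None})
    return alerts


# Constructed sample in the shape of the sub-steps above. verclsid.exe is a
# normal Word child and stays quiet; MusNotification.exe is a stock scheduled task.
SCHEDULE_SVC = r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\verclsid.exe", "OriginalFileName": "verclsid.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Users\jsmith\AppData\Local\Temp\Adb156.exe",
     "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": SCHEDULE_SVC},
    {"EventID": 1, "Image": r"C:\Windows\System32\MusNotification.exe",
     "OriginalFileName": "MusNotification.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": SCHEDULE_SVC},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in evaluate_process_events(SAMPLE_EVENTS):
        print(alert)
```

The Adb156.exe event fires two rules at once (renamed script host, scheduler launching from a user-writable path), which is the kind of overlap that lets the later sub-steps (sql-rat.js, the WMI queries) be attributed back to the phishing document.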

Criteria

Adb156.exe transmits data to 192.168.0.6 via MSSQL transactions

Criteria

Adb156.exe makes a WMI query for Win32_NetworkAdapterConfiguration

Data Sources

  • File Monitoring

Footnotes

  • Increased collection of WMI activity

Criteria

Adb156.exe makes a WMI query for Win32_LogicalDisk

Data Sources

  • File Monitoring

Footnotes

  • Increased collection of WMI activity

Criteria

Adb156.exe downloads stager.ps1 from 192.168.0.6

Criteria

Adb156.exe makes a WMI query for Win32_Process

Data Sources

  • File Monitoring

Footnotes

  • Increased collection of WMI activity

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe executes net view

Data Sources

  • Process Monitoring

Criteria

Adb156.exe makes a WMI query for Win32_BIOS

Data Sources

  • File Monitoring

Footnotes

  • Increased collection of WMI activity

Criteria

Adb156.exe queries the USERNAME environment variable

Criteria

Adb156.exe queries the COMPUTERNAME environment variable

Criteria

Adb156.exe makes a WMI query for Win32_ComputerSystem

Criteria

Adb156.exe makes a WMI query for Win32_OperatingSystem

Criteria

Adb156.exe downloads takeScreenshot.ps1 from 192.168.0.6 via MSSQL transactions

Data Sources

  • Process Monitoring
  • File Monitoring
  • Network Monitoring

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe executes CopyFromScreen()

Data Sources

  • Script Logs

Criteria

Adb156.exe reads and uploads image.png to 192.168.0.6 via MSSQL transactions

Criteria

Adb156.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

cmd.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe decodes an embedded DLL payload

Data Sources

  • Script Logs

Criteria

powershell.exe executes the decoded payload using Invoke-Expression (IEX)

Data Sources

  • Script Logs

Criteria

powershell.exe loads shellcode from network connection into memory

Criteria

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

powershell.exe calls the CreateToolhelp32Snapshot() API

Criteria

powershell.exe downloads samcat.exe from 192.168.0.4

Criteria

powershell.exe downloads uac-samcats.ps1 from 192.168.0.4

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Data Sources

  • Process Monitoring
  • Windows Event Logs

Criteria

samcat.exe opens and reads the SAM via LSASS

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

powershell.exe calls the GetIpNetTable() API

Criteria

powershell.exe spawns nslookup.exe, which queries the DC (10.0.1.4) over DNS (port 53)

Data Sources

  • Process Monitoring

Criteria

powershell.exe downloads paexec.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Network Monitoring
  • Process Monitoring

Criteria

powershell.exe downloads hollow.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring

Criteria

powershell.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

User kmitnick logs on to itadmin (10.0.1.6)

Data Sources

  • Windows Event Logs

Criteria

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed

Data Sources

  • Windows Event Logs

Criteria

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed

Data Sources

  • Network Monitoring

Criteria

Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe

Data Sources

  • Windows Event Logs

Criteria

hollow.exe spawns svchost.exe and unmaps its memory image via NtUnmapViewOfSection

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Footnotes

  • Increased API call collection and enrichment from added sensor/tool

Criteria

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Data Sources

  • Process Monitoring
  • Network Monitoring

Criteria

svchost.exe downloads srrstr.dll from 192.168.0.4 (port 443)

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

srrstr.dll is not the legitimate Windows System Protection Configuration Library

Criteria

svchost.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

svchost.exe spawns cmd.exe

Data Sources

  • Process Monitoring

Criteria

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

svchost.exe injects into explorer.exe with CreateRemoteThread

Criteria

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Criteria

explorer.exe injects into mstsc.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

explorer.exe injects into mstsc.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

Criteria

User kmitnick logs on to accounting (10.0.1.7)

Data Sources

  • Windows Event Logs

Criteria

RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389

Data Sources

  • Windows Event Logs
  • Process Monitoring

Criteria

RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389

Data Sources

  • Process Monitoring
  • Windows Event Logs

Criteria

itadmin (10.0.1.6) is relaying RDP traffic from attacker infrastructure

Data Sources

  • Windows Event Logs

Criteria

powershell.exe spawns powershell.exe

Data Sources

  • Process Monitoring

Criteria

powershell.exe executes base64 encoded commands

Data Sources

  • Process Monitoring

Criteria

powershell.exe downloads dll329.dll from 192.168.0.4

Data Sources

  • Network Monitoring
  • Process Monitoring
  • File Monitoring

Criteria

powershell.exe downloads dll329.dll from 192.168.0.4

Data Sources

  • Process Monitoring

Criteria

powershell.exe downloads sdbE376.tmp from 192.168.0.4

Data Sources

  • Process Monitoring

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • File Monitoring
  • Process Monitoring

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • Process Monitoring

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • Windows Registry

Criteria

sdbinst.exe installs sdbE376.tmp shim

Data Sources

  • File Monitoring
  • Process Monitoring

Criteria

AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll
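
The shim persistence above is visible from two angles: sdbinst.exe being run against a database that is not a .sdb file in a vendor location (sdbE376.tmp), and the registrations sdbinst.exe writes under HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags, which tell you which application (AccountingIQ.exe) the shim is bound to. The following is an added example, not part of the MITRE Engenuity results or of the Micro Focus product: Python that joins the two over Sysmon-style Event ID 1 and Event ID 13 records. It assumes the standard AppCompat registry layout (InstalledSDB\{GUID}\DatabasePath for the installed database, Custom\<application>\{GUID}.sdb for the binding); the sample events, GUID and paths are constructed.

```python
import re
import shlex
from typing import Dict, List

# Registry layout sdbinst.exe writes when it installs a custom shim database
# (standard AppCompat layout; the sub-step above names the InstalledSDB key).
INSTALLED_SDB = re.compile(
    r"AppCompatFlags\\InstalledSDB\\(?P<guid>\{[0-9a-f-]+\})\\(?P<value>[^\\]+)$", re.I)
CUSTOM_SHIM = re.compile(
    r"AppCompatFlags\\Custom\\(?P<app>[^\\]+)\\(?P<guid>\{[0-9a-f-]+\})\.sdb$", re.I)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _database_argument(command_line: str) -> str:
    """The last token of an sdbinst command line is the database file.
    posix=False keeps Windows backslashes and quoted paths intact."""
    return shlex.split(command_line, posix=False)[-1].strip('"')


def detect_shim_install(events: List[Dict]) -> Dict:
    alerts: List[Dict] = []
    installed: Dict[str, str] = {}   # guid -> DatabasePath value
    custom: Dict[str, str] = {}      # shimmed application -> guid
    for ev in events:
        if ev["EventID"] == 1 and _basename(ev["Image"]) == "sdbinst.exe":
            db = _database_argument(ev["CommandLine"])
            if not db.lower().endswith(".sdb") or any(m in db.lower() for m in USER_WRITABLE):
                alerts.append({"rule": "sdbinst_nonstandard_database", "database": db,
                               "parent": _basename(ev["ParentImage"])})
        elif ev["EventID"] == 13:
            target = ev["TargetObject"]
            m = INSTALLED_SDB.search(target)
            if m and m.group("value").lower() == "databasepath":
                installed[m.group("guid").lower()] = ev["Details"]
            m = CUSTOM_SHIM.search(target)
            if m:
                custom[m.group("app").lower()] = m.group("guid").lower()
    # Resolve each bound application to the database it will load at launch.
    shimmed = {app: installed.get(guid, guid) for app, guid in custom.items()}
    for app, db in shimmed.items():
        alerts.append({"rule": "shim_registered_for_app", "app": app, "database": db})
    return {"alerts": alerts, "shimmed_apps": shimmed}


# Constructed sample: the .tmp database installed from the user's Temp folder,
# its registration, its binding to AccountingIQ.exe, and one benign vendor install.
GUID = "{7d1a0a3e-4f2b-4c77-9b3e-0a1b2c3d4e5f}"
APPCOMPAT = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\sdbinst.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"sdbinst.exe -q C:\Users\jsmith\AppData\Local\Temp\sdbE376.tmp"},
    {"EventID": 13, "Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetObject": APPCOMPAT + "\\InstalledSDB\\" + GUID + "\\DatabasePath",
     "Details": "C:\\Windows\\AppPatch\\Custom\\" + GUID + ".sdb"},
    {"EventID": 13, "Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetObject": APPCOMPAT + "\\Custom\\AccountingIQ.exe\\" + GUID + ".sdb",
     "Details": "QWORD (0x01d73600-0x1a2b3c4d)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sdbinst.exe",
     "ParentImage": r"C:\Program Files\VendorApp\setup.exe",
     "CommandLine": r'sdbinst.exe -q "C:\Program Files\VendorApp\compat.sdb"'},
]

if __name__ == "__main__":
    print(detect_shim_install(SAMPLE_EVENTS))
```

The vendor install (a .sdb under Program Files with no Custom binding to a business application) produces nothing, while the Temp-sourced .tmp database plus its binding to AccountingIQ.exe gives an analyst both the loader and the target in one result, which is what the later dll329.dll load and SyncHost.exe injection need to be tied back to.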

Criteria

AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread

Data Sources

  • Process Monitoring
  • System Calls/API Monitoring

Footnotes

  • Increased API call collection and enrichment from added sensor/tool

Criteria

AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread

Data Sources

  • System Calls/API Monitoring
  • Process Monitoring

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Criteria

rundll32.exe downloads debug.exe from 192.168.0.4

Data Sources

  • Process Monitoring
  • Network Monitoring
  • File Monitoring

Criteria

debug.exe calls the CreateToolhelp32Snapshot API

Criteria

rundll32.exe downloads 7za.exe from 192.168.0.4

Data Sources

  • File Monitoring
  • Process Monitoring
  • Network Monitoring

Criteria

7za.exe creates C:\Users\Public\log.7z

Data Sources

  • File Monitoring
  • Process Monitoring

Criteria

7za.exe creates C:\Users\Public\log.7z

Data Sources

  • Process Monitoring
  • File Monitoring

Criteria

rundll32.exe reads and uploads log.7z to 192.168.0.4