| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| | | | A Specific Behavior alert was generated for PowerShell executing a long, encoded command.<br>The capability enriched wscript.exe executing powershell.exe with a tag indicating that wscript executed code.<br>Telemetry showed wscript.exe executing autoupdate.vbs and subsequently powershell.exe. |
| | | | Telemetry showed a network connection over port 443 to www.freegoogleadsenseinfo.com (C2 domain). |
| | | | Telemetry showed powershell.exe making a connection over port 443 to freegoogleadsenseinfo.com (C2 domain). |
| | | | A Specific Behavior alert was generated for PowerShell downloading a significant amount of data using HTTP(S). |
| | | | A General Behavior alert was generated showing that a spawned process (route) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>The capability enriched route.exe indicating that it could be used to print the routing table as part of reconnaissance.<br>Telemetry showed powershell.exe executing route.exe with command-line arguments. |
| | | | A General Behavior alert was generated showing that a spawned process (ipconfig) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>The capability identified powershell.exe executing ipconfig.exe with a tag identifying the command as enumeration.<br>Telemetry showed ipconfig.exe with command-line arguments. |
| | | | A General Behavior alert was generated showing that a spawned process (whoami) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>The capability enriched powershell.exe executing whoami.exe indicating a sign of reconnaissance before privilege escalation.<br>Telemetry showed powershell.exe executing whoami.exe with command-line arguments. |
| | | | A General Behavior alert was generated showing that a spawned process (qprocess) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>The capability enriched qprocess.exe as listing running processes and possibly a sign of reconnaissance.<br>Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. |
| | | | A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of user information. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of AD group memberships. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of password policy information. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of recently opened files. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of interesting files. |
| | | | An Indicator of Compromise alert was generated for PowerShell Empire accessing the clipboard.<br>Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of clipboard contents. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of system information. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of Windows update information. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of system information via a Registry query. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of services. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of available shares. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of mapped network drives. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of AV solutions. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of firewall rules. |
| | | | The capability enriched powershell.exe making a WMI query with a tag identifying the command as WMI enumerating adapters.<br>Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of network adapters. |
| | | | Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of established network connections. |
| | | | A General Behavior alert was generated showing that a spawned process (net.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| | | | A General Behavior alert was generated showing that a spawned process (net1.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| | | | A General Behavior alert was generated showing that a spawned process (net.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| | | | A General Behavior alert was generated showing that a spawned process (net.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| | | | A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| | | | A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| | | | A General Behavior alert was generated showing that a spawned process (netstat) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed powershell.exe executing netstat.exe with command-line arguments. |
| | | | The capability enriched reg.exe indicating that a sensitive registry key was accessed for potential reconnaissance.<br>Telemetry showed powershell.exe executing reg.exe with command-line arguments. |
| | | | A General Behavior alert was generated for a possible PowerShell privilege escalation based on the elevation of a child process from a non-elevated parent.<br>Telemetry showed an elevated PowerShell spawned under the context of user Bob from an unelevated parent process. |
| | | | A Specific Behavior alert was generated for PowerShell downloading a significant amount of data using HTTP(S).<br>Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass. |
| | | | Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass. |
| | | | Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass. |
| | | | The capability enriched powershell.exe with a tag indicating .NET keylogging.<br>Telemetry showed powershell.exe executing the GetAsyncKeyState method, indicating keylogging. |
| | | | Telemetry showed powershell.exe executing the GetForegroundWindow method. |
| | | | Telemetry showed powershell.exe executing the Get-Content cmdlet on IT_tasks.txt. |
| | | | The capability enriched multiple occurrences of net.exe usage as indicative of brute forcing a remote system, as well as the correct ATT&CK Technique ID (Brute Force).<br>Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying. |
| | | | Specific Behavior alerts were generated for net.exe connecting to a remote administrative share.<br>A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe with command-line arguments. |
| | | | Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick. Telemetry also showed a logon event for user Kmitnick on Conficker (10.0.0.5). |
| | | | Specific Behavior alerts were generated for net.exe connecting to a remote administrative share.<br>A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe with command-line arguments. |
| | | | The capability enriched multiple occurrences of net.exe usage as indicative of brute forcing a remote system, as well as the correct ATT&CK Technique ID (Brute Force).<br>Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick. |
| | | | A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed powershell.exe executing net.exe with command-line arguments. |
| | | | A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. |
| | | | The capability enriched the net.exe connection using valid credentials of Kmitnick with an alert for possible lateral movement.<br>Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. Telemetry also showed a logon event for user Kmitnick on Creeper (10.0.0.4). |
| | | | Telemetry showed the file creation of autoupdate.vbs. |
| | | | A General Behavior alert was generated showing that a spawned process (cmd.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed cmd.exe executing autoupdate.vbs through wscript.exe, and the associated user context change between user Bob and user Kmitnick. |
| | | | Telemetry showed the file creation of update.vbs. |
| | | | A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed powershell.exe executing sc.exe with command-line arguments. |
| | | | A Specific Behavior alert was generated for sc.exe used with parameters typical for lateral movement.<br>A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed sc.exe execution with command-line arguments. |
| | | | A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry within the process trees showed execution of sc.exe with command-line arguments to create the AdobeUpdater service with binPath pointed to cmd.exe with arguments to execute update.vbs, and a suspicious service description, which could indicate masquerading. |
| | | | A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed sc.exe execution with command-line arguments. |
| | | | Telemetry showed powershell.exe executing the type command with command-line arguments. |
| | | | A Specific Behavior alert was generated for sc.exe used with parameters typical for lateral movement.<br>A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed sc.exe execution with command-line arguments. |
| | | | Telemetry showed reg.exe with command-line arguments to check if terminal services were enabled. |
| | | | A General Behavior alert was generated showing that a spawned process (reg) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>The capability enriched reg.exe indicating that a sensitive registry key was accessed for potential reconnaissance.<br>Telemetry showed reg.exe with command-line arguments. |
| | | | A Specific Behavior alert was generated for takeown.exe changing the ownership of an accessibility feature executable.<br>A General Behavior alert was generated showing that a spawned process (takeown) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed takeown.exe executing with command-line arguments. |
| | | | A Specific Behavior alert was generated for icacls.exe changing the permissions of an accessibility feature executable.<br>A General Behavior alert was generated showing that a spawned process (icacls) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed icacls.exe executing with command-line arguments. |
| | | | A Specific Behavior alert was generated for the modification of an accessibility features binary known to be used for privilege escalation.<br>The capability enriched cmd.exe as being renamed to another process and with a relevant ATT&CK Technique (Masquerading).<br>Telemetry showed powershell.exe overwriting magnify.exe with cmd.exe via the copy command. |
| | | | Telemetry showed powershell.exe executing the Get-ChildItem command. |
| | | | Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker (10.0.0.5) to the Recycle Bin, as well as a file create event. |
| | | | Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker (10.0.0.5) to the Recycle Bin. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Telemetry showed powershell.exe creating recycler.exe. |
| | | | A General Behavior alert was generated showing that a spawned process (recycler) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. Additionally, recycler.exe was identified as WinRAR via file metadata, including executable product and description. Telemetry also showed the creation of old.rar as the output of recycler.exe running. |
| | | | A General Behavior alert was generated showing that a spawned process (recycler) has been tagged for monitoring because its parent process has a detection (powershell.exe).<br>Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. |
| | | | Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. Additionally, recycler.exe was identified as WinRAR via file metadata, including executable product and description. |
| | | | A Specific Behavior alert was generated for the execution of ftp.exe with a command file option by an unusual parent process, which could be used for exfiltration.<br>Telemetry showed ftp.exe with ftp.txt as an argument, as well as an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21. |
| | | | Telemetry showed powershell.exe executing the command to delete old.rar. |
| | | | Telemetry showed powershell.exe executing the command to delete recycler.exe. |
| | | | A General Behavior alert was generated for magnify.exe executing as a process with a renamed executable.<br>The capability enriched utilman.exe executing magnify.exe with a tag indicating that magnify was a persistent backdoor.<br>Telemetry showed magnify.exe executing from utilman.exe with the original file name of cmd.exe. |
| | | | The capability enriched a Remote Desktop connection indicating a successful login to Remote Desktop Services. |
| | | | A General Behavior alert was generated showing that a spawned process (whoami) has been tagged for monitoring because its parent process has a detection (magnify.exe).<br>The capability enriched whoami.exe with a tag identifying the command as enumeration.<br>Telemetry showed whoami.exe was executed from magnify.exe. |