
Uptycs Overview
Participant Configuration:  Carbanak+FIN7


MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE Engenuity.
Evaluation Summary
These are the evaluations that Uptycs has participated in:
Evaluations | Detection Count | Analytic Coverage | Telemetry Coverage | Visibility
APT3 (2018) | - | - | - | -
APT29 (2020) | - | - | - | -
Carbanak+FIN7 (2021) | 204 across 174 substeps | 62 of 174 substeps | 124 of 174 substeps | 127 of 174 substeps
Wizard Spider and Sandworm (2022) | - | - | - | -
Evaluation Overview
Choose an evaluation to drill down into the procedures used to test each tactic and technique. The clipboard on each cell will allow you to view the detection results.

Tactics


Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
20.B.4
Criteria:

7za.exe creates C:\Users\Public\log.7z

Detections:
5.B.5
Tux
Criteria:

User kmitnick reads network-diagram-financial.xml via cat

Detections:
5.B.6
Tux
Criteria:

User kmitnick reads help-desk-ticket.txt via cat

Detections:
9.A.5
Criteria:

explorer.exe reads C:\Users\jsmith\AppData\Local\Temp\Klog2.txt over to 192.168.0.4

Detections:
9.A.2
Criteria:

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Detections:
18.A.4
Criteria:

mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

Detections:
2.B.4
Criteria:

powershell.exe executes CopyFromScreen()

Detections:
9.A.4
Criteria:

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Detections:
13.B.4
Criteria:

powershell.exe executes CopyFromScreen()

Detections:
18.A.2
Criteria:

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Detections:
7.A.3
Criteria:

plink.exe transmits data to 192.168.0.4 over SSH protocol

Detections:
12.A.3
Criteria:

Adb156.exe transmits data to 192.168.0.6 via MSSQL transactions

Detections:
1.A.10
Criteria:

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
8.A.2
Criteria:

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
14.A.6
Criteria:

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
16.A.8
Criteria:

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
17.A.5
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
20.A.3
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
1.A.11
Criteria:

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
8.A.3
Criteria:

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
14.A.7
Criteria:

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
16.A.9
Criteria:

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
17.A.6
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
20.A.4
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
2.B.1
Criteria:

wscript.exe downloads screenshot__.ps1 from 192.168.0.4

Detections:
3.B.1
Criteria:

wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4

Detections:
4.B.1
Criteria:

powershell.exe downloads rad353F7.ps1 from 192.168.0.4

Detections:
4.B.2
Criteria:

powershell.exe downloads smrs.exe from 192.168.0.4

Detections:
5.A.1
Criteria:

powershell.exe downloads pscp.exe from 192.168.0.4

Detections:
5.A.2
Criteria:

powershell.exe downloads psexec.py from 192.168.0.4

Detections:
5.A.3
Criteria:

powershell.exe downloads runtime from 192.168.0.4

Detections:
5.A.4
Criteria:

powershell.exe downloads plink.exe from 192.168.0.4

Detections:
5.A.5
Criteria:

powershell.exe downloads tiny.exe from 192.168.0.4

Detections:
7.A.1
Criteria:

tiny.exe downloads plink.exe from 192.168.0.4

Detections:
7.C.1
Criteria:

scp.exe downloads Java-Update.exe from 192.168.0.4

Detections:
7.C.3
Criteria:

cmd.exe downloads Java-Update.vbs from 192.168.0.4

Detections:
9.A.1
Criteria:

Java-Update.exe downloads DefenderUpgradeExec.exe from 192.168.0.4

Detections:
9.B.1
Criteria:

explorer.exe downloads infosMin48.exe from 192.168.0.4

Detections:
10.A.1
Criteria:

explorer.exe downloads tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4

Detections:
10.A.2
Criteria:

explorer.exe downloads vnc-settings.reg from 192.168.0.4

Detections:
12.B.1
Criteria:

Adb156.exe downloads stager.ps1 from 192.168.0.6

Detections:
13.B.1
Criteria:

Adb156.exe downloads takeScreenshot.ps1 from 192.168.0.6 via MSSQL transactions

Detections:
15.A.2
Criteria:

powershell.exe downloads samcat.exe from 192.168.0.4

Detections:
15.A.3
Criteria:

powershell.exe downloads uac-samcats.ps1 from 192.168.0.4

Detections:
16.A.1
Criteria:

powershell.exe downloads paexec.exe from 192.168.0.4

Detections:
16.A.2
Criteria:

powershell.exe downloads hollow.exe from 192.168.0.4

Detections:
17.A.1
Criteria:

svchost.exe downloads srrstr.dll from 192.168.0.4 (port 443)

Detections:
19.B.3
Criteria:

powershell.exe downloads dll329.dll from 192.168.0.4

Detections:
19.B.4
Criteria:

powershell.exe downloads sdbE376.tmp from 192.168.0.4

Detections:
20.B.1
Criteria:

rundll32.exe downloads debug.exe from 192.168.0.4

Detections:
20.B.3
Criteria:

rundll32.exe downloads 7za.exe from 192.168.0.4

Detections:
3.B.7
Criteria:

powershell.exe transmits data to 192.168.0.4 over TCP

Detections:
19.A.3
Criteria:

itadmin (10.0.1.6) is relaying RDP traffic from attacker infrastructure

Detections:
10.B.1
Criteria:

tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900

Detections:
4.A.3
Criteria:

powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access

Detections:
9.B.2
Criteria:

infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll

Detections:
9.A.2
Criteria:

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Detections:
18.A.4
Criteria:

mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

Detections:
4.B.7
Criteria:

smrs.exe opens and reads lsass.exe

Detections:
15.A.6
Criteria:

samcat.exe opens and reads the SAM via LSASS

Detections:
4.B.5
Criteria:

fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Detections:
15.A.5
Criteria:

powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Detections:
1.A.5
Criteria:

wscript.exe decodes content and creates starter.vbs

Detections:
1.A.6
Criteria:

wscript.exe decodes content and creates TransBaseOdbcDriver.js

Detections:
3.B.5
Criteria:

powershell.exe decrypts, decompresses, and base64 decodes the Registry value into plaintext shellcode

Detections:
5.C.6
Criteria:

tiny.exe loads shellcode from network connection into memory

Detections:
11.A.5
Criteria:

mshta.exe assembles text embedded within 2-list.rtf into a JS payload

Detections:
14.A.3
Criteria:

powershell.exe decodes an embedded DLL payload

Detections:
14.A.5
Criteria:

powershell.exe loads shellcode from network connection into memory

Detections:
17.A.4
Criteria:

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Detections:
10.A.3
Criteria:

netsh adds Service Host rule for TCP port 5900

Detections:
9.B.3
Criteria:

powershell.exe deletes files from C:\Users\jsmith\AppData\Local\Temp\

Detections:
17.A.2
Criteria:

srrstr.dll is not the legitimate Windows System Protection Configuration Library

Detections:
11.A.6
Criteria:

mshta.exe makes a copy of the legitimate wscript.exe as Adb156.exe

Detections:
3.A.2
Criteria:

cmd.exe spawns reg.exe to add a value under HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer

Detections:
4.B.4
Criteria:

powershell.exe adds a value under HKCU:\Software\Classes\ms-settings\shell\open\command via New-Item and New-ItemProperty

Detections:
10.A.5
Criteria:

Addition of subkeys in HKLM\Software\TightVNC\Server

Detections:
10.A.6
Criteria:

Deletion of the Java-Update subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Detections:
1.A.4
Criteria:

unprotected.vbe is an encoded file

Detections:
3.A.3
Criteria:

Value added to Registry is base64 encoded

Detections:
11.A.2
Criteria:

2-list.rtf contains an embedded lnk payload that is dropped to disk

Detections:
19.B.2
Criteria:

powershell.exe executes base64 encoded commands

Detections:
9.A.3
Criteria:

Java-Update.exe injects into explorer.exe with CreateRemoteThread

Detections:
18.A.1
Criteria:

svchost.exe injects into explorer.exe with CreateRemoteThread

Detections:
18.A.3
Criteria:

explorer.exe injects into mstsc.exe with CreateRemoteThread

Detections:
20.A.2
Criteria:

AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread

Detections:
16.A.7
Criteria:

hollow.exe spawns svchost.exe and unmaps its memory image via: NtUnmapViewOfSection

Detections:
11.A.3
Criteria:

winword.exe spawns mshta.exe

Detections:
5.C.1
Criteria:

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Detections:
4.A.4
Criteria:

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Detections:
5.A.8
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
5.B.2
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
7.A.4
Criteria:

User kmitnick logs on to bankdc (10.0.0.4)

Detections:
7.B.2
Criteria:

User kmitnick logs on to cfo (10.0.0.5)

Detections:
16.A.4
Criteria:

User kmitnick logs on to itadmin (10.0.1.6)

Detections:
19.A.1
Criteria:

User kmitnick logs on to accounting (10.0.1.7)

Detections:
13.A.4
Criteria:

Adb156.exe makes a WMI query for Win32_BIOS

Detections:
6.A.3
Criteria:

PowerShell executes Get-NetUser

Detections:
4.A.1
Criteria:

powershell.exe calls the FindFirstFileW() and FindNextFileW() APIs

Detections:
5.B.4
Tux
Criteria:

User kmitnick executes ls -lsahR /var/

Detections:
7.C.2
Criteria:

dir lists the contents of C:\Users\Public

Detections:
13.A.3
Criteria:

cmd.exe executes net view

Detections:
2.A.4
Criteria:

wscript.exe makes a WMI query for Win32_Process

Detections:
5.B.3
Tux
Criteria:

User kmitnick executes ps ax

Detections:
13.A.1
Criteria:

Adb156.exe makes a WMI query for Win32_Process

Detections:
15.A.1
Criteria:

powershell.exe calls the CreateToolhelp32Snapshot() API

Detections:
20.B.2
Criteria:

debug.exe calls the CreateToolhelp32Snapshot API

Detections:
3.B.4
Criteria:

powershell.exe reads HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty

Detections:
4.A.2
Criteria:

powershell.exe executes Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4

Detections:
5.B.7
Tux
Criteria:

User kmitnick enumerates the domain controller via nslookup, which queries for the DC (10.0.0.4) over DNS (port 53)

Detections:
6.A.2
Criteria:

PowerShell executes Get-ADComputer

Detections:
15.A.8
Criteria:

powershell.exe spawns nslookup.exe, which queries the DC (10.0.1.4) over DNS (port 53)

Detections:
2.A.2
Criteria:

wscript.exe makes WMI queries for Win32_Processor & Win32_OperatingSystem

Detections:
12.A.5
Criteria:

Adb156.exe makes a WMI query for Win32_LogicalDisk

Detections:
13.A.6
Criteria:

Adb156.exe queries the COMPUTERNAME environment variable

Detections:
13.A.9
Criteria:

Adb156.exe makes a WMI query for Win32_OperatingSystem

Detections:
12.A.4
Criteria:

Adb156.exe makes a WMI query for Win32_NetworkAdapterConfiguration

Detections:
13.A.8
Criteria:

Adb156.exe makes a WMI query for Win32_ComputerSystem

Detections:
15.A.7
Criteria:

powershell.exe calls the GetIpNetTable() API

Detections:
7.B.1
Criteria:

powershell.exe executes qwinsta /server:cfo

Detections:
13.A.5
Criteria:

Adb156.exe queries the USERNAME environment variable

Detections:
13.A.4
Criteria:

Adb156.exe makes a WMI query for Win32_BIOS

Detections:
1.A.9
Criteria:

cmd.exe spawns wscript.exe to execute TransBaseOdbcDriver.js

Detections:
12.A.2
Criteria:

Adb156.exe loads scrobj.dll and executes sql-rat.js using Jscript

Detections:
2.B.3
Criteria:

cmd.exe spawns powershell.exe

Detections:
3.B.3
Criteria:

cmd.exe spawns powershell.exe

Detections:
4.B.3
Criteria:

powershell.exe executes rad353F7.ps1

Detections:
6.A.1
Criteria:

tiny.exe loads system.management.automation.dll

Detections:
13.B.3
Criteria:

cmd.exe spawns powershell.exe

Detections:
14.A.2
Criteria:

cmd.exe spawns powershell.exe

Detections:
14.A.4
Criteria:

powershell.exe executes the decoded payload using Invoke-Expression (IEX)

Detections:
15.A.4
Criteria:

powershell.exe spawns powershell.exe

Detections:
19.B.1
Criteria:

powershell.exe spawns powershell.exe

Detections:
1.A.3
Criteria:

wscript.exe executes unprotected.vbe

Detections:
1.A.7
Criteria:

wscript.exe executes starter.vbs

Detections:
8.A.1
Criteria:

wscript.exe spawns Java-Update.exe

Detections:
11.A.4
Criteria:

mshta.exe executes an embedded VBScript payload

Detections:
1.A.8
Criteria:

wscript.exe spawns cmd.exe

Detections:
2.B.2
Criteria:

wscript.exe spawns cmd.exe

Detections:
3.A.1
Criteria:

wscript.exe spawns cmd.exe

Detections:
3.B.2
Criteria:

wscript.exe spawns cmd.exe

Detections:
4.B.6
Criteria:

cmd.exe spawns smrs.exe

Detections:
5.A.6
Criteria:

powershell.exe spawns cmd.exe

Detections:
5.C.5
Criteria:

cmd.exe spawns tiny.exe

Detections:
7.A.2
Criteria:

tiny.exe spawns cmd.exe

Detections:
13.A.2
Criteria:

Adb156.exe spawns cmd.exe

Detections:
13.B.2
Criteria:

Adb156.exe spawns cmd.exe

Detections:
14.A.1
Criteria:

Adb156.exe spawns cmd.exe

Detections:
16.A.3
Criteria:

powershell.exe spawns cmd.exe

Detections:
17.A.3
Criteria:

svchost.exe spawns cmd.exe

Detections:
1.A.2
Criteria:

winword.exe loads VBE7.DLL

Detections:
11.A.7
Criteria:

winword.exe spawns verclsid.exe and loads VBE7.DLL, VBEUI.DLL, and VBE7INTL.DLL

Detections:
3.B.6
Criteria:

powershell.exe executes the shellcode from the Registry by calling the CreateThread() API

Detections:
11.A.8
Criteria:

mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes

Detections:
12.A.1
Criteria:

svchost.exe (-s Schedule) spawns Adb156.exe

Detections:
5.C.3
Criteria:

cmd.exe spawns from a service executable in C:\Windows\

Detections:
16.A.6
Criteria:

Windows service started PAExec-{PID}-HOTELMANAGER.exe, which executes hollow.exe

Detections:
1.A.1
Criteria:

explorer.exe spawns winword.exe when user clicks 1-list.rtf

Detections:
11.A.1
Criteria:

explorer.exe spawns winword.exe when user clicks 2-list.rtf

Detections:
2.B.5
Criteria:

wscript.exe reads and uploads screenshot__.png to 192.168.0.4

Detections:
13.B.5
Criteria:

Adb156.exe reads and uploads image.png to 192.168.0.6 via MSSQL transactions

Detections:
20.B.5
Criteria:

rundll32.exe reads and uploads log.7z to 192.168.0.4

Detections:
4.A.4
Criteria:

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Detections:
5.A.8
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
5.B.2
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
7.A.4
Criteria:

User kmitnick logs on to bankdc (10.0.0.4)

Detections:
7.B.2
Criteria:

User kmitnick logs on to cfo (10.0.0.5)

Detections:
16.A.4
Criteria:

User kmitnick logs on to itadmin (10.0.1.6)

Detections:
19.A.1
Criteria:

User kmitnick logs on to accounting (10.0.1.7)

Detections:
5.A.9
Tux
Criteria:

Pscp.exe copies psexec.py to 10.0.0.7

Detections:
5.A.10
Tux
Criteria:

Pscp.exe copies runtime to 10.0.0.7

Detections:
5.A.11
Tux
Criteria:

Pscp.exe copies tiny.exe to 10.0.0.7

Detections:
5.C.4
Criteria:

tiny.exe is created on 10.0.0.4

Detections:
7.A.5
Criteria:

RDP session from the localhost over TCP port 3389

Detections:
7.B.3
Criteria:

RDP session from 10.0.0.4 to 10.0.0.5 over TCP port 3389

Detections:
19.A.2
Criteria:

RDP session from 10.0.1.6 to 10.0.1.7 over TCP port 3389

Detections:
5.C.2
Criteria:

psexec.py connects to SMB shares on 10.0.0.4

Detections:
16.A.5
Criteria:

SMB session from 10.0.1.5 to 10.0.1.6 over TCP port 135 or 445 with admin shares accessed

Detections:
5.A.7
Tux
Criteria:

Pscp.exe connects over SCP (port 22) to 10.0.0.7

Detections:
5.B.1
Tux
Criteria:

plink.exe connects over SSH (port 22) to 10.0.0.7

Detections:
5.C.1
Criteria:

psexec.py creates a logon to 10.0.0.4 as user kmitnick

Detections:
7.C.4
Criteria:

Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Detections:
10.A.4
Criteria:

msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run

Detections:
19.B.5
Criteria:

sdbinst.exe installs sdbE376.tmp shim

Detections:
20.A.1
Criteria:

AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll

Detections:
17.A.4
Criteria:

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Detections:
11.A.8
Criteria:

mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes

Detections:
12.A.1
Criteria:

svchost.exe (-s Schedule) spawns Adb156.exe

Detections:
4.A.4
Criteria:

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Detections:
5.A.8
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
5.B.2
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
7.A.4
Criteria:

User kmitnick logs on to bankdc (10.0.0.4)

Detections:
7.B.2
Criteria:

User kmitnick logs on to cfo (10.0.0.5)

Detections:
16.A.4
Criteria:

User kmitnick logs on to itadmin (10.0.1.6)

Detections:
19.A.1
Criteria:

User kmitnick logs on to accounting (10.0.1.7)

Detections:
4.B.5
Criteria:

fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Detections:
15.A.5
Criteria:

powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)

Detections:
7.C.4
Criteria:

Java-Update subkey is added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Detections:
10.A.4
Criteria:

msiexec.exe adds the tvncontrol subkey in HKLM\Software\Microsoft\CurrentVersion\Run

Detections:
19.B.5
Criteria:

sdbinst.exe installs sdbE376.tmp shim

Detections:
20.A.1
Criteria:

AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll

Detections:
17.A.4
Criteria:

SystemPropertiesAdvanced.exe executes code in the illegitimate srrstr.dll

Detections:
9.A.3
Criteria:

Java-Update.exe injects into explorer.exe with CreateRemoteThread

Detections:
18.A.1
Criteria:

svchost.exe injects into explorer.exe with CreateRemoteThread

Detections:
18.A.3
Criteria:

explorer.exe injects into mstsc.exe with CreateRemoteThread

Detections:
20.A.2
Criteria:

AccountingIQ.exe injects into SyncHost.exe with CreateRemoteThread

Detections:
16.A.7
Criteria:

hollow.exe spawns svchost.exe and unmaps its memory image via: NtUnmapViewOfSection

Detections:
11.A.8
Criteria:

mshta.exe loads taskschd.dll and creates a scheduled task to execute in 5 minutes

Detections:
12.A.1
Criteria:

svchost.exe (-s Schedule) spawns Adb156.exe

Detections:
4.A.4
Criteria:

powershell.exe successfully logs in to host 10.0.0.4 or 10.0.0.5 as user kmitnick

Detections:
5.A.8
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
5.B.2
Tux
Criteria:

User kmitnick logs on to bankfileserver (10.0.0.7)

Detections:
7.A.4
Criteria:

User kmitnick logs on to bankdc (10.0.0.4)

Detections:
7.B.2
Criteria:

User kmitnick logs on to cfo (10.0.0.5)

Detections:
16.A.4
Criteria:

User kmitnick logs on to itadmin (10.0.1.6)

Detections:
19.A.1
Criteria:

User kmitnick logs on to accounting (10.0.1.7)

Detections:

Results Graphs

Detections Type Distribution by Step


Detections Type Distribution by Sub-step


Detection Type Frequency by Sub-step