| Step | ATT&CK Pattern | Detection Type | Detection Note |
| --- | --- | --- | --- |
| | | Technique | A Technique detection named "User Execution" (Medium) was generated when explorer.exe spawned winword.exe after the user clicked 1-list.rtf. [1] |
| | | Technique | A Technique detection named "Visual Basic - T1059.005" (Medium) was generated when wscript.exe spawned unprotected.vbe. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Visual Basic - T1059.005, Obfuscated Files or Information - T1027" (Medium) was generated when wscript.exe spawned unprotected.vbe, which contained encoded content. [1] |
| | | General | A General detection named "Visual Basic, Malicious Script Command" (High) was generated when wscript.exe spawned unprotected.vbe, which contained encoded content. [1] |
| | | General | A General detection named "Visual Basic, Malicious Script Command" (High) was generated when wscript.exe spawned unprotected.vbe. The alert contained the script command to decode and create starter.vbs. [1] |
| | | General | A General detection named "Visual Basic, Malicious Script Command" was generated when wscript.exe spawned unprotected.vbe. The alert contained the script command to decode and create TransBaseOdbcDriver.js. [1] |
| | | Technique | A Technique detection named "Visual Basic - T1059.005" (Medium) was generated when wscript.exe executed starter.vbs. [1] |
| | | Technique | A Technique detection named "Windows Command Shell - T1059.003" (Medium) was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "Javascript/Jscript - T1059.007" (Medium) was generated when cmd.exe spawned wscript.exe to execute TransBaseOdbcDriver.js. [1] |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Javascript/Jscript, Ingress Tool Transfer" (High) was generated when the contents of TransBaseOdbcDriver.js were decoded, identifying screenshot__.ps1 being retrieved from 192.168.0.4. [1] [2] |
| | | Technique | A Technique detection named "Windows Command Shell - T1059.003" (Informative) was generated when wscript.exe spawned cmd.exe. [1] |
| | | General | A General detection named "Local Data Staging" (High) was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "Powershell - T1059.001" (Medium) was generated when cmd.exe spawned powershell.exe. [1] |
| | | Technique | A Technique detection named "Powershell - T1059.001, Screen Capture - T1113" (High) was generated when powershell.exe executed CopyFromScreen(). [1] |
| | | Technique | A Technique detection named "Windows Command Shell - T1059.003" (Informative) was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Modify Registry" (High) was generated when cmd.exe spawned reg.exe to add a value to a registry key. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Javascript/Jscript - T1059.007, Ingress Tool Transfer - T1105" was generated when wscript.exe executed TransBaseOdbcDriver.js. The script was found to contain commands to download LanCradDriver.ps1 from 192.168.0.4. [1] |
| | | Technique | A Technique detection named "Windows Command Shell - T1059.003" (Informative) was generated when wscript.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "Powershell - T1059.001, Obfuscated Files or Information - T1027" (High) was generated when cmd.exe spawned powershell.exe. [1] |
| | | Technique | A Technique detection named "Powershell - T1059.001, Query Registry - T1012" (High) was generated when powershell.exe executed LanCradDriver.ps1. The script was found to contain a command to read HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer via Get-ItemProperty. [1] |
| | | Technique | A Technique detection named "Powershell - T1059.001, Deobfuscate/Decode Files or Information - T1140" (High) was generated when powershell.exe decrypted, decompressed, and base64-decoded the Registry value into plaintext shellcode. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Execution through API - T1106, PowerShell - T1059.001" (High) was generated when powershell.exe executed the shellcode from the Registry by calling the CreateThread() API. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "PowerShell - T1059.001, Remote System Discovery - T1018" (High) was generated when powershell.exe executed Get-NetComputer to query LDAP (port 389) via a network connection to 10.0.0.4. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Brute Force - T1110" (High) was generated when powershell.exe executed Find-LocalAdminAccess, which connected to multiple hosts over port 135 to check for access. [1] [2] |
| | | Technique | A Technique detection named "Valid Accounts - T1078" (Informative) was generated when user kmitnick successfully logged into bankdc (10.0.0.4). [1] |
| | | Technique | A Technique detection named "PowerShell - T1059.001, Bypass UAC" (High) was generated when powershell.exe executed rad353F7.ps1. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "PowerShell - T1059.001, Modify Registry - T1112" (High) was generated when powershell.exe added a value to the Registry via New-Item and New-ItemProperty. [1] |
| | | Technique | A Technique detection named "Bypass User Account Control - T1548.002" (Medium) was generated when fodhelper.exe spawned cmd.exe as a high-integrity process. [1] |
| | | Technique | A Technique detection named "PowerShell - T1059.001, Bypass User Account Control - T1548.002" (High) was generated when fodhelper.exe spawned cmd.exe as a high-integrity process. [1] |
| | | Technique | A Technique detection named "Windows Command Shell - T1059.003" (Informative) was generated when cmd.exe executed smrs.exe. [1] |
| | | General | A General detection named "Masquerading - T1036" was generated when cmd.exe executed smrs.exe. The detection identified that smrs.exe was similar in name to an expected executable. [1] |
| | | Technique | A Technique detection named "Credential Dumping - T1003" (High) was generated when smrs.exe opened and read lsass.exe. [1] [2] |
| | | Technique | A Technique detection named "Windows Command Shell - T1059.003" (Medium) was generated when powershell.exe spawned cmd.exe. [1] |
| | | Technique | A Technique detection named "SSH - T1021.004" (Low) was generated when pscp.exe connected over SCP (port 22) to 10.0.0.7. [1] |
| | | Technique | A Technique detection named "Valid Accounts" (Low) was generated when user kmitnick logged on to bankfileserver (10.0.0.7). [1] |
| | | Technique | A Technique detection named "Lateral Tool Transfer - T1570" (Medium) was generated when pscp.exe copied psexec.py to 10.0.0.7. [1] |
| | | Technique | A Technique detection named "Lateral Tool Transfer - T1570" (Medium) was generated when pscp.exe copied runtime to 10.0.0.7. [1] |
| | | Technique | A Technique detection named "Lateral Tool Transfer - T1570" (Medium) was generated when pscp.exe copied tiny.exe to 10.0.0.7. [1] |
| | | Technique | A Technique detection named "Valid Accounts/Domain Accounts - T1078.002, SSH - T1021.004" (Low) was generated when plink.exe connected over SSH (port 22) to 10.0.0.7. [1] |
| | | Technique | A Technique detection named "Valid Accounts/Domain Accounts - T1078.002, SSH - T1021.004" (Low) was generated when user kmitnick logged on to bankfileserver (10.0.0.7). [1] |
| | | Technique | A Technique detection named "Process Discovery - T1057" (Low) was generated when user kmitnick executed ps ax. [1] |
| | | Technique | A Technique detection named "File and Directory Discovery - T1083" (Low) was generated when user kmitnick executed ls -lsahR /var/. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Data From Local System - T1005" (Medium) was generated when user kmitnick read network-diagram-financial.xml via cat. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Data From Local System - T1005" (Medium) was generated when user kmitnick read help-desk-ticket.txt via cat. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote System Discovery - T1018" (Medium) was generated when user kmitnick enumerated the domain controller via nslookup. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Pass The Hash - T1550.002" (High) was generated when psexec.py created a logon to 10.0.0.4 as user kmitnick using a hash to authenticate. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "SMB/Windows Admin Shares - T1021.002" (High) was generated when psexec.py connected to SMB shares on 10.0.0.4. [1] |
| | | Technique | A Technique detection named "Service Execution - T1569.002" (Medium) was generated when services.exe spawned the service executable gTerpiCf.exe. [1] |
| | | General | A General detection named "Windows Service - T1543.003" (Medium) was generated when cmd.exe was spawned by a service executable in C:\Windows\. [1] |
| | | General | A General detection named "Process Injection - T1055, Memory Pattern - Meterpreter" was generated when tiny.exe loaded a Meterpreter shell into memory. [1] [2] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "PowerShell - T1059.001, Remote System Discovery - T1018" (High) was generated when PowerShell executed Get-ADComputer. [1] [2] |
| | | Tactic (Configuration Change (Detection Logic)) | A Tactic detection named "Execution, Discovery" (High) was generated when PowerShell executed Get-NetUser. [1] |
| | | Technique | A Technique detection named "Windows Command Shell - T1059.003" (Medium) was generated when tiny.exe spawned cmd.exe. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Valid Accounts - T1078" (Informative) was generated when user kmitnick logged on to bankdc (10.0.0.4). [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Remote Desktop Protocol - T1021.001" was generated when a logon event by kmitnick was detected as an RDP login. [1] |
| | | Technique | A Technique detection named "System Owner/User Discovery - T1033" (High) was generated when powershell.exe executed qwinsta /server:cfo. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Registry Run Keys/Startup Folder - T1547.001" was generated when the Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. [1] |
| | | Technique | A Technique detection named "Registry Run Keys/Startup Folder - T1547.001" (High) was generated when the Java-Update subkey was added to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. [1] |
| | | General | A General detection named "Process Injection - T1055" (High) was generated when wscript.exe spawned Java-Update.exe. [1] |
| | | Technique | A Technique detection named "Visual Basic - T1059.005" (High) was generated when wscript.exe executed Java-Update.vbs. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "Process Injection" (High) was generated when Java-Update.exe injected into explorer.exe with CreateRemoteThread. [1] |
| | | | Minimum detection criteria were not met for this procedure. |
| | | Technique | A Technique detection named "File Deletion - T1070.004" (High) was generated when powershell.exe deleted files from C:\Users\jsmith\AppData\Local\Temp\. [1] |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Telemetry (Configuration Change (Data Sources)) | |
| | | Technique | A Technique detection named "Disable or Modify System Firewall - T1562.004" (High) was generated when netsh.exe added a 'Service Host' rule to allow TCP port 5900 inbound. [1] |
| | | Technique | A Technique detection named "Registry Run Keys/Startup Folder - T1547.001" (High) was generated when the tvncontrol subkey was added to HKLM\Software\Microsoft\CurrentVersion\Run. [1] [2] |
| | | Technique | A Technique detection named "Registry Run Keys/Startup Folder - T1547.001" (High) was generated when the tvncontrol subkey was added to HKLM\Software\Microsoft\CurrentVersion\Run. [1] |
| | | Technique (Configuration Change (Detection Logic)) | A Technique detection named "Modify Registry - T1112" (Medium) was generated when subkeys were added to HKLM\Software\TightVNC\Server via vnc-settings.reg. [1] |