| Step | ATT&CK Pattern | Detection Type | Detection Note |
|---|---|---|---|
| | | | Telemetry showed explorer.exe executing rcs.3aka3.doc. |
| | | | An MSSP detection contained evidence of explorer.exe executing rcs.3aka3.doc. |
| | | | A Tactic alert detection called "ProcessCreationExtra" was generated for explorer.exe executing rcs.3aka3.doc. |
| | | | A Technique alert detection called "Masquerading" was generated for "SuspiciousCharInPath" observed on rcs.3aka3.doc. |
| | | | An MSSP detection was generated for the RTLO character in cod.3aka3.scr, which was used to masquerade the file as rcs.3aka3.doc. |
| | | | Telemetry showed rcs.3aka3.doc connecting to 192.168.0.5 on TCP port 1234. |
| | | | An MSSP detection was generated for rcs.3aka3.doc connecting to 192.168.0.5 on port 1234. |
| | | | A Technique alert detection for "T1065 - Uncommonly Used Port" was generated for rcs.3aka3.doc due to TCP port 1234 being used. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Telemetry showed cmd.exe spawning from rcs.3aka3.doc. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1059" contained evidence of cmd.exe spawning from rcs.3aka3.doc. |
| | | Tactic (Alert, Correlated) | A Tactic alert detection called "ProcessCreationExtra" was generated for rcs.3aka3.doc spawning cmd.exe. |
| | | | Telemetry showed powershell.exe spawning from cmd.exe. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1086" contained evidence of powershell.exe spawning from cmd.exe. |
| | | Tactic (Alert, Correlated) | A Tactic alert detection called "ProcessCreationExtra" was generated for powershell.exe spawning from cmd.exe. |
| | | | Telemetry showed powershell.exe executing ChildItem. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "File Enumeration" occurred containing evidence of PowerShell searching the filesystem. |
| | | Technique (Correlated, Alert) | A Technique alert detection for "File Enumeration" under "Discovery {T1083}" was generated when powershell.exe executed Get-ChildItem. The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed powershell.exe executing ChildItem. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "InteractivePSCommand" contained evidence of powershell.exe executing ChildItem. |
| | | Technique (Delayed (Processing), Alert, Correlated) | A Technique alert detection for "Automated Collection" was generated on powershell.exe executing Get-ChildItem after a short delay. The detection was correlated to a parent grouping of malicious activity. |
| | | Telemetry (Configuration Change (Detections), Correlated) | Telemetry showed powershell.exe reading files from C:\Users\Pam\*. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "PowerShell is seen enumerating the system and searching for files" contained evidence of file reads to C:\Users\Pam\*. |
| | | Technique (Correlated, Configuration Change (Detections), Alert) | A Technique alert detection for "Data from Local System {T1005}" was generated on powershell.exe executing Get-ChildItem and reading C:\Users\Pam\*. The detection was correlated to a parent grouping of malicious activity. |
| | | Technique (Alert, Correlated) | A Technique alert detection for "Data Compressed. MITRE Exfiltration {T1002}" was generated on powershell.exe compressing via Compress-Archive. The detection was correlated to a parent grouping of malicious activity. |
| | | Telemetry (Correlated, Configuration Change (UX)) | Telemetry showed powershell.exe compressing via Compress-Archive. |
| | | | An MSSP detection occurred for powershell.exe compressing via Compress-Archive. |
| | | | An MSSP detection for the file creation of Draft.zip was received. The alert stated that the file "C:\Users\pam\AppData\Roaming\Draft.zip" was created. |
| | | | Telemetry showed the creation of Draft.zip. The detection was correlated to a parent grouping of malicious activity. |
| | | Telemetry (Correlated, Configuration Change (UX)) | Telemetry showed a file read event for Draft.zip and an existing C2 channel (192.168.0.5 over port 1234). The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1041" occurred containing evidence of cod.3aka3.scr reading Draft.zip and a network connection to C2 (192.168.0.5). |
| | | | Telemetry showed rcs.3aka3.doc creating the new file monkey.png. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1105" occurred containing evidence of rcs.3aka3.doc creating monkey.png. |
| | | | Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1027" occurred containing evidence of the PowerShell script contained within monkey.png. |
| | | Technique (Alert, Configuration Change (Detections), Correlated) | A Technique alert detection for "Steganography" was generated when identifying the PowerShell script contained within monkey.png. The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed the addition of the DelegateExecute Registry value. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1122" occurred containing evidence of the DelegateExecute subkey being added to the Registry. |
| | | | Telemetry showed a new high-integrity PowerShell callback spawning from control.exe (spawned from sdclt.exe). The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1088" occurred containing evidence of a new high-integrity PowerShell callback spawning from control.exe (spawned from sdclt.exe). |
| | | Technique (Correlated, Alert) | A Technique alert detection for "TokenManipulation" was generated when user Pam targeted user "NT AUTHORITY\SYSTEM" in conjunction with "setcbprivilege" usage. The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed powershell.exe connecting outbound to 192.168.0.5 on TCP 443. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1043" occurred containing evidence of powershell.exe connecting to 192.168.0.5 on TCP 443. |
| | | | Telemetry showed the PowerShell process exchanging data with 192.168.0.5 over HTTPS. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1071" occurred containing evidence of the PowerShell process exchanging data with 192.168.0.5 over HTTPS. |
| | | | Telemetry showed the PowerShell process exchanging data with 192.168.0.5 over HTTPS. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1032" occurred containing evidence of the PowerShell process exchanging data with 192.168.0.5 over HTTPS. |
| | | | Telemetry showed the deletion of the command subkey. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1112" occurred containing evidence of the command subkey being removed from the Registry. |
| | | | Telemetry showed the file write of the ZIP by PowerShell. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1105" occurred containing evidence of the file write of the ZIP by PowerShell. |
| | | Tactic (Alert, Correlated) | A Tactic alert detection called "ProcessCreationExtra" was generated for powershell.exe executing powershell.exe. The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed a new powershell.exe spawning from powershell.exe. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1086" occurred containing evidence of a new interactive session of PowerShell being created. |
| | | | An MSSP detection for "T1140" occurred containing evidence of the extracted root folder being created and the contents extracted. |
| | | | Telemetry showed PowerShell decompressing the ZIP via Expand-Archive and the corresponding file writes. The detection was correlated to a parent grouping of malicious activity. |
| | | Telemetry (Configuration Change (UX), Correlated) | Telemetry showed PowerShell executing Get-Process. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1057" occurred containing evidence of PowerShell listing current processes via "Get-Process". |
| | | Technique (Correlated, Alert) | A Technique alert detection for "ProcessEnumeration" under "Discovery {T1057}" was generated for PowerShell executing Get-Process. The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1107" occurred containing evidence of Sdelete (Secure Deletion) being used to remove the original *.3aka3.* RAT, Draft.zip, and SysinternalSuite.zip. |
| | | | Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1107" occurred containing evidence of Sdelete (Secure Deletion) being used to remove the original *.3aka3.* RAT, Draft.zip, and SysinternalSuite.zip. |
| | | | Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1107" occurred containing evidence of Sdelete (Secure Deletion) being used to remove the original *.3aka3.* RAT, Draft.zip, and SysinternalSuite.zip. |
| | | | An MSSP detection for "basic discovery" occurred containing evidence of $env:TEMP usage. |
| | | | An MSSP detection for "basic discovery" occurred containing evidence of $env:USERNAME usage. |
| | | | An MSSP detection for "basic discovery" occurred containing evidence of $env:COMPUTERNAME usage. |
| | | | An MSSP detection for "basic discovery" occurred containing evidence of $env:USERDOMAIN usage. |
| | | Technique (Alert, Correlated) | A Technique alert detection for "ProcessEnumeration" was generated when PowerShell accessed $PID. The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed powershell.exe executing: $PID. |
| | | | An MSSP detection for "basic discovery" occurred containing evidence of $PID usage. |
| | | Technique (Correlated, Alert) | A Technique alert detection for "Local Environment Information Discovery" specific to WMI was generated when PowerShell executed the suspicious WMI query containing Win32_OperatingSystem. The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed powershell.exe executing Gwmi Win32_OperatingSystem. |
| | | | An MSSP detection for "use of Gwmi" occurred containing evidence of a WMI query containing Win32_OperatingSystem. |
| | | Technique (Correlated, Alert) | A Technique alert detection for "Security Software Discovery" specific to WMI was generated when PowerShell executed the suspicious WMI query containing AntiVirusProduct. The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed powershell.exe executing: Get-WmiObject ... -Class AntiVirusProduct. |
| | | | An MSSP detection for "use of Gwmi" occurred containing evidence of a WMI query containing AntiVirusProduct. |
| | | | Telemetry showed powershell.exe executing: Get-WmiObject ... -Class FireWallProduct. |
| | | Technique (Alert, Correlated) | A Technique alert detection for "Security Software Discovery" specific to WMI was generated when PowerShell executed the suspicious WMI query containing FireWallProduct. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "use of Gwmi" occurred containing evidence of a WMI query containing FireWallProduct. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | An MSSP detection occurred for PowerShell initiating a new persistence service "javamtsup". |
| | | Technique (Alert, Correlated) | A Technique alert detection for "ServiceCreate" under "Persistence {T1084}" was generated due to "javamtsup" being added to the "...\Services" registry path. The detection was correlated to a parent grouping of malicious activity. |
| | | Technique (Alert, Correlated) | A Technique alert detection for "StartupDirectory" under was generated due to the file write of hostui.lnk in the Startup folder. The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed the creation of hostui.lnk in the Startup folder. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1060" occurred containing evidence of PowerShell placing an LNK in the Startup folder, gaining persistence to launch hostui.bat. |
| | | | An MSSP detection for "T1081" occurred containing evidence of accesschk.exe reading the Chrome database file for credentials. |
| | | Technique (Correlated, Alert) | A Technique alert detection for "BrowserInfoStealing" under "Collection {T1213}" was generated when accesschk.exe read the Chrome database file for credentials. The detection was correlated to a parent grouping of malicious activity. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | | Telemetry showed that accesschk.exe is not a signed Microsoft binary and provided its hash value, which can be used to verify that it is not the legitimate Sysinternals tool. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1036" occurred containing evidence of accesschk.exe with an MD5 value that was also found publicly and is known to be malicious. |
| | | | Telemetry showed a file create event for a $RandomFileName.pfx file by powershell.exe. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1003" occurred containing evidence of credential dumping as indicated by "Infostealer." |
| | | Technique (Correlated, Alert) | A Technique alert detection for "SensitiveMemoryAccess" under "Credential Access {T1003}" was generated when PowerShell read sensitive information from LSASS. The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed a remote process injection into lsass.exe by powershell.exe. The detection was correlated to a parent grouping of malicious activity. |
| | | Technique (Alert, Configuration Change (Detections), Correlated) | A Technique alert detection for "Screenshot" was generated due to CopyFromScreen API execution. The detection was correlated to a parent grouping of malicious activity. |
| | | Telemetry (Correlated, Configuration Change (UX)) | Telemetry showed powershell.exe executing CopyFromScreen from System.Drawing.dll. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1113" occurred containing evidence of System.Drawing.dll being loaded and Invoke-ScreenCapture being called. |
| | | Telemetry (Configuration Change (UX), Correlated) | Telemetry showed powershell.exe executing Get-Clipboard. The detection was correlated to a parent grouping of malicious activity. |
| | | Technique (Configuration Change (Detections), Correlated, Alert) | A Technique alert detection for "ClipBoardAccess" was generated due to PowerShell executing Get-Clipboard. The detection was correlated to a parent grouping of malicious activity. |
| | | Technique (Correlated, Alert, Configuration Change (Detections)) | A Technique alert detection for "SuspiciousKeylogging" was generated due to GetAsyncKeyState execution. The detection was correlated to a parent grouping of malicious activity. |
| | | Telemetry (Correlated, Configuration Change (UX)) | Telemetry showed PowerShell calling the GetAsyncKeyState API. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1056" occurred containing evidence of GetAsyncKeyState API calls and a Get-Keystrokes function call. |
| | | None (Delayed (Manual), Host Interrogation) | Minimum detection criteria was not met for this procedure. |
| | | Technique (Alert, Correlated, Configuration Change (Detections)) | A Technique alert detection for "Data from Local System {T1005}" was generated due to powershell.exe reading files from C:\Users\pam\Downloads. The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed the file create event for OfficeSupplies.7z. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "exfiltrate" occurred containing evidence of OfficeSupplies.7z being created. |
| | | Telemetry (Configuration Change (UX), Correlated) | Telemetry showed powershell.exe executing Compress-7Zip with arguments for encryption. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "Exfiltrate" occurred containing evidence of Compress-7Zip compressing and encrypting the Downloads directory with 7z using the password "lolol." |
| | | | An MSSP detection occurred containing evidence of exfiltration via WebDAV. |
| | | Telemetry (Correlated, Configuration Change (UX)) | Telemetry showed PowerShell using Copy-Item to copy to a remote adversary WebDAV network share (192.168.0.4). The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed powershell.exe establishing a connection identified as LDAP over port 389 to NewYork (10.0.0.4). The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1018" occurred containing evidence of an Ad-Search function definition along with an LDAP network connection to NewYork (10.0.0.4). |
| | | | A Technique alert detection for "WinRMSession" under "Lateral Movement {T1028}" was generated when a connection to remote host Scranton (10.0.1.4) from host Nashua (10.0.1.6) over port 5985 using the wsman protocol was issued. |
| | | | An MSSP detection for "T1028" occurred containing evidence of Lateral Movement via WinRM with a wsman network connection to host Scranton (10.0.1.4) over port 5985. |
| | | Telemetry (Correlated, Configuration Change (UX)) | Telemetry showed PowerShell executing Get-Process. The detection was correlated to a parent grouping of malicious activity. |
| | | | A Technique alert detection for "ProcessEnumeration" under "Discovery {T1057}" was generated due to Invoke-Command executing Get-Process. |
| | | | An MSSP detection for "ProcessEnumeration" occurred containing evidence of WinRM alerting on Get-Process. |
| | | | Telemetry showed the file create event of python.exe. |
| | | | An MSSP detection for "T1105" occurred containing evidence of python.exe file creation. |
| | | Tactic (Correlated, Alert) | A Tactic alert detection for "AdminShareAccess" was generated when python.exe was written from host Nashua (10.0.1.6) to the ADMIN$ share on host Scranton (10.0.1.4), indicating Lateral Movement. The detection was correlated to a parent grouping of malicious activity. |
| | | | A Technique alert detection for "UPXProcess" under "Defense Evasion {T1045}" was generated due to python.exe being packed with UPX. |
| | | | An MSSP detection was generated containing evidence of observed UPX packing on a Python payload. |
| | | | A Technique alert detection "UserLogin" under "Valid Accounts {T1078}" showed a valid logon on Scranton (10.0.1.4) as user Pam. |
| | | | Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over port 135 identified as RPC. |
| | | | An MSSP detection for "T1077" occurred containing evidence of PsExec64.exe establishing an SMB session to Scranton's IPC$ share and writing PSEXESVC.exe. |
| | | Technique (Correlated, Alert) | A Technique alert detection for "AdminShareAccess" was generated due to PSEXESVC.exe being copied to ADMIN$ on Scranton (10.0.1.4). The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed python.exe spawned by PSEXESVC.exe. |
| | | | A Tactic alert detection called "ProcessCreationExtra" was generated due to PSEXESVC.exe executing python.exe. |
| | | | An MSSP detection for "T1035" occurred containing evidence of PsExec executing python.exe. |
| | | | Telemetry showed a file creation event for python.exe creating rar.exe. |
| | | | An MSSP detection for "Python spawns PowerShell which then writes rar.exe and sdelete64.exe" occurred containing evidence of file write events for rar.exe and sdelete64.exe. |
| | | | Telemetry showed a file creation event for python.exe creating sdelete64.exe. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "Python spawns PowerShell which then writes Rar.exe and sdelete64.exe" occurred containing evidence of file write events for rar.exe and sdelete64.exe. |
| | | | Telemetry showed python.exe executing powershell.exe. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1086" occurred containing evidence of python.exe executing powershell.exe. |
| | | Telemetry (Correlated, Configuration Change (UX)) | Telemetry showed PowerShell executing ChildItem. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1083" occurred containing evidence of enumerating directories in search of specific files. The function "ChildItem" is observed. |
| | | Technique (Alert, Correlated) | A Technique alert detection for "File Enumeration" under "Discovery {T1083}" was generated when powershell.exe executed Get-ChildItem. The detection was correlated to a parent grouping of malicious activity. |
| | | Telemetry (Correlated, Configuration Change (UX)) | Telemetry showed PowerShell executing ChildItem. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1119" occurred containing evidence of enumerating directories in search of specific files. The function "ChildItem" is observed. |
| | | Technique (Configuration Change (UX), Correlated, Alert) | A Technique alert detection called "Automated Collection" was generated when powershell.exe accessed multiple files when using ChildItem. The detection was correlated to a parent grouping of malicious activity. |
| | | Technique (Configuration Change (Detections), Correlated, Alert) | A Technique alert detection for "OpenedFile" under "Data from Local System {T1005}" was generated when a known malicious powershell.exe read files in C:\Users\Pam\*. The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed a file creation event for powershell.exe creating working.zip. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1074" occurred containing evidence of working.zip creation from file creation events. |
| | | | Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1022" occurred containing evidence of rar.exe being executed with an encryption password parameter passed. |
| | | | Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "T1002" occurred containing evidence of powershell.exe executing rar.exe. |
| | | Technique (Alert, Correlated) | A Technique alert detection called "Compression" was generated due to powershell.exe executing rar.exe with command-line arguments indicative of compression. The detection was correlated to a parent grouping of malicious activity. |
| | | Telemetry (Correlated, Configuration Change (UX)) | Telemetry showed a file read event for working.zip and an existing C2 channel (192.168.0.4 over TCP port 8443). |
| | | | An MSSP detection for "T1041" occurred containing evidence of the C2 instance of python.exe being observed establishing a network connection to 192.168.0.4 on port 8443 (HTTPS). |
| | | | Telemetry showed a file deletion event for secure file delete deleting rar.exe. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "sdelete" occurred containing evidence of sdelete being run to delete rar.exe and working.zip. |
| | | | Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "sdelete" occurred containing evidence of sdelete being run to delete rar.exe and working.zip. |
| | | | An MSSP detection for "sdelete" occurred containing evidence of sdelete being run to delete rar.exe and working.zip. |
| | | | Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. The detection was correlated to a parent grouping of malicious activity. |
| | | | Telemetry showed a file deletion event on "Windows Command Processor" deleting sdelete64.exe. The detection was correlated to a parent grouping of malicious activity. |
| | | | An MSSP detection for "executing a deletion" occurred containing evidence of cmd.exe being run to delete sdelete64.exe. |
| | | | Telemetry showed javamtsup.exe with parent process services.exe. |
| | | | An MSSP detection for "T1035" occurred containing evidence of javamtsup.exe with parent process services.exe. |
| | | | A Tactic alert detection called "ProcessCreationExtra" was generated when services.exe executed javamtsup.exe. |
| | | | An MSSP detection for "startup persistence" occurred containing evidence of hostui.lnk executing from the Startup folder. |
| | | Technique (Alert, Configuration Change (Detections)) | A Technique alert detection for "StartedFromLnk" under "Registry Run Keys / Startup Folder {T1060}" was generated due to hostui.lnk triggering on login from the Startup folder. |
| | | | Telemetry showed hostui.lnk executing from the Startup folder. |
| | | | Minimum detection criteria was not met for this procedure. |
| | | Technique (Alert, Correlated) | A Technique alert detection for "TokenMismatch" under "Privilege Escalation {T1134}" was generated when the token of the parent process, hostui.exe, did not match the token of the child process, powershell.exe. The detection was correlated to a parent grouping of malicious activity. |
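The "Masquerading" and RTLO rows above describe a detection that can be checked offline: the real file name cod.3aka3.scr carries a RIGHT-TO-LEFT OVERRIDE (U+202E) so that a file manager shows it as rcs.3aka3.doc while the true extension stays .scr. The Python below is an added example written for this page, not the evaluated vendor's or MITRE's detection logic; it assumes the simplified rendering rule that everything after U+202E (up to a U+202C pop, or the end of the name) is displayed reversed, and the process-creation events it scans are constructed to resemble the table's first rows.

```python
"""Flag RTLO / bidi-control file name masquerading in process-creation events."""
import ntpath
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: text after it is rendered reversed
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING: ends the override
# Unicode bidi classes of the explicit embedding/override/isolate controls.
BIDI_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def bidi_controls(name):
    """Return (index, 'U+XXXX') for every bidi control character in name."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(name)
            if unicodedata.bidirectional(c) in BIDI_CLASSES]


def displayed_name(name):
    """Approximate what a file manager shows for name (assumption: the run
    after U+202E up to U+202C or end of string is reversed; other bidi
    controls are invisible and dropped)."""
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            j = name.find(PDF, i + 1)
            end = len(name) if j == -1 else j
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif unicodedata.bidirectional(name[i]) in BIDI_CLASSES:
            i += 1
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def extension(name):
    """Lower-cased text after the last dot, or '' when there is no dot."""
    _base, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def analyze_filename(name):
    """Compare the on-disk name with how it is displayed to the user."""
    controls = bidi_controls(name)
    shown = displayed_name(name)
    real_ext, shown_ext = extension(name), extension(shown)
    return {
        "bidi_controls": controls,
        "displayed": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "suspicious": bool(controls),              # any bidi control at all
        "extension_spoofed": bool(controls) and real_ext != shown_ext,
    }


def scan_process_events(events):
    """events: iterable of {'parent_image': str, 'image': str} (full paths).
    Returns one finding per image whose file name carries bidi controls."""
    findings = []
    for ev in events:
        res = analyze_filename(ntpath.basename(ev["image"]))
        if res["suspicious"]:
            findings.append({
                "parent": ntpath.basename(ev["parent_image"]),
                "displayed": res["displayed"],
                "real_extension": res["real_extension"],
                "extension_spoofed": res["extension_spoofed"],
                "controls": res["bidi_controls"],
            })
    return findings


# Constructed sample events modelled on the table's first row: explorer.exe
# launching the RTLO-named screensaver that is displayed as rcs.3aka3.doc.
SAMPLE_EVENTS = [
    {"parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\pam\\Downloads\\" + RLO + "cod.3aka3.scr"},
    {"parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\pam\\Downloads\\report.docx"},
    {"parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\PING.EXE"},
]

if __name__ == "__main__":
    for finding in scan_process_events(SAMPLE_EVENTS):
        print(finding)
```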