| Detection Type | Detection Note |
|---|---|
| Telemetry | Telemetry showed explorer.exe executing rcs.3aka3.doc. |
| MSSP | An MSSP detection for "Execution - User Execution" occurred containing evidence of explorer.exe executing rcs.3aka3.doc. |
| | |
| Technique | A Technique alert detection (info severity) called "Right-to-Left Override" was generated due to a process event with RTLO. |
| MSSP | An MSSP detection occurred containing evidence of the original filename: cod.3aka3.scr. |
| Telemetry | Telemetry showed the right-to-left override character (U+202E) in rcs.3aka3.doc and the original filename. |
| | |
| Telemetry | Telemetry showed the rcs.3aka3.doc process connecting to 192.168.0.5 on TCP port 1234. |
| MSSP | An MSSP detection occurred for the rcs.3aka3.doc process connecting to 192.168.0.5 on TCP port 1234. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| Telemetry | Telemetry showed cmd.exe spawning from rcs.3aka3.doc. |
| Technique | A Technique alert detection (medium severity) called "Screensaver file launches shell" was generated due to cmd.exe spawning from rcs.3aka3.doc. |
| MSSP | An MSSP detection was generated for cmd.exe spawning from rcs.3aka3.doc. |
| | |
| Telemetry | Telemetry showed powershell.exe spawning from cmd.exe. |
| MSSP | An MSSP detection was generated for cmd.exe spawning powershell.exe. |
| | |
| Telemetry | Telemetry showed powershell.exe executing ChildItem. |
| MSSP | An MSSP detection occurred showing evidence of powershell.exe executing ChildItem. |
| | |
| Telemetry | Telemetry showed powershell.exe executing Get-ChildItem. |
| MSSP | An MSSP detection occurred showing evidence of powershell.exe executing ChildItem. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| Telemetry | Telemetry showed powershell.exe compressing via Compress-Archive. |
| MSSP | An MSSP detection occurred showing evidence of powershell.exe compressing via Compress-Archive. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| Technique | A Technique alert detection (critical severity) was generated for a PowerShell process executing code hidden in images via steganography. |
| Telemetry | Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. |
| MSSP | An MSSP detection for "PowerShell script...that decodes malicious code" occurred containing evidence of the PowerShell script contained within monkey.png. |
| | |
| Telemetry | Telemetry showed the PowerShell command to add the DelegateExecute registry value. |
| MSSP | An MSSP detection occurred containing evidence of the addition of the DelegateExecute subkey. |
| | |
| Telemetry | Telemetry showed control.exe creating a high-integrity powershell.exe. |
| MSSP | An MSSP detection occurred for a new high-integrity PowerShell callback spawned from control.exe using sdclt.exe. |
| | |
| Telemetry | Telemetry showed powershell.exe connecting to 192.168.0.5 on TCP port 443. |
| MSSP | An MSSP detection occurred for powershell.exe connecting to 192.168.0.5 on TCP port 443 using shellcode that loads WinInet. |
| | |
| MSSP | An MSSP detection occurred for powershell.exe connecting to 192.168.0.5 on TCP port 443 using shellcode that loads WinInet. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| Telemetry | Telemetry showed the PowerShell command to remove the DelegateExecute registry value. |
| MSSP | An MSSP detection for "Defense Evasion - Modify Registry" occurred containing evidence of the deletion of the subkey. |
| | |
| MSSP | An MSSP detection occurred containing evidence of a remote file write of the ZIP by PowerShell. |
| | |
| Telemetry | Telemetry showed a new powershell.exe spawning from powershell.exe. |
| | |
| Telemetry | Telemetry showed powershell.exe decompressing SysinternalsSuite.zip via Expand-Archive. |
| MSSP | An MSSP detection for "Defense Evasion - Deobfuscate/Decode Files or Information" occurred containing evidence of powershell.exe decompressing SysinternalsSuite.zip via Expand-Archive. |
| | |
| Telemetry | Telemetry showed powershell.exe executing Get-Process. |
| MSSP | An MSSP detection for "Process Discovery" occurred containing evidence of powershell.exe executing Get-Process. |
| | |
| Technique | A Technique alert detection (low severity) called "SDelete64 Usage" was generated due to sdelete64.exe deleting rcs.3aka3.doc. |
| Telemetry | Telemetry showed sdelete.exe running with command-line arguments to delete the file, and the subsequent file rename and delete events. |
| | |
| Technique | A Technique alert detection (low severity) called "SDelete64 Usage" was generated due to sdelete64.exe deleting Draft.Zip. |
| Telemetry | Telemetry showed sdelete.exe running with command-line arguments to delete the file, and the subsequent file rename and delete events. |
| | |
| Technique | A Technique alert detection (low severity) called "SDelete64 Usage" was generated due to sdelete64.exe deleting SysinternalsSuite.zip. |
| Telemetry | Telemetry showed sdelete.exe running with command-line arguments to delete the file, and the subsequent file rename and delete events. |
| | |
| Telemetry | Telemetry showed powershell.exe executing: $env:TEMP. |
| MSSP | An MSSP detection for "Discovery - File and Directory Discovery" occurred containing evidence of powershell.exe executing: $env:TEMP. |
| | |
| Telemetry | Telemetry showed powershell.exe executing: $env:USERNAME. |
| MSSP | An MSSP detection for "Discovery - System Owner/User Discovery" occurred containing evidence of powershell.exe executing: $env:USERNAME. |
| | |
| Telemetry | Telemetry showed powershell.exe executing: $env:COMPUTERNAME. |
| MSSP | An MSSP detection for "Discovery - System Information Discovery" occurred containing evidence of powershell.exe executing: $env:COMPUTERNAME. |
| | |
| Telemetry | Telemetry showed powershell.exe executing: $env:USERDOMAIN. |
| MSSP | An MSSP detection for "Discovery - System Network Configuration Discovery" occurred containing evidence of powershell.exe executing: $env:USERDOMAIN. |
| | |
| Telemetry | Telemetry showed powershell.exe executing: $env:PID. |
| MSSP | An MSSP detection for "Discovery - Process Discovery" occurred containing evidence of powershell.exe executing: $env:PID. |
| | |
| Technique | A Technique alert detection (info severity) for System Information Discovery was generated for powershell.exe executing Gwmi Win32_OperatingSystem. |
| Telemetry | Telemetry showed powershell.exe executing: Gwmi Win32_OperatingSystem. |
| MSSP | An MSSP detection for "Discovery - System Information Discovery" occurred containing evidence of powershell.exe executing: Gwmi Win32_OperatingSystem. |
| | |
| Telemetry | Telemetry showed powershell.exe executing: Get-WmiObject ... -Class AntiVirusProduct. |
| MSSP | An MSSP detection for "Discovery - Security Software Discovery" occurred containing evidence of powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct. |
| | |
| Telemetry | Telemetry showed powershell.exe executing Get-WmiObject ... -Class FireWallProduct. |
| MSSP | An MSSP detection for "Discovery - Security Software Discovery" occurred containing evidence of powershell.exe executing Get-WmiObject ... -Class FireWallProduct. |
| | |
| Telemetry | Telemetry showed the NetUserGetGroups API calls and DLL loads. |
| | |
| Telemetry | Telemetry showed the NetUserGetGroups API function being loaded into PowerShell from Netapi32.dll. |
| | |
| Telemetry | Telemetry showed the NetUserGetLocalGroups API calls. |
| | |
| Telemetry | Telemetry showed the NetUserGetLocalGroups API function being loaded into PowerShell from Netapi32.dll. |
| | |
| Telemetry | Telemetry showed the creation of the javamtsup service. |
| MSSP | An MSSP detection for "Persistence - New Service" occurred for the creation of the javamtsup service. |
| | |
| MSSP | An MSSP detection for "Persistence - Registry Run Keys / Startup Folder" occurred for the creation of the hostui.lnk file in the Startup folder. |
| Telemetry | Telemetry showed the file write of hostui.lnk in the Startup folder. |
| | |
| MSSP | An MSSP detection occurred identifying the executed accesschk.exe binary as a tool for reading the Chrome database file for credentials. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| Telemetry | Telemetry showed that accesschk.exe is not the legitimate Sysinternals tool by comparing the hashes. |
| MSSP | An MSSP detection for Masquerading occurred containing evidence that accesschk.exe is not the legitimate Sysinternals tool. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| Technique | A Technique alert detection (critical severity) called "Credential Dumping T1003" was generated due to powershell.exe injecting into lsass.exe. |
| Telemetry | Telemetry showed powershell.exe injecting into lsass.exe. |
| | |
| Telemetry | Telemetry showed powershell.exe executing CopyFromScreen from System.Drawing.dll. |
| MSSP | An MSSP detection for "Collection - Screen Capture" occurred showing evidence of a PowerShell script attempting to take screenshots. |
| | |
| Telemetry | Telemetry showed powershell.exe executing Get-Clipboard. |
| MSSP | An MSSP detection for "Collection - Clipboard Data" occurred containing evidence of powershell.exe executing Get-Clipboard. |
| | |
| Telemetry | Telemetry showed PowerShell calling the GetAsyncKeyState API. |
| MSSP | An MSSP detection occurred containing evidence of input capture. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| Telemetry | Telemetry showed powershell.exe executing Compress-7Zip with arguments for encryption. |
| MSSP | An MSSP detection occurred containing evidence of powershell.exe compressing and encrypting data for exfiltration. |
| | |
| Telemetry | Telemetry showed PowerShell Copy-Item to a remote adversary WebDAV network share (192.168.0.4). |
| MSSP | An MSSP detection for "Exfiltration - Exfiltration Over Alternative Protocol" occurred containing evidence of PowerShell Copy-Item to a remote WebDAV network share (192.168.0.4:80). |
| | |
| Telemetry | Telemetry showed powershell.exe establishing a connection to NewYork (10.0.0.4) over TCP port 389. |
| MSSP | An MSSP detection for "Discovery - Remote System Discovery" occurred containing evidence of LDAP queries from Nashua to NewYork (Domain Controller - 10.0.0.4). |
| | |
| Technique | A Technique alert detection (info severity) called "Windows Remote Management - WinRM Usage" was generated due to a connection to remote host Scranton over port 5985. |
| Telemetry | Telemetry showed a connection to Scranton (10.0.1.4) over TCP port 5985. |
| | |
| Telemetry | Telemetry showed powershell.exe executing Get-Process. |
| MSSP | An MSSP detection for "PowerShell cmdlet with Get-Process" occurred containing evidence of powershell.exe executing Get-Process. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| MSSP | An MSSP detection was generated containing evidence of observed UPX packing on a Python payload. |
| | |
| Telemetry | Telemetry showed a valid logon on Scranton (10.0.1.4) as user Pam. |
| | |
| MSSP | An MSSP detection for "Lateral Movement - Windows Admin Shares" occurred containing evidence of an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 445. |
| Telemetry | Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 135. |
| | |
| Telemetry | Telemetry showed python.exe spawned by PSEXESVC.exe. |
| MSSP | An MSSP detection for Lateral Movement showed python.exe spawned by PSEXESVC.exe. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| Telemetry | Telemetry showed python.exe executing powershell.exe. |
| MSSP | An MSSP detection for "Execution - PowerShell" occurred containing evidence of python.exe executing powershell.exe. |
| | |
| Telemetry | Telemetry showed powershell.exe executing ChildItem. |
| MSSP | An MSSP detection for "Discovery - File and Directory Discovery" occurred containing evidence of powershell.exe executing ChildItem. |
| | |
| Telemetry | Telemetry showed powershell.exe executing ChildItem. |
| MSSP | An MSSP detection for "Collection - Automated Collection" occurred containing evidence of powershell.exe executing ChildItem. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| Technique | A Technique alert detection (medium severity) called "Suspicious RAR Archive Command & Data Encrypted (T1022)" was generated when rar.exe was used to create an encrypted archive. |
| Telemetry | Telemetry showed powershell.exe executing rar.exe with command-line arguments. |
| | |
| Telemetry | Telemetry showed powershell.exe executing rar.exe with command-line arguments. |
| Technique | A Technique alert detection (medium severity) called "Suspicious RAR Archive Command & Data Compressed (T1002)" was generated due to powershell.exe executing rar.exe with command-line arguments indicative of compression. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| Technique | A Technique alert detection (low severity) called "SDelete64 Usage" (File Deletion T1107) was generated when sdelete64.exe with command-line arguments was used to delete rar.exe. |
| Telemetry | Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. |
| | |
| Telemetry | Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. |
| Technique | A Technique alert detection (low severity) called "SDelete64 Usage" (File Deletion T1107) was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip. |
| | |
| Technique | A Technique alert detection (low severity) called "SDelete64 Usage" (File Deletion T1107) was generated when sdelete64.exe with command-line arguments was used to delete Roaming\working.zip. |
| Telemetry | Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| Telemetry | Telemetry showed the javamtsup.exe process executing as a persistent service. |
| | |
| Telemetry | Telemetry showed hostui.bat executing from a persistent Start Menu Startup shortcut. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
| | |
| None | Minimum detection criteria was not met for this procedure. |
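Several notes above rest on two observations: the right-to-left override (U+202E) that makes cod.3aka3.scr display as rcs.3aka3.doc, and cmd.exe being spawned by that screensaver file. As an added example that is not part of the evaluation page or the evaluated product, the following Python applies both checks to constructed process-creation events; the event field names (parent_image, image) are assumed.

```python
# Added example, not code from the ATT&CK Evaluations page or the evaluated
# product: the two checks behind the RTLO and "Screensaver file launches shell"
# notes, run over constructed telemetry. Event field names are assumed.
RTLO = "\u202e"
# Unicode bidi override/isolate controls that can disguise a file name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
SHELLS = {"cmd.exe", "powershell.exe"}

def displayed_name(name):
    """Approximate what a file browser renders: text after U+202E is reversed."""
    if RTLO not in name:
        return name
    head, _, tail = name.partition(RTLO)
    return head + tail[::-1]

def true_extension(name):
    """Extension the OS acts on: last suffix of the stored name with bidi
    controls removed, lower-cased; empty if the name has no dot."""
    stored = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return stored.rsplit(".", 1)[-1].lower() if "." in stored else ""

def check_event(evt):
    """Return the findings for one process-creation event."""
    findings = []
    image = evt["image"].rsplit("\\", 1)[-1]                 # basename
    parent = evt.get("parent_image", "").rsplit("\\", 1)[-1]
    if any(ch in BIDI_CONTROLS for ch in image):
        findings.append("rtlo: user saw '%s', OS runs a .%s file"
                        % (displayed_name(image), true_extension(image)))
    if true_extension(parent) == "scr" and image.lower() in SHELLS:
        findings.append("screensaver '%s' spawned shell %s"
                        % (displayed_name(parent), image))
    return findings

def scan(events):
    """Run check_event over a batch; returns [(event_index, finding), ...]."""
    return [(i, f) for i, evt in enumerate(events) for f in check_event(evt)]

# Constructed sample telemetry modelled on the explorer.exe -> rcs.3aka3.doc
# -> cmd.exe -> powershell.exe chain in the notes above.
EVENTS = [
    {"parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\user\\Downloads\\" + RTLO + "cod.3aka3.scr"},
    {"parent_image": "C:\\Users\\user\\Downloads\\" + RTLO + "cod.3aka3.scr",
     "image": "C:\\Windows\\System32\\cmd.exe"},
    {"parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]
```

Running scan(EVENTS) yields two findings: the first event is flagged for the override (shown as rcs.3aka3.doc, stored as a .scr), the second for the screensaver spawning cmd.exe, and the cmd.exe to powershell.exe hop is left for the separate parent-child rule the notes describe.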