Home >
Enterprise >
Participants >
McAfee >
Results
|
|
APT3 Substep numbers were updated on November 11, 2021 to accommodate changes to ATT&CK and updates to the result data structure. No results were modified in this process.
Procedure
Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Procedure
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Cobalt Strike: Built-in download capability executed to a collect file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
Procedure
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Procedure
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Procedure
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Procedure
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel
Procedure
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel
Procedure
Used unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria
Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process OR the original filename (cod.3aka.scr)
Footnotes
- The vendor added a new detection for the technique.


Procedure
Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Searched filesystem for document and media files using PowerShell
Criteria
powershell.exe executing (Get-)ChildItem
Procedure
Scripted search of filesystem for document and media files using PowerShell
Criteria
powershell.exe executing (Get-)ChildItem
Procedure
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria
powershell.exe reading files in C:\Users\Pam\
Procedure
Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria
powershell.exe executing Compress-Archive
Procedure
Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria
The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Procedure
Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is HTTPS
Procedure
Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Procedure
Modified the Registry to remove artifacts of COM hijacking
Criteria
Deletion of of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Procedure
Enumerated current running processes using PowerShell
Criteria
powershell.exe executing Get-Process
Procedure
Executed API call by reflectively loading Netapi32.dll
Criteria
The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Procedure
Read the Chrome SQL database file to extract encrypted credentials
Criteria
accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Procedure
Executed the CryptUnprotectedData API call to decrypt Chrome passwords
Criteria
accesschk.exe executing the CryptUnprotectedData API
Procedure
Captured and saved screenshots using PowerShell
Criteria
powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Footnotes
- MVISION Endpoint would have blocked this activity.
Procedure
Captured clipboard contents using PowerShell
Criteria
powershell.exe executing Get-Clipboard
Procedure
Read data in the user's Downloads directory using PowerShell
Criteria
powershell.exe reading files in C:\Users\pam\Downloads\
Procedure
Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria
powershell.exe executing Get-Process
Procedure
python.exe payload was packed with UPX
Criteria
Evidence that the file python.exe is packed
Procedure
Searched filesystem for document and media files using PowerShell
Criteria
powershell.exe executing (Get-)ChildItem
Procedure
Scripted search of filesystem for document and media files using PowerShell
Criteria
powershell.exe executing (Get-)ChildItem
Procedure
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria
powershell.exe reading files in C:\Users\Pam\
Procedure
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria
python.exe reading the file working.zip while connected to the C2 channel
Procedure
Executed persistent service (javamtsup) on system startup
Criteria
javamtsup.exe spawning from services.exe
Procedure
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Procedure
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria
hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Procedure
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Procedure
Enumerated computer manufacturer, model, and version information using PowerShell
Criteria
powershell.exe executing a Get-WmiObject gwmi queries for Win32_BIOS and Win32_ComputerSystem
Procedure
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Procedure
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Procedure
Checked that the computer is joined to a domain using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Procedure
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
Criteria
powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
Procedure
Established Registry Run key persistence using PowerShell
Criteria
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Procedure
Executed PowerShell stager payload
Criteria
powershell.exe spawning from from the schemas ADS (powershell.exe)
Footnotes
- Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
Procedure
Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Criteria
Established network channel over port 443
Procedure
Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria
Established network channel over the HTTPS protocol
Footnotes
- Although telemetry showed a network connection over port 443 no protocol was identified for this traffic, so a detection does not apply.
Procedure
Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria
Evidence that the network data sent over the C2 channel is encrypted
Footnotes
- Although telemetry showed a network connection over port 443 no protocol was identified for this traffic, so a detection does not apply.
Procedure
Enumerated the System32 directory using PowerShell
Criteria
powershell.exe executing (gci ((gci env:windir).Value + '\system32')
Procedure
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Procedure
Enumerated registered AV products using PowerShell
Criteria
powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Procedure
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Procedure
Enumerated installed software via the Registry (Uninstall key) using PowerShell
Criteria
powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Procedure
Executed elevated PowerShell payload
Criteria
High integrity powrshell.exe spawning from control.exe (spawned from sdclt.exe)
Footnotes
- MVISION Endpoint would have blocked the malicious script from running in the PowerShell session due to a Real Protect machine learning model detection.


Procedure
Modified the Registry to remove artifacts of COM hijacking using PowerShell
Criteria
Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Procedure
Enumerated and tracked PowerShell processes using PowerShell
Criteria
powershell.exe executing Get-Process
Procedure
Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection
Criteria
File write of m.exe by the WinRM process (wsmprovhost.exe)
Footnotes
- MVISION Endpoint would have blocked the malicious file m.exe due to a cloud-based classification detected by Advanced Threat Protection signature.


[2]


Procedure
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
Criteria
m.exe injecting into lsass.exe to dump credentials
Footnotes
- MVISION Endpoint would have blocked the malicious file m.exe due to a cloud-based classification detected by Advanced Threat Protection signature.


Procedure
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
Criteria
m.exe injecting into lsass.exe to dump credentials
Footnotes
- MVISION Endpoint would have blocked the malicious file m.exe due to a cloud-based classification detected by Advanced Threat Protection signature.


Procedure
Read and collected a local file using PowerShell
Criteria
powershell.exe reading the file MITRE-ATTACK-EVALS.HTML
Procedure
Staged collected file into directory using PowerShell
Criteria
powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML
Procedure
Exfiltrated staged collection to an online OneDrive account using PowerShell
Criteria
powershell.exe executing Copy-Item pointing to drive mapped to an attack-controlled OneDrive account
Procedure
Created Kerberos Golden Ticket using Invoke-Mimikatz
Criteria
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


[2]


Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


[2]


Criteria
fodhelper.exe spawns cmd.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring
- Windows Registry


Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


[2]


Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Windows Registry
- Process Monitoring
- Script Logs


[2]


[3]


[4]


Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring


[2]


Criteria
powershell.exe spawns samcat.exe as a high-integrity process (note: Due to the configuration of the environment, the adversary's process was high by default. This sub-step was evaluated based on the criteria of detecting data related to process integrity level as well as the executed mechanics of the UAC bypass)
Data Sources
- Process Monitoring
- Windows Registry


[2]


Criteria
AccountingIQ.exe queries HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\ and loads dll329.dll