TRITON
Step | ATT&CK Pattern
1.A.1 |
4.B.2 |
6.E.2 |
7.A.1 |
7.B.1 |
10.A.1 |
10.B.1 |
12.A.1 |
15.A.1 |
17.A.2 |
18.A.1 |
19.A.1 |
23.A.1 |
23.B.1 |
25.D.1 |
Evidence of an established network connection over TCP port 3389 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) as RDP.
Evidence of an established network connection over TCP port 3389 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) as RDP.
Evidence of an established network connection over TCP port 3389 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via the "mstsc.exe" process as RDP. Successful logon as user "Engineer" may be present or as a part of the connection and process creation.
Evidence of an established network connection over TCP port 445 from the control EWS (10.0.100.20) to the adversary machine (10.0.100.1) as an outbound SSH tunnel request.
Evidence of an established network connection over TCP port 445 from the control EWS (10.0.100.20) to the adversary machine (10.0.100.1) as an outbound SSH tunnel request.
Evidence of an established network connection over TCP port 3389 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via the "mstsc.exe" process. Successful logon as user "Engineer" may be present or as a part of the connection and process creation.
Evidence of an established network connection over TCP port 445 from the control EWS (10.0.100.20) to the adversary machine (10.0.100.1) as an outbound SSH tunnel request.
Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) tunneling SFTP.
Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via the "sftp-server.exe" process. Successful logon as user "Engineer" may be present or as a part of the connection and process creation.
Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) tunneling SSH.
Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via "csp.exe"[SSHD]. Successful logon as user "Engineer" may be present or as a part of the connection and process creation.
Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) tunneling RDP traffic over SSH.
Evidence of an established network connection over TCP port 3389 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via the "mstsc.exe" process as RDP. Successful logon as user "Engineer" may be present or as a part of the connection and process creation.
Evidence of an established network connection over TCP port 3389 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) as RDP.
Evidence of an established network connection over TCP port 3389 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via the "mstsc.exe" process as RDP. Successful logon as user "Engineer" may be present or as a part of the connection and process creation.
Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) tunneling SSH.
Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via "csp.exe"[SSHD]. Successful logon as user "Engineer" may be present or as a part of the connection and process creation.
Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via "scp". Successful logon as user "Engineer" may be present or as a part of the connection and process creation.
Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) as SSH.
Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via "csp.exe"[SSHD]. Successful logon as user "Engineer" may be present or as a part of the connection and process creation.
Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via the "sftp-server.exe" process. Successful logon as user "Engineer" may be present or as a part of the connection and process creation.
Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) tunneling SFTP.
Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) to transfer "Install_GuardLogix.zip" over scp.
Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via "scp". Successful logon as user "Engineer" may be present or as a part of the connection and process creation.
Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) as SSH.
Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via "csp.exe"[SSHD]. Successful logon as user "Engineer" may be present or as a part of the connection and process creation.
Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) tunneling SSH.
Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via "csp.exe"[SSHD]. Successful logon as user "Engineer" may be present or as a part of the connection and process creation.
Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) as SSH.
Evidence of an established network connection over TCP port 2223 between the control EWS (10.0.100.20) and the safety EWS (10.0.100.15) via "csp.exe"[SSHD]. Successful logon as user "Engineer" may be present or as a part of the connection and process creation.
Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) as SSH.
Evidence of an established network connection over TCP port 445 between the adversary machine (10.0.100.1) and the control EWS (10.0.100.20) via "csp.exe"[SSHD]. Successful logon as user "Engineer" may be present or as a part of the connection and process creation.