2.A.4
Procedure:
Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria:
powershell.exe executing Compress-Archive
Detections:
2.A.5
Procedure:
Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria:
powershell.exe creating the file draft.zip
Detections:
7.B.2
Procedure:
Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
Criteria:
powershell.exe creating the file OfficeSupplies.7z
Detections:
7.B.3
Procedure:
Encrypted data from the user's Downloads directory using PowerShell
Criteria:
powershell.exe executing Compress-7Zip with the password argument used for encryption
Detections:
9.B.6
Procedure:
Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria:
powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Detections:
9.B.7
Procedure:
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria:
powershell.exe executing rar.exe
Detections:
17.C.1
Procedure:
Compressed a staging directory using PowerShell
Criteria:
powershell.exe executing the ZipFile.CreateFromDirectory .NET method
Detections:
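The criteria above all reduce to "powershell.exe executing X" (a process-creation event with a recognisable command line) or "powershell.exe creating file Y" (a file-creation event). The Python below is an added example, not part of the MITRE evaluation page, showing how those criteria become rules over Sysmon-style events (EID 1 ProcessCreate, EID 11 FileCreate). The Event and Rule classes, the field names and the sample telemetry are constructed for the example; the -p/-hp password switch used for 9.B.6 is taken from WinRAR's documented switch syntax, not from the page, and the 9.B.7 rule fires on any rar.exe spawned by PowerShell, as the criteria states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Minimal event model. Field names mirror Sysmon ProcessCreate (EID 1) and
# FileCreate (EID 11); the events below are constructed for this example.
@dataclass
class Event:
    eid: int                      # 1 = process create, 11 = file create
    image: str                    # full path of the acting process
    command_line: str = ""        # EID 1 only
    parent_image: str = ""        # EID 1 only
    target_filename: str = ""     # EID 11 only

@dataclass
class Rule:
    substep: str                  # evaluation substep the rule corresponds to
    eid: int
    image: str                    # regex on Image
    pattern: str                  # regex on CommandLine (EID 1) or TargetFilename (EID 11)
    parent: Optional[str] = None  # regex on ParentImage, when the criteria names the parent

PS_EXE = r"\\powershell\.exe$"

RULES = [
    Rule("2.A.4",  1,  PS_EXE, r"\bCompress-Archive\b"),
    Rule("2.A.5",  11, PS_EXE, r"\\draft\.zip$"),
    Rule("7.B.2",  11, PS_EXE, r"\\OfficeSupplies\.7z$"),
    Rule("7.B.3",  1,  PS_EXE, r"\bCompress-7Zip\b.*-Password\b"),
    # 9.B.6/9.B.7: rar.exe launched by PowerShell. WinRAR's -p<pwd> / -hp<pwd>
    # switches carry the archive password (assumption based on WinRAR's
    # documented syntax; the page does not quote the command line).
    Rule("9.B.6",  1,  r"\\rar\.exe$", r"(?:^|\s)-h?p\S+", parent=PS_EXE),
    Rule("9.B.7",  1,  r"\\rar\.exe$", r".", parent=PS_EXE),
    Rule("9.B.5",  11, PS_EXE, r"\\working\.zip$"),
    Rule("17.C.1", 1,  PS_EXE, r"ZipFile\]?::CreateFromDirectory"),
]

def match(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (substep, event) pairs for every rule an event satisfies."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule.eid != ev.eid or not re.search(rule.image, ev.image, re.I):
                continue
            if rule.parent and not re.search(rule.parent, ev.parent_image, re.I):
                continue
            subject = ev.command_line if ev.eid == 1 else ev.target_filename
            if re.search(rule.pattern, subject, re.I):
                hits.append((rule.substep, ev))
    return hits

def matched_substeps(events: List[Event]) -> List[str]:
    return sorted({substep for substep, _ in match(events)})

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry (paths and the password are placeholders).
SAMPLE_EVENTS = [
    Event(1, PS, command_line=r'powershell.exe -c "Compress-Archive -Path C:\Users\Pam\staging -DestinationPath C:\Users\Pam\Draft.zip"',
          parent_image=r"C:\Users\Pam\Desktop\rcs.3aka3.doc"),
    Event(11, PS, target_filename=r"C:\Users\Pam\Draft.zip"),
    Event(1, PS, command_line=r'powershell.exe -c "Compress-7Zip -Path C:\Users\pam\Downloads -ArchiveFileName OfficeSupplies.7z -Password Placeh0lder"',
          parent_image=PS),
    Event(11, PS, target_filename=r"C:\Users\pam\Downloads\OfficeSupplies.7z"),
    Event(1, r"C:\Users\Pam\AppData\Roaming\rar.exe",
          command_line=r"rar.exe a -hpPlaceh0lder C:\Users\Pam\Desktop\working.zip C:\Users\Pam\AppData\Roaming\working.zip",
          parent_image=PS),
    Event(1, PS, command_line=r'powershell.exe -c "[IO.Compression.ZipFile]::CreateFromDirectory($src, $dst)"',
          parent_image=PS),
    # Benign: a user zipping a folder from Explorer must not fire any rule.
    Event(11, r"C:\Windows\explorer.exe", target_filename=r"C:\Users\Pam\Documents\photos.zip"),
]

if __name__ == "__main__":
    for substep, ev in match(SAMPLE_EVENTS):
        print(substep, ev.eid, ev.command_line or ev.target_filename)
```

The file-name rules (2.A.5, 7.B.2, 9.B.5) are only as good as the specific names the evaluation used; in production the useful generalisation is "powershell.exe writing an archive extension into a user profile", with the named files kept as high-confidence variants.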
2.A.2
Procedure:
Scripted search of filesystem for document and media files using PowerShell
Criteria:
powershell.exe executing (Get-)ChildItem
Detections:
9.B.3
Procedure:
Scripted search of filesystem for document and media files using PowerShell
Criteria:
powershell.exe executing (Get-)ChildItem
Detections:
7.A.2
Procedure:
Captured clipboard contents using PowerShell
Criteria:
powershell.exe executing Get-Clipboard
Detections:
9.B.5
Procedure:
Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
Criteria:
powershell.exe creating the file working.zip
Detections:
17.B.2
Procedure:
Staged collected file into directory using PowerShell
Criteria:
powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML
Detections:
2.A.3
Procedure:
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria:
powershell.exe reading files in C:\Users\Pam\
Detections:
7.B.1
Procedure:
Read data in the user's Downloads directory using PowerShell
Criteria:
powershell.exe reading files in C:\Users\pam\Downloads\
Detections:
9.B.4
Procedure:
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria:
powershell.exe reading files in C:\Users\Pam\
Detections:
17.B.1
Procedure:
Read and collected a local file using PowerShell
Criteria:
powershell.exe reading the file MITRE-ATTACK-EVALS.HTML
Detections:
17.A.1
Procedure:
Dumped messages from the local Outlook inbox using PowerShell
Criteria:
outlook.exe spawning from svchost.exe or powershell.exe
Detections:
7.A.3
Procedure:
Captured user keystrokes using the GetAsyncKeyState API
Criteria:
powershell.exe executing the GetAsyncKeyState API
Detections:
7.A.1
Procedure:
Captured and saved screenshots using PowerShell
Criteria:
powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Detections:
3.B.4
Procedure:
Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria:
Evidence that the network data sent over the C2 channel is HTTPS
Detections:
11.A.14
Procedure:
Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria:
Established network channel over the HTTPS protocol
Detections:
3.B.3
Procedure:
Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria:
Established network channel over port 443
Detections:
11.A.13
Procedure:
Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Criteria:
Established network channel over port 443
Detections:
3.B.5
Procedure:
Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria:
Evidence that the network data sent over the C2 channel is encrypted
Detections:
11.A.15
Procedure:
Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria:
Evidence that the network data sent over the C2 channel is encrypted
Detections:
1.A.4
Procedure:
Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria:
Evidence that the network data sent over the C2 channel is encrypted
Detections:
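The C2 substeps above separate three levels of evidence: a connection on port 443 (3.B.3, 11.A.13), a channel that is actually HTTPS (3.B.4, 11.A.14), and data that is merely encrypted (3.B.5, 11.A.15, and 1.A.4, where RC4 on port 1234 gives the last without either of the first two). The Python below is an added example, not from the evaluation, that classifies the first payload of a connection on those three axes: a TLS ClientHello record-header check, a plaintext-HTTP check, and byte entropy as a proxy for encryption. The RC4 routine (used only to build the sample), the key and all three sample payloads are constructed here so the block runs offline.

```python
import math
from collections import Counter

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Only used to construct an 'encrypted C2'
    sample; RC4 is not a cipher anyone should deploy."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~4-5 for text or HTTP, ~7.5+ for ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_tls_client_hello(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version 0x03 0x01..0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (0x01, 0x02, 0x03) and payload[5] == 0x01)

def looks_like_http(payload: bytes) -> bool:
    return payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"HTTP/1.1", b"HTTP/1.0")

def classify(dst_port: int, payload: bytes, entropy_threshold: float = 6.0) -> dict:
    """Evidence for the three criteria: port, TLS handshake, encrypted-looking bytes."""
    tls = is_tls_client_hello(payload)
    ent = shannon_entropy(payload)
    return {
        "port": dst_port,
        "tls": tls,                                   # 3.B.4 / 11.A.14 style evidence
        "plaintext_http": looks_like_http(payload),
        "entropy": round(ent, 2),
        "encrypted": tls or ent >= entropy_threshold, # 3.B.5 / 11.A.15 / 1.A.4 style evidence
        # Port 443 with no TLS handshake is the case that deserves a second look.
        "non_tls_on_443": dst_port == 443 and not tls,
    }

# Constructed samples (not captures from the evaluation).
CLIENT_HELLO = bytes.fromhex("160301002c010000280303") + bytes(32)   # truncated ClientHello
PLAINTEXT_HTTP = b"GET /index.html HTTP/1.1\r\nHost: 192.168.0.5\r\n\r\n"
KEY = b"constructed-key"
C2_PLAINTEXT = b"cmd:whoami;cmd:dir C:\\Users\\Pam;" * 12
RC4_C2 = rc4(KEY, C2_PLAINTEXT)

if __name__ == "__main__":
    for port, payload in ((443, CLIENT_HELLO), (443, PLAINTEXT_HTTP), (1234, RC4_C2)):
        print(classify(port, payload))
```

Entropy alone cannot separate encryption from compression, and a TLS record header can be faked by a C2 framework that speaks real TLS; treat the flags as evidence that must be combined with the process and destination context from the other criteria.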
3.A.1
Procedure:
Dropped stage 2 payload (monkey.png) to disk
Criteria:
The rcs.3aka3.doc process creating the file monkey.png
Detections:
4.A.1
Procedure:
Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria:
powershell.exe creating the file SysinternalsSuite.zip
Detections:
8.B.1
Procedure:
Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria:
The file python.exe created on Scranton (10.0.1.4)
Detections:
9.A.1
Procedure:
Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
Criteria:
python.exe creating the file rar.exe
Detections:
9.A.2
Procedure:
Dropped SDelete (sdelete64.exe) to disk on remote host Scranton (10.0.1.4)
Criteria:
python.exe creating the file sdelete64.exe
Detections:
14.B.3
Procedure:
Downloaded and dropped Mimikatz (m.exe) to disk
Criteria:
powershell.exe downloading and/or the file write of m.exe
Detections:
1.A.3
Procedure:
Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria:
Established network channel over port 1234
Detections:
18.A.1
Procedure:
Mapped a network drive to an online OneDrive account using PowerShell
Criteria:
net.exe with command-line arguments then making a network connection to a public IP over port 443
Detections:
6.A.2
Procedure:
Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria:
accesschk.exe executing the CryptUnprotectData API
Detections:
7.A.3
Procedure:
Captured user keystrokes using the GetAsyncKeyState API
Criteria:
powershell.exe executing the GetAsyncKeyState API
Detections:
14.B.4
Procedure:
Dumped plaintext credentials using Mimikatz (m.exe)
Criteria:
m.exe injecting into lsass.exe to dump credentials
Detections:
16.D.2
Procedure:
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
Criteria:
m.exe injecting into lsass.exe to dump credentials
Detections:
6.C.1
Procedure:
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria:
powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Detections:
6.A.1
Procedure:
Read the Chrome SQL database file to extract encrypted credentials
Criteria:
accesschk.exe reading files within %LOCALAPPDATA%\Google\Chrome\User Data\Default\
Detections:
6.B.1
Procedure:
Exported a local certificate to a PFX file using PowerShell
Criteria:
powershell.exe creating a certificate file exported from the system
Detections:
3.B.2
Procedure:
Executed elevated PowerShell payload
Criteria:
High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Detections:
14.A.2
Procedure:
Executed elevated PowerShell payload
Criteria:
High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Detections:
10.B.3
Procedure:
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria:
hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Detections:
4.A.3
Procedure:
Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria:
powershell.exe executing Expand-Archive
Detections:
11.A.10
Procedure:
Decoded an embedded DLL payload to disk using certutil.exe
Criteria:
certutil.exe decoding kxwn.lock
Detections:
14.B.6
Procedure:
Read and decoded Mimikatz output from a WMI class property using PowerShell
Criteria:
powershell.exe executing Get-WmiInstance
Detections:
11.A.2
Procedure:
Executed an alternate data stream (ADS) using PowerShell
Criteria:
powershell.exe executing the schemas ADS via Get-Content and IEX
Detections:
4.B.2
Procedure:
Deleted rcs.3aka3.doc on disk using SDelete
Criteria:
sdelete64.exe deleting the file rcs.3aka3.doc
Detections:
4.B.3
Procedure:
Deleted Draft.zip on disk using SDelete
Criteria:
sdelete64.exe deleting the file draft.zip
Detections:
4.B.4
Procedure:
Deleted SysinternalsSuite.zip on disk using SDelete
Criteria:
sdelete64.exe deleting the file SysinternalsSuite.zip
Detections:
9.C.1
Procedure:
Deleted rar.exe on disk using SDelete
Criteria:
sdelete64.exe deleting the file rar.exe
Detections:
9.C.2
Procedure:
Deleted working.zip (from Desktop) on disk using SDelete
Criteria:
sdelete64.exe deleting the file \Desktop\working.zip
Detections:
9.C.3
Procedure:
Deleted working.zip (from AppData directory) on disk using SDelete
Criteria:
sdelete64.exe deleting the file \AppData\Roaming\working.zip
Detections:
9.C.4
Procedure:
Deleted SDelete on disk using cmd.exe del command
Criteria:
cmd.exe deleting the file sdelete64.exe
Detections:
12.A.2
Procedure:
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria:
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Detections:
6.A.3
Procedure:
Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria:
Evidence that accesschk.exe is not the legitimate Sysinternals tool
Detections:
1.A.2
Procedure:
Used Unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka3.scr)
Criteria:
Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka3.scr)
Detections:
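For 1.A.2 the detection hinges on the raw code point in the logged process or file name, not on what the UI displays. The function below is an added example (not from the page) that renders a name the way an override-aware UI would and reports the real versus displayed extension. The bidi handling is deliberately simplified (reverse everything after U+202E until U+202C or end of string), which is enough for Latin-script names like the one in the evaluation; the sample names are constructed.

```python
RTLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"    # POP DIRECTIONAL FORMATTING (ends an override)
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

def rendered_name(actual: str) -> str:
    """Approximate how a UI draws a name containing U+202E: the text after the
    override is drawn right-to-left (reversed) until U+202C or end of string.
    Simplification of the Unicode bidi algorithm, adequate for Latin-script names."""
    out = []
    i = 0
    while i < len(actual):
        ch = actual[i]
        if ch == RTLO:
            end = actual.find(PDF, i + 1)
            end = len(actual) if end == -1 else end
            out.append(actual[i + 1:end][::-1])
            i = end + 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def analyze_filename(actual: str) -> dict:
    """Compare the on-disk name (what the OS executes) with the displayed name."""
    shown = rendered_name(actual)
    stripped = "".join(c for c in actual if c not in BIDI_CONTROLS)
    real_ext = stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {
        "has_rtlo": RTLO in actual,
        "actual_name": stripped,
        "displayed_name": shown,
        "actual_extension": real_ext,      # what Windows will execute
        "displayed_extension": shown_ext,  # what the user believed they opened
        "extension_mismatch": real_ext != shown_ext,
    }

def flag_process_names(names):
    """Names from process-creation telemetry that carry an RTLO or an extension mismatch."""
    return [n for n in names if (r := analyze_filename(n))["has_rtlo"] or r["extension_mismatch"]]

# Constructed samples: the evaluation's on-disk name, and a benign document.
SAMPLE_NAMES = ["\u202ecod.3aka3.scr", "report.docx"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(analyze_filename(name))
```

When hunting for this in a SIEM, search for the literal code point (U+202E) in Image, TargetFilename and CommandLine fields; a query on the displayed string "rcs.3aka3.doc" will not match, because the stored value is the reversed original with the override character in front of it.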
3.C.1
Procedure:
Modified the Registry to remove artifacts of COM hijacking
Criteria:
Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Detections:
14.A.3
Procedure:
Modified the Registry to remove artifacts of COM hijacking using PowerShell
Criteria:
Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Detections:
14.B.5
Procedure:
Encoded and wrote Mimikatz output to a WMI class property using PowerShell
Criteria:
powershell.exe executing Set-WmiInstance
Detections:
17.C.2
Procedure:
Prepended the GIF file header to a compressed staging file using PowerShell
Criteria:
powershell.exe executing Set-Content
Detections:
8.B.2
Procedure:
python.exe payload was packed with UPX
Criteria:
Evidence that the file python.exe is packed
Detections:
3.A.2
Procedure:
Embedded PowerShell payload in monkey.png using steganography
Criteria:
Evidence that a PowerShell payload was within monkey.png
Detections:
20.A.1
Procedure:
Executed Run key persistence payload on user login using RunDll32
Criteria:
rundll32.exe executing kxwn.lock
Detections:
20.B.1
Procedure:
Created Kerberos Golden Ticket using Invoke-Mimikatz
Criteria:
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
Detections:
8.C.1
Procedure:
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria:
Successful logon as user Pam on Scranton (10.0.1.4)
Detections:
16.C.2
Procedure:
Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
Criteria:
Successful logon as user MScott on NewYork (10.0.0.4)
Detections:
11.A.3
Procedure:
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Detections:
2.A.1
Procedure:
Searched filesystem for document and media files using PowerShell
Criteria:
powershell.exe executing (Get-)ChildItem
Detections:
4.C.1
Procedure:
Enumerated user's temporary directory path using PowerShell
Criteria:
powershell.exe executing $env:TEMP
Detections:
9.B.2
Procedure:
Searched filesystem for document and media files using PowerShell
Criteria:
powershell.exe executing (Get-)ChildItem
Detections:
11.A.9
Procedure:
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
Criteria:
powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
Detections:
12.A.1
Procedure:
Enumerated the System32 directory using PowerShell
Criteria:
powershell.exe executing gci ((gci env:windir).Value + '\system32')
Detections:
11.A.5
Procedure:
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Detections:
4.C.9
Procedure:
Enumerated user's domain group membership via the NetUserGetGroups API
Criteria:
powershell.exe executing the NetUserGetGroups API
Detections:
4.C.11
Procedure:
Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria:
powershell.exe executing the NetUserGetLocalGroups API
Detections:
4.B.1
Procedure:
Enumerated current running processes using PowerShell
Criteria:
powershell.exe executing Get-Process
Detections:
4.C.5
Procedure:
Enumerated the current process ID using PowerShell
Criteria:
powershell.exe executing $PID
Detections:
8.A.3
Procedure:
Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria:
powershell.exe executing Get-Process
Detections:
11.A.8
Procedure:
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_Process
Detections:
13.D.1
Procedure:
Enumerated running processes using the CreateToolhelp32Snapshot API
Criteria:
powershell.exe executing the CreateToolhelp32Snapshot API
Detections:
14.B.2
Procedure:
Enumerated and tracked PowerShell processes using PowerShell
Criteria:
powershell.exe executing Get-Process
Detections:
12.C.1
Procedure:
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria:
powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Detections:
12.C.2
Procedure:
Enumerated installed software via the Registry (Uninstall key) using PowerShell
Criteria:
powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Detections:
8.A.1
Procedure:
Enumerated remote systems using LDAP queries
Criteria:
powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Detections:
16.A.1
Procedure:
Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
Criteria:
powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll
Detections:
4.C.7
Procedure:
Enumerated anti-virus software using PowerShell
Criteria:
powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Detections:
4.C.8
Procedure:
Enumerated firewall software using PowerShell
Criteria:
powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Detections:
12.B.1
Procedure:
Enumerated registered AV products using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Detections:
4.C.3
Procedure:
Enumerated the computer hostname using PowerShell
Criteria:
powershell.exe executing $env:COMPUTERNAME
Detections:
4.C.6
Procedure:
Enumerated the OS version using PowerShell
Criteria:
powershell.exe executing Gwmi Win32_OperatingSystem
Detections:
11.A.4
Procedure:
Enumerated computer manufacturer, model, and version information using PowerShell
Criteria:
powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
Detections:
13.A.1
Procedure:
Enumerated the computer name using the GetComputerNameEx API
Criteria:
powershell.exe executing the GetComputerNameEx API
Detections:
4.C.4
Procedure:
Enumerated the current domain name using PowerShell
Criteria:
powershell.exe executing $env:USERDOMAIN
Detections:
11.A.7
Procedure:
Checked that the computer is joined to a domain using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Detections:
13.B.1
Procedure:
Enumerated the domain name using the NetWkstaGetInfo API
Criteria:
powershell.exe executing the NetWkstaGetInfo API
Detections:
4.C.2
Procedure:
Enumerated the current username using PowerShell
Criteria:
powershell.exe executing $env:USERNAME
Detections:
11.A.6
Procedure:
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Detections:
13.C.1
Procedure:
Enumerated the current username using the GetUserNameEx API
Criteria:
powershell.exe executing the GetUserNameEx API
Detections:
15.A.1
Procedure:
Enumerated logged on users using PowerShell
Criteria:
powershell.exe executing $env:UserName
Detections:
16.B.1
Procedure:
Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API
Criteria:
powershell.exe executing the ConvertSidToStringSid API
Detections:
11.A.3
Procedure:
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria:
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Detections:
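Most discovery criteria above (4.C.2 through 4.C.8, 4.B.1, 11.A.3 and so on) name a single PowerShell expression that an administrator may also type interactively, so the practical detection is the burst of several of them from one process rather than any one on its own. The Python below is an added example (not from the page) that applies the criteria's expressions to PowerShell script-block text, assumed here to be logged as Event ID 4104 ScriptBlockText together with a process identifier and timestamp, and flags a process when at least four distinct discovery substeps appear within a 60-second window. The thresholds, field names and sample script blocks are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Substep -> regex over PowerShell script-block text, taken from the criteria above.
DISCOVERY_PATTERNS = {
    "4.C.2":  r"\$env:USERNAME",
    "4.C.3":  r"\$env:COMPUTERNAME",
    "4.C.4":  r"\$env:USERDOMAIN",
    "4.C.5":  r"\$PID\b",
    "4.C.6":  r"\b(?:gwmi|Get-WmiObject)\b.*Win32_OperatingSystem",
    "4.C.7":  r"-Class\s+AntiVirusProduct",
    "4.C.8":  r"-Class\s+FireWallProduct",
    "4.B.1":  r"\bGet-Process\b",
    "11.A.3": r"\b(?:gwmi|Get-WmiObject)\b.*Win32_BIOS",
    "11.A.5": r"\b(?:gwmi|Get-WmiObject)\b.*Win32_PnPEntity",
    "11.A.7": r"\b(?:gwmi|Get-WmiObject)\b.*Win32_ComputerSystem",
    "11.A.8": r"\b(?:gwmi|Get-WmiObject)\b.*Win32_Process",
    "12.A.1": r"\bgci\b.*system32",
}

def discovery_bursts(events: List[Dict], window_s: int = 60, min_distinct: int = 4) -> Dict[str, Tuple[str, ...]]:
    """events: dicts with 'ts' (seconds), 'process_guid' and 'script' (assumed
    4104 ScriptBlockText). Returns {process_guid: distinct substeps} for every
    process that reaches min_distinct substeps inside some window_s slice."""
    per_proc = defaultdict(list)
    for ev in events:
        for substep, pattern in DISCOVERY_PATTERNS.items():
            if re.search(pattern, ev["script"], re.I):
                per_proc[ev["process_guid"]].append((ev["ts"], substep))
    alerts: Dict[str, Tuple[str, ...]] = {}
    for guid, hits in per_proc.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):          # slide a window starting at each hit
            seen = {substep for t, substep in hits[i:] if t - t0 <= window_s}
            if len(seen) >= min_distinct and len(seen) > len(alerts.get(guid, ())):
                alerts[guid] = tuple(sorted(seen))
    return alerts

# Constructed sample script blocks: one process running the 4.C.x recon in a few
# seconds, and an administrator's interactive session that stays under threshold.
SAMPLE_SCRIPT_BLOCKS = [
    {"ts": 100, "process_guid": "{A1}", "script": "$env:USERNAME"},
    {"ts": 101, "process_guid": "{A1}", "script": "$env:COMPUTERNAME"},
    {"ts": 101, "process_guid": "{A1}", "script": "$env:USERDOMAIN"},
    {"ts": 102, "process_guid": "{A1}", "script": "$PID"},
    {"ts": 103, "process_guid": "{A1}", "script": "Gwmi Win32_OperatingSystem | Select Caption, Version"},
    {"ts": 104, "process_guid": "{A1}", "script": "Get-WmiObject -Namespace root\\SecurityCenter2 -Class AntiVirusProduct"},
    {"ts": 104, "process_guid": "{A1}", "script": "Get-WmiObject -Namespace root\\SecurityCenter2 -Class FireWallProduct"},
    {"ts": 5000, "process_guid": "{B2}", "script": "Get-Process | Sort-Object CPU -Descending | Select -First 10"},
    {"ts": 5300, "process_guid": "{B2}", "script": "$env:COMPUTERNAME"},
]

if __name__ == "__main__":
    for guid, substeps in discovery_bursts(SAMPLE_SCRIPT_BLOCKS).items():
        print(guid, substeps)
```

Script-block logging sees the expression even when it is never written to the command line (for example when it is run from a downloaded stager via IEX), which is why this example keys on 4104 text rather than on the process-creation command line used for the collection criteria.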
1.B.2
Procedure:
Spawned interactive powershell.exe
Criteria:
powershell.exe spawning from cmd.exe
Detections:
4.A.2
Procedure:
Spawned interactive powershell.exe
Criteria:
powershell.exe spawning from powershell.exe
Detections:
9.B.1
Procedure:
Spawned interactive powershell.exe
Criteria:
powershell.exe spawning from python.exe
Detections:
11.A.12
Procedure:
Executed PowerShell stager payload
Criteria:
powershell.exe spawning from the schemas ADS (powershell.exe)
Detections:
20.A.3
Procedure:
Executed PowerShell payload from WMI event subscription persistence
Criteria:
SYSTEM-level powershell.exe spawned from powershell.exe
Detections:
1.B.1
Procedure:
Spawned interactive cmd.exe
Criteria:
cmd.exe spawning from the rcs.3aka3.doc process
Detections:
4.C.10
Procedure:
Executed API call by reflectively loading Netapi32.dll
Criteria:
The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Detections:
4.C.12
Procedure:
Executed API call by reflectively loading Netapi32.dll
Criteria:
The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Detections:
10.B.2
Procedure:
Executed PowerShell payload via the CreateProcessWithToken API
Criteria:
hostui.exe executing the CreateProcessWithToken API
Detections:
16.B.2
Procedure:
Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll
Criteria:
powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll
Detections:
8.C.3
Procedure:
Executed python.exe using PSExec
Criteria:
python.exe spawned by PSEXESVC.exe
Detections:
10.A.1
Procedure:
Executed persistent service (javamtsup) on system startup
Criteria:
javamtsup.exe spawning from services.exe
Detections:
1.A.1
Procedure:
User Pam executed payload rcs.3aka3.doc
Criteria:
The rcs.3aka3.doc process spawning from explorer.exe
Detections:
11.A.1
Procedure:
User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
Criteria:
powershell.exe spawning from explorer.exe
Detections:
14.B.1
Procedure:
Created and executed a WMI class using PowerShell
Criteria:
WMI Process (WmiPrvSE.exe) executing powershell.exe
Detections:
7.B.4
Procedure:
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria:
powershell.exe executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)
Detections:
2.B.1
Procedure:
Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria:
The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Detections:
9.B.8
Procedure:
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria:
python.exe reading the file working.zip while connected to the C2 channel
Detections:
18.A.2
Procedure:
Exfiltrated staged collection to an online OneDrive account using PowerShell
Criteria:
powershell.exe executing Copy-Item pointing to a drive mapped to an attacker-controlled OneDrive account
Detections:
8.C.1
Procedure:
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria:
Successful logon as user Pam on Scranton (10.0.1.4)
Detections:
16.C.2
Procedure:
Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
Criteria:
Successful logon as user MScott on NewYork (10.0.0.4)
Detections:
16.D.1
Procedure:
Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection
Criteria:
File write of m.exe by the WinRM process (wsmprovhost.exe)
Detections:
8.C.2
Procedure:
Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria:
SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Detections:
8.A.2
Procedure:
Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria:
Network connection to Scranton (10.0.1.4) over port 5985
Detections:
16.C.1
Procedure:
Established a WinRM connection to the domain controller host NewYork (10.0.0.4)
Criteria:
Network connection to NewYork (10.0.0.4) over port 5985
Detections:
20.B.2
Procedure:
Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials
Criteria:
Network connection to Scranton (10.0.1.4) over port 5985
Detections:
20.B.1
Procedure:
Created Kerberos Golden Ticket using Invoke-Mimikatz
Criteria:
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
Detections:
5.B.1
Procedure:
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria:
powershell.exe creating the file hostui.lnk in the Startup folder
Detections:
10.B.1
Procedure:
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria:
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Detections:
11.A.11
Procedure:
Established Registry Run key persistence using PowerShell
Criteria:
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Detections:
20.B.3
Procedure:
Added a new user to the remote host Scranton (10.0.1.4) using net.exe
Criteria:
net.exe adding the user Toby
Detections:
5.A.1
Procedure:
Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria:
powershell.exe creating the Javamtsup service
Detections:
3.B.1
Procedure:
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria:
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Detections:
14.A.1
Procedure:
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria:
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Detections:
15.A.2
Procedure:
Established WMI event subscription persistence using PowerShell
Criteria:
powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription
Detections:
20.A.2
Procedure:
Executed WMI persistence on user login
Criteria:
The WMI process (wmiprvse.exe) executing powershell.exe
Detections:
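The Registry and WMI criteria in this group (3.B.1/14.A.1 and their cleanup 3.C.1/14.A.3, 11.A.11, 15.A.2) map onto Sysmon EIDs 12 and 13 (key create/delete, value set) and 19 through 21 (WMI filter, consumer, binding). The Python below is an added example, not from the evaluation page: the registry rules match the key paths quoted in the criteria (Sysmon spells HKCU as HKU\<SID>, which the regexes allow), and the WMI rule correlates filter, consumer and binding by name so the alert fires on the completed subscription rather than on any single object. The events, the user SID and the Run-key value are constructed; the page does not give the rundll32.exe entry point, so it is left as a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Sysmon records HKCU paths as HKU\<SID>\...; accept either spelling.
USER_HIVE = r"(?:HKCU|HKU\\[^\\]+)"
COM_HIJACK_KEY = USER_HIVE + r"\\Software\\Classes\\Folder\\shell\\open\\command"
RUN_KEY_VALUE = USER_HIVE + r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$"

def registry_alerts(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Sysmon EID 12 (key create/delete) and 13 (value set) rules for the
    COM-hijack and Run-key substeps. Returns (substep, description, image)."""
    alerts = []
    for ev in events:
        if ev.get("eid") not in (12, 13):
            continue
        target, etype, image = ev["target_object"], ev["event_type"], ev["image"]
        if etype == "SetValue" and re.search(COM_HIJACK_KEY + r"\\DelegateExecute$", target, re.I):
            alerts.append(("3.B.1/14.A.1", "DelegateExecute set under Folder\\shell\\open\\command (sdclt.exe COM hijack)", image))
        elif etype == "DeleteKey" and re.search(COM_HIJACK_KEY + r"$", target, re.I):
            alerts.append(("3.C.1/14.A.3", "Folder\\shell\\open\\command key deleted (COM hijack cleanup)", image))
        elif etype == "SetValue" and re.search(RUN_KEY_VALUE, target, re.I):
            value_name = target.rsplit("\\", 1)[-1]
            alerts.append(("11.A.11", "Run key value %s -> %s" % (value_name, ev.get("details", "")), image))
    return alerts

def _ref_name(ref: str) -> str:
    # EID 21 references look like __EventFilter.Name="X" / CommandLineEventConsumer.Name="X"
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else ref

def wmi_persistence(events: List[Dict]) -> List[Tuple[str, str]]:
    """Correlate Sysmon EID 19 (filter), 20 (consumer) and 21 (binding). A
    subscription only runs once all three exist, so alert on the completed set."""
    filters, consumers, bindings = set(), set(), []
    for ev in events:
        if ev.get("operation") != "Created":
            continue
        if ev.get("eid") == 19:
            filters.add(ev["name"])
        elif ev.get("eid") == 20:
            consumers.add(ev["name"])
        elif ev.get("eid") == 21:
            bindings.append((_ref_name(ev["filter"]), _ref_name(ev["consumer"])))
    return [(f, c) for f, c in bindings if f in filters and c in consumers]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SID = "S-1-5-21-1111-2222-3333-1001"          # constructed user SID
HKCU = "HKU\\" + SID
# Constructed sample telemetry in the order the substeps would produce it.
SAMPLE_EVENTS = [
    {"eid": 12, "event_type": "CreateKey", "image": PS, "target_object": HKCU + r"\Software\Classes\Folder\shell\open\command"},
    {"eid": 13, "event_type": "SetValue",  "image": PS, "target_object": HKCU + r"\Software\Classes\Folder\shell\open\command\DelegateExecute", "details": ""},
    {"eid": 13, "event_type": "SetValue",  "image": PS, "target_object": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Webcache",
     "details": r"rundll32.exe C:\Users\Oscar\AppData\Roaming\kxwn.lock,<entrypoint>"},
    {"eid": 19, "operation": "Created", "image": PS, "name": "WindowsParentalControlMigration", "event_namespace": "root\\cimv2"},
    {"eid": 20, "operation": "Created", "image": PS, "name": "WindowsParentalControlMigration", "type": "Command Line"},
    {"eid": 21, "operation": "Created", "image": PS,
     "filter": '__EventFilter.Name="WindowsParentalControlMigration"',
     "consumer": 'CommandLineEventConsumer.Name="WindowsParentalControlMigration"'},
    {"eid": 12, "event_type": "DeleteKey", "image": PS, "target_object": HKCU + r"\Software\Classes\Folder\shell\open\command"},
]

if __name__ == "__main__":
    for alert in registry_alerts(SAMPLE_EVENTS):
        print(alert)
    print(wmi_persistence(SAMPLE_EVENTS))
```

The DelegateExecute and Run-key rules need Sysmon registry include filters for those paths; by default Sysmon logs no registry events. The WMI correlation tolerates the three objects arriving in any order and does not fire on a filter or consumer that is created but never bound, which is the usual source of noise from legitimate management agents.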
8.C.1
Procedure:
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria:
Successful logon as user Pam on Scranton (10.0.1.4)
Detections:
16.C.2
Procedure:
Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
Criteria:
Successful logon as user MScott on NewYork (10.0.0.4)
Detections: