
Bitdefender: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.


MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
Legend
Main Detection Categories: None; Telemetry; Indicator of Compromise; General Behavior; MSSP; General; Tactic; Specific Behavior; Technique; Enrichment
Detection Modifiers: Tainted; Alert; Correlated; Delayed; Host Interrogation; Residual Artifact; Configuration Change; Innovative
Procedures Criteria
Technique
Detection Type Detection Notes
1.A.1
Procedure: User Pam executed payload rcs.3aka3.doc
Criteria: The rcs.3aka3.doc process spawning from explorer.exe
Technique: User Execution (T1204)
General (Alert): A General alert detection (high severity) for Antimalware was generated for explorer.exe executing rcs.3aka3.doc. [1]
General (Alert): A General alert detection (low severity) was generated for the execution of a rogue unusual executable. [1]
Telemetry: Telemetry showed explorer.exe executing rcs.3aka3.doc. [1] [2]

1.A.2
Procedure: Used Unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka3.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka3.scr)
Technique: Masquerading (T1036)
Technique (Configuration Change (Detections), Alert): A Technique alert detection (red indicator) called "RLOCharacterProcessCreate" was generated due to a file being executed with the RTLO character in its name, hiding its extension. The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1] [2]

1.A.3
Procedure: Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234
Technique: Uncommonly Used Port (T1065)
Telemetry: Telemetry showed the rcs.3aka3.doc process connecting to 192.168.0.5 on TCP port 1234. [1] [2]

1.A.4
Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
None: No detection capability demonstrated for this procedure.

1.B.1
Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
Technique: Command-Line Interface (T1059)
Telemetry (Correlated): Telemetry showed cmd.exe spawning from rcs.3aka3.doc. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1] [2]

1.B.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
Technique: PowerShell (T1086)
General (Alert, Correlated): A General alert detection (yellow indicator) was generated for powershell.exe being identified as suspicious. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]
Telemetry (Correlated): Telemetry showed powershell.exe spawning from cmd.exe. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1] [2]
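The masquerade in step 1.A.2 works because a file name that begins with U+202E is drawn reversed, so cod.3aka3.scr reads as rcs.3aka3.doc. The following is an added example, not code from MITRE or Bitdefender, of the check a process-creation rule such as the vendor's "RLOCharacterProcessCreate" has to make: find the bidi control, reconstruct what the user saw, and report the extension that actually executed. The rendering model (reverse everything after an RLO up to a PDF) is a simplification of the Unicode bidi algorithm, and the sample events are constructed.

```python
# Added example (not from the MITRE evaluation or the vendor): flag process
# image names that carry Unicode bidirectional-override characters, as in
# step 1.A.2, and recover the extension the user actually launched.
# Sample file names below are constructed for illustration.

# Bidi control characters that can reorder how a file name is displayed.
BIDI_OVERRIDES = {
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE (the one used in 1.A.2)
    "\u202d": "LRO",
    "\u202a": "LRE",
    "\u202b": "RLE",
    "\u202c": "PDF",
    "\u2066": "LRI",
    "\u2067": "RLI",
    "\u2068": "FSI",
    "\u2069": "PDI",
}

def rendered_name(raw):
    """Approximate what a file browser displays: text after an RLO is drawn
    reversed until a PDF (U+202C) or end of string. This is a simplification
    of the Unicode bidi algorithm, sufficient for the masquerade pattern."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\u202e":
            j = raw.find("\u202c", i + 1)
            j = len(raw) if j == -1 else j
            out.append(raw[i + 1:j][::-1])
            i = j + 1
        elif ch in BIDI_OVERRIDES:
            i += 1  # other controls are zero-width; drop them from the rendering
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def analyze_filename(raw):
    """Return what a detection rule would attach to a process-create event."""
    controls = [BIDI_OVERRIDES[c] for c in raw if c in BIDI_OVERRIDES]
    stripped = "".join(c for c in raw if c not in BIDI_OVERRIDES)
    true_ext = stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""
    shown = rendered_name(raw)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {
        "rendered": shown,
        "true_extension": true_ext,
        "displayed_extension": shown_ext,
        "controls": controls,
        "suspicious": bool(controls) and true_ext != shown_ext,
    }

def scan_process_events(events):
    """events: iterable of (parent_image, image_name) tuples, e.g. from
    Sysmon Event ID 1 or Windows 4688. Returns findings for RLO-style names."""
    findings = []
    for parent, image in events:
        verdict = analyze_filename(image)
        if verdict["suspicious"]:
            findings.append({
                "rule": "RLOCharacterProcessCreate",  # detection name used on this page
                "parent": parent,
                "image_raw": image.encode("unicode_escape").decode(),
                "looks_like": verdict["rendered"],
                "really_is": "." + verdict["true_extension"],
            })
    return findings

if __name__ == "__main__":
    sample = [  # constructed events, not vendor telemetry
        ("explorer.exe", "\u202ecod.3aka3.scr"),    # displays as rcs.3aka3.doc
        ("explorer.exe", "invoice_\u202efdp.exe"),  # displays as invoice_exe.pdf
        ("explorer.exe", "notes.docx"),
    ]
    for f in scan_process_events(sample):
        print(f)
```

The rule only fires when the rendered extension differs from the real one; a control character that does not change the apparent type is logged but not alerted on, which keeps legitimate right-to-left file names out of the alert queue.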
2.A.1
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery (T1083)
Technique (Configuration Change (Detections), Alert, Correlated): A Technique alert detection (yellow indicator) was generated for PowerShell enumerating files and directories using environment variables. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1] [2]
Telemetry (Configuration Change (Detections)): Telemetry showed powershell.exe executing ChildItem. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]

2.A.2
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection (T1119)
Telemetry (Configuration Change (Detections)): Telemetry showed powershell.exe executing ChildItem. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]

2.A.3
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System (T1005)
Telemetry (Configuration Change (Detections), Correlated): Telemetry showed file reads of C:\Users\Pam\*. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]

2.A.4
Procedure: Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive
Technique: Data Compressed (T1002)
Technique (Alert, Correlated, Configuration Change (Detections)): A Technique alert detection (orange indicator) was generated for PowerShell being used to create a compressed archive. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1] [2]
Telemetry (Configuration Change (Detections)): Telemetry showed powershell.exe compressing via Compress-Archive. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]

2.A.5
Procedure: Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file Draft.zip
Technique: Data Staged (T1074)
Telemetry (Correlated): Telemetry showed file creation of Draft.zip. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]

2.B.1
Procedure: Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria: The rcs.3aka3.doc process reading the file Draft.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel (T1041)
Telemetry (Correlated): Telemetry showed a file read event for Draft.zip and an existing C2 channel (192.168.0.5 over port 1234). The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1] [2]
3.A.1
Procedure: Dropped stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png
Technique: Remote File Copy (T1105)
Telemetry (Correlated): Telemetry showed rcs.3aka3.doc creating monkey.png. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]

3.A.2
Procedure: Embedded PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png
Technique: Obfuscated Files or Information (T1027)
Technique (Alert): A Technique alert detection called "PowershellImgObfuscation" was generated due to a payload being loaded from an image via PowerShell. [1]
Telemetry: Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. [1]

3.B.1
Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute value under HKCU\Software\Classes\Folder\shell\open\command
Technique: Component Object Model Hijacking (T1122)
Telemetry (Configuration Change (Detections), Correlated): Telemetry showed the addition of the DelegateExecute Registry value. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]

3.B.2
Procedure: Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Technique: Bypass User Account Control (T1088)
Technique (Correlated, Alert): A Technique alert detection (yellow indicator) for Bypass User Account Control was generated for sdclt.exe being executed with a higher integrity level than its parent process. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1] [2]
General (Alert, Correlated): A General alert detection (red indicator) was generated for powershell.exe being identified as suspicious. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]
Telemetry: Telemetry showed control.exe spawning a powershell.exe tagged as High integrity level and possessing elevated process access privileges. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

3.B.3
Procedure: Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria: Established network channel over port 443
Technique: Commonly Used Port (T1043)
Telemetry (Correlated): Telemetry showed powershell.exe connecting to 192.168.0.5 on port 443. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1] [2]

3.B.4
Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS
Technique: Standard Application Layer Protocol (T1071)
Telemetry (Configuration Change (Detections)): Telemetry showed an SSL network connection to 192.168.0.5 on port 443. The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1] [2]

3.B.5
Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
Telemetry (Configuration Change (Detections)): Telemetry showed an SSL connection to 192.168.0.5 on port 443. The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1] [2]

3.C.1
Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\open\command subkey
Technique: Modify Registry (T1112)
Telemetry (Configuration Change (Detections)): Telemetry showed the deletion of the command subkey. The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]
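Steps 3.B.1, 3.B.2 and 3.C.1 are one sequence: a per-user registry key is written, sdclt.exe auto-elevates and resolves that key through HKCU, and the key is deleted again so that nothing is left for a later host interrogation to find. The following is an added example, not MITRE's or Bitdefender's logic, that correlates the three from registry and process telemetry: the key write (T1122), any child running at a higher integrity level than its parent plus any High-integrity process beyond control.exe under an sdclt.exe ancestry (T1088), and the key deletion timed against the write (T1112). Event shapes, PIDs, timestamps and the integrity ranking are constructed for illustration.

```python
# Added example (not from the MITRE evaluation or Bitdefender): correlate the
# three pieces of steps 3.B.1, 3.B.2 and 3.C.1 (registry key staged, sdclt.exe
# auto-elevation chain, registry key removed) from registry and process
# telemetry. Event shapes and values below are constructed for illustration.

HIJACK_KEY = r"hkcu\software\classes\folder\shell\open\command"
INTEGRITY = {"untrusted": 0, "low": 1, "medium": 2, "high": 3, "system": 4}

def is_hijack_key(path):
    """True for the per-user Folder\\shell\\open\\command key that sdclt.exe
    (via control.exe) resolves through HKCU before HKLM (the hijack in 3.B.1)."""
    return path.lower().replace("hkey_current_user", "hkcu").endswith(HIJACK_KEY)

def ancestry(procs, pid):
    """Walk the parent chain and return the list of images, child first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain

def correlate(events, window=300):
    """events: list of dicts sorted by 'ts'. Types:
       reg_set   : key, value
       reg_delete: key
       process   : pid, ppid, image, integrity
    Returns findings tagged with the ATT&CK technique IDs used on this page."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings, staged_at = [], None
    for e in events:
        if e["type"] == "reg_set" and is_hijack_key(e["key"]):
            staged_at = e["ts"]
            findings.append({"ts": e["ts"], "technique": "T1122",
                             "what": f"COM hijack staged: {e['key']} value {e['value']!r}"})
        elif e["type"] == "process":
            parent = procs.get(e["ppid"])
            chain = ancestry(procs, e["pid"])
            if parent and INTEGRITY[e["integrity"].lower()] > INTEGRITY[parent["integrity"].lower()]:
                # The auto-elevation itself: child integrity above its parent's.
                findings.append({"ts": e["ts"], "technique": "T1088",
                                 "what": f"{e['image']} ({e['integrity']}) spawned by "
                                         f"{parent['image']} ({parent['integrity']})"})
            elif (e["integrity"].lower() == "high" and "sdclt.exe" in chain[1:]
                    and e["image"].lower() != "control.exe"):
                # control.exe is sdclt.exe's legitimate child; anything further
                # down the chain at High integrity is the elevated payload (3.B.2).
                findings.append({"ts": e["ts"], "technique": "T1088",
                                 "what": f"{e['image']} runs High under " + " <- ".join(chain)})
        elif e["type"] == "reg_delete" and is_hijack_key(e["key"]):
            note = "hijack key removed"
            if staged_at is not None and e["ts"] - staged_at <= window:
                note += f" {e['ts'] - staged_at}s after it was staged (no residual artifact remains)"
            findings.append({"ts": e["ts"], "technique": "T1112", "what": note})
    return findings

SAMPLE = [  # constructed telemetry for the sdclt.exe hijack sequence
    {"ts": 100, "type": "process", "pid": 10, "ppid": 1, "image": "powershell.exe", "integrity": "Medium"},
    {"ts": 101, "type": "reg_set", "key": r"HKCU\Software\Classes\Folder\shell\open\command", "value": "DelegateExecute"},
    {"ts": 102, "type": "process", "pid": 20, "ppid": 10, "image": "sdclt.exe", "integrity": "High"},
    {"ts": 103, "type": "process", "pid": 21, "ppid": 20, "image": "control.exe", "integrity": "High"},
    {"ts": 104, "type": "process", "pid": 22, "ppid": 21, "image": "powershell.exe", "integrity": "High"},
    {"ts": 130, "type": "reg_delete", "key": r"HKCU\Software\Classes\Folder\shell\open\command"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f["ts"], f["technique"], f["what"])
```

Because the key is gone 29 seconds after it was written, the registry write has to be captured as it happens; this is why the page records the cleanup step as Telemetry rather than something a later scan could recover.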
4.A.1
Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip
Technique: Remote File Copy (T1105)
Telemetry (Correlated): Telemetry showed the file write of the ZIP by PowerShell. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]

4.A.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from powershell.exe
Technique: PowerShell (T1086)
Telemetry (Correlated): Telemetry showed a new powershell.exe spawning from powershell.exe. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]

4.A.3
Procedure: Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria: powershell.exe executing Expand-Archive
Technique: Deobfuscate/Decode Files or Information (T1140)
General (Alert, Correlated): A General alert detection (red indicator) was generated for PowerShell writing unknown executable files. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]
Telemetry (Correlated): Telemetry showed PowerShell writing the files that were decompressed from the ZIP. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]

4.B.1
Procedure: Enumerated current running processes using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Technique (Configuration Change (Detections), Alert): A Technique alert detection for "powershellprocessdiscovery" was generated due to powershell.exe executing Get-Process. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]
Telemetry (Configuration Change (Detections)): Telemetry showed powershell.exe executing Get-Process. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

4.B.2
Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
Technique: File Deletion (T1107)
General (Alert, Correlated): A General alert detection was generated for an unusual file write in the user directory. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1] [2]
General (Alert, Correlated): A General alert detection was generated for the SDelete process being identified as suspicious. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]
Telemetry (Correlated): Telemetry showed sdelete64.exe running with command-line arguments to delete the file and subsequently writing to the file. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1] [2] [3]

4.B.3
Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file Draft.zip
Technique: File Deletion (T1107)
Telemetry (Correlated): Telemetry showed sdelete64.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1] [2]

4.B.4
Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
Technique: File Deletion (T1107)
Telemetry (Correlated): Telemetry showed sdelete64.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1] [2]
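The notes for 4.B.2 to 4.B.4 describe what a wiper leaves in file telemetry: an overwrite, a run of renames, and a delete of a file whose final name no longer resembles the original. SDelete renames the file 26 times, once per letter, before deleting it, which is why the rename chain has to be followed to recover the name that matters for the investigation. The following is an added example, not MITRE's or Bitdefender's logic, that does that chain-following over a constructed file event stream and, separately, pulls the target path out of an SDelete command line. The rename threshold, the window and the placeholder rename names are assumptions.

```python
# Added example (not from the MITRE evaluation or Bitdefender): recover the
# original name of a file wiped the way steps 4.B.2 to 4.B.4 describe (the
# wiper overwrites, renames the file repeatedly, then deletes it) from a file
# telemetry stream. The rename count threshold and sample events are
# constructed for illustration; SDelete itself renames 26 times before deleting.

RENAME_THRESHOLD = 10   # assumption: benign renames of one file rarely reach this
WINDOW_SECONDS = 60

def detect_wipe_sequences(events):
    """events: dicts with ts, op ('write'|'rename'|'delete'), path, and for
    renames new_path, plus the acting process image. Returns one finding per
    file whose rename chain ended in a delete."""
    chains = {}   # current path -> {origin, renames, first_ts, image}
    findings = []
    for e in events:
        path = e["path"].lower()
        if e["op"] == "rename":
            info = chains.pop(path, None) or {"origin": e["path"], "renames": 0,
                                             "first_ts": e["ts"], "image": e["image"]}
            info["renames"] += 1
            chains[e["new_path"].lower()] = info   # follow the file to its new name
        elif e["op"] == "delete":
            info = chains.pop(path, None)
            if info and info["renames"] >= RENAME_THRESHOLD \
                    and e["ts"] - info["first_ts"] <= WINDOW_SECONDS:
                findings.append({"technique": "T1107", "original": info["origin"],
                                 "renames": info["renames"], "by": info["image"],
                                 "ts": e["ts"]})
    return findings

def sdelete_target_from_cmdline(cmdline):
    """Pull the target path from an SDelete command line such as
    'sdelete64.exe -p 2 C:\\Users\\Pam\\Draft.zip' (last non-switch token).
    SDelete's '-p <passes>' switch takes one argument; other switches are flags."""
    args, skip = [], False
    for t in cmdline.split()[1:]:
        if skip:
            skip = False
            continue
        if t.lower() == "-p":
            skip = True
            continue
        if t.startswith("-"):
            continue
        args.append(t)
    return args[-1] if args else None

def wipe_events(image, original, n_renames=26, start_ts=0):
    """Constructed telemetry for one wipe: overwrite, n renames, delete.
    The intermediate names are placeholders, not SDelete's exact pattern."""
    evs = [{"ts": start_ts, "op": "write", "path": original, "image": image}]
    cur = original
    for i in range(n_renames):
        letter = chr(ord("A") + i % 26)
        new = original.rsplit("\\", 1)[0] + "\\" + letter * 8 + "." + letter * 3
        evs.append({"ts": start_ts + 1 + i, "op": "rename", "path": cur,
                    "new_path": new, "image": image})
        cur = new
    evs.append({"ts": start_ts + 1 + n_renames, "op": "delete", "path": cur, "image": image})
    return evs

if __name__ == "__main__":
    stream = (wipe_events("sdelete64.exe", r"C:\Users\Pam\Draft.zip")
              + [{"ts": 200, "op": "rename", "path": r"C:\Users\Pam\notes.txt",
                  "new_path": r"C:\Users\Pam\notes-old.txt", "image": "explorer.exe"},
                 {"ts": 201, "op": "delete", "path": r"C:\Users\Pam\notes-old.txt", "image": "explorer.exe"}])
    for f in detect_wipe_sequences(stream):
        print(f)
    print(sdelete_target_from_cmdline(r"sdelete64.exe -p 2 C:\Users\Pam\Draft.zip"))
```

The rename-chain rule does not depend on the process being called sdelete64.exe, so it still fires when the tool is renamed; the command-line parser is the cheaper check when the binary name is intact.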
4.C.1
Procedure: Enumerated user's temporary directory path using PowerShell
Criteria: powershell.exe executing $env:TEMP
Technique: File and Directory Discovery (T1083)
None: No detection capability demonstrated for this procedure.

4.C.2
Procedure: Enumerated the current username using PowerShell
Criteria: powershell.exe executing $env:USERNAME
Technique: System Owner/User Discovery (T1033)
None: No detection capability demonstrated for this procedure.

4.C.3
Procedure: Enumerated the computer hostname using PowerShell
Criteria: powershell.exe executing $env:COMPUTERNAME
Technique: System Information Discovery (T1082)
None: No detection capability demonstrated for this procedure.

4.C.4
Procedure: Enumerated the current domain name using PowerShell
Criteria: powershell.exe executing $env:USERDOMAIN
Technique: System Network Configuration Discovery (T1016)
None: No detection capability demonstrated for this procedure.

4.C.5
Procedure: Enumerated the current process ID using PowerShell
Criteria: powershell.exe executing $PID
Technique: Process Discovery (T1057)
None: No detection capability demonstrated for this procedure.

4.C.6
Procedure: Enumerated the OS version using PowerShell
Criteria: powershell.exe executing Gwmi Win32_OperatingSystem
Technique: System Information Discovery (T1082)
None: No detection capability demonstrated for this procedure.

4.C.7
Procedure: Enumerated anti-virus software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Technique: Security Software Discovery (T1063)
Technique (Configuration Change (Detections), Alert, Correlated): A Technique alert detection (yellow indicator) was generated for Windows Management Instrumentation being used for AV discovery. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1] [2]
Telemetry (Configuration Change (Detections)): Telemetry showed powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

4.C.8
Procedure: Enumerated firewall software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Technique: Security Software Discovery (T1063)
None: No detection capability demonstrated for this procedure.

4.C.9
Procedure: Enumerated user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API
Technique: Permission Groups Discovery (T1069)
None: No detection capability demonstrated for this procedure.

4.C.10
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
General (Configuration Change (Detections), Alert, Correlated): A General alert detection (red indicator) was generated for PowerShell loading the NetApi module. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1] [2]

4.C.11
Procedure: Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria: powershell.exe executing the NetUserGetLocalGroups API
Technique: Permission Groups Discovery (T1069)
None: No detection capability demonstrated for this procedure.

4.C.12
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
General (Correlated, Alert, Configuration Change (Detections)): A General alert detection (red indicator) was generated for PowerShell loading the NetApi module. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1] [2]
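Most of step 4.C is recorded as None: a single $env:USERNAME or $env:COMPUTERNAME read is indistinguishable from routine scripting, and the page only shows detections once script block logging (Event ID 4104, the Configuration Change noted throughout) exposes the WMI security-software queries and the Netapi32 DllImport. The following is an added example, not MITRE's or Bitdefender's logic, of scoring one logged script block rather than alerting per command, so the cheap environment-variable reads of 4.C.1 to 4.C.5 only contribute when they appear together with the higher-weight discovery of 4.C.7 to 4.C.12. The rule weights, the threshold and both sample script blocks are constructed; the mapping to technique IDs follows this page.

```python
# Added example (not from the MITRE evaluation or Bitdefender): score a
# PowerShell script block (Event ID 4104, which is only available once script
# block logging is on, the "Configuration Change" noted on this page) for the
# discovery behaviours of steps 4.B.1 and 4.C.1 to 4.C.12. Weights and the
# sample scripts are constructed for illustration.
import re

# (name, technique, weight, pattern). Environment-variable reads are cheap and
# common in benign scripts, so each one alone stays under the alert threshold.
RULES = [
    ("env_temp",         "T1083", 1, r"\$env:TEMP\b"),
    ("env_username",     "T1033", 1, r"\$env:USERNAME\b"),
    ("env_computername", "T1082", 1, r"\$env:COMPUTERNAME\b"),
    ("env_userdomain",   "T1016", 1, r"\$env:USERDOMAIN\b"),
    ("pid",              "T1057", 1, r"\$PID\b"),
    ("os_version",       "T1082", 2, r"(gwmi|get-wmiobject|get-ciminstance)\b[^\n]*win32_operatingsystem"),
    ("process_list",     "T1057", 3, r"\bget-process\b"),
    ("av_discovery",     "T1063", 5, r"antivirusproduct"),
    ("fw_discovery",     "T1063", 5, r"firewallproduct"),
    ("netapi_reflect",   "T1106", 6, r"dllimport\(\s*[\"']netapi32(\.dll)?[\"']"),
    ("group_enum",       "T1069", 4, r"netusergetgroups|netusergetlocalgroups"),
]
COMPILED = [(n, t, w, re.compile(p, re.IGNORECASE)) for n, t, w, p in RULES]
ALERT_THRESHOLD = 5   # assumption: one high-weight rule, or many low ones, is enough

def score_script_block(text):
    """Return matched rules, total score and the techniques they map to."""
    hits = [(n, t, w) for n, t, w, rx in COMPILED if rx.search(text)]
    total = sum(w for _, _, w in hits)
    return {
        "score": total,
        "alert": total >= ALERT_THRESHOLD,
        "rules": [n for n, _, _ in hits],
        "techniques": sorted({t for _, t, _ in hits}),
    }

# Constructed script block mirroring the enumeration sequence of step 4.C.
SAMPLE_BLOCK = r'''
$tmp = $env:TEMP; $u = $env:USERNAME; $h = $env:COMPUTERNAME; $d = $env:USERDOMAIN; $p = $PID
$os = Gwmi Win32_OperatingSystem
$av = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
$fw = Get-WmiObject -Namespace root\SecurityCenter2 -Class FireWallProduct
$sig = '[DllImport("netapi32.dll")] public static extern int NetUserGetGroups(...);'
Add-Type -MemberDefinition $sig -Name NetApi -Namespace Win32
'''

# Constructed benign block: the same environment reads, nothing else.
BENIGN_BLOCK = r'''
$log = Join-Path $env:TEMP "build.log"
Write-Output "Running as $env:USERNAME on $env:COMPUTERNAME"
'''

if __name__ == "__main__":
    for label, blk in (("apt29-like", SAMPLE_BLOCK), ("benign", BENIGN_BLOCK)):
        print(label, score_script_block(blk))
```

The benign block scores 3 and stays silent; the emulated sequence scores 27 and carries every technique ID from 4.C in one alert, which is also the form in which the result is easiest to correlate back to the parent alert on rcs.3aka3.doc.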
5.A.1
Procedure: Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria: powershell.exe creating the javamtsup service
Technique: New Service (T1050)
Technique (Configuration Change (Detections), Alert): A Technique alert detection called "A New Service Has Been Created" was generated due to PowerShell creating the new service javamtsup. The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]

5.B.1
Procedure: Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria: powershell.exe creating the file hostui.lnk in the Startup folder
Technique: Registry Run Keys / Startup Folder (T1060)
Technique (Correlated, Alert): A Technique alert detection (red indicator) called Startup Item was generated due to hostui.lnk being written to the Startup folder. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1] [2]
Telemetry (Correlated): Telemetry showed the file write of hostui.lnk in the Startup folder. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]
6.A.1
Procedure: Read the Chrome SQL database file to extract encrypted credentials
Criteria: accesschk.exe reading files within %LOCALAPPDATA%\Google\Chrome\User Data\Default\
Technique: Credentials in Files (T1081)
Telemetry (Correlated, Configuration Change (Detections)): Telemetry showed accesschk.exe reading the Chrome database file for credentials. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]

6.A.2
Procedure: Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectData API
Technique: Credential Dumping (T1003)
None: No detection capability demonstrated for this procedure.

6.A.3
Procedure: Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
Technique: Masquerading (T1036)
Telemetry (Correlated): Telemetry showed that accesschk.exe is not a signed Microsoft binary, which can be used to verify that it is not the legitimate Sysinternals tool. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]

6.B.1
Procedure: Exported a local certificate to a PFX file using PowerShell
Criteria: powershell.exe creating a certificate file exported from the system
Technique: Private Keys (T1145)
Technique (Alert): A Technique alert detection called "privatekeyread" was generated due to the $RandomFileName.pfx file being accessed by an uncommon process. [1]
Telemetry (Correlated): Telemetry showed a file write event for a $RandomFileName.pfx file by powershell.exe. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]

6.C.1
Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into lsass.exe
Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Technique: Credential Dumping (T1003)
Technique (Alert): A Technique alert detection for Credential Dumping was generated for injection into lsass.exe. [1]
General (Alert, Correlated): A General alert detection (yellow indicator) was generated due to process injection into lsass.exe. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]
7.A.1
Procedure: Captured and saved screenshots using PowerShell
Criteria: powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Technique: Screen Capture (T1113)
Technique (Configuration Change (Detections), Alert, Correlated): A Technique alert detection (orange indicator) was generated for PowerShell being used to take a screenshot. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1] [2]
Telemetry (Configuration Change (Detections)): Telemetry showed powershell.exe executing CopyFromScreen from System.Drawing.dll. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

7.A.2
Procedure: Captured clipboard contents using PowerShell
Criteria: powershell.exe executing Get-Clipboard
Technique: Clipboard Data (T1115)
Technique (Alert, Correlated): A Technique alert detection (yellow indicator) called "ClipboardAction" was generated due to a process collecting Windows clipboard data. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]
Telemetry: Telemetry showed powershell.exe executing Get-Clipboard. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

7.A.3
Procedure: Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API
Technique: Input Capture (T1056)
Telemetry (Configuration Change (Detections)): Telemetry showed PowerShell calling the GetAsyncKeyState API. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]

7.B.1
Procedure: Read data in the user's Downloads directory using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\Downloads\
Technique: Data from Local System (T1005)
Technique (Alert): A Technique alert detection called PowerShell Read Document was generated for the powershell.exe process reading file contents. [1]
Telemetry: Telemetry showed powershell.exe reading files from C:\Users\Pam\Downloads. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

7.B.2
Procedure: Compressed data from the user's Downloads directory into a 7z archive (OfficeSupplies.7z) using PowerShell
Criteria: powershell.exe creating the file OfficeSupplies.7z
Technique: Data Compressed (T1002)
Technique (Alert, Configuration Change (Detections)): A Technique alert detection for Data Compressed was generated due to PowerShell loading a module capable of zipping files. The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]
Telemetry (Correlated): Telemetry showed the file write event for OfficeSupplies.7z. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]

7.B.3
Procedure: Encrypted data from the user's Downloads directory using PowerShell
Criteria: powershell.exe executing Compress-7Zip with the password argument used for encryption
Technique: Data Encrypted (T1022)
None: No detection capability demonstrated for this procedure.

7.B.4
Procedure: Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria: powershell.exe executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)
Technique: Exfiltration Over Alternative Protocol (T1048)
Technique (Configuration Change (Detections), Alert): A Technique alert detection was generated for a compressed file being transferred over the network. The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]
General (Alert, Configuration Change (Detections)): A General alert detection was generated for a network connection to a remote WebDAV network share. The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]
Telemetry: Telemetry showed an event for PowerShell reading OfficeSupplies.7z as well as an active connection to a remote adversary WebDAV network share (192.168.0.4). [1] [2]
8.A.1
Procedure: Enumerated remote systems using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Technique: Remote System Discovery (T1018)
Telemetry (Configuration Change (Detections)): Telemetry showed powershell.exe establishing a connection identified as LDAP over port 389 to NewYork (10.0.0.4). The logic for this detection was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]

8.A.2
Procedure: Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria: Network connection to Scranton (10.0.1.4) over port 5985
Technique: Windows Remote Management (T1028)
Technique (Configuration Change (Detections), Alert): A Technique alert detection called "powershellinvokedwinrm" was generated for the Windows Remote Management service being invoked by a PowerShell script. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]
Technique (Alert): A Technique alert detection called "remotepowershellsession" was generated for a WSMProvHost process start, which could indicate that a remote PowerShell command has been executed. [1]
Telemetry (Correlated): Telemetry showed a connection to Scranton (10.0.1.4) over port 5985. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1]

8.A.3
Procedure: Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Technique (Alert, Configuration Change (Detections)): A Technique alert detection (red indicator) was generated for the execution of a PowerShell process discovery command. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1] [2]
Telemetry (Configuration Change (Detections)): Telemetry showed powershell.exe executing Get-Process. PowerShell script block logging was enabled after the start of the evaluation, so the detection is identified as a Detection Configuration Change. [1]

8.B.1
Procedure: Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria: The file python.exe created on Scranton (10.0.1.4)
Technique: Remote File Copy (T1105)
Technique (Alert, Correlated): A Technique alert detection (red indicator) was generated for a suspicious file being written/accessed through the SMB protocol. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1] [2]
General (Alert): A General alert detection (red indicator) for Antimalware was generated identifying the downloaded resource as malware. [1]
Telemetry: Telemetry showed the HTTP GET request for python.exe. [1]

8.B.2
Procedure: python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed
Technique: Software Packing (T1045)
Technique (Alert): A Technique alert detection was generated for python.exe being identified as a packed payload. [1]

8.C.1
Procedure: Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)
Technique: Valid Accounts (T1078)
None: No detection capability demonstrated for this procedure.

8.C.2
Procedure: Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Technique: Windows Admin Shares (T1077)
Technique (Alert): A Technique alert detection for Windows Admin Shares was generated for PsExec using credentials to execute a remote command. [1]
Technique (Alert): A Technique alert detection was generated for PsExec64.exe writing a file to a remote admin share through the SMB protocol. [1]

8.C.3
Procedure: Executed python.exe using PsExec
Criteria: python.exe spawned by PSEXESVC.exe
Technique: Service Execution (T1035)
General (Alert): A General alert detection called "PSExecLateralMovement" was generated for unusual markers of PsExec being used for lateral movement. [1]
Telemetry (Correlated): Telemetry showed PSEXESVC.exe with command-line arguments to execute python.exe. The detection was correlated to a parent alert on rcs.3aka3.doc for the execution of a rogue unusual executable. [1] [2]
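Step 8 reaches Scranton by two different paths, and the page shows each leaving evidence on both ends: on the source, a connection to port 5985 (8.A.2) or 445 (8.C.2); on the target, wsmprovhost.exe hosting the remote PowerShell command (the "remotepowershellsession" alert) or PSEXESVC.exe spawning python.exe (8.C.3). The following is an added example, not MITRE's or Bitdefender's logic, of joining the two sides on the destination IP and a time window so that the finding names the source process, the target host and the command that ran there. The source host name DESK01, the IP-to-host inventory and all events are constructed; Scranton (10.0.1.4) and NewYork (10.0.0.4) are taken from the page.

```python
# Added example (not from the MITRE evaluation or Bitdefender): join
# source-side network telemetry with destination-side process telemetry to
# surface the two lateral-movement paths of step 8: a WinRM session (8.A.2,
# port 5985, wsmprovhost.exe on the target) and PsExec (8.C.2/8.C.3, port 445,
# PSEXESVC.exe on the target). The source host "DESK01", the inventory and all
# events are constructed for illustration; 10.0.1.4 (Scranton) and 10.0.0.4
# (NewYork) are the addresses named on this page.

INVENTORY = {"10.0.1.4": "SCRANTON", "10.0.0.4": "NEWYORK"}  # ip -> host, assumed

REMOTE_EXEC_PARENTS = {           # service-side process that spawns the payload
    "wsmprovhost.exe": ("WinRM", "T1028", 5985),
    "psexesvc.exe": ("PsExec", "T1035", 445),
}

def correlate_lateral_movement(net_events, proc_events, window=120):
    """net_events: dicts ts, host, image, dst_ip, dst_port
       proc_events: dicts ts, host, image, parent_image, cmdline
    A finding needs the matching service host process spawning a child on
    the target and, within `window` seconds before it, a connection to the
    matching port from some source host to the IP that target owns."""
    findings = []
    for p in proc_events:
        parent = p["parent_image"].lower()
        if parent not in REMOTE_EXEC_PARENTS:
            continue
        method, tech, port = REMOTE_EXEC_PARENTS[parent]
        for n in net_events:
            if (n["dst_port"] == port
                    and INVENTORY.get(n["dst_ip"]) == p["host"]
                    and 0 <= p["ts"] - n["ts"] <= window):
                findings.append({
                    "technique": tech, "method": method,
                    "source": f"{n['host']}:{n['image']}",
                    "target": f"{p['host']} ({n['dst_ip']})",
                    "executed": f"{parent} -> {p['image']} {p['cmdline']}".strip(),
                })
                break
        else:
            # Service-side execution with no observed inbound connection is
            # still worth a lower-confidence finding (sensor gap on the source).
            findings.append({"technique": tech, "method": method, "source": "unknown",
                             "target": p["host"], "executed": f"{parent} -> {p['image']}"})
    return findings

NET = [  # constructed source-side telemetry
    {"ts": 1000, "host": "DESK01", "image": "powershell.exe", "dst_ip": "10.0.0.4", "dst_port": 389},
    {"ts": 1010, "host": "DESK01", "image": "powershell.exe", "dst_ip": "10.0.1.4", "dst_port": 5985},
    {"ts": 1200, "host": "DESK01", "image": "PsExec64.exe", "dst_ip": "10.0.1.4", "dst_port": 445},
]
PROC = [  # constructed destination-side telemetry
    {"ts": 1012, "host": "SCRANTON", "image": "powershell.exe", "parent_image": "wsmprovhost.exe", "cmdline": "Get-Process"},
    {"ts": 1205, "host": "SCRANTON", "image": "python.exe", "parent_image": "PSEXESVC.exe", "cmdline": r"C:\Windows\Temp\python.exe"},
    {"ts": 1300, "host": "SCRANTON", "image": "notepad.exe", "parent_image": "explorer.exe", "cmdline": ""},
]

if __name__ == "__main__":
    for f in correlate_lateral_movement(NET, PROC):
        print(f)
```

The LDAP connection to the domain controller (8.A.1) is deliberately left unmatched: it is discovery, not execution, and produces no service-side child on NewYork. Because the target-side parent process is the anchor, the join still produces a finding when the source endpoint has no sensor, only with the source marked unknown.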
9.A.1
Dropped rar.exe to disk on remote host Scranton (10.0.1.4)  python.exe creating the file rar.exe
Remote File Copy
(T1105)
Telemetry
Telemetry showed an executable file write event for python.exe creating rar.exe. [1]
9.A.2
Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)  python.exe creating the file sdelete64.exe
Remote File Copy
(T1105)
Telemetry
Telemetry showed Executable File Write event for python.exe creating sdelete64.exe. [1]
9.B.1
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from python.exe
Technique: PowerShell (T1086)
Telemetry
Telemetry showed python.exe executing powershell.exe. [1]
9.B.2
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery (T1083)
Technique (Configuration Change (Detections), Alert)
A Technique alert detection was generated for PowerShell enumerating files and directories using environment variables. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
Telemetry (Configuration Change (Detections))
Telemetry showed powershell.exe executing ChildItem. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
9.B.3
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection (T1119)
Telemetry (Configuration Change (Detections))
Telemetry showed powershell.exe executing ChildItem​. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
9.B.4
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System (T1005)
None
No detection capability demonstrated for this procedure.
9.B.5
Procedure: Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
Criteria: powershell.exe creating the file working.zip
Technique: Data Staged (T1074)
Telemetry
Telemetry showed the file write of working.zip. [1]
9.B.6
Procedure: Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe with a password parameter to use for encryption
Technique: Data Encrypted (T1022)
Technique (Alert)
A Technique alert detection called "Data Encrypted T1022" was generated due to powershell.exe executing rar.exe with command-line arguments indicative of encryption. [1]
Telemetry
Telemetry showed powershell.exe executing rar.exe with command-line arguments. [1]
9.B.7
Procedure: Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe
Technique: Data Compressed (T1002)
Technique (Alert)
A Technique alert detection called "Data Compressed T1002" was generated due to powershell.exe executing rar.exe with command-line arguments indicative of compression. [1]
Telemetry
Telemetry showed powershell.exe executing rar.exe with command-line arguments. [1]
9.B.8
Procedure: Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria: python.exe reading the file working.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel (T1041)
Telemetry (Configuration Change (Detections))
Telemetry showed python.exe reading working.zip and an existing C2 channel (192.168.0.4 over port 8443). The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1] [2]
9.C.1
Procedure: Deleted rar.exe on disk using SDelete
Criteria: sdelete64.exe deleting the file rar.exe
Technique: File Deletion (T1107)
Telemetry
Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. [1]
9.C.2
Procedure: Deleted working.zip (from Desktop) on disk using SDelete
Criteria: sdelete64.exe deleting the file \Desktop\working.zip
Technique: File Deletion (T1107)
Telemetry
Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. [1]
9.C.3
Procedure: Deleted working.zip (from AppData directory) on disk using SDelete
Criteria: sdelete64.exe deleting the file \AppData\Roaming\working.zip
Technique: File Deletion (T1107)
General (Alert)
A General alert detection called "Unusual File Written in User Directory" was generated when sdelete64.exe with command-line arguments was used to delete Roaming\working.zip. [1]
Telemetry
Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. [1]
9.C.4
Procedure: Deleted SDelete on disk using cmd.exe del command
Criteria: cmd.exe deleting the file sdelete64.exe
Technique: File Deletion (T1107)
None
No detection capability demonstrated for this procedure.
10.A.1
Procedure: Executed persistent service (javamtsup) on system startup
Criteria: javamtsup.exe spawning from services.exe
Technique: Service Execution (T1035)
None
No detection capability demonstrated for this procedure.
10.B.1
Procedure: Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria: Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Technique: Registry Run Keys / Startup Folder (T1060)
None
No detection capability demonstrated for this procedure.
10.B.2
Procedure: Executed PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe executing the CreateProcessWithToken API
Technique: Execution through API (T1106)
Technique (Alert)
A Technique alert detection (red indicator) was generated for a process created with CreateProcessWithToken. [1] [2]
10.B.3
Procedure: Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Technique: Access Token Manipulation (T1134)
Technique (Alert)
A Technique alert detection (orange indicator) was generated for PowerShell being identified as having fake parent process. [1]
Technique (Alert)
A Technique alert detection (red indicator) was generated for a process created with CreateProcessWithToken. [1] [2]
11.A.1
Procedure: User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
Criteria: powershell.exe spawning from explorer.exe
Technique: User Execution (T1204)
General (Alert)
A General alert detection (red indicator) was generated identifying the powershell.exe process as malware. [1]
Telemetry
Telemetry showed explorer.exe spawning powershell.exe. [1]
11.A.2
Procedure: Executed an alternate data stream (ADS) using PowerShell
Criteria: powershell.exe executing the schemas ADS via Get-Content and IEX
Technique: NTFS File Attributes (T1096)
Telemetry
Telemetry showed powershell.exe executing the schemas ADS with Get-Content and IEX. [1]
11.A.3
Procedure: Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_BIOS
Technique: Virtualization/Sandbox Evasion (T1497)
Technique (Alert, Configuration Change (Detections))
A Technique alert detection was generated for getting the BIOS version via Windows Management Instrumentation. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
Telemetry (Configuration Change (Detections))
Telemetry showed the PowerShell gwmi queries for Win32_BIOS. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
11.A.4
Procedure: Enumerated computer manufacturer, model, and version information using PowerShell
Criteria: powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
Technique: System Information Discovery (T1082)
Technique (Alert)
A Technique alert detection (red indicator) was generated for execution of a WMI system discovery command. [1] [2] [3]
Technique (Alert, Configuration Change (Detections))
A Technique alert detection (red indicator) was generated for getting the BIOS version via Windows Management Instrumentation. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
Telemetry (Configuration Change (Detections))
Telemetry showed the PowerShell gwmi queries for Win32_BIOS and Win32_ComputerSystem. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.5
Procedure: Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Technique: Peripheral Device Discovery (T1120)
Technique (Configuration Change (Detections), Alert)
A Technique alert detection (red indicator) was generated for getting the plug and play devices via Windows Management Instrumentation. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
Telemetry (Configuration Change (Detections))
Telemetry showed the PowerShell gwmi query for Win32_PnPEntity. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.6
Procedure: Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Technique: System Owner/User Discovery (T1033)
Technique (Alert)
A Technique alert detection (red indicator) was generated for the execution of a WMI system discovery command. [1] [2] [3]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_ComputerSystem. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.7
Procedure: Checked that the computer is joined to a domain using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
Technique: System Network Configuration Discovery (T1016)
Technique (Alert)
A Technique alert detection (red indicator) was generated for the execution of a WMI system discovery command. [1] [2] [3]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_ComputerSystem. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.8
Procedure: Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_Process
Technique: Process Discovery (T1057)
Technique (Alert)
A Technique alert detection (red indicator) was generated for the execution of a process discovery command via Windows Management Instrumentation. [1] [2]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_Process. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.9
Procedure: Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
Criteria: powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
Technique: File and Directory Discovery (T1083)
Telemetry (Configuration Change (Detections))
Telemetry showed PowerShell executing Get-Item for the current path. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
11.A.10
Procedure: Decoded an embedded DLL payload to disk using certutil.exe
Criteria: certutil.exe decoding kxwn.lock
Technique: Deobfuscate/Decode Files or Information (T1140)
Technique (Alert)
A Technique alert detection (yellow indicator) was generated for certutil.exe decoding a payload. [1] [2]
General (Alert)
A General alert detection (yellow indicator) was generated for the execution of the certutil.exe process, which was identified as suspicious. [1]
Telemetry
Telemetry showed the certutil.exe process and corresponding file write of the kxwn.lock payload. [1]
11.A.11
Procedure: Established Registry Run key persistence using PowerShell
Criteria: Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Technique: Registry Run Keys / Startup Folder (T1060)
Technique (Alert)
A Technique alert detection (red indicator) called "RegSigStartup" was generated for Registry Run Keys / Startup Folder persistence. [1] [2]
Technique (Alert)
A Technique alert detection (red indicator) was generated for a suspicious process writing a Startup item Registry key. [1] [2]
Technique
A Technique detection was generated showing Registry write event of the Webcache subkey by powershell.exe, identified as a Startup or Autorun. [1] [2]
Telemetry
Telemetry showed powershell.exe adding Run key persistence into the Registry. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.12
Procedure: Executed PowerShell stager payload
Criteria: powershell.exe spawning from the schemas ADS (powershell.exe)
Technique: PowerShell (T1086)
Technique (Alert)
A Technique alert detection (red indicator) was generated for powershell.exe executed with a suspicious large command line, which led to the powershell.exe process being identified as malware. [1] [2]
Technique (Alert)
A Technique alert detection (red indicator) was generated for powershell.exe launched with the encoded command parameter. [1] [2]
Telemetry
Telemetry showed powershell.exe spawned from a PowerShell stager. [1]
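Most of the alerts in steps 8.C.3, 9.B.6, 9.B.7, 9.C.1 to 9.C.4, 10.B.3, 11.A.10 and 11.A.12 are command-line or parent-process rules over process-creation telemetry. The block below is an added example, not Bitdefender's rules and not evaluation data, that expresses those rules over constructed records: rar.exe building an archive with a password switch, SDelete and a cmd.exe del of the SDelete binary itself, a PSEXESVC.exe parent, certutil -decode, an encoded PowerShell command line, and a process whose recorded parent is not the process that created it (one way to state the "fake parent process" alert in 10.B.3). The field names, including creator_pid for the process that issued the create call, and every path, PID and switch in the sample are assumptions.

```python
# Added example (not Bitdefender's or MITRE's code): command-line and parent-process
# rules of the kind behind the alerts above, run over constructed process-creation
# records. Field names (image, parent_image, cmdline, pid, ppid, creator_pid) and the
# events themselves are assumptions, not evaluation data; creator_pid stands for the
# process that actually called CreateProcess as seen by kernel/ETW telemetry.
import ntpath
import re


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def tokens(cmdline: str):
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def rules_for(ev: dict):
    """Yield (technique_id, reason) for every rule an event matches."""
    img, parent, cmd = base(ev["image"]), base(ev["parent_image"]), ev["cmdline"]
    args = tokens(cmd)[1:]

    if img == "rar.exe" and args and args[0].lower() in ("a", "u", "m"):   # archive-building commands
        yield "T1002", "rar.exe adding files to an archive"
        if any(a.lower().startswith(("-hp", "-p")) and not a.startswith("-p-") for a in args):
            yield "T1022", "rar.exe invoked with a password switch (-p/-hp)"

    if img.startswith("sdelete"):
        targets = [a for a in args if not a.startswith(("-", "/"))]
        yield "T1107", f"secure delete of {', '.join(targets) or '<unknown>'}"

    if img == "cmd.exe" and re.search(r"(^|[\s&|])del\s", cmd, re.I):
        victim = [a for a in args if base(a).startswith("sdelete")]
        yield "T1107", "cmd.exe del" + (" of the secure-delete tool itself" if victim else "")

    if parent == "psexesvc.exe":
        yield "T1035", "spawned by the PsExec service binary (PSEXESVC.exe)"

    if img == "certutil.exe" and re.search(r"-(decode|urlcache)\b", cmd, re.I):
        yield "T1140", "certutil.exe used to decode or fetch a payload"

    if img == "powershell.exe":
        if re.search(r"(^|\s)-e(c|nc|ncodedcommand)?(\s|$)", cmd, re.I):
            yield "T1086", "powershell.exe launched with -EncodedCommand"
        if len(cmd) > 500:
            yield "T1086", f"powershell.exe with an unusually long command line ({len(cmd)} chars)"

    if ev.get("creator_pid") is not None and ev["creator_pid"] != ev["ppid"]:
        yield "T1134", f"reported parent {ev['ppid']} differs from creating process {ev['creator_pid']}"


def detect(events):
    """Return [{'pid', 'image', 'technique', 'reason'}] across all events."""
    out = []
    for ev in events:
        for tid, why in rules_for(ev):
            out.append({"pid": ev["pid"], "image": base(ev["image"]), "technique": tid, "reason": why})
    return out


# Constructed sample events mirroring steps 8.C.3, 9.B.6/9.B.7, 9.C.1-9.C.4, 10.B.3,
# 11.A.10 and 11.A.12 in shape only; paths, PIDs and switches are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 1300, "ppid": 1200, "creator_pid": 1200, "image": r"C:\Windows\Temp\python.exe",
     "parent_image": r"C:\Windows\PSEXESVC.exe", "cmdline": "python.exe"},
    {"pid": 1400, "ppid": 1310, "creator_pid": 1310, "image": r"C:\Users\Pam\AppData\Roaming\rar.exe",
     "parent_image": PS,
     "cmdline": r'"C:\Users\Pam\AppData\Roaming\rar.exe" a -hpExamplePw C:\Users\Pam\Desktop\working.zip C:\Users\Pam\AppData\Roaming\working.zip'},
    {"pid": 1500, "ppid": 1310, "creator_pid": 1310, "image": r"C:\Users\Pam\AppData\Roaming\sdelete64.exe",
     "parent_image": PS, "cmdline": r"sdelete64.exe -accepteula C:\Users\Pam\AppData\Roaming\rar.exe"},
    {"pid": 1600, "ppid": 1310, "creator_pid": 1310, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": PS, "cmdline": r"cmd.exe /c del C:\Users\Pam\AppData\Roaming\sdelete64.exe"},
    {"pid": 2100, "ppid": 4000, "creator_pid": 2050, "image": PS,          # parent says explorer, creator is hostui
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA"},
    {"pid": 2200, "ppid": 2100, "creator_pid": 2100, "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": PS,
     "cmdline": r"certutil.exe -decode C:\Users\Oscar\AppData\Roaming\kxwn.b64 C:\Users\Oscar\AppData\Roaming\kxwn.lock"},
    {"pid": 2300, "ppid": 4000, "creator_pid": 4000, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},   # benign control
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"pid {hit['pid']:<5} {hit['image']:<14} {hit['technique']}  {hit['reason']}")
```

The benign notepad.exe record is there to show the rules stay quiet on ordinary explorer.exe children; the rar rule deliberately reports compression and encryption as two findings because the evaluation scores them as two techniques (9.B.6 and 9.B.7) from the same command line.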
11.A.13
Procedure: Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Criteria: Established network channel over port 443
Technique: Commonly Used Port (T1043)
Telemetry
Telemetry showed powershell.exe making a network connection to the C2 (192.168.0.4) over port 443. [1] [2]
11.A.14
Procedure: Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria: Established network channel over the HTTPS protocol
Technique: Standard Application Layer Protocol (T1071)
Telemetry (Configuration Change (Detections))
Telemetry showed powershell.exe making a network connection to C2 (192.168.0.4) over port 443, which was identified as using the SSL protocol. The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
11.A.15
Procedure: Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
Telemetry (Configuration Change (Detections))
Telemetry showed powershell.exe making a network connection to C2 (192.168.0.4) over port 443, which was identified as using the SSL protocol. The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
12.A.1
Procedure: Enumerated the System32 directory using PowerShell
Criteria: powershell.exe executing gci ((gci env:windir).Value + '\system32')
Technique: File and Directory Discovery (T1083)
Telemetry (Configuration Change (Detections))
Telemetry showed PowerShell enumeration of System32. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1] [2]
12.A.2
Procedure: Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria: powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Technique: Timestomp (T1099)
Telemetry (Configuration Change (Detections))
Telemetry showed script block with commands to timestomp kxwn.lock. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1] [2]
12.B.1
Procedure: Enumerated registered AV products using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Technique: Security Software Discovery (T1063)
Technique (Correlated, Alert)
A Technique alert detection (red indicator) called "WMIAntiVirusDiscovery" was generated due to PowerShell gwmi query for AntiVirusProduct. The alert was correlated to a parent alert identifying the powershell.exe process as malware. [1] [2]
Telemetry
Telemetry showed PowerShell gwmi query for AntiVirusProduct. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
12.C.1
Procedure: Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria: powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Technique: Query Registry (T1012)
Telemetry (Configuration Change (Detections))
Telemetry showed script block with registry query for installed software. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
12.C.2
Procedure: Enumerated installed software via the Registry (Uninstall key) using PowerShell
Criteria: powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Technique: Query Registry (T1012)
Telemetry (Configuration Change (Detections))
Telemetry showed scriptblock with registry query for installed software. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
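The discovery and evasion rows in 9.B.2, 9.B.3, 11.A.3 to 11.A.9, 12.A.1, 12.A.2, 12.B.1, 12.C.1 and 12.C.2 all hinge on PowerShell script block logging (the "Detection Configuration Change" notes), which exposes the WMI classes, cmdlets and property reads the payload used. The block below is an added example, not Bitdefender's logic and not evaluation data, that maps a script block's text to those techniques: it generalises the page's single-class queries to the WMI and CIM cmdlet aliases, follows a variable assigned from Win32_ComputerSystem so that reading .UserName or .PartOfDomain can be told apart, and infers sandbox evasion (11.A.3, 11.A.5, 11.A.8) when hardware, device or process queries appear alongside VM product or analysis-tool names. The pattern table and the sample script block are constructed.

```python
# Added example (not Bitdefender's or MITRE's code): maps PowerShell script block
# text (the Event ID 4104 content that script block logging provides) to the
# discovery/evasion techniques in steps 9.B.2-9.B.3, 11.A.3-11.A.9, 12.A.1-12.A.2,
# 12.B.1 and 12.C.1-12.C.2. Pattern table and sample block are our own constructions.
import re

QUERY = r"\b(?:Get-WmiObject|gwmi|Get-CimInstance|gcim)\b.*?"
PATTERNS = [
    (QUERY + r"\bWin32_BIOS\b",                    "T1082", "BIOS version/serial via WMI"),
    (QUERY + r"\bWin32_ComputerSystem\b",          "T1082", "manufacturer/model via WMI"),
    (QUERY + r"\bWin32_PnPEntity\b",               "T1120", "plug-and-play device enumeration"),
    (QUERY + r"\bWin32_Process\b",                 "T1057", "process list via WMI"),
    (r"\bAntiVirusProduct\b",                      "T1063", "registered AV products (root\\SecurityCenter2)"),
    (r"\b(?:Get-ChildItem|gci|ls|dir)\b",          "T1083", "file and directory listing"),
    (r"\b(?:Get-ChildItem|gci|ls|dir)\b.*-Recurse.*-Include", "T1119", "scripted recursive collection by extension"),
    (r"\bGet-Item\b.*?\.FullName",                 "T1083", "current path check"),
    (r"\.(?:CreationTime|LastWriteTime|LastAccessTime)\s*=", "T1099", "timestomp via attribute assignment"),
    (r"(?:HKLM:|HKEY_LOCAL_MACHINE)\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall",
                                                   "T1012", "installed-software query via the Uninstall key"),
]
# Properties of a Win32_ComputerSystem object that change which technique is being performed.
CS_PROPS = [(r"\.UserName\b", "T1033", "logged-on user via Win32_ComputerSystem"),
            (r"\.(?:Domain|PartOfDomain)\b", "T1016", "domain membership via Win32_ComputerSystem")]
VM_STRINGS = r"\b(?:VMware|VirtualBox|vbox|QEMU|Xen|Hyper-V)\b"
ANALYSIS_TOOLS = r"\b(?:procexp|procmon|taskmgr|wireshark|ollydbg|x64dbg|ida)\w*\.exe"


def computer_system_vars(text: str):
    """Variables assigned from a Win32_ComputerSystem query, e.g. $cs = gwmi Win32_ComputerSystem."""
    return set(re.findall(r"\$(\w+)\s*=\s*" + QUERY + r"\bWin32_ComputerSystem\b", text, re.I))


def analyze_script_block(text: str) -> dict:
    """Return {'techniques': sorted ids, 'evidence': {id: [(description, line)]}}."""
    findings = {}
    cs_vars = computer_system_vars(text)
    for line in text.splitlines():
        for rx, tid, desc in PATTERNS:
            if re.search(rx, line, re.I):
                findings.setdefault(tid, []).append((desc, line.strip()))
        for rx, tid, desc in CS_PROPS:
            direct = re.search(r"\bWin32_ComputerSystem\b.*" + rx, line, re.I)
            via_var = cs_vars and re.search((r"\$(?:%s)" % "|".join(map(re.escape, cs_vars))) + rx, line, re.I)
            if direct or via_var:
                findings.setdefault(tid, []).append((desc, line.strip()))
    # Sandbox evasion is inferred rather than matched: a hardware, device or process
    # query in the same block as VM product names or analysis-tool process names.
    if findings.keys() & {"T1082", "T1120", "T1057"} and (
            re.search(VM_STRINGS, text, re.I) or re.search(ANALYSIS_TOOLS, text, re.I)):
        findings["T1497"] = [("discovery output compared against VM or analysis-tool names", "")]
    return {"techniques": sorted(findings), "evidence": findings}


# Constructed sample script block shaped after the evaluation steps; not the real payload.
SAMPLE_BLOCK = r"""
$bios = Get-WmiObject -Class Win32_BIOS
if ($bios.SerialNumber -match 'VMware|VirtualBox') { exit }
$cs = gwmi Win32_ComputerSystem
if ($cs.UserName -match 'admin|user') { exit }
if (-not $cs.PartOfDomain) { exit }
$cs.Manufacturer; $cs.Model
gwmi Win32_PnPEntity | Where-Object { $_.Name -match 'VBox' }
(gwmi Win32_Process | Select-Object -ExpandProperty Name) -contains 'procexp.exe'
(Get-Item -Path ".\" -Verbose).FullName
gci ((gci env:windir).Value + '\system32')
Get-ChildItem -Path $env:USERPROFILE -Recurse -Include *.doc,*.docx,*.pdf,*.jpg
$f = Get-Item "$env:APPDATA\kxwn.lock"; $f.CreationTime = '2010-01-01'; $f.LastWriteTime = '2010-01-01'
gwmi -Namespace root\SecurityCenter2 -Class AntiVirusProduct
Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
"""
BENIGN_BLOCK = "Get-Date\nWrite-Host 'nightly report done'\n"

if __name__ == "__main__":
    result = analyze_script_block(SAMPLE_BLOCK)
    for tid in result["techniques"]:
        print(tid, result["evidence"][tid][0][0])
```

None of this fires without script block logging: the rows above that carry a Detection Configuration Change note are exactly the ones where the vendor had to switch it on mid-evaluation, so the operational takeaway is to have 4104 logging enabled before an incident rather than after.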
13.A.1
Procedure: Enumerated the computer name using the GetComputerNameEx API
Criteria: powershell.exe executing the GetComputerNameEx API
Technique: System Information Discovery (T1082)
None
No detection capability demonstrated for this procedure.
13.B.1
Procedure: Enumerated the domain name using the NetWkstaGetInfo API
Criteria: powershell.exe executing the NetWkstaGetInfo API
Technique: System Network Configuration Discovery (T1016)
None
No detection capability demonstrated for this procedure, though alerts were generated for PowerShell compiling a DLL file using csc.exe and a suspicious binary write by csc.exe with a PowerShell parent. [1] [2]
13.C.1
Procedure: Enumerated the current username using the GetUserNameEx API
Criteria: powershell.exe executing the GetUserNameEx API
Technique: System Owner/User Discovery (T1033)
None
No detection capability demonstrated for this procedure.
13.D.1
Procedure: Enumerated running processes using the CreateToolhelp32Snapshot API
Criteria: powershell.exe executing the CreateToolhelp32Snapshot API
Technique: Process Discovery (T1057)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called "findprocess" was generated due to PowerShell querying the list of running processes. The detection was correlated to a parent alert identifying the powershell.exe process as malware. [1] [2]
Technique (Configuration Change (Detections), Alert)
A Technique alert detection was generated for the execution of a PowerShell process discovery command. PowerShell script block logging was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
14.A.1
Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Technique: Component Object Model Hijacking (T1122)
Tactic (Alert, Correlated)
A Tactic alert detection (red indicator) was generated for the setting of a Registry key used by User Account Control (UAC). The alert was correlated to a parent alert identifying the powershell.exe process as malware. [1] [2]
Telemetry (Correlated)
Telemetry showed the addition of the DelegateExecute Registry value. The telemetry was correlated to a parent alert identifying the powershell.exe process as malware. [1]
14.A.2
Procedure: Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Technique: Bypass User Account Control (T1088)
Technique (Alert)
A Technique alert detection for "Bypass User Account Control" was generated for a suspicious process elevation. [1]
Telemetry
Telemetry showed control.exe spawning a powershell.exe tagged as High Integrity level and possessing elevated process access privileges. [1]
14.A.3
Procedure: Modified the Registry to remove artifacts of COM hijacking using PowerShell
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Technique: Modify Registry (T1112)
Telemetry
Telemetry showed the deletion of the Registry value. [1]
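Steps 11.A.11 and 14.A.1 to 14.A.3 are registry-write detections: a Run value added by a non-installer process, the HKCU\Software\Classes\Folder\shell\open\command key that the auto-elevating sdclt.exe resolves before HKCR (so a DelegateExecute value plus a command there yields a high-integrity process without a prompt), and the deletion of that key afterwards. The block below is an added example, not Bitdefender's logic and not evaluation data, that runs such rules over constructed registry events and correlates the staging write with the cleanup delete from the same process, which is the link the evaluation credits as "Correlated". It also lists the ms-settings key used by fodhelper.exe as the same hijack pattern under another auto-elevating binary; the page itself covers only sdclt.exe. Record shape, allowlist, timestamps and payload strings are assumptions.

```python
# Added example (not Bitdefender's or MITRE's code): rules over constructed registry
# telemetry for the persistence and UAC-bypass keys in steps 11.A.11 and 14.A.1-14.A.3.
# The record shape (ts, pid, image, op, key, value, data), the allowlist and the sample
# payload strings are ours. The ms-settings key (fodhelper.exe) is added as the same
# hijack pattern under another auto-elevating binary; the page covers only sdclt.exe.
import ntpath
import re

RUN_KEYS = re.compile(r"^hk(?:cu|lm)\\software\\microsoft\\windows\\currentversion\\run(?:once)?$", re.I)
# HKCU\Software\Classes entries that auto-elevating binaries resolve before HKCR:
# Folder\shell\open\command is what sdclt.exe consults, ms-settings\... what fodhelper.exe does.
COM_HIJACK_KEYS = re.compile(r"^hkcu\\software\\classes\\(?:folder|ms-settings)\\shell\\open\\command$", re.I)
RUN_KEY_ALLOWLIST = {"msiexec.exe", "setup.exe", "onedrivesetup.exe"}   # assumption: installers only


def norm_key(key: str) -> str:
    """Canonical form: short hive names, single backslashes, no trailing separator."""
    key = key.replace("HKEY_CURRENT_USER", "HKCU").replace("HKEY_LOCAL_MACHINE", "HKLM")
    return re.sub(r"\\+", r"\\", key).rstrip("\\")


def classify(ev: dict):
    """Yield (technique_id, reason) for one registry event."""
    key, image = norm_key(ev["key"]), ntpath.basename(ev["image"]).lower()
    if ev["op"] == "set_value" and RUN_KEYS.match(key) and image not in RUN_KEY_ALLOWLIST:
        yield "T1060", f"{image} wrote Run value '{ev['value']}' = {ev['data']!r}"
    if COM_HIJACK_KEYS.match(key):
        value = (ev.get("value") or "").lower()
        if ev["op"] == "set_value" and value in ("delegateexecute", "(default)", ""):
            yield "T1122", f"{image} set {ev.get('value') or '(default)'} under {key} (auto-elevate UAC bypass staging)"
        if ev["op"] == "delete_key":
            yield "T1112", f"{image} removed {key}"


def detect(events, cleanup_window=600):
    """Classify every event, then add a correlated finding when the same process stages a
    hijack command and deletes the key again within cleanup_window seconds (14.A.1 then 14.A.3)."""
    hits, staged = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tid, why in classify(ev):
            hits.append({"ts": ev["ts"], "pid": ev["pid"], "technique": tid, "reason": why})
            k = (ev["pid"], norm_key(ev["key"]).lower())
            if tid == "T1122":
                staged[k] = ev["ts"]
            elif tid == "T1112" and k in staged and ev["ts"] - staged[k] <= cleanup_window:
                hits.append({"ts": ev["ts"], "pid": ev["pid"], "technique": "T1112+T1122",
                             "reason": f"hijack key staged at t={staged[k]} and removed {ev['ts'] - staged[k]}s later"})
    return hits


# Constructed sample events; PIDs, timestamps and payload strings are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 2100, "image": PS, "op": "set_value",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Webcache", "data": r"rundll32.exe C:\Users\Oscar\AppData\Roaming\kxwn.lock,Start"},
    {"ts": 200, "pid": 3200, "image": r"C:\Windows\System32\msiexec.exe", "op": "set_value",   # allowlisted
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorUpdater", "data": r"C:\Program Files\Vendor\upd.exe"},
    {"ts": 300, "pid": 2100, "image": PS, "op": "set_value",
     "key": r"HKCU\Software\Classes\Folder\shell\open\command", "value": "DelegateExecute", "data": ""},
    {"ts": 301, "pid": 2100, "image": PS, "op": "set_value",
     "key": r"HKCU\Software\Classes\Folder\shell\open\command", "value": "", "data": "powershell.exe -NoP -W Hidden"},
    {"ts": 330, "pid": 2100, "image": PS, "op": "delete_key",
     "key": r"HKCU\Software\Classes\Folder\shell\open\command", "value": None, "data": None},
    {"ts": 400, "pid": 4100, "image": r"C:\Windows\explorer.exe", "op": "set_value",          # benign noise
     "key": r"HKCU\Software\Classes\Local Settings\MuiCache", "value": "x", "data": "y"},
]

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"t={h['ts']:<4} pid {h['pid']} {h['technique']:<12} {h['reason']}")
```

The correlation is what turns three individually low-confidence registry writes into one incident: the deletion in 14.A.3 is innocuous on its own, and only becomes evidence because the same process created the key half a minute earlier.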
14.B.1
Procedure: Created and executed a WMI class using PowerShell
Criteria: WMI Process (WmiPrvSE.exe) executing powershell.exe
Technique: Windows Management Instrumentation (T1047)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) was generated for a local process created using WMI. The detection was correlated to a parent alert identifying the powershell.exe process as malware. [1] [2]
Technique (Alert, Correlated)
A Technique alert detection (red indicator) was generated for a WMI action using a custom provider. The detection was correlated to a parent alert identifying the powershell.exe process as malware. [1] [2]
Technique (Alert, Correlated)
A Technique alert detection was generated for PowerShell executed using WMI. The alert was correlated to a parent alert identifying the powershell.exe process as malware. [1] [2]