
CrowdStrike: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
Legend

Main detection categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment, MSSP, General, Tactic, Technique.
Detection modifiers: Tainted, Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative.

Each entry below gives the Step, the Procedure and the Criteria used to judge detection of it, the ATT&CK Technique (with ID), and one or more Detection Types, each followed by its Detection Notes. Bracketed numbers such as [1] [2] in the notes refer to the supporting screenshots on the original page.
1.A.1
Procedure: User Pam executed payload rcs.3aka3.doc
Criteria: The rcs.3aka3.doc process spawning from explorer.exe
Technique: User Execution (T1204)
General (Alert)
A General alert detection (yellow indicator) was generated for a suspicious file meeting the sensor's low-confidence threshold for a malicious file. [1]
MSSP (Delayed (Manual))
An MSSP detection for the suspicious execution of the rcs.3aka3.doc file. [1]
Telemetry
Telemetry showed explorer.exe executing rcs.3aka3.doc. [1]

1.A.2
Procedure: Used Unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process OR the original filename (cod.3aka.scr)
Technique: Masquerading (T1036)
Technique (Alert)
A Technique alert detection (yellow indicator) called "Masquerading" was generated when an executable ran containing a RTLO character. [1]
MSSP (Delayed (Manual))
An MSSP detection was received that included details of the file rcs.3aka3.doc and identified it as a portable executable. [1] [2]

1.A.3
Procedure: Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234
Technique: Uncommonly Used Port (T1065)
MSSP (Delayed (Manual))
An MSSP detection was generated for rcs.3aka3.doc connecting to 192.168.0.5 on port 1234. [1]
Telemetry
Telemetry showed the rcs.3aka3.doc process connecting to 192.168.0.5 on TCP port 1234. [1]

1.A.4
Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
None
No detection capability demonstrated for this procedure, though data showed rcs.3aka3.doc loading cryptographic libraries. [1]

1.B.1
Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
Technique: Command-Line Interface (T1059)
Telemetry (Correlated)
Telemetry showed cmd.exe spawning from rcs.3aka3.doc. The detection was correlated to a parent alert for user execution of rcs.3aka.doc. [1]

1.B.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
Technique: PowerShell (T1086)
General (Correlated, Alert)
A General alert detection (yellow indicator) was generated when powershell.exe spawned from cmd.exe. The detection was correlated to a parent alert for user execution of rcs.3aka.doc. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe spawning from cmd.exe. The detection was correlated to a parent alert for user execution of rcs.3aka.doc. [1]

2.A.1
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery (T1083)
Telemetry (Correlated)
Telemetry showed powershell.exe executing ChildItem. [1]

2.A.2
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection (T1119)
Technique (Alert, Correlated)
A Technique alert detection (purple hexagon) called "Automated Collection" was generated when powershell.exe executed an automated search routine with Get-ChildItem. The event was correlated to a parent general detection for user execution of rcs.3aka.doc. [1]
MSSP (Delayed (Manual))
An MSSP alert was generated when a portable executable file used a script to collect various file types found on the filesystem. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing ChildItem. [1]

2.A.3
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System (T1005)
Telemetry (Correlated)
Telemetry showed file opens of C:\Users\Pam\*. The event was correlated to a parent general detection for user execution of rcs.3aka.doc. [1]

2.A.4
Procedure: Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive
Technique: Data Compressed (T1002)
Telemetry (Correlated)
Telemetry showed powershell.exe compressing via Compress-Archive. [1]

2.A.5
Procedure: Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file draft.zip
Technique: Data Staged (T1074)
Telemetry (Correlated)
Telemetry showed file creation of Draft.zip. [1]

2.B.1
Procedure: Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria: The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel (T1041)
Telemetry (Correlated)
Telemetry showed file read event for Draft.zip and an existing C2 channel (192.168.0.5 over port 1234). The event was correlated to a parent General detection for User Execution of rcs.3aka.doc. [1] [2]

3.A.1
Procedure: Dropped stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png
Technique: Remote File Copy (T1105)
Telemetry (Correlated)
Telemetry showed rcs.3aka3.doc reading file monkey.png. The event was correlated to a parent General detection for user execution of rcs.3aka.doc. [1]

3.A.2
Procedure: Embedded PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png
Technique: Obfuscated Files or Information (T1027)
Technique (Alert, Correlated)
A Technique alert (high severity) was generated for PowerShell using obfuscation. The event was correlated to a parent general detection for user execution of rcs.3aka.doc. [1]
Telemetry (Correlated)
Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1]

3.B.1
Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Technique: Component Object Model Hijacking (T1122)
Telemetry (Correlated)
Telemetry showed the addition of the DelegateExecute Registry Value. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1]

3.B.2
Procedure: Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Technique: Bypass User Account Control (T1088)
Technique (Alert, Correlated)
A Technique alert detection (purple hexagon) called "Bypass User Account Control" was generated when control.exe spawned an elevated PowerShell payload. The event was correlated to a parent general detection for user execution of rcs.3aka.doc. [1]
Tactic (Alert, Correlated)
A Tactic alert detection (purple hexagon) called "Defense Evasion" was generated when a process reflectively loaded a DLL associated with meterpreter using the PowerShell payload. The event was correlated to a parent general detection for user execution of rcs.3aka.doc. [1]
Telemetry (Correlated)
Telemetry showed control.exe creating a high integrity powershell.exe. The event was correlated to a parent general detection for user execution of rcs.3aka.doc. [1]

3.B.3
Procedure: Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria: Established network channel over port 443
Technique: Commonly Used Port (T1043)
MSSP (Delayed (Manual))
An MSSP report showed sdclt.exe spawned a process that connected to 192.168.0.5 on port 443. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe connecting to 192.168.0.5 on port 443. The event was correlated to a parent technique detection for Bypass User Account Control of control.exe spawning powershell.exe. [1]

3.B.4
Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS
Technique: Standard Application Layer Protocol (T1071)
None
No detection capability demonstrated for this procedure.

3.B.5
Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
None
No detection capability demonstrated for this procedure.

3.C.1
Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Technique: Modify Registry (T1112)
Telemetry (Correlated)
Telemetry showed the deletion of the command subkey. The event was correlated to a parent technique detection for Bypass User Account Control of control.exe spawning powershell.exe. [1]

4.A.1
Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip
Technique: Remote File Copy (T1105)
Telemetry (Correlated)
Telemetry showed the file write of the ZIP by PowerShell. The detection was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1]

4.A.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from powershell.exe
Technique: PowerShell (T1086)
Telemetry (Correlated)
Telemetry showed a new powershell.exe spawning from powershell.exe. The detection was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1]

4.A.3
Procedure: Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria: powershell.exe executing Expand-Archive
Technique: Deobfuscate/Decode Files or Information (T1140)
Telemetry (Correlated)
Telemetry showed PowerShell decompressing the ZIP via Expand-Archive and corresponding file writes. The event was correlated to a parent alert for Bypass User Account Control of control.exe spawning powershell.exe. [1] [2]

4.B.1
Procedure: Enumerated current running processes using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Telemetry (Correlated)
Telemetry showed powershell.exe executing Get-Process. The detection was correlated to a parent alert for user execution of rcs.3aka.doc. [1]

4.B.2
Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
Technique: File Deletion (T1107)
Technique (Correlated, Alert)
A Technique alert detection (red indicator) for "File Deletion" was generated due to sdelete64.exe deleting rcs.3aka3.doc. The event was correlated to a parent general detection for user execution of rcs.3aka.doc. [1]
Telemetry (Correlated)
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename events. The detection was correlated to a parent alert for user execution of rcs.3aka.doc. [1] [2]

4.B.3
Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file draft.zip
Technique: File Deletion (T1107)
Telemetry (Correlated)
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent alert for user execution of Draft.zip. [1]

4.B.4
Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
Technique: File Deletion (T1107)
Telemetry (Correlated)
Telemetry showed file rename and delete operations from sdelete64.exe deleting SysinternalsSuite.zip. The detection was correlated to a parent alert for user execution of SysinternalsSuite.zip. [1]

4.C.1
Procedure: Enumerated user's temporary directory path using PowerShell
Criteria: powershell.exe executing $env:TEMP
Technique: File and Directory Discovery (T1083)
Telemetry (Correlated)
Telemetry showed powershell.exe executing $env:TEMP. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]

4.C.2
Procedure: Enumerated the current username using PowerShell
Criteria: powershell.exe executing $env:USERNAME
Technique: System Owner/User Discovery (T1033)
Telemetry (Correlated)
Telemetry showed powershell.exe executing $env:USERNAME. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]

4.C.3
Procedure: Enumerated the computer hostname using PowerShell
Criteria: powershell.exe executing $env:COMPUTERNAME
Technique: System Information Discovery (T1082)
Telemetry (Correlated)
Telemetry showed powershell.exe executing $env:COMPUTERNAME. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]

4.C.4
Procedure: Enumerated the current domain name using PowerShell
Criteria: powershell.exe executing $env:USERDOMAIN
Technique: System Network Configuration Discovery (T1016)
Telemetry (Correlated)
Telemetry showed powershell.exe executing $env:USERDOMAIN. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]

4.C.5
Procedure: Enumerated the current process ID using PowerShell
Criteria: powershell.exe executing $PID
Technique: Process Discovery (T1057)
Telemetry (Correlated)
Telemetry showed powershell.exe executing $PID. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]

4.C.6
Procedure: Enumerated the OS version using PowerShell
Criteria: powershell.exe executing Gwmi Win32_OperatingSystem
Technique: System Information Discovery (T1082)
Telemetry (Correlated)
Telemetry showed powershell.exe executing Gwmi Win32_OperatingSystem. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]

4.C.7
Procedure: Enumerated anti-virus software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Technique: Security Software Discovery (T1063)
Telemetry (Correlated)
Telemetry showed powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]

4.C.8
Procedure: Enumerated firewall software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Technique: Security Software Discovery (T1063)
Technique (Correlated)
A Technique detection called "GenericSoftwareSystemDiscovery" was generated when WMI was used to query information about firewall products. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing Get-WmiObject ... -Class FireWallProduct. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]

4.C.9
Procedure: Enumerated user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API
Technique: Permission Groups Discovery (T1069)
Telemetry (Correlated)
Telemetry showed powershell.exe executing the NetUserGetGroups API. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1]

4.C.10
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
Telemetry (Correlated)
Telemetry showed Netapi32.dll loaded into powershell.exe. The event was correlated to a parent general detection for user execution of rcs.3aka.doc. [1] [2] [3]

4.C.11
Procedure: Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria: powershell.exe executing the NetUserGetLocalGroups API
Technique: Permission Groups Discovery (T1069)
Telemetry (Correlated)
Telemetry showed powershell.exe executing the NetUserGetLocalGroups API. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1]

4.C.12
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
Telemetry (Correlated)
Telemetry showed Netapi32.dll loaded into powershell.exe. The event was correlated to a parent general detection for user execution of rcs.3aka.doc. [1] [2] [3]

5.A.1
Procedure: Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria: powershell.exe creating the Javamtsup service
Technique: New Service (T1050)
Telemetry (Correlated)
Telemetry showed PowerShell command used to create the new service javamtsup. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]

5.B.1
Procedure: Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria: powershell.exe creating the file hostui.lnk in the Startup folder
Technique: Registry Run Keys / Startup Folder (T1060)
Telemetry (Correlated)
Telemetry showed the file write of hostui.lnk in the Startup folder. The event was correlated to a parent General detection for user execution of rcs.3aka.doc. [1]

6.A.1
Procedure: Read the Chrome SQL database file to extract encrypted credentials
Criteria: accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Technique: Credentials in Files (T1081)
Telemetry (Delayed (Processing))
Telemetry showed accesschk.exe reading the Chrome database file for credentials. Detection incurred a delay based on accesschk.exe executing in a malware detonation chamber where the results were later available to an analyst. [1]

6.A.2
Procedure: Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectData API
Technique: Credential Dumping (T1003)
None
No detection capability demonstrated for this procedure.

6.A.3
Procedure: Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
Technique: Masquerading (T1036)
General (Correlated)
A General detection called "HashPupAdwareCrowdStrikeSha256" was generated when accesschk.exe matched known malicious payload hashes. The event was correlated to a parent General detection for user execution of rcs.3aka.doc. [1]

6.B.1
Procedure: Exported a local certificate to a PFX file using PowerShell
Criteria: powershell.exe creating a certificate file exported from the system
Technique: Private Keys (T1145)
None
No detection capability demonstrated for this procedure.

6.C.1
Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Technique: Credential Dumping (T1003)
Technique (Correlated, Alert)
A Technique alert detection (red hexagon indicator) for "Credential Dumping" was generated when powershell.exe injected into LSASS. The event was correlated to a parent General detection for User Execution of rcs.3aka.doc. [1] [2] [3]

7.A.1
Procedure: Captured and saved screenshots using PowerShell
Criteria: powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Technique: Screen Capture (T1113)
Telemetry (Correlated)
Telemetry showed powershell.exe triggered a ScreenshotTakenETW event. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1]

7.A.2
Procedure: Captured clipboard contents using PowerShell
Criteria: powershell.exe executing Get-Clipboard
Technique: Clipboard Data (T1115)
Telemetry (Correlated)
Telemetry showed powershell.exe executing Get-Clipboard. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1]

7.A.3
Procedure: Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API
Technique: Input Capture (T1056)
Technique (Alert, Correlated)
A Technique alert detection called "Input Capture" was generated when a process performed reads of the user key buffers. The event was correlated to a parent General detection for User Execution of rcs.3aka.doc. [1] [2]
Telemetry (Correlated)
Telemetry showed PowerShell calling the GetAsyncKeyState API. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]

7.B.1
Procedure: Read data in the user's Downloads directory using PowerShell
Criteria: powershell.exe reading files in C:\Users\pam\Downloads\
Technique: Data from Local System (T1005)
Telemetry (Correlated)
Telemetry showed powershell.exe reading files from C:\Users\pam\Downloads. The detection was correlated to a parent alert for User Execution of rcs.3aka.doc. [1] [2]

7.B.2
Procedure: Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
Criteria: powershell.exe creating the file OfficeSupplies.7z
Technique: Data Compressed (T1002)
Telemetry (Correlated)
Telemetry showed the file write event for OfficeSupplies.7z. The event was correlated to a parent General detection for user execution of rcs.3aka.doc. [1]

7.B.3
Procedure: Encrypted data from the user's Downloads directory using PowerShell
Criteria: powershell.exe executing Compress-7Zip with the password argument used for encryption
Technique: Data Encrypted (T1022)
Telemetry (Correlated)
Telemetry showed powershell.exe executing Compress-7Zip with arguments for encryption. The detection was correlated to a parent alert for User Execution of rcs.3aka.doc. [1] [2]

7.B.4
Procedure: Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria: powershell.exe executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)
Technique: Exfiltration Over Alternative Protocol (T1048)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of OfficeSupplies.7z being copied over the network to a remote adversary WebDav network share (192.168.0.4). [1]
Telemetry (Correlated)
Telemetry showed PowerShell Copy-Item to a remote adversary WebDav network share (192.168.0.4). The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]

8.A.1
Procedure: Enumerated remote systems using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Technique: Remote System Discovery (T1018)
Telemetry (Correlated)
Telemetry showed powershell.exe establishing a connection to NewYork (10.0.0.4) over port 389. The event was correlated to a parent General detection for user execution of rcs.3aka.doc. [1] [2]

8.A.2
Procedure: Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria: Network connection to Scranton (10.0.1.4) over port 5985
Technique: Windows Remote Management (T1028)
Telemetry (Correlated)
Telemetry showed network connection to remote host Scranton (10.0.1.4) over port 5985. The event was correlated to a parent General detection for user execution of rcs.3aka.doc. [1]

8.A.3
Procedure: Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Telemetry
Telemetry showed powershell.exe executing Get-Process. [1]

8.B.1
Procedure: Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria: The file python.exe created on Scranton (10.0.1.4)
Technique: Remote File Copy (T1105)
Telemetry
Telemetry showed a file write event of python.exe. [1]

8.B.2
Procedure: python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed
Technique: Software Packing (T1045)
Technique (Alert)
A Technique alert detection (red indicator) called "Software Packing" was generated when python.exe was written to disk. [1]
Telemetry
Telemetry showed a packed executable written event for python.exe. A FileSubType_decimal value of 4 is a PE_PACKER_UPX reference in documentation. [1] [2]

8.C.1
Procedure: Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)
Technique: Valid Accounts (T1078)
Telemetry
Telemetry showed a valid logon on Scranton (10.0.1.4) as user Pam. [1]

8.C.2
Procedure: Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Technique: Windows Admin Shares (T1077)
Technique (Alert)
A Technique alert detection (yellow indicator) called "Windows Admin Shares" was generated when python.exe was copied to Scranton via SMB. [1]
Telemetry
Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 135. [1] [2]

8.C.3
Procedure: Executed python.exe using PsExec
Criteria: python.exe spawned by PSEXESVC.exe
Technique: Service Execution (T1035)
Technique
A Technique detection for "ServiceExecOnSMBFile" was generated due to PsExec running a python.exe remotely. [1]
Telemetry
Telemetry showed python.exe spawned from PSEXESVC.exe. [1]

9.A.1
Procedure: Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file rar.exe
Technique: Remote File Copy (T1105)
Telemetry
Telemetry showed an executable file write event for python.exe creating rar.exe. [1]

9.A.2
Procedure: Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file sdelete64.exe
Technique: Remote File Copy (T1105)
Telemetry
Telemetry showed Executable File Write event for python.exe creating sdelete64.exe. [1]

9.B.1
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from python.exe
Technique: PowerShell (T1086)
Telemetry
Telemetry showed Python.exe executing powershell.exe. [1]

9.B.2
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery (T1083)
Telemetry
Telemetry showed powershell.exe executing ChildItem. [1]

9.B.3
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection (T1119)
Technique (Alert, Correlated)
A Technique alert detection (yellow indicator) called "Automated Collection" was generated when powershell.exe executed Get-ChildItem. The event was correlated to a parent Technique detection for Windows Admin Shares. [1] [2]
Telemetry
Telemetry showed Powershell.exe executing ChildItem. [1]

9.B.4
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System (T1005)
None
No detection capability demonstrated for this procedure.

9.B.5
Procedure: Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
Criteria: powershell.exe creating the file working.zip
Technique: Data Staged (T1074)
Telemetry
Telemetry showed a ZipFileWritten event for the creation of working.zip. [1]

9.B.6
Procedure: Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Technique: Data Encrypted (T1022)
Telemetry (Correlated)
Telemetry showed powershell.exe executing rar.exe with command-line arguments. The event was correlated to a parent Technique detection for Windows Admin Shares. [1] [2]

9.B.7
Procedure: Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe
Technique: Data Compressed (T1002)
Technique (Alert)
A Technique alert detection (purple indicator) called "Data Compressed" was generated due to powershell.exe executing rar.exe with command-line arguments indicative of compression. The event was correlated to a parent Technique detection for Windows Admin Shares. [1] [2]
Telemetry (Correlated)
Telemetry showed powershell.exe executing rar.exe with command-line arguments. The event was correlated to a parent Technique detection for Windows Admin Shares. [1] [2]

9.B.8
Procedure: Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria: python.exe reading the file working.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel (T1041)
None
No detection capability demonstrated for this procedure.

9.C.1
Procedure: Deleted rar.exe on disk using SDelete
Criteria: sdelete64.exe deleting the file rar.exe
Technique: File Deletion (T1107)
Telemetry
Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. [1] [2]

9.C.2
Procedure: Deleted working.zip (from Desktop) on disk using SDelete
Criteria: sdelete64.exe deleting the file \Desktop\working.zip
Technique: File Deletion (T1107)
Telemetry
Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. [1] [2]

9.C.3
Procedure: Deleted working.zip (from AppData directory) on disk using SDelete
Criteria: sdelete64.exe deleting the file \AppData\Roaming\working.zip
Technique: File Deletion (T1107)
Telemetry
Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. [1] [2]

9.C.4
Procedure: Deleted SDelete on disk using cmd.exe del command
Criteria: cmd.exe deleting the file sdelete64.exe
Technique: File Deletion (T1107)
Telemetry
Telemetry showed an ExecutableDeleted event for sdelete64.exe. [1]

10.A.1
Procedure: Executed persistent service (javamtsup) on system startup
Criteria: javamtsup.exe spawning from services.exe
Technique: Service Execution (T1035)
None
No detection capability demonstrated for this procedure.

10.B.1
Procedure: Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria: Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Technique: Registry Run Keys / Startup Folder (T1060)
Telemetry
Telemetry showed hostui.lnk executing from the Startup Folder. [1]

10.B.2
Procedure: Executed PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe executing the CreateProcessWithToken API
Technique: Execution through API (T1106)
None
No detection capability demonstrated for this procedure.

10.B.3
Procedure: Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Technique: Access Token Manipulation (T1134)
Technique (Alert)
A Technique alert detection called "Access Token Manipulation" was generated for token stealing activity. [1]
Telemetry
Telemetry showed powershell.exe executing with the same token (identified by the AuthenticationID) as explorer.exe. [1]

11.A.1
Procedure: User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
Criteria: powershell.exe spawning from explorer.exe
Technique: User Execution (T1204)
Telemetry
Telemetry showed explorer.exe executing powershell.exe. [1]

11.A.2
Procedure: Executed an alternate data stream (ADS) using PowerShell
Criteria: powershell.exe executing the schemas ADS via Get-Content and IEX
Technique: NTFS File Attributes (T1096)
Telemetry
Telemetry showed powershell.exe executing the schemas ADS with Get-Content and IEX. [1] [2]
11.A.3
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell powershell.exe executing a Get-WmiObject query for Win32_BIOS
Virtualization/Sandbox Evasion
(T1497)
None
No detection capability demonstrated for this procedure. PowerShell script block content for this step was collected on sensor, but at execution time did not meet confidence threshold to be sent to cloud for further analysis.
11.A.4
Enumerated computer manufacturer, model, and version information using PowerShell powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
System Information Discovery
(T1082)
None
No detection capability demonstrated for this procedure. PowerShell script block content for this step was collected on sensor, but at execution time did not meet confidence threshold to be sent to cloud for further analysis.
11.A.5
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Peripheral Device Discovery
(T1120)
None
No detection capability demonstrated for this procedure. PowerShell script block content for this step was collected on sensor, but at execution time did not meet confidence threshold to be sent to cloud for further analysis.
11.A.6
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Owner/User Discovery
(T1033)
None
No detection capability demonstrated for this procedure. PowerShell script block content for this step was collected on sensor, but at execution time did not meet confidence threshold to be sent to cloud for further analysis.
11.A.7
Checked that the computer is joined to a domain using PowerShell powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Network Configuration Discovery
(T1016)
None
No detection capability demonstrated for this procedure. PowerShell script block content for this step was collected on sensor, but at execution time did not meet confidence threshold to be sent to cloud for further analysis.
11.A.8
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell powershell.exe executing a Get-WmiObject query for Win32_Process
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure. PowerShell script block content for this step was collected on sensor, but at execution time did not meet confidence threshold to be sent to cloud for further analysis.
11.A.9
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure. PowerShell script block content for this step was collected on sensor, but at execution time did not meet confidence threshold to be sent to cloud for further analysis.
11.A.10
Decoded an embedded DLL payload to disk using certutil.exe certutil.exe decoding kxwn.lock
Deobfuscate/Decode Files or Information
(T1140)
Technique (Alert)
A Technique alert detection (high severity) called “Deobfuscate/Decode Files or Information” was generated when certutil.exe decoded a malicious payload. [1]
Telemetry
Telemetry showed the certutil.exe process and corresponding PE file write of the kxwn.lock payload. [1]
11.A.11
Established Registry Run key persistence using PowerShell Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry Run Keys / Startup Folder
(T1060)
Telemetry
Telemetry showed powershell.exe adding Run key persistence into the Registry. [1]
11.A.12
Executed PowerShell stager payload powershell.exe spawning from the schemas ADS (powershell.exe)
PowerShell
(T1086)
Technique (Alert)
A Technique alert detection (red indicator) called “PowerShell” was generated for the executed PowerShell stager matching existing malware characteristics. [1] [2]
Technique (Alert)
A Technique alert detection (yellow indicator) called “PowerShell” was generated for powershell.exe run with a hidden window and encoded commands. [1]
Telemetry
Telemetry showed powershell.exe spawned from a PowerShell stager. [1]
11.A.13
Established C2 channel (192.168.0.4) via PowerShell payload over port 443 Established network channel over port 443
Commonly Used Port
(T1043)
Telemetry
Telemetry showed powershell.exe making a network connection to the C2 (192.168.0.4) over port 443. [1] [2]
11.A.14
Used HTTPS to transport C2 (192.168.0.4) traffic Established network channel over the HTTPS protocol
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure, though data showed powershell.exe loading http libraries. [1]
11.A.15
Used HTTPS to encrypt C2 (192.168.0.4) traffic Evidence that the network data sent over the C2 channel is encrypted
Standard Cryptographic Protocol
(T1032)
MSSP (Delayed (Manual))
An MSSP alert showed outbound connection with Cryptographic API calls to C2 server. [1]
12.A.1
Enumerated the System32 directory using PowerShell powershell.exe executing (gci ((gci env:windir).Value + '\system32'))
File and Directory Discovery
(T1083)
Telemetry
Telemetry showed PowerShell enumeration of System32. [1] [2]
12.A.2
Modified the time attributes of the kxwn.lock persistence payload using PowerShell powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Timestomp
(T1099)
Telemetry
Telemetry showed script block with commands to timestomp kxwn.lock. [1] [2]
12.B.1
Enumerated registered AV products using PowerShell powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Security Software Discovery
(T1063)
Technique
A Technique detection called “GenericSecuritySoftwareDiscovery” was generated due to PowerShell gwmi query for AntiVirusProduct. [1]
Telemetry
Telemetry showed PowerShell gwmi query for AntiVirusProduct. [1]
12.C.1
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
Telemetry
Telemetry showed scriptblock with registry query for installed software. [1] [2]
12.C.2
Enumerated installed software via the Registry (Uninstall key) using PowerShell powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
Telemetry
Telemetry showed script block with registry query for installed software. [1] [2]
13.A.1
Enumerated the computer name using the GetComputerNameEx API powershell.exe executing the GetComputerNameEx API
System Information Discovery
(T1082)
Telemetry
Telemetry showed PowerShell calling the GetComputerNameEx API. [1]
13.B.1
Enumerated the domain name using the NetWkstaGetInfo API powershell.exe executing the NetWkstaGetInfo API
System Network Configuration Discovery
(T1016)
Telemetry
Telemetry showed PowerShell calling the NetWkstaGetInfo API. [1] [2]
13.C.1
Enumerated the current username using the GetUserNameEx API powershell.exe executing the GetUserNameEx API
System Owner/User Discovery
(T1033)
Telemetry
Telemetry showed PowerShell executing the GetUserNameEx API. [1] [2]
13.D.1
Enumerated running processes using the CreateToolhelp32Snapshot API powershell.exe executing the CreateToolhelp32Snapshot API
Process Discovery
(T1057)
Telemetry
Telemetry showed PowerShell calling the CreateToolhelp32Snapshot API. [1]
14.A.1
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Component Object Model Hijacking
(T1122)
Telemetry
Telemetry showed the addition of the DelegateExecute Registry value. [1] [2]
14.A.2
Executed elevated PowerShell payload High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Bypass User Account Control
(T1088)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called “Bypass User Account Control” was generated when the parent powershell.exe process of sdclt.exe attempted to escalate privileges via UAC bypass or UAC elevation. The event was correlated to a parent Technique detection for PowerShell. [1]
Tactic (Alert, Correlated)
A Tactic alert detection (red indicator) called “Privilege Escalation – Access Token Manipulation” was generated when powershell.exe impersonated another user via access token manipulation. The event was correlated to a parent Technique detection for PowerShell. [1]
Telemetry (Correlated)
Telemetry showed a new High Integrity PowerShell callback spawned from control.exe (spawned from sdclt.exe). The event was correlated to a parent technique detection for PowerShell. [1]
14.A.3
Modified the Registry to remove artifacts of COM hijacking using PowerShell Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Modify Registry
(T1112)
Telemetry
Telemetry showed the deletion of the Registry value. [1] [2]
14.B.1
Created and executed a WMI class using PowerShell WMI Process (WmiPrvSE.exe) executing powershell.exe
Windows Management Instrumentation
(T1047)
Telemetry (Correlated)
Telemetry showed WmiPrvSE.exe executing powershell.exe. The detection was correlated to a parent alert for execution via PowerShell. [1]
14.B.2
Enumerated and tracked PowerShell processes using PowerShell powershell.exe executing Get-Process
Process Discovery
(T1057)
Telemetry
Telemetry showed PowerShell executing Get-Process. [1]
14.B.3
Downloaded and dropped Mimikatz (m.exe) to disk powershell.exe downloading and/or the file write of m.exe
Remote File Copy
(T1105)
General
A General detection called "NewExecutableWritten" was generated for the PowerShell command to download m.exe. [1]
Telemetry (Correlated)
Telemetry showed the file write event for m.exe into the System32 folder. The detection was correlated to a parent alert for Execution via Powershell. [1]
14.B.4
Dumped plaintext credentials using Mimikatz (m.exe) m.exe injecting into lsass.exe to dump credentials
Credential Dumping
(T1003)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called “Credential Dumping” was generated when the LSASS process was accessed by Mimikatz (m.exe). The detection was correlated to a parent alert for Execution via PowerShell. [1] [2]
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called “Credential Dumping” was generated when m.exe read LSASS memory. The detection was correlated to a parent alert for Execution via Powershell. [1]
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called “Credential Dumping” was generated when Mimikatz (m.exe) launched. The detection was correlated to a parent alert for Execution via Powershell. [1]
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called “Credential Dumping” was generated when the encoded PowerShell payload script launched a Mimikatz process (m.exe). The detection was correlated to a parent alert for Execution via PowerShell. [1]
General (Alert, Correlated)
A General alert detection (red indicator) called “Machine Learning via Sensor-based ML” was generated when m.exe met machine learning-based on-sensor AV protection’s high confidence threshold for malicious files. The detection was correlated to a parent alert for Execution via Powershell. [1]
14.B.5
Encoded and wrote Mimikatz output to a WMI class property using PowerShell powershell.exe executing Set-WmiInstance
Obfuscated Files or Information
(T1027)
Telemetry
Telemetry showed PowerShell writing encoded content into the WMI class. [1] [2]
14.B.6
Read and decoded Mimikatz output from a WMI class property using PowerShell powershell.exe executing Get-WmiInstance
Deobfuscate/Decode Files or Information
(T1140)
Telemetry
Telemetry showed PowerShell reading encoded content from the WMI class. [1]
15.A.1
Enumerated logged on users using PowerShell powershell.exe executing $env:UserName
System Owner/User Discovery
(T1033)
Telemetry (Correlated)
Telemetry showed PowerShell script block executing $env:UserName. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]
15.A.2
Established WMI event subscription persistence using PowerShell powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription
Windows Management Instrumentation Event Subscription
(T1084)
Technique
A Technique detection for "WmiFilterConsumerBind" was generated due to the WindowsParentalControlMigration event filter creation. [1]
Telemetry (Correlated)
Telemetry showed the WindowsParentalControlMigration WMI filter, consumer, and binding created in root/subscription. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]
16.A.1
Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll
Remote System Discovery
(T1018)
Telemetry (Correlated)
Telemetry showed the System.DirectoryServices.dll module loaded by powershell.exe as well as powershell.exe executing the Get-NetDomainController cmdlet. The detection was correlated to a parent alert on PowerShell. [1] [2] [3]
16.B.1
Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API powershell.exe executing the ConvertSidToStringSid API
System Owner/User Discovery
(T1033)
Telemetry (Correlated)
Telemetry showed PowerShell executing the ConvertSidToStringSid API function. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]
16.B.2
Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll
Execution through API
(T1106)
Telemetry (Correlated)
Telemetry showed that PowerShell loaded Advapi32.dll in order to execute the ConvertSidToStringSid API function. The detection was correlated to a parent alert for PowerShell. [1] [2]
16.C.1
Established a WinRM connection to the domain controller host NewYork (10.0.0.4) Network connection to NewYork (10.0.0.4) over port 5985
Windows Remote Management
(T1028)
Technique (Correlated)
A Technique detection called “GenericWinRMLateralMovement” was generated when powershell.exe executed Invoke-WinRMSession to connect to remote host NewYork (10.0.0.4) with credentials for user MScott. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]
Telemetry (Correlated)
Telemetry showed powershell.exe making a network connection to remote host NewYork (10.0.0.4) over port 5985. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1] [2]
16.C.2
Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott Successful logon as user MScott on NewYork (10.0.0.4)
Valid Accounts
(T1078)
Telemetry (Correlated)
Telemetry showed a successful logon on NewYork (10.0.0.4) as user MScott. The detection was correlated to a parent grouping of malicious activity. All activity associated with an alert is grouped and correlated via the relevant detection tree. [1]
16.D.1
Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection File write of m.exe by the WinRM process (wsmprovhost.exe)
Remote File Copy
(T1105)
Telemetry
Telemetry showed a file write of m.exe to System32 directory by wsmprovhost.exe. [1] [2]
16.D.2
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe) m.exe injecting into lsass.exe to dump credentials
Credential Dumping
(T1003)