
CyCraft: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

Vendor Configuration

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment, MSSP, General, Tactic, Technique

Detection Modifiers: Tainted, Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative

Results (columns: Step, Procedure, Criteria, Technique, Detection Type, Detection Notes)

Step 1.A.1
Procedure: User Pam executed payload rcs.3aka3.doc
Criteria: The rcs.3aka3.doc process spawning from explorer.exe
Technique: User Execution (T1204)
Detections:
- Technique (Alert): A Technique alert detection (red indicator) including "User Execution" was generated when explorer.exe executed rcs.3aka3.doc. [1]
- MSSP (Delayed (Manual)): An MSSP detection including "User Execution" was received that included a description of rcs.3aka3.doc and its execution. [1] [2]

Step 1.A.2
Procedure: Used unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process OR the original filename (cod.3aka.scr)
Technique: Masquerading (T1036)
Detections:
- Technique (Alert): A Technique alert detection (purple severity) was generated for rcs.3aka.doc, identified as an EXE. [1]
- MSSP (Delayed (Manual)): An MSSP detection was received that included details of the file rcs.3aka3.doc and identified it as an EXE. [1]

Step 1.A.3
Procedure: Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234
Technique: Uncommonly Used Port (T1065)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "Uncommonly Used Port" was received that included a description of rcs.3aka3.doc and explained that it established a network connection to 192.168.0.5:1234. [1]
- Telemetry: Telemetry showed the rcs.3aka.doc connected to 192.168.0.5 on TCP port 1234. [1]

Step 1.A.4
Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 1.B.1
Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
Technique: Command-Line Interface (T1059)
Detections:
- Tactic (Correlated, Alert): A Tactic alert detection (yellow indicator) for "Execution" was generated for cmd.exe spawning from rcs.3aka3.doc. The detection was correlated to a parent alert for User Execution of rcs.3aka3.doc. [1] [2]
- MSSP (Delayed (Manual)): An MSSP detection was received that included a description of rcs.3aka3.doc spawning cmd.exe interactively. [1] [2]

Step 1.B.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
Technique: PowerShell (T1086)
Detections:
- Technique (Correlated, Alert): A Technique alert detection (yellow indicator) for "Powershell" was generated when cmd.exe spawned powershell.exe. The alert was correlated to a parent alert for User Execution of rcs.3aka3.doc. [1] [2]
- MSSP (Delayed (Manual)): An MSSP detection for "PowerShell" was received that included a description of PowerShell execution and an explanation of the commands executed through it. [1] [2]

Step 2.A.1
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery (T1083)
Detections:
- General (Alert, Correlated): A General alert detection (purple indicator) was generated for powershell.exe executing Get-ChildItem. The event was correlated to a parent Technique detection for User Execution of rcs.3aka3.doc. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "File and Directory Discovery" was received that included an explanation of the PowerShell script used to collect certain file types on host Nashua (10.0.1.6). [1]

Step 2.A.2
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection (T1119)
Detections:
- General (Alert, Correlated): A General alert detection (purple indicator) showed powershell.exe executing Get-ChildItem. The event was correlated to a parent Technique detection for User Execution of rcs.3aka3.doc. [1]
- MSSP (Delayed (Manual)): An MSSP detection was received that included an explanation of the PowerShell script used to collect certain file types on host Nashua (10.0.1.6). [1]

Step 2.A.3
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System (T1005)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 2.A.4
Procedure: Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive
Technique: Data Compressed (T1002)
Detections:
- General (Alert, Correlated): A General alert detection (purple indicator) was generated for powershell.exe executing Compress-Archive. The event was correlated to a parent Technique detection for User Execution of rcs.3aka3.doc. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "Data Compressed" was received that included an explanation of the PowerShell script used to collect certain file types on host Nashua (10.0.1.6) and then archive them as DRAFT.ZIP. [1]

Step 2.A.5
Procedure: Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file draft.zip
Technique: Data Staged (T1074)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 2.B.1
Procedure: Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria: The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel (T1041)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 3.A.1
Procedure: Dropped stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png
Technique: Remote File Copy (T1105)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 3.A.2
Procedure: Embedded PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png
Technique: Obfuscated Files or Information (T1027)
Detections:
- General (Alert, Correlated): A General alert detection (purple indicator) was generated for PowerShell extracting and executing the code embedded within monkey.png. The event was correlated to a parent Technique detection for User Execution of rcs.3aka3.doc. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "Obfuscated Files or Information" occurred containing evidence of the PowerShell script contained within monkey.png. [1]

Step 3.B.1
Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Technique: Component Object Model Hijacking (T1122)
Detections:
- General (Alert): A General alert detection (blue indicator) was generated for the addition of the DelegateExecute Registry Value. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "Component Object Model Hijacking" was received that included a PowerShell script and explained that it was used to modify a COM component to delegate execution. [1] [2] [3]

Step 3.B.2
Procedure: Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Technique: Bypass User Account Control (T1088)
Detections:
- Technique (Correlated, Alert): A Technique alert detection (yellow indicator) for "Bypass UAC" was generated when sdclt.exe was executed in a high integrity context by cmd.exe. The event was correlated to a parent Technique detection for User Execution of rcs.3aka3.doc. [1]
- Tactic (Alert): A Tactic alert detection (yellow indicator) was generated for an unprivileged process executing another program with SYSTEM permissions. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "Bypass User Account Control" was received that explained that cmd.exe (medium integrity) executed sdclt.exe (high integrity) to facilitate a UAC bypass resulting in execution of powershell.exe (high integrity). [1]

Step 3.B.3
Procedure: Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria: Established network channel over port 443
Technique: Commonly Used Port (T1043)
Detections:
- General (Correlated, Alert): A General alert (red indicator) was generated for powershell.exe execution, which included connecting to 192.168.0.5 on TCP 443. The event was correlated to a parent Technique detection for User Execution of rcs.3aka3.doc. [1]

Step 3.B.4
Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS
Technique: Standard Application Layer Protocol (T1071)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 3.B.5
Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 3.C.1
Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Technique: Modify Registry (T1112)
Detections:
- General (Correlated, Alert): A General alert detection (blue indicator) was generated for the PowerShell command to remove the DelegateExecute Registry Value. The event was correlated to a parent Technique detection for User Execution of rcs.3aka3.doc. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "Modify Registry" was received that included a PowerShell script and explained that it was used to delete previously created registry keys. [1]

Step 4.A.1
Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip
Technique: Remote File Copy (T1105)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 4.A.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from powershell.exe
Technique: PowerShell (T1086)
Detections:
- Tactic (Alert): A Tactic alert detection (yellow indicator) was generated for a new powershell.exe spawning from powershell.exe. [1]

Step 4.A.3
Procedure: Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria: powershell.exe executing Expand-Archive
Technique: Deobfuscate/Decode Files or Information (T1140)
Detections:
- General (Alert, Correlated): A General alert detection (blue indicator) was generated due to powershell.exe decompressing the ZIP via Expand-Archive. The detection was correlated to a parent alert for User Execution of rcs.3aka3.doc. [1]
- MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of powershell.exe decompressing SysinternalsSuite.zip via Expand-Archive. [1]

Step 4.B.1
Procedure: Enumerated current running processes using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Detections:
- General (Alert, Correlated): A General alert detection (blue indicator) was generated due to powershell.exe executing Get-Process. The detection was correlated to a parent alert for User Execution of rcs.3aka3.doc. [1]

Step 4.B.2
Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
Technique: File Deletion (T1107)
Detections:
- Technique (Alert, Correlated): A Technique alert detection (red indicator) was generated due to sdelete64.exe deleting rcs.3aka3.doc. The detection was correlated to a parent alert for User Execution of rcs.3aka3.doc. [1]

Step 4.B.3
Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file draft.zip
Technique: File Deletion (T1107)
Detections:
- Technique (Alert, Correlated): A Technique alert detection (red indicator) was generated due to sdelete64.exe deleting Draft.Zip. The detection was correlated to a parent alert for User Execution of rcs.3aka3.doc. [1]

Step 4.B.4
Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
Technique: File Deletion (T1107)
Detections:
- Technique (Alert, Correlated): A Technique alert detection (yellow indicator) was generated due to sdelete64.exe deleting SysinternalsSuite.zip. The detection was correlated to a parent alert for User Execution of rcs.3aka3.doc. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "File Deletion" was received that included a PowerShell script and explained that it was used to execute sdelete64.exe to delete SysInternalsSuite.zip. [1]

Step 4.C.1
Procedure: Enumerated user's temporary directory path using PowerShell
Criteria: powershell.exe executing $env:TEMP
Technique: File and Directory Discovery (T1083)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "File and Directory Discovery" was received that included a PowerShell script and explained that it was used to obtain the current directory. MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity. [1]

Step 4.C.2
Procedure: Enumerated the current username using PowerShell
Criteria: powershell.exe executing $env:USERNAME
Technique: System Owner/User Discovery (T1033)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "System Owner/User Discovery" was received that included a PowerShell script and explained that it was used to obtain the current user name. MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity. [1]

Step 4.C.3
Procedure: Enumerated the computer hostname using PowerShell
Criteria: powershell.exe executing $env:COMPUTERNAME
Technique: System Information Discovery (T1082)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "System Information Discovery" was received that included a PowerShell script and explained that it was used to obtain the current computer name. MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity. [1]

Step 4.C.4
Procedure: Enumerated the current domain name using PowerShell
Criteria: powershell.exe executing $env:USERDOMAIN
Technique: System Network Configuration Discovery (T1016)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "System Owner/User Discovery" was received that included a PowerShell script and explained that it was used to obtain the current environment information. MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity. [1]

Step 4.C.5
Procedure: Enumerated the current process ID using PowerShell
Criteria: powershell.exe executing $PID
Technique: Process Discovery (T1057)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "Process Discovery" was received that included a PowerShell script and explained that it was used to obtain the current environment information. MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity. [1]

Step 4.C.6
Procedure: Enumerated the OS version using PowerShell
Criteria: powershell.exe executing Gwmi Win32_OperatingSystem
Technique: System Information Discovery (T1082)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "System Information Discovery" was received that included a PowerShell script and explained that it was used to obtain the OS system information. MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity. [1]

Step 4.C.7
Procedure: Enumerated anti-virus software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Technique: Security Software Discovery (T1063)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "Security Software Discovery" was received that included a PowerShell script and explained that it was used to detect the installed anti-virus product. MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity. [1]

Step 4.C.8
Procedure: Enumerated firewall software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Technique: Security Software Discovery (T1063)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "Security Software Discovery" was received that included a PowerShell script and explained that it was used to detect the installed firewall product. MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity. [1]

Step 4.C.9
Procedure: Enumerated user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API
Technique: Permission Groups Discovery (T1069)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "Permission Groups Discovery" was received that included a PowerShell script and explained that it used the Invoke-NetUserGetGroups command to search for domain groups through Win32 API calls. MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity. [1]

Step 4.C.10
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "Permission Groups Discovery" was received that included a PowerShell script and explained that it was used to search for domain groups through Win32 API calls. MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity. [1]

Step 4.C.11
Procedure: Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria: powershell.exe executing the NetUserGetLocalGroups API
Technique: Permission Groups Discovery (T1069)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "Permission Groups Discovery" was received that included a PowerShell script and explained that it used the Invoke-NetUserGetLocalGroups command to search for local groups through Win32 API calls. MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity. [1]

Step 4.C.12
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "Permission Groups Discovery" was received that included a PowerShell script and explained that it used the Invoke-NetUserGetLocalGroups command to search for local groups through Win32 API calls. MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity. [1]

Step 5.A.1
Procedure: Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria: powershell.exe creating the Javamtsup service
Technique: New Service (T1050)
Detections:
- General (Alert): A General alert detection (orange indicator) showed a Registry event for the creation of the javamtsup service. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "New Service" was received that included events and analysis related to registration and execution of the javamtsup service. [1] [2]

Step 5.B.1
Procedure: Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria: powershell.exe creating the file hostui.lnk in the Startup folder
Technique: Registry Run Keys / Startup Folder (T1060)
Detections:
- Technique (Alert): A Technique alert detection (green indicator) for "Registry Run Keys / Startup Folder" was generated due to hostui.lnk being written to the Startup folder. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "Registry Run Keys / Startup Folder" was received that included a Registry Created event for the addition of hostui.lnk to the Startup folder. Additional analysis was received that included a PowerShell script and explained that it used the Invoke-Persistence command to create a LNK file in the Startup folder. MSSP analysis that was performed on Windows Event Logs (Event ID 4104, PowerShell ScriptBlock Logs) would have been requested during a normal engagement when CyCraft MDR received insufficient information for analysis of adversary activity. [1] [2]

Step 6.A.1
Procedure: Read the Chrome SQL database file to extract encrypted credentials
Criteria: accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Technique: Credentials in Files (T1081)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 6.A.2
Procedure: Executed the CryptUnprotectedData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectedData API
Technique: Credential Dumping (T1003)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 6.A.3
Procedure: Masqueraded a Chrome password dump tool as accesscheck.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
Technique: Masquerading (T1036)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "Masquerading" was received that included an execution event for accesschk.exe and explained that the file was masquerading as a legitimate SysInternals tool. Additional data was received that included details of the file accesscheck.exe such as the hash, company name, and signer. [1] [2]

Step 6.B.1
Procedure: Exported a local certificate to a PFX file using PowerShell
Criteria: powershell.exe creating a certificate file exported from the system
Technique: Private Keys (T1145)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 6.C.1
Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Technique: Credential Dumping (T1003)
Detections:
- Technique (Alert, Correlated): A Technique alert detection (yellow indicator) for "Credential Dumping" was generated when powershell.exe attempted to read the lsass.exe process memory. The event was correlated to a parent Technique detection for User Execution of rcs.3aka3.doc. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "Credential Dumping" was received that described PowerShell dumping credentials from LSASS process memory. [1]

Step 7.A.1
Procedure: Captured and saved screenshots using PowerShell
Criteria: powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Technique: Screen Capture (T1113)
Detections:
- General (Alert): A General alert detection (red indicator) was generated for suspicious threat activity for PowerShell calling CopyFromScreen. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "Screen Capture" occurred containing evidence of screen capture. [1] [2] [3]

Step 7.A.2
Procedure: Captured clipboard contents using PowerShell
Criteria: powershell.exe executing Get-Clipboard
Technique: Clipboard Data (T1115)
Detections:
- General (Alert, Correlated): A General alert detection (blue indicator) was generated for powershell.exe executing Get-Clipboard. The detection was correlated to a parent alert for User Execution of rcs.3aka3.doc. [1]
- MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of a PowerShell script used to gather information from the clipboard. [1]

Step 7.A.3
Procedure: Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API
Technique: Input Capture (T1056)
Detections:
- General (Alert): A General alert detection for Threat Activity (red indicator) was generated for PowerShell calling the GetAsyncKeyState API. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "Input Capture" occurred containing evidence of key logging. [1] [2]

Step 7.B.1
Procedure: Read data in the user's Downloads directory using PowerShell
Criteria: powershell.exe reading files in C:\Users\pam\Downloads\
Technique: Data from Local System (T1005)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 7.B.2
Procedure: Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
Criteria: powershell.exe creating the file OfficeSupplies.7z
Technique: Data Compressed (T1002)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 7.B.3
Procedure: Encrypted data from the user's Downloads directory using PowerShell
Criteria: powershell.exe executing Compress-7Zip with the password argument used for encryption
Technique: Data Encrypted (T1022)
Detections:
- General (Alert, Correlated): A General alert detection (orange indicator) was generated due to powershell.exe executing Compress-7Zip with arguments for encryption. The detection was correlated to a parent alert for User Execution of rcs.3aka3.doc. [1] [2]

Step 7.B.4
Procedure: Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria: powershell executing Copy-Item pointing to an attacker-controlled WebDav network share (192.168.0.4:80)
Technique: Exfiltration Over Alternative Protocol (T1048)
Detections:
- General (Alert): A General alert detection (yellow indicator) was generated due to rundll32.exe executing the API call DavSetCookie in daclnt.dll to map a share using WebDav. [1] [2]

Step 8.A.1
Procedure: Enumerated remote systems using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Technique: Remote System Discovery (T1018)
Detections:
- MSSP (Delayed (Manual)): An MSSP detection for "Remote System Discovery" was received that explained that the Ad-Search PowerShell command was used to discover remote systems in the domain. [1] [2]

Step 8.A.2
Procedure: Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria: Network connection to Scranton (10.0.1.4) over port 5985
Technique: Windows Remote Management (T1028)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 8.A.3
Procedure: Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Detections:
- General (Alert, Correlated): A General alert detection (red indicator) for "PowerShell" was generated due to powershell.exe using Invoke-Command to remotely execute Get-Process on host Scranton (10.0.1.4). The event was correlated to a parent Technique detection for User Execution of rcs.3aka3.doc. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "Process Discovery" was received that included a PowerShell script and explained that it was used to execute Get-Process on host Scranton (10.0.1.4). [1]

Step 8.B.1
Procedure: Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria: The file python.exe created on Scranton (10.0.1.4)
Technique: Remote File Copy (T1105)
Detections:
- General (Alert): A General alert detection (orange indicator) for "Remote Access" was generated for the file copy of python.exe from host Nashua (10.0.1.6) to host Scranton (10.0.1.4). [1]
- General (Alert): A General alert detection (yellow indicator) for "File Creation" was generated for the file create event of python.exe. [1]

Step 8.B.2
Procedure: python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed
Technique: Software Packing (T1045)
Detections:
- Technique (Alert): A Technique alert detection (yellow indicator) for "Software Packing" was generated for the file creation event for python.exe. [1]

Step 8.C.1
Procedure: Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)
Technique: Valid Accounts (T1078)
Detections:
- Technique (Alert): A Technique alert detection (orange indicator) was generated that showed a valid logon on Scranton (10.0.1.4) as user Pam. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "Valid Accounts" was received that showed execution of PSExec64.exe using Pam's valid credentials. [1]

Step 8.C.2
Procedure: Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Technique: Windows Admin Shares (T1077)
Detections:
- General (Alert): A General alert detection (red indicator) was generated for "Remote Accessed." [1]

Step 8.C.3
Procedure: Executed python.exe using PSExec
Criteria: python.exe spawned by PSEXESVC.exe
Technique: Service Execution (T1035)
Detections:
- Technique (Alert): A Technique alert detection (red indicator) for "Service Execution" was generated for the execution of python.exe by PSEXECSVC.exe on host Scranton (10.0.1.4) as SYSTEM. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "Service Execution" occurred containing evidence of PSEXESVC.exe executing python.exe. [1] [2]

Step 9.A.1
Procedure: Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file rar.exe
Technique: Remote File Copy (T1105)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 9.A.2
Procedure: Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file sdelete64.exe
Technique: Remote File Copy (T1105)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 9.B.1
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from python.exe
Technique: PowerShell (T1086)
Detections:
- Technique (Alert, Correlated): A Technique alert detection (yellow indicator) for "PowerShell" was generated when python.exe spawned powershell.exe. The event was correlated to a parent Technique detection for Service Execution of python.exe by PSEXECSVC.exe. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "PowerShell" was received that showed execution of powershell.exe by python.exe. [1]

Step 9.B.2
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery (T1083)
Detections:
- General (Correlated, Alert): A General alert detection (blue indicator) was generated for powershell.exe executing Get-ChildItem. The event was correlated to a parent Technique detection for Service Execution of python.exe by PSEXECSVC.exe. [1]

Step 9.B.3
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection (T1119)
Detections:
- General (Alert, Correlated): A General alert detection (blue indicator) was generated for powershell.exe executing Get-ChildItem. The event was correlated to a parent Technique detection for Service Execution of python.exe by PSEXECSVC.exe. [1]

Step 9.B.4
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System (T1005)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 9.B.5
Procedure: Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
Criteria: powershell.exe creating the file working.zip
Technique: Data Staged (T1074)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 9.B.6
Procedure: Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Technique: Data Encrypted (T1022)
Detections:
- Technique (Alert, Correlated): A Technique alert detection (yellow indicator) for "T1022 Data Encrypted" was generated when rar.exe was used to create an encrypted zip archive. The event was correlated to a parent Technique detection for Service Execution of python.exe by PSEXECSVC.exe. [1]

Step 9.B.7
Procedure: Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe
Technique: Data Compressed (T1002)
Detections:
- Technique (Alert, Correlated): A Technique alert detection (yellow indicator) for "T1002 Data Compressed" was generated due to powershell.exe executing rar.exe with command-line arguments indicative of compression. The event was correlated to a parent Technique detection for Service Execution of python.exe by PSEXECSVC.exe. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "Data Compressed" was received that showed execution of rar.exe by powershell.exe and explained that it was used to compress data for exfiltration. [1]

Step 9.B.8
Procedure: Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria: python.exe reading the file working.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel (T1041)
Detections:
- None: No detection capability demonstrated for this procedure.

Step 9.C.1
Procedure: Deleted rar.exe on disk using SDelete
Criteria: sdelete64.exe deleting the file rar.exe
Technique: File Deletion (T1107)
Detections:
- Technique (Alert, Correlated): A Technique alert detection (yellow indicator) for "File Deletion T1107" was generated when sdelete64.exe with command-line arguments was used to delete rar.exe. The event was correlated to a parent Technique detection for Service Execution of python.exe by PSEXECSVC.exe. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "File Deletion" was received that described the adversary using sdelete64.exe to remove evidence of exfiltration. [1]

Step 9.C.2
Procedure: Deleted working.zip (from Desktop) on disk using SDelete
Criteria: sdelete64.exe deleting the file \Desktop\working.zip
Technique: File Deletion (T1107)
Detections:
- Technique (Alert, Correlated): A Technique alert detection (yellow indicator) for "File Deletion T1107" was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip. The event was correlated to a parent Technique detection for Service Execution of python.exe by PSEXECSVC.exe. [1]
- MSSP (Delayed (Manual)): An MSSP detection for "File Deletion" was received that described the adversary using sdelete64.exe to remove evidence of exfiltration, including C:\Users\pam\Desktop\working.zip. [1]
9.C.3
Deleted working.zip (from AppData directory) on disk using SDelete sdelete64.exe deleting the file \AppData\Roaming\working.zip
File Deletion
(T1107)
Technique (Alert, Correlated)
A Technique alert detection (yellow indicator) for "File Deletion T1107" was generated when sdelete64.exe with command-line arguments was used to delete Roaming\working.zip. The event was correlated to a parent Technique detection for Service Execution of python.exe by PSEXECSVC.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection for "File Deletion" was received that described the adversary using sdelete64.exe to remove evidence of exfiltration. [1]
9.C.4
Deleted SDelete on disk using cmd.exe del command cmd.exe deleting the file sdelete64.exe
File Deletion
(T1107)
None
No detection capability demonstrated for this procedure.
10.A.1
Executed persistent service (javamtsup) on system startup javamtsup.exe spawning from services.exe
Service Execution
(T1035)
Technique (Alert)
A Technique alert detection (red indicator) for "Service Execution" was generated when services.exe spawned javamtsup.exe. [1]
10.B.1
Executed LNK payload (hostui.lnk) in Startup Folder on user login Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Registry Run Keys / Startup Folder
(T1060)
None
No detection capability demonstrated for this procedure.
10.B.2
Executed PowerShell payload via the CreateProcessWithToken API hostui.exe executing the CreateProcessWithToken API
Execution through API
(T1106)
None
No detection capability demonstrated for this procedure.
10.B.3
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Access Token Manipulation
(T1134)
Technique (Alert)
A Technique alert detection (red indicator) for "Access Token Manipulation" was generated when hostui.exe created a powershell.exe process with the CreateProcessWithToken WinAPI function. [1]
11.A.1
User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk powershell.exe spawning from explorer.exe
User Execution
(T1204)
Technique (Alert)
A Technique alert detection (orange indicator) for "User Execution" was generated when the .lnk file was executed. [1]
General (Alert)
A General alert detection (blue indicator) was generated identifying explorer.exe executing powershell.exe as threat activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "User Execution" was received that described the user executing 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk to launch powershell.exe. [1] [2]
11.A.2
Executed an alternate data stream (ADS) using PowerShell powershell.exe executing the schemas ADS via Get-Content and IEX
NTFS File Attributes
(T1096)
Technique (Alert)
A Technique alert detection (yellow indicator) for "NTFS File Attributes" was generated for 2016_UNITED_STATES_PRESEDENTIAL_ELECTION_-_WIKIPEDIA.HTML:SCHEMAS. [1]
General (Alert)
A General alert detection (blue indicator) was generated identifying powershell.exe executing the schemas ADS with Get-Content and IEX as threat activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "NTFS File Attributes" was received that described a PowerShell script reading another script from the schemas Alternate Data Stream in 2016_United_States_presidential_election_-_Wikipedia.html and executing it via IEX. [1]
11.A.3
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell powershell.exe executing a Get-WmiObject query for Win32_BIOS
Virtualization/Sandbox Evasion
(T1497)
Technique (Alert)
A Technique alert detection (red indicator) for "Virtualization/Sandbox Evasion" was generated for the PowerShell gwmi query for Win32_BIOS. [1]
MSSP (Delayed (Manual))
An MSSP detection for "Virtualization/Sandbox Evasion" was received that included a PowerShell script and explained that it was used to check for virtualization. [1] [2]
11.A.4
Enumerated computer manufacturer, model, and version information using PowerShell powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
System Information Discovery
(T1082)
General (Alert)
A General alert detection (red indicator) was generated identifying the PowerShell gwmi queries for Win32_ComputerSystem as threat activity. [1]
General (Alert)
A General alert detection (red indicator) was generated identifying the PowerShell gwmi query for Win32_BIOS as threat activity. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection for "System Information Discovery" was received that included a PowerShell script and explained that it was used to query Win32_ComputerSystem via WMI. [1] [2]
11.A.5
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Peripheral Device Discovery
(T1120)
General (Alert)
A General alert detection (red indicator) was generated identifying a PowerShell gwmi query for Win32_PnPEntity as threat activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "Peripheral Device Discovery" was received that included a PowerShell script and explained that it was used to query Win32_PnPEntity via WMI. [1] [2]
11.A.6
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Owner/User Discovery
(T1033)
General (Alert)
A General alert detection (red indicator) was generated identifying a PowerShell gwmi query for Win32_ComputerSystem as threat activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "System Owner/User Discovery" was received that included a PowerShell script and explained that it was used to query Win32_ComputerSystem via WMI. [1] [2]
11.A.7
Checked that the computer is joined to a domain using PowerShell powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Network Configuration Discovery
(T1016)
General (Alert)
A General alert detection (red indicator) was generated identifying a PowerShell gwmi query for Win32_ComputerSystem as threat activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "System Network Configuration Discovery" was received that included a PowerShell script and explained that it was used to query Win32_ComputerSystem via WMI. [1] [2]
11.A.8
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell powershell.exe executing a Get-WmiObject query for Win32_Process
Process Discovery
(T1057)
Technique (Alert)
A Technique alert detection (red indicator) for "Process Discovery" was generated for a PowerShell gwmi query for Win32_Process. [1]
MSSP (Delayed (Manual))
An MSSP detection for "Process Discovery" was received that included a PowerShell script and explained that it was used to query Win32_Process via WMI. [1]
11.A.9
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
File and Directory Discovery
(T1083)
General (Alert)
A General alert detection (blue indicator) was generated for PowerShell executing Get-Item for the current path. [1]
MSSP (Delayed (Manual))
An MSSP detection for "Process Discovery" was received that included a PowerShell script and explained that it was used to obtain the current path. [1]
11.A.10
Decoded an embedded DLL payload to disk using certutil.exe certutil.exe decoding kxwn.lock
Deobfuscate/Decode Files or Information
(T1140)
General (Alert)
A General alert detection (purple indicator) was generated identifying the execution of certutil.exe with command-line parameters for decoding the payload as threat activity. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection was received that described the adversary executing certutil.exe to decode a base64 blob into the payload kxwn.lock. [1] [2]
11.A.11
Established Registry Run key persistence using PowerShell Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry Run Keys / Startup Folder
(T1060)
Technique (Alert)
A Technique alert detection (red indicator) for "Registry Run Keys / Startup Folder" was generated for a Registry Creation event associated with establishing Registry Run Key persistence. [1]
MSSP (Delayed (Manual))
An MSSP detection for "Registry Run Keys / Startup Folder" was received that included a PowerShell script and explained that it was used to establish Registry Run Key persistence. [1] [2]
11.A.12
Executed PowerShell stager payload powershell.exe spawning from the schemas ADS (powershell.exe)
PowerShell
(T1086)
Technique (Alert)
A Technique alert detection (red indicator) for "PowerShell" was generated for powershell.exe spawned from a PowerShell stager. [1]
MSSP (Delayed (Manual))
An MSSP detection was received that included a PowerShell script and explained that it was used to download and execute another script via IEX. [1] [2]
11.A.13
Established C2 channel (192.168.0.4) via PowerShell payload over port 443 Established network channel over port 443
Commonly Used Port
(T1043)
MSSP (Delayed (Manual))
An MSSP detection was received that included a PowerShell script and explained that it was used to download and execute another script from 192.168.0.4 over port 443. [1] [2]
11.A.14
Used HTTPS to transport C2 (192.168.0.4) traffic Established network channel over the HTTPS protocol
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure.
11.A.15
Used HTTPS to encrypt C2 (192.168.0.4) traffic Evidence that the network data sent over the C2 channel is encrypted
Standard Cryptographic Protocol
(T1032)
None
No detection capability demonstrated for this procedure.
12.A.1
Enumerated the System32 directory using PowerShell powershell.exe executing gci ((gci env:windir).Value + '\system32')
File and Directory Discovery
(T1083)
Tactic (Alert)
A Tactic alert detection for Discovery (blue icon) was generated due to PowerShell enumeration of System32. [1]
12.A.2
Modified the time attributes of the kxwn.lock persistence payload using PowerShell powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Timestomp
(T1099)
Technique (Alert)
A Technique alert detection (purple icon) for "Timestomp" was generated when the kxwn.lock was created with falsified creation, last access, and last write times. [1]
MSSP (Delayed (Manual))
An MSSP detection for "Timestomp" occurred that noted the modified timestamps of kxwn.lock. [1]
12.B.1
Enumerated registered AV products using PowerShell powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Security Software Discovery
(T1063)
Technique (Alert)
A Technique alert detection (red icon) for "Security Software Discovery" was generated due to powershell.exe loading a custom script that contained code to detect installed antivirus products. [1]
MSSP (Delayed (Manual))
An MSSP detection for "Security Software Discovery" was received that included a PowerShell gwmi query for AntiVirusProduct. [1] [2]
12.C.1
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
General (Correlated, Alert)
A General alert detection (red indicator) was generated for the script block containing a registry query for installed software. The event was correlated to a previous detection for "Security Software Discovery." [1]
MSSP (Delayed (Processing))
An MSSP detection for "Query Registry" was received that included a PowerShell script and explained that it was used to detect installed software. [1]
12.C.2
Enumerated installed software via the Registry (Uninstall key) using PowerShell powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
General (Alert)
A General alert detection (red indicator) was generated for the script block containing a registry query for installed software. The event was correlated to a previous detection for "Security Software Discovery." [1]
MSSP (Delayed (Manual))
An MSSP detection for "Query Registry" was received that included a PowerShell script and explained that it was used to detect installed software. [1]
13.A.1
Enumerated the computer name using the GetComputerNameEx API powershell.exe executing the GetComputerNameEx API
System Information Discovery
(T1082)
General (Alert)
A General alert detection (blue indicator) was generated due to the execution of the comp function. [1]
MSSP (Delayed (Manual))
An MSSP detection for "System Information Discovery" occurred containing evidence of PowerShell calling the GetComputerNameEx API. [1]
13.B.1
Enumerated the domain name using the NetWkstaGetInfo API powershell.exe executing the NetWkstaGetInfo API
System Network Configuration Discovery
(T1016)
General (Correlated, Alert)
A General alert detection (blue indicator) was generated for PowerShell calling the NetWkstaGetInfo API. The detection was correlated to a parent alert for Threat Activity. [1]
MSSP (Delayed (Processing))
An MSSP detection for "System Network Configuration Discovery" was received that included a PowerShell script and explained that it was used to obtain the domain name. [1]
13.C.1
Enumerated the current username using the GetUserNameEx API powershell.exe executing the GetUserNameEx API
System Owner/User Discovery
(T1033)
General (Correlated, Alert)
A General alert detection was generated for powershell.exe executing the script which contained GetUserNameEx API function. The event was correlated to a parent Technique detection for PowerShell. [1]
MSSP (Delayed (Manual))
An MSSP detection for "System Owner/User Discovery" was received that included a PowerShell script and explained that it was used to enumerate users. [1]
13.D.1
Enumerated running processes using the CreateToolhelp32Snapshot API powershell.exe executing the CreateToolhelp32Snapshot API
Process Discovery
(T1057)
General (Correlated, Alert)
A General alert detection (blue indicator) was generated for PowerShell calling the CreateToolhelp32Snapshot API. The detection was correlated to a parent alert for Threat Activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "Process Discovery" occurred with evidence of a PowerShell script used to enumerate processes. [1]
14.A.1
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Component Object Model Hijacking
(T1122)
General (Alert)
A General alert detection (blue indicator) was generated for powershell.exe loading code that creates the DelegateExecute Registry key. [1] [2]
14.A.2
Executed elevated PowerShell payload High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Bypass User Account Control
(T1088)
General (Alert)
A General alert detection (yellow indicator) was generated showing a new High Integrity PowerShell callback spawned from control.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection for "Bypass User Account Control" was received that included a PowerShell script and explained that it was used to bypass UAC. [1] [2]
14.A.3
Modified the Registry to remove artifacts of COM hijacking using PowerShell Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Modify Registry
(T1112)
MSSP (Delayed (Manual))
An MSSP detection was received that included a PowerShell script and explained that it was used to clean the Registry after a UAC Bypass. [1]
14.B.1
Created and executed a WMI class using PowerShell WMI Process (WmiPrvSE.exe) executing powershell.exe
Windows Management Instrumentation
(T1047)
Technique (Alert)
A Technique alert detection (red indicator) called "Execution" with "T1047 Windows Management Instrumentation" label was generated for WmiPrvSE.exe executing powershell.exe. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection for "Windows Management Instrumentation" was received that included a PowerShell script and explained that it was used to set up execution of Mimikatz. [1] [2]
14.B.2
Enumerated and tracked PowerShell processes using PowerShell powershell.exe executing Get-Process
Process Discovery
(T1057)
Technique (Alert)
A Technique alert detection (red indicator) for "Process Discovery" was generated for PowerShell executing Get-Process. [1] [2]
14.B.3
Downloaded and dropped Mimikatz (m.exe) to disk powershell.exe downloading and/or the file write of m.exe
Remote File Copy
(T1105)
General (Alert)
A General alert detection (purple indicator) was generated identifying the PowerShell command to download m.exe as threat activity. [1]
General (Alert)
A General alert detection (purple indicator) was generated showing the file write event for m.exe into the System32 folder. [1] [2]
14.B.4
Dumped plaintext credentials using Mimikatz (m.exe) m.exe injecting into lsass.exe to dump credentials
Credential Dumping
(T1003)
Technique (Alert)
A Technique alert detection (red indicator) of "Credential Dumping" was generated for command-line arguments indicative of Mimikatz credential dumping. [1]
Technique (Alert)
A Technique alert detection (yellow indicator) of "Credential Dumping" was generated for dumping credentials/keys from LSASS process memory. [1]
MSSP (Delayed (Manual))
An MSSP detection for "Credential Dumping" was received that described the adversary executing m.exe to access LSASS process memory. [1]
14.B.5
Encoded and wrote Mimikatz output to a WMI class property using PowerShell powershell.exe executing Set-WmiInstance
Obfuscated Files or Information
(T1027)
General (Alert)
A General alert detection (red indicator) was generated showing PowerShell writing encoded content into the WMI class. [1]