
Elastic: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.


MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
Legend

Main Detection Categories: None; Telemetry; Indicator of Compromise; General Behavior; Specific Behavior; Enrichment; MSSP; General; Tactic; Technique.

Detection Modifiers: Tainted; Alert; Correlated; Delayed; Host Interrogation; Residual Artifact; Configuration Change; Innovative.

Columns: Step | Procedure | Criteria | Technique | Detection Type | Detection Notes
1.A.1
Procedure: User Pam executed payload rcs.3aka3.doc
Criteria: The rcs.3aka3.doc process spawning from explorer.exe
Technique: User Execution (T1204)
General (Alert): A General alert detection (high severity) was generated for the execution of a malicious file (rcs.3aka3.doc). [1]
Telemetry: Telemetry showed explorer.exe executing rcs.3aka3.doc. [1]

1.A.2
Procedure: Used the Unicode right-to-left override (RTLO) character to obfuscate the file name rcs.3aka3.doc (originally cod.3aka3.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original file name (cod.3aka3.scr)
Technique: Masquerading (T1036)
Technique (Configuration Change (Detections), Alert): A Technique alert detection (low severity) for "Process with Left-to-Right Encoding Character" was generated for the rcs.3aka3.doc execution. Configuration changes were made to add detection logic. [1]
Telemetry: Telemetry showed that the file carrying a .doc extension was an executable, and that the file name included the Unicode RTLO character. [1]
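The RTLO masquerade in step 1.A.2 is a check an analyst can reproduce without vendor tooling: render the name the way a naive file viewer would, strip the bidi controls to recover the extension the loader will actually honour, and compare the claimed document extension against the file header. The Python below is an added example, not part of the MITRE evaluation or of Elastic's product; the on-disk file name follows the criteria above, while the header bytes are constructed (the real payload's bytes are not given on this page).

```python
# Added example (not from the MITRE evaluation or Elastic): inspect a file name for
# right-to-left override masquerading and check the claimed extension against the
# file header. Sample header bytes are constructed for the example.

RTLO = "\u202e"          # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"           # POP DIRECTIONAL FORMATTING, ends an override run
# Unicode bidi controls that can re-order or hide parts of a file name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".hta", ".lnk", ".dll"}

# The payload name as stored on disk. Rendered, it reads "rcs.3aka3.doc" because
# everything after U+202E is drawn reversed.
SAMPLE_NAME = RTLO + "cod.3aka3.scr"
SAMPLE_HEADER = b"MZ\x90\x00\x03\x00\x00\x00"   # constructed PE ("MZ") header bytes


def displayed_name(name: str) -> str:
    """Approximate how a simple renderer shows the name: each run following U+202E
    is reversed until the next U+202C or the end of the string."""
    out, i = [], 0
    while i < len(name):
        if name[i] == RTLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def extension(name: str) -> str:
    """Lower-cased extension of a name, '' if it has none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def true_extension(name: str) -> str:
    """Extension the OS acts on: bidi controls mean nothing to the loader."""
    return extension("".join(c for c in name if c not in BIDI_CONTROLS))


def analyze(name: str, header: bytes) -> dict:
    """Return the rendered name, the true extension and a list of findings."""
    controls = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
    shown = displayed_name(name)
    shown_ext, real_ext = extension(shown), true_extension(name)
    findings = []
    if controls:
        findings.append("bidi control character in file name")
    if controls and shown_ext != real_ext:
        findings.append(f"displayed extension {shown_ext} hides true extension {real_ext}")
    if real_ext in EXECUTABLE_EXTS:
        findings.append("true extension is executable")
    if header[:2] == b"MZ" and shown_ext not in EXECUTABLE_EXTS:
        findings.append("PE header behind a non-executable extension")
    return {"on_disk": name, "displayed": shown, "true_extension": real_ext,
            "controls": controls, "findings": findings}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_NAME, SAMPLE_HEADER).items():
        print(f"{key}: {value!r}")
```

The header check matters independently of the RTLO check: a renamed executable with a plain .doc extension has no bidi character at all, and only the MZ magic gives it away.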
1.A.3
Procedure: Established C2 channel (192.168.0.5) via the rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234
Technique: Uncommonly Used Port (T1065)
Telemetry: Telemetry showed rcs.3aka3.doc connecting to 192.168.0.5 on TCP port 1234. [1]

1.A.4
Procedure: Used the RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
None: No detection capability demonstrated for this procedure, though data showed rcs.3aka3.doc loading cryptographic libraries. [1]

1.B.1
Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
Technique: Command-Line Interface (T1059)
General (Configuration Change (Detections), Alert, Correlated): A General alert detection (medium severity) was generated for "Suspicious Parent of Built-in Shells." The detection was correlated to a parent alert for malicious file execution. Configuration changes were made to loosen rule logic and/or black lists. [1]
Telemetry (Correlated): Telemetry showed rcs.3aka3.doc spawning cmd.exe. The telemetry was correlated to a parent alert for malicious file execution. [1]

1.B.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
Technique: PowerShell (T1086)
Technique (Correlated): A Technique detection called "ATT&CK T1086 PowerShell" was generated for the execution of PowerShell. The event was correlated to a parent alert for malicious file execution. [1]
Telemetry (Correlated): Telemetry showed cmd.exe executing powershell.exe. The telemetry was correlated to a parent alert for malicious file execution. [1]
2.A.1
Procedure: Searched the filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery (T1083)
Telemetry (Correlated): Telemetry showed powershell.exe executing ChildItem. The event was correlated to a parent General detection for malicious file execution. [1]

2.A.2
Procedure: Scripted search of the filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection (T1119)
Telemetry (Correlated): Telemetry showed powershell.exe executing ChildItem. The event was correlated to a parent General detection for malicious file execution. [1]

2.A.3
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System (T1005)
Telemetry (Correlated): Telemetry showed file reads of C:\Users\Pam\*. The event was correlated to a parent General detection for malicious file execution. [1]

2.A.4
Procedure: Compressed and stored files into a ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive
Technique: Data Compressed (T1002)
Technique (Correlated): A Technique detection for "Data Compressed" was generated for powershell.exe compressing via Compress-Archive. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated): Telemetry showed powershell.exe compressing via Compress-Archive. The event was correlated to a parent General detection for malicious file execution. [1]

2.A.5
Procedure: Staged files for exfiltration into a ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file draft.zip
Technique: Data Staged (T1074)
Technique (Configuration Change (Detections), Correlated): A Technique detection for "Data Staged" was generated because the NtCreateFile API was used to create Draft.zip. The event was correlated to a parent General detection for malicious file execution. Configuration changes were made to increase detection capability, specifically additional API monitoring. [1]
Telemetry (Correlated): Telemetry showed the file creation of Draft.zip. The event was correlated to a parent General detection for malicious file execution. [1]

2.B.1
Procedure: Read and downloaded the ZIP (Draft.zip) over the C2 channel (192.168.0.5 over TCP port 1234)
Criteria: The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel (T1041)
Telemetry (Configuration Change (Detections)): Telemetry showed a file read event for Draft.zip and an existing C2 channel (192.168.0.5 over TCP port 1234). Configuration changes were made to increase detection capability, specifically additional API monitoring. [1] [2]
3.A.1
Procedure: Dropped the stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png
Technique: Remote File Copy (T1105)
Telemetry (Correlated): Telemetry showed rcs.3aka3.doc creating monkey.png. The event was correlated to a parent General detection for malicious file execution. [1]

3.A.2
Procedure: Embedded a PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png
Technique: Obfuscated Files or Information (T1027)
Telemetry (Correlated): Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. The event was correlated to a parent General detection for malicious file execution. [1]

3.B.1
Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute value under HKCU\Software\Classes\Folder\shell\open\command
Technique: Component Object Model Hijacking (T1122)
Technique (Correlated, Configuration Change (Detections), Alert): A Technique detection (red label) for "Registry Preparation of UAC Bypass" was generated because the DelegateExecute Registry value was added. The event was correlated to a parent General detection for malicious file execution. Configuration changes were made to loosen rule logic and/or black lists. [1]
Telemetry (Correlated): Telemetry showed the addition of the DelegateExecute Registry value. The event was correlated to a parent General detection for malicious file execution. [1]

3.B.2
Procedure: Executed an elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (itself spawned from sdclt.exe)
Technique: Bypass User Account Control (T1088)
Telemetry (Correlated): Telemetry showed control.exe creating a high integrity powershell.exe. The event was correlated to a parent General detection for malicious file execution. [1] [2]

3.B.3
Procedure: Established C2 channel (192.168.0.5) via the PowerShell payload over TCP port 443
Criteria: Established network channel over port 443
Technique: Commonly Used Port (T1043)
Tactic (Alert, Correlated): A Tactic alert detection (medium severity) called "Detected Command and Control" was generated because PowerShell connected to 192.168.0.5 on TCP 443. The event was correlated to a parent General detection for malicious file execution. [1]
General (Correlated, Alert): A General alert detection (medium severity) was generated for the first network connection by a known process. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated): Telemetry showed powershell.exe connecting to 192.168.0.5 on TCP 443. The event was correlated to a parent General detection for malicious file execution. [1]

3.B.4
Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS
Technique: Standard Application Layer Protocol (T1071)
None: No detection capability demonstrated for this procedure. Although telemetry showed a network connection over port 443, no protocol was identified for this traffic, so a detection does not apply.

3.B.5
Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
None: No detection capability demonstrated for this procedure.

3.C.1
Procedure: Modified the Registry to remove artifacts of the COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Technique: Modify Registry (T1112)
Telemetry (Correlated): Telemetry showed the PowerShell command that removed the DelegateExecute Registry value. The event was correlated to a parent General detection for malicious file execution. [1]
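Steps 3.B.1 through 3.C.1 form one sequence: a write of DelegateExecute under HKCU\Software\Classes\Folder\shell\open\command, an auto-elevated sdclt.exe that launches control.exe and then a high-integrity powershell.exe, and deletion of the key once the elevated shell is running. The Python below is an added example of detection logic for that sequence, covering all three steps; it is not Elastic's rule code. The registry and process event records are constructed to mirror the criteria above, with process IDs and the (Default) command string chosen for illustration.

```python
# Added example (not from the MITRE evaluation or Elastic): detection logic for the
# sdclt.exe COM-hijack UAC bypass sequence covered by steps 3.B.1 to 3.C.1.
# Event records are constructed; PIDs and the (Default) command string are illustrative.

HIJACK_KEY = r"hkcu\software\classes\folder\shell\open\command"

EVENTS = [
    {"type": "registry", "action": "value_set", "process": "powershell.exe", "pid": 1204,
     "key": r"HKCU\Software\Classes\Folder\shell\open\command",
     "value": "DelegateExecute", "data": ""},
    {"type": "registry", "action": "value_set", "process": "powershell.exe", "pid": 1204,
     "key": r"HKCU\Software\Classes\Folder\shell\open\command",
     "value": "(Default)", "data": "powershell.exe -NoProfile"},        # illustrative
    {"type": "process", "action": "start", "name": "sdclt.exe", "pid": 2100,
     "ppid": 1204, "integrity": "High"},                                # auto-elevated
    {"type": "process", "action": "start", "name": "control.exe", "pid": 2108,
     "ppid": 2100, "integrity": "High"},
    {"type": "process", "action": "start", "name": "powershell.exe", "pid": 2116,
     "ppid": 2108, "integrity": "High"},
    {"type": "registry", "action": "key_delete", "process": "powershell.exe", "pid": 2116,
     "key": r"HKCU\Software\Classes\Folder\shell\open\command"},
    # Benign noise: an unrelated HKCU write and a medium-integrity shell.
    {"type": "registry", "action": "value_set", "process": "explorer.exe", "pid": 900,
     "key": r"HKCU\Software\Classes\Local Settings\MuiCache", "value": "x", "data": "y"},
    {"type": "process", "action": "start", "name": "powershell.exe", "pid": 3000,
     "ppid": 900, "integrity": "Medium"},
]


def normalize_key(key: str) -> str:
    """Case-fold and canonicalise the hive prefix so path comparison is exact."""
    key = key.strip().rstrip("\\").lower()
    if key.startswith("hkey_current_user"):
        key = "hkcu" + key[len("hkey_current_user"):]
    return key


def detect(events):
    """Return (rule, process name, pid) tuples for the three stages of the bypass."""
    alerts = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    for e in events:
        if e["type"] == "registry" and normalize_key(e["key"]) == HIJACK_KEY:
            if e["action"] == "value_set" and e.get("value", "").lower() == "delegateexecute":
                alerts.append(("Registry Preparation of UAC Bypass", e["process"], e["pid"]))
            elif e["action"] in ("key_delete", "value_delete"):
                alerts.append(("UAC Bypass Artifact Removal", e["process"], e["pid"]))
        elif e["type"] == "process" and e.get("integrity") == "High":
            # Ancestry check: high-integrity child <- control.exe <- sdclt.exe
            parent = procs.get(e["ppid"])
            grandparent = procs.get(parent["ppid"]) if parent else None
            if (parent and grandparent
                    and parent["name"].lower() == "control.exe"
                    and grandparent["name"].lower() == "sdclt.exe"):
                alerts.append(("Elevated Process via sdclt.exe COM Hijack", e["name"], e["pid"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The registry path comparison is exact rather than a substring match, and the process rule requires the full sdclt.exe to control.exe ancestry rather than any high-integrity powershell.exe, which is what keeps the benign events in the sample from firing.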
4.A.1
Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over the C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip
Technique: Remote File Copy (T1105)
Telemetry (Correlated): Telemetry showed the file write of the ZIP by PowerShell. The detection was correlated to a parent alert for malicious file execution. [1]

4.A.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from powershell.exe
Technique: PowerShell (T1086)
Technique (Correlated, Alert): A Technique alert detection (high severity) for "ATT&CK T1086 Powershell" was generated when powershell.exe spawned. The detection was correlated to a parent alert for malicious file execution. [1]
Telemetry (Correlated): Telemetry showed a new powershell.exe spawning from powershell.exe. The detection was correlated to a parent alert for malicious file execution. [1]

4.A.3
Procedure: Decompressed the ZIP (SysinternalsSuite.zip) using PowerShell
Criteria: powershell.exe executing Expand-Archive
Technique: Deobfuscate/Decode Files or Information (T1140)
Telemetry (Correlated): Telemetry showed PowerShell decompressing the ZIP via Expand-Archive. The detection was correlated to a parent alert for malicious file execution. [1]

4.B.1
Procedure: Enumerated currently running processes using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Telemetry (Correlated): Telemetry showed powershell.exe executing Get-Process. The detection was correlated to a parent alert for malicious file execution. [1]

4.B.2
Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
Technique: File Deletion (T1107)
Telemetry (Correlated): Telemetry showed sdelete64.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for malicious file execution. [1]

4.B.3
Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file draft.zip
Technique: File Deletion (T1107)
Telemetry (Correlated): Telemetry showed sdelete64.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for malicious file execution. [1]

4.B.4
Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
Technique: File Deletion (T1107)
Telemetry (Correlated): Telemetry showed sdelete64.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for malicious file execution. [1]

4.C.1
Procedure: Enumerated the user's temporary directory path using PowerShell
Criteria: powershell.exe executing $env:TEMP
Technique: File and Directory Discovery (T1083)
Telemetry (Correlated): Telemetry showed powershell.exe executing $env:TEMP. The event was correlated to a parent General detection for malicious file execution. [1]

4.C.2
Procedure: Enumerated the current username using PowerShell
Criteria: powershell.exe executing $env:USERNAME
Technique: System Owner/User Discovery (T1033)
Telemetry (Correlated): Telemetry showed powershell.exe executing $env:USERNAME. The event was correlated to a parent General detection for malicious file execution. [1]

4.C.3
Procedure: Enumerated the computer hostname using PowerShell
Criteria: powershell.exe executing $env:COMPUTERNAME
Technique: System Information Discovery (T1082)
Telemetry (Correlated): Telemetry showed powershell.exe executing $env:COMPUTERNAME. The event was correlated to a parent General detection for malicious file execution. [1]

4.C.4
Procedure: Enumerated the current domain name using PowerShell
Criteria: powershell.exe executing $env:USERDOMAIN
Technique: System Network Configuration Discovery (T1016)
Telemetry (Correlated): Telemetry showed powershell.exe executing $env:USERDOMAIN. The event was correlated to a parent General detection for malicious file execution. [1]

4.C.5
Procedure: Enumerated the current process ID using PowerShell
Criteria: powershell.exe executing $PID
Technique: Process Discovery (T1057)
Telemetry (Correlated): Telemetry showed powershell.exe executing $PID. The event was correlated to a parent General detection for malicious file execution. [1]

4.C.6
Procedure: Enumerated the OS version using PowerShell
Criteria: powershell.exe executing Gwmi Win32_OperatingSystem
Technique: System Information Discovery (T1082)
Technique (Correlated, Alert): A Technique alert detection (medium severity) called "Reconnaissance of Multiple WMI Classes" was generated because multiple WMI classes were queried in quick succession. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated): Telemetry showed powershell.exe executing Gwmi Win32_OperatingSystem. The event was correlated to a parent General detection for malicious file execution. [1] [2]

4.C.7
Procedure: Enumerated anti-virus software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Technique: Security Software Discovery (T1063)
Tactic (Correlated, Alert): A Tactic alert detection (medium severity) called "Reconnaissance of Multiple WMI Classes" was generated because multiple WMI classes were queried in quick succession. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated): Telemetry showed powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct. The event was correlated to a parent General detection for malicious file execution. [1]

4.C.8
Procedure: Enumerated firewall software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Technique: Security Software Discovery (T1063)
Tactic (Correlated, Alert): A Tactic alert detection (medium severity) called "Reconnaissance of Multiple WMI Classes" was generated because multiple WMI classes were queried in quick succession. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated): Telemetry showed powershell.exe executing Get-WmiObject ... -Class FireWallProduct. The event was correlated to a parent General detection for malicious file execution. [1]
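The "Reconnaissance of Multiple WMI Classes" detections in steps 4.C.6 to 4.C.8 fire on a pattern rather than on any single query: one process touching several distinct WMI classes within a short window. The Python below is an added example of such a rule, not the vendor's implementation. Timestamps, process IDs and command lines are constructed; one process mirrors the evaluation's three-class burst and a second queries WMI at a normal administrative pace so the rule stays quiet. The threshold of three distinct classes in 60 seconds is an assumption, as is the set of cmdlet aliases parsed.

```python
# Added example (not from the MITRE evaluation or Elastic): a rule that alerts when one
# process queries several distinct WMI classes within a short window, the behaviour
# behind the "Reconnaissance of Multiple WMI Classes" detections in steps 4.C.6-4.C.8.
# Timestamps, PIDs and command lines are constructed; the threshold is an assumption.
import re
from collections import defaultdict, deque

# Get-WmiObject/gwmi and Get-CimInstance/gcim, with an optional -Namespace and an
# optional -Class/-ClassName switch before the class name.
WMI_CMDLET = re.compile(
    r"(?i)\b(?:get-wmiobject|gwmi|get-ciminstance|gcim)\b"
    r"(?:\s+-namespace\s+\S+)?\s+(?:-class(?:name)?\s+)?([A-Za-z_]\w*)")
# WQL form: ... -Query "select * from Win32_Process"
WQL_FROM = re.compile(r"(?i)\bfrom\s+([A-Za-z_]\w*)")

# Constructed events: (epoch seconds, pid, PowerShell command). PID 4242 mirrors the
# evaluation's three-class burst; PID 777 is an administrator working at normal pace.
EVENTS = [
    (1000, 4242, r"Gwmi Win32_OperatingSystem"),
    (1012, 4242, r"Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct"),
    (1020, 4242, r"Get-WmiObject -Namespace root\SecurityCenter2 -Class FireWallProduct"),
    (1030, 4242, r"Get-Process"),
    (1000, 777, r"Get-CimInstance Win32_LogicalDisk"),
    (1500, 777, r"Get-CimInstance -ClassName Win32_Service"),
    (2100, 777, r"Get-WmiObject -Query 'select * from Win32_Process'"),
]


def wmi_class(cmdline: str):
    """Extract the WMI class named on a command line, or None if there is none."""
    m = WMI_CMDLET.search(cmdline) or WQL_FROM.search(cmdline)
    return m.group(1) if m else None


def detect_wmi_recon(events, window=60, threshold=3):
    """Alert once per process when >= threshold distinct classes are queried
    within `window` seconds. Events may arrive unsorted."""
    recent = defaultdict(deque)      # pid -> deque of (ts, class)
    alerted, alerts = set(), []
    for ts, pid, cmd in sorted(events):
        cls = wmi_class(cmd)
        if cls is None:
            continue
        q = recent[pid]
        q.append((ts, cls.lower()))
        while q and ts - q[0][0] > window:   # drop queries older than the window
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) >= threshold and pid not in alerted:
            alerted.add(pid)
            alerts.append({"rule": "Reconnaissance of Multiple WMI Classes",
                           "pid": pid, "classes": sorted(distinct), "at": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_wmi_recon(EVENTS):
        print(a)
```

Counting distinct classes rather than raw query volume is what separates this from a monitoring script that polls one class repeatedly; the sliding window keeps a slow administrator who eventually touches many classes from accumulating into an alert.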
4.C.9
Procedure: Enumerated the user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API
Technique: Permission Groups Discovery (T1069)
Telemetry (Correlated): Telemetry showed powershell.exe executing Invoke-NetUserGetGroups. The event was correlated to a parent General detection for malicious file execution. [1]

4.C.10
Procedure: Executed the API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
Telemetry (Configuration Change (Detections)): Telemetry showed Netapi32.dll loaded into powershell.exe. Configuration changes were made to increase detection capability, specifically additional API monitoring. [1] [2]

4.C.11
Procedure: Enumerated the user's local group membership via the NetUserGetLocalGroups API
Criteria: powershell.exe executing the NetUserGetLocalGroups API
Technique: Permission Groups Discovery (T1069)
Telemetry (Correlated): Telemetry showed powershell.exe executing Invoke-NetUserGetLocalGroups. The event was correlated to a parent General detection for malicious file execution. [1]

4.C.12
Procedure: Executed the API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
Telemetry (Configuration Change (Detections)): Telemetry showed Netapi32.dll loaded into powershell.exe. Configuration changes were made to increase detection capability, specifically additional API monitoring. [1] [2]

5.A.1
Procedure: Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria: powershell.exe creating the javamtsup service
Technique: New Service (T1050)
Technique (Correlated, Alert): A Technique alert detection (low severity) for "Service Creation/Modification" was generated because powershell.exe created the javamtsup.exe service. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated): Telemetry showed PowerShell creating the new service javamtsup. The event was correlated to a parent General detection for malicious file execution. [1]

5.B.1
Procedure: Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria: powershell.exe creating the file hostui.lnk in the Startup folder
Technique: Registry Run Keys / Startup Folder (T1060)
Technique (Correlated, Alert): A Technique alert detection for "ATT&CK T1060 Registry Run Keys / Startup Folder" was generated because powershell.exe created hostui.lnk. The event was correlated to a parent General detection for malicious file execution. [1]
General (Correlated, Alert): A General alert detection (medium severity) for "Shortcut File Written by Suspicious Process" was generated because powershell.exe created hostui.lnk. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated): Telemetry showed powershell.exe creating the hostui.lnk file in the Startup folder. The event was correlated to a parent General detection for malicious file execution. [1]
6.A.1
Procedure: Read the Chrome SQL database file to extract encrypted credentials
Criteria: accesschk.exe reading files within %LOCALAPPDATA%\Google\Chrome\User Data\Default\
Technique: Credentials in Files (T1081)
Technique (Correlated, Configuration Change (Detections)): A Technique detection for "ATT&CK 1081 Credentials in Files" was generated for accesschk.exe reading the Chrome database file for credentials. The event was correlated to a parent General detection for malicious file execution. Configuration changes were made to increase detection capability, specifically additional API monitoring. [1]
Telemetry (Configuration Change (Detections), Correlated): Telemetry showed accesschk.exe reading the Chrome database file for credentials. The event was correlated to a parent General detection for malicious file execution. Configuration changes were made to increase detection capability, specifically additional API monitoring. [1]

6.A.2
Procedure: Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectData API
Technique: Credential Dumping (T1003)
None: No detection capability demonstrated for this procedure.

6.A.3
Procedure: Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
Technique: Masquerading (T1036)
General (Correlated, Alert): A General alert detection (high severity; red indicator) for "Malicious File" was generated for the accesschk.exe execution. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated): Telemetry showed that accesschk.exe was not a Microsoft-signed binary and recorded its hash values, which can be used to verify that it is not the legitimate Sysinternals tool. The event was correlated to a parent General detection for malicious file execution. [1]

6.B.1
Procedure: Exported a local certificate to a PFX file using PowerShell
Criteria: powershell.exe creating a certificate file exported from the system
Technique: Private Keys (T1145)
Technique (Correlated, Alert): A Technique alert detection for "ATT&CK T1145 Private Keys" was generated for powershell.exe creating the $RandomFileName.pfx file. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated): Telemetry showed powershell.exe creating the $RandomFileName.pfx file. The event was correlated to a parent General detection for malicious file execution. [1]

6.C.1
Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into lsass.exe
Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Technique: Credential Dumping (T1003)
Technique (Correlated, Alert): A Technique alert detection (high severity) for "Credential Dumping" was generated for lsass.exe memory access. The event was correlated to a parent General detection for malicious file execution. [1] [2]
Technique (Configuration Change (Detections), Alert): A Technique alert detection (low severity) for "Credential Access: SAM Registry Reads" was generated for lsass.exe reading the SAM database through the Registry. Configuration changes were made to loosen rule logic and/or black lists. [1]
Telemetry (Configuration Change (Detections)): Telemetry showed lsass.exe calling the NtOpenKey API. The event was correlated to a parent General detection for malicious file execution. Configuration changes were made to loosen rule logic and/or black lists. [1]
7.A.1
Procedure: Captured and saved screenshots using PowerShell
Criteria: powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Technique: Screen Capture (T1113)
Technique (Configuration Change (Detections), Correlated, Alert): A Technique alert detection (low severity) for "Screen Capture" was generated for powershell.exe calling the NtGdiCreateCompatibleBitmap API. The event was correlated to a parent General detection for malicious file execution. Configuration changes were made to loosen rule logic and/or black lists. [1]
Telemetry (Correlated): Telemetry showed powershell.exe executing CopyFromScreen from System.Drawing.dll. The event was correlated to a parent General detection for malicious file execution. [1]

7.A.2
Procedure: Captured clipboard contents using PowerShell
Criteria: powershell.exe executing Get-Clipboard
Technique: Clipboard Data (T1115)
Technique (Correlated, Alert): A Technique alert detection (low severity) for "ATT&CK T1115 Clipboard Data" was generated for powershell.exe calling the NtUserGetClipboardData API. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated): Telemetry showed powershell.exe calling the NtUserGetClipboardData API. The detection was correlated to a parent alert for malicious file execution. [1]

7.A.3
Procedure: Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API
Technique: Input Capture (T1056)
Technique (Correlated, Alert): A Technique alert detection (low severity) for "ATT&CK T1056 Input Capture" was generated for powershell.exe calling the NtUserGetAsyncKeyState API. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated): Telemetry showed powershell.exe calling the NtUserGetAsyncKeyState API. The event was correlated to a parent General detection for malicious file execution. [1]

7.B.1
Procedure: Read data in the user's Downloads directory using PowerShell
Criteria: powershell.exe reading files in C:\Users\pam\Downloads\
Technique: Data from Local System (T1005)
None: No detection capability demonstrated for this procedure.

7.B.2
Procedure: Compressed data from the user's Downloads directory into a 7-Zip archive (OfficeSupplies.7z) using PowerShell
Criteria: powershell.exe creating the file OfficeSupplies.7z
Technique: Data Compressed (T1002)
Telemetry (Correlated): Telemetry showed the file create event for OfficeSupplies.7z. The detection was correlated to a parent alert for malicious file execution. [1]

7.B.3
Procedure: Encrypted data from the user's Downloads directory using PowerShell
Criteria: powershell.exe executing Compress-7Zip with the password argument used for encryption
Technique: Data Encrypted (T1022)
Telemetry (Correlated): Telemetry showed powershell.exe executing Compress-7Zip ... -password "lolol". The event was correlated to a parent General detection for malicious file execution. [1]

7.B.4
Procedure: Exfiltrated the collection (OfficeSupplies.7z) to a WebDAV network share using PowerShell
Criteria: powershell.exe executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)
Technique: Exfiltration Over Alternative Protocol (T1048)
Telemetry (Correlated): Telemetry showed PowerShell Copy-Item to a remote adversary WebDAV network share (192.168.0.4). The event was correlated to a parent General detection for malicious file execution. [1]
8.A.1
Procedure: Enumerated remote systems using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Technique: Remote System Discovery (T1018)
Telemetry (Correlated): Telemetry showed powershell.exe establishing a connection to NewYork (10.0.0.4) over TCP port 389. The detection was correlated to a parent alert for malicious file execution. [1]

8.A.2
Procedure: Established a WinRM connection to remote host Scranton (10.0.1.4)
Criteria: Network connection to Scranton (10.0.1.4) over port 5985
Technique: Windows Remote Management (T1028)
Technique (Correlated, Alert): A Technique alert detection (orange indicator; medium severity) for "WMI Lateral Movement via PowerShell over WinRM" was generated for the user Pam invoking a WMI PowerShell cmdlet. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated): Telemetry showed a network connection to remote host Scranton (10.0.1.4) over TCP port 5985. The event was correlated to a parent General detection for malicious file execution. [1]

8.A.3
Procedure: Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Telemetry (Correlated): Telemetry showed wsmprovhost.exe executing Get-Process. The event was correlated to a parent General detection for malicious file execution. [1]

8.B.1
Procedure: Copied the python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria: The file python.exe created on Scranton (10.0.1.4)
Technique: Remote File Copy (T1105)
General (Alert): A General alert detection (high severity; red indicator) was generated for the malicious file create event of python.exe. [1]
Telemetry: Telemetry showed a file create event for python.exe. [1]

8.B.2
Procedure: The python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed
Technique: Software Packing (T1045)
None (Host Interrogation, Delayed (Manual)): No detection capability demonstrated for this procedure, though python.exe was manually recovered from the system by the analyst and identified as UPX packed. This is classified as Host Interrogation. [1] [2]

8.C.1
Procedure: Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)
Technique: Valid Accounts (T1078)
Telemetry: Telemetry showed a valid logon on Scranton (10.0.1.4) as user Pam. [1]

8.C.2
Procedure: Established an SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Technique: Windows Admin Shares (T1077)
Telemetry (Correlated): Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 135. The detection was correlated to a parent alert for malicious file execution. [1]

8.C.3
Procedure: Executed python.exe using PsExec
Criteria: python.exe spawned by PSEXESVC.exe
Technique: Service Execution (T1035)
Technique (Correlated, Alert): A Technique alert detection (high severity) for "ATT&CK T1035 Service Execution" was generated for PsExec64.exe calling the CreateServiceW API. The detection was correlated to a parent alert for malicious file execution. [1]
Technique (Correlated, Alert): A Technique alert detection (low severity) for "Service Creation/Modification" was generated because PsExec64.exe created the psexesvc.exe service. [1]
Telemetry (Correlated): Telemetry showed PSEXESVC.exe executing python.exe. The detection was correlated to a parent alert for "First Seen Process in an Environment". [1]
9.A.1
Dropped rar.exe to disk on remote host Scranton (10.0.1.4)  python.exe creating the file rar.exe
Remote File Copy
(T1105)
Telemetry (Correlated)
Telemetry showed file created event for python.exe creating rar.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
9.A.2
Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)  python.exe creating the file sdelete64.exe
Remote File Copy
(T1105)
Telemetry (Correlated)
Telemetry showed File Created event for python.exe creating sdelete64.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
9.B.1
Spawned interactive powershell.exe powershell.exe​ spawning from python.exe
PowerShell
(T1086)
Technique (Correlated, Alert)
A Technique alert detection (medium severity) for "T1086 PowerShell" was generated due to powershell.exe executing. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1] [2]
Telemetry
Telemetery showed python.exe executing powershell.exe. [1]
9.B.2
Searched filesystem for document and media files using PowerShell powershell.exe executing (Get-)ChildItem​
File and Directory Discovery
(T1083)
Telemetry (Correlated)
Telemetry showed powershell.exe executing ChildItem. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
9.B.3
Scripted search of filesystem for document and media files using PowerShell  powershell.exe executing (Get-)ChildItem​
Automated Collection
(T1119)
Telemetry (Correlated)
Telemetry showed powershell.exe executing ChildItem. This event was correlated to a General detection for the execution of a malicious file (python.exe). [1]
9.B.4
Recursively collected files found in C:\Users\Pam\ using PowerShell powershell.exe reading files in C:\Users\Pam\
Data from Local System
(T1005)
Telemetry (Correlated)
Telemetry showed file reads of C:\Users\Pam\*. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
9.B.5
Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell powershell.exe creating the file working.zip
Data Staged
(T1074)
Telemetry (Correlated)
Telemetry showed a File Created event for powershell.exe creating working.zip. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
9.B.6
Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Data Encrypted
(T1022)
Technique (Correlated, Alert)
A Technique alert detection (yellow indicator; medium severity) for "Encrypting Files with WinRar" "T1022 Data Encrypted" was generated when rar.exe used "-hp" command-line arguments. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing rar.exe with command-line arguments. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
9.B.7
Procedure: Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe
Data Compressed
(T1002)
Technique (Correlated, Alert)
A Technique alert detection (medium severity) for "T1002 Data Compressed" was generated when rar.exe used "-hp" command-line arguments. This event was correlated to a General detection for the execution of a malicious file (python.exe). [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing rar.exe with command-line arguments. This event was correlated to a General detection for the execution of a malicious file (python.exe). [1]
9.B.8
Procedure: Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria: python.exe reading the file working.zip while connected to the C2 channel
Exfiltration Over Command and Control Channel
(T1041)
Telemetry (Configuration Change (Detections), Correlated)
Telemetry showed file read event for working.zip and an existing C2 channel (192.168.0.4 over TCP port 8443). This event was correlated to a General detection for the execution of a malicious file (python.exe). Configuration changes were made to increase detection capability, specifically additional API monitoring. [1]
9.C.1
Procedure: Deleted rar.exe on disk using SDelete
Criteria: sdelete64.exe deleting the file rar.exe
File Deletion
(T1107)
Technique (Configuration Change (Detections), Correlated, Alert)
A Technique alert detection (high severity) for "ATT&CK T1107 File Deletion" was generated when sdelete64.exe made a NtSetInformationFile API call deleting rar.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. Configuration changes were made to add detection logic. [1]
Telemetry (Correlated)
Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
9.C.2
Procedure: Deleted working.zip (from Desktop) on disk using SDelete
Criteria: sdelete64.exe deleting the file \Desktop\working.zip
File Deletion
(T1107)
Telemetry
Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. [1]
9.C.3
Procedure: Deleted working.zip (from AppData directory) on disk using SDelete
Criteria: sdelete64.exe deleting the file \AppData\Roaming\working.zip
File Deletion
(T1107)
Technique (Configuration Change (Detections), Correlated, Alert)
A Technique alert detection (high severity) for "ATT&CK T1107 File Deletion" was generated when sdelete64.exe made a NtSetInformationFile API call deleting Roaming\working.zip. This event was correlated to a Technique detection for the creation of psexesvc.exe. Configuration changes were made to increase detection capability, specifically additional API monitoring. [1]
Telemetry (Correlated)
Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
9.C.4
Procedure: Deleted SDelete on disk using cmd.exe del command
Criteria: cmd.exe deleting the file sdelete64.exe
File Deletion
(T1107)
Technique (Correlated, Alert)
A Technique alert detection for "ATT&CK T1107 File Deletion" was generated when cmd.exe deleted sdelete64.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
Telemetry (Correlated)
Telemetry showed cmd.exe deleting sdelete64.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
10.A.1
Procedure: Executed persistent service (javamtsup) on system startup
Criteria: javamtsup.exe spawning from services.exe
Service Execution
(T1035)
None
No detection capability demonstrated for this procedure.
10.B.1
Procedure: Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria: Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Registry Run Keys / Startup Folder
(T1060)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though execution of hostui.bat was observed. [1]
10.B.2
Procedure: Executed PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe executing the CreateProcessWithToken API
Execution through API
(T1106)
Telemetry (Correlated)
Telemetry showed hostui.exe executing powershell.exe via CreateProcessWithTokenW. This event was correlated to a General detection for the execution of a malicious file. [1]
10.B.3
Procedure: Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Access Token Manipulation
(T1134)
Telemetry (Correlated)
Telemetry showed hostui.exe manipulating powershell.exe token via CreateProcessWithTokenW and that the authentication ID was that of explorer.exe. This event was correlated to a General detection for the execution of a malicious file. [1]
11.A.1
Procedure: User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
Criteria: powershell.exe spawning from explorer.exe
User Execution
(T1204)
General (Alert)
A General alert detection (medium severity) was generated for "Suspicious Windows Script from Parent Process" for explorer.exe executing powershell.exe. [1]
Telemetry
Telemetry showed explorer.exe executing powershell.exe. [1]
11.A.2
Procedure: Executed an alternate data stream (ADS) using PowerShell
Criteria: powershell.exe executing the schemas ADS via Get-Content and IEX
NTFS File Attributes
(T1096)
Technique (Alert)
A Technique alert detection (low severity) for "Suspicious Read from Alternate Data Streams (ADS)" was generated for powershell.exe accessing an NTFS ADS. [1]
Telemetry
Telemetry showed powershell.exe executing the schemas ADS with Get-Content and IEX. [1]
11.A.3
Procedure: Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_BIOS
Virtualization/Sandbox Evasion
(T1497)
Tactic (Alert)
A Tactic alert detection (medium severity) called "Reconnaissance of Multiple WMI Classes" was generated for powershell.exe enumerating WMI classes associated with System Information Discovery. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_BIOS. [1]
11.A.4
Procedure: Enumerated computer manufacturer, model, and version information using PowerShell
Criteria: powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
System Information Discovery
(T1082)
Technique
A Technique detection for "ATT&CK T1082 System Info Discovery" was generated for powershell.exe querying Win32_ComputerSystem and Win32_BIOS. [1]
Tactic (Alert)
A Tactic alert detection (medium severity) called "Reconnaissance of Multiple WMI Classes" was generated for powershell.exe enumerating WMI classes associated with System Information Discovery. [1] [2]
Telemetry
Telemetry showed the PowerShell gwmi queries for Win32_BIOS and Win32_ComputerSystem. [1] [2]
11.A.5
Procedure: Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Peripheral Device Discovery
(T1120)
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_PnPEntity. [1]
11.A.6
Procedure: Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Owner/User Discovery
(T1033)
Tactic (Alert)
A Tactic alert detection (medium severity) called "Reconnaissance of Multiple WMI Classes" was generated for powershell.exe enumerating WMI classes associated with System Information Discovery. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_ComputerSystem. [1]
11.A.7
Procedure: Checked that the computer is joined to a domain using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Network Configuration Discovery
(T1016)
Tactic (Alert)
A Tactic alert detection (medium severity) called "Reconnaissance of Multiple WMI Classes" was generated for powershell.exe enumerating WMI classes associated with System Information Discovery. [1]
Telemetry
Telemetry showed the powershell.exe gwmi query for Win32_ComputerSystem. [1]
11.A.8
Procedure: Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for Win32_Process
Process Discovery
(T1057)
Tactic (Alert)
A Tactic alert detection (medium severity) called "Reconnaissance of Multiple WMI Classes" was generated for powershell.exe enumerating WMI classes associated with System Information Discovery. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_Process. [1]
11.A.9
Procedure: Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
Criteria: powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
File and Directory Discovery
(T1083)
Telemetry
Telemetry showed PowerShell executing Get-Item for the current path. [1]
11.A.10
Procedure: Decoded an embedded DLL payload to disk using certutil.exe
Criteria: certutil.exe decoding kxwn.lock
Deobfuscate/Decode Files or Information
(T1140)
Technique (Alert)
A Technique alert detection (high severity) for "ATT&CK T1140 Deobfuscate/Decode Files or Information" was generated for certutil.exe encoding or decoding files. [1] [2]
Telemetry
Telemetry showed the certutil.exe process and corresponding file write of the kxwn.lock payload. [1] [2]
11.A.11
Procedure: Established Registry Run key persistence using PowerShell
Criteria: Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry Run Keys / Startup Folder
(T1060)
Technique
A Technique detection for "ATT&CK T1060 Registry Run Keys / Startup Folder" was generated for powershell.exe adding Run key persistence into the Registry. [1]
Telemetry
Telemetry showed powershell.exe adding Run key persistence into the Registry. [1]
11.A.12
Procedure: Executed PowerShell stager payload
Criteria: powershell.exe spawning from the schemas ADS (powershell.exe)
PowerShell
(T1086)
Technique (Alert)
A Technique alert detection (medium severity) was generated for powershell.exe executed with unusual arguments. [1]
Technique (Alert)
A Technique alert detection (medium severity) was generated for powershell.exe executing an obfuscated command. [1]
Technique
A Technique detection for "ATT&CK T1086 PowerShell" was generated for powershell.exe spawned from a PowerShell stager. [1]
Telemetry
Telemetry showed powershell.exe spawned from a PowerShell stager. [1]
11.A.13
Procedure: Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Criteria: Established network channel over port 443
Commonly Used Port
(T1043)
Tactic (Alert)
A Tactic alert detection (medium severity) for "Command and Control" with the rule name "PowerShell Network Activity" was generated for powershell.exe opening a network connection. [1]
Telemetry
Telemetry showed powershell.exe making a network connection to the C2 (192.168.0.4) over TCP port 443. [1]
11.A.14
Procedure: Used HTTPS to transport C2 (192.168.0.4) traffic
Criteria: Established network channel over the HTTPS protocol
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure.
11.A.15
Procedure: Used HTTPS to encrypt C2 (192.168.0.4) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Standard Cryptographic Protocol
(T1032)
None
No detection capability demonstrated for this procedure.
12.A.1
Procedure: Enumerated the System32 directory using PowerShell
Criteria: powershell.exe executing gci ((gci env:windir).Value + '\system32')
File and Directory Discovery
(T1083)
General (Correlated, Alert)
A General alert detection for "Stealthy PowerShell Commands" (medium severity) was generated for PowerShell executing the timestomp function. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe enumerating System32. The event was correlated to a parent General detection for a suspicious Windows script. [1]
12.A.2
Procedure: Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria: powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Timestomp
(T1099)
Technique (Alert, Correlated)
A Technique alert detection (low severity) for "Timestomping" was generated for the modification of the timestamp of kxwn.lock. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Technique (Correlated, Alert)
A Technique alert detection (medium severity) for "ATT&CK T1099 Timestomp" was generated for PowerShell calling the NtSetInformationFile API. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Telemetry (Correlated)
Telemetry showed the modification of the timestamp of kxwn.lock, as well as the contents of the timestomp function. The event was correlated to a parent General detection for a suspicious Windows script. [1] [2]
12.B.1
Procedure: Enumerated registered AV products using PowerShell
Criteria: powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Security Software Discovery
(T1063)
Technique (Correlated, Configuration Change (Detections), Alert)
A Technique detection (medium severity) for "ATT&CK T1063 Security Software Discovery" was generated due to PowerShell executing the detectav function. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Telemetry (Correlated)
Telemetry showed the PowerShell gwmi query for AntiVirusProduct. The event was correlated to a parent General detection for a suspicious Windows script. [1]
12.C.1
Procedure: Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
Criteria: powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
Telemetry (Correlated)
Telemetry showed script block with registry query for installed software. The event was correlated to a parent General detection for a suspicious Windows script. [1]
12.C.2
Procedure: Enumerated installed software via the Registry (Uninstall key) using PowerShell
Criteria: powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
Telemetry (Correlated)
Telemetry showed script block with registry query for installed software. The event was correlated to a parent General detection for a suspicious Windows script. [1]
13.A.1
Procedure: Enumerated the computer name using the GetComputerNameEx API
Criteria: powershell.exe executing the GetComputerNameEx API
System Information Discovery
(T1082)
Telemetry (Correlated)
Telemetry showed PowerShell calling the GetComputerNameEx API. The detection was correlated to a parent alert for a suspicious Windows script. [1]
13.B.1
Procedure: Enumerated the domain name using the NetWkstaGetInfo API
Criteria: powershell.exe executing the NetWkstaGetInfo API
System Network Configuration Discovery
(T1016)
Telemetry (Correlated)
Telemetry showed PowerShell calling the NetWkstaGetInfo API. The detection was correlated to a parent alert for a suspicious Windows script. [1]
13.C.1
Procedure: Enumerated the current username using the GetUserNameEx API
Criteria: powershell.exe executing the GetUserNameEx API
System Owner/User Discovery
(T1033)
Telemetry (Correlated)
Telemetry showed PowerShell executing the GetUserNameEx API. The event was correlated to a parent General detection for a suspicious Windows script. [1]
13.D.1
Procedure: Enumerated running processes using the CreateToolhelp32Snapshot API
Criteria: powershell.exe executing the CreateToolhelp32Snapshot API
Process Discovery
(T1057)
Telemetry (Correlated)
Telemetry showed PowerShell calling the CreateToolhelp32Snapshot API. The detection was correlated to a parent alert for a suspicious Windows script. [1]
14.A.1
Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Component Object Model Hijacking
(T1122)
Telemetry (Correlated)
Telemetry showed the addition of the DelegateExecute Registry value. The event was correlated to a parent General detection for a suspicious Windows script. [1]
14.A.2
Procedure: Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Bypass User Account Control
(T1088)
Telemetry (Correlated)
Telemetry showed a new High Integrity PowerShell callback spawned from control.exe (spawned from sdclt.exe). The event was correlated to a parent General detection for a suspicious Windows script. [1]
14.A.3
Procedure: Modified the Registry to remove artifacts of COM hijacking using PowerShell
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Modify Registry
(T1112)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though the system was interrogated and the Registry key could not be found, indicating it had been deleted, so it is identified as Host Interrogation. [1]
14.B.1
Procedure: Created and executed a WMI class using PowerShell
Criteria: WMI Process (WmiPrvSE.exe) executing powershell.exe
Windows Management Instrumentation
(T1047)
Technique (Correlated, Alert)
A Technique alert detection (medium severity) for "Potential Code Execution via WMI-based PowerShell Cmdlet" was generated for PowerShell using WMI. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Technique (Alert, Correlated)
A Technique alert detection (medium severity) for "Suspicious Execution via WMI" was generated for PowerShell using WMI. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Technique (Correlated)
A Technique detection for "ATT&CK T1047 Windows Management Instrumentation" was generated for PowerShell using WMI. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Telemetry (Correlated)
Telemetry showed WmiPrvSE.exe executing powershell.exe. The detection was correlated to a parent alert for a suspicious Windows script. [1]
14.B.2
Procedure: Enumerated and tracked PowerShell processes using PowerShell
Criteria: powershell.exe executing Get-Process
Process Discovery
(T1057)
Technique (Correlated, Alert)
A Technique alert detection (medium severity) for "Process Discovery via WMI" was generated for PowerShell executing Get-Process. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Telemetry (Correlated)
Telemetry showed PowerShell executing Get-Process. The detection was correlated to a parent alert for a suspicious Windows script. [1]
14.B.3
Procedure: Downloaded and dropped Mimikatz (m.exe) to disk
Criteria: powershell.exe downloading and/or the file write of m.exe
Remote File Copy
(T1105)
General (Alert, Correlated)
A General alert detection (medium severity) for "Suspicious Download Command via PowerShell" was generated for the PowerShell command to download m.exe. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Telemetry (Correlated)
Telemetry showed the file write event for m.exe into the System32 folder. The detection was correlated to a parent alert for a suspicious Windows script. [1]
14.B.4
Procedure: Dumped plaintext credentials using Mimikatz (m.exe)
Criteria: m.exe injecting into lsass.exe to dump credentials
Credential Dumping
(T1003)
Technique (Alert, Correlated)
A Technique alert detection (high severity) for "Credential Dumping" was generated for m.exe executing with command-line arguments indicative of Mimikatz credential dumping. The detection was correlated to a parent alert for a suspicious Windows script. [1] [2]
14.B.5
Procedure: Encoded and wrote Mimikatz output to a WMI class property using PowerShell
Criteria: powershell.exe executing Set-WmiInstance
Obfuscated Files or Information
(T1027)
Technique (Configuration Change (Detections), Correlated)
A Technique detection for "ATT&CK T1027 Obfuscated Files or Information" was generated for PowerShell executing Set-WmiInstance. The detection was correlated to a parent alert for a suspicious Windows script.