
Tactic Results: Defense Evasion (TA0005)

Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation; these are not endorsed or validated by MITRE.

Deobfuscate/Decode Files or Information (T1140)

Procedure: Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria: powershell.exe executing Expand-Archive
Step: 4.A.3
Detection: Telemetry (Correlated)
  Telemetry showed PowerShell decompressing the ZIP via Expand-Archive. The detection was correlated to a parent alert for malicious file execution. [1]

Procedure: Decoded an embedded DLL payload to disk using certutil.exe
Criteria: certutil.exe decoding kxwn.lock
Step: 11.A.10
Detection: Technique (Alert)
  A Technique alert detection (high severity) for "ATT&CK T1140 Deobfuscate/Decode Files or Information" was generated for certutil.exe encoding or decoding files. [1] [2]
Detection: Telemetry
  Telemetry showed the certutil.exe process and the corresponding file write of the kxwn.lock payload. [1] [2]

Procedure: Read and decoded Mimikatz output from a WMI class property using PowerShell
Criteria: powershell.exe executing Get-WmiInstance
Step: 14.B.6
Detection: Telemetry (Correlated)
  Telemetry showed PowerShell reading encoded content from the WMI class. The detection was correlated to a parent alert for a suspicious Windows script. [1]

Component Object Model Hijacking (T1122)

Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Step: 3.B.1
Detection: Technique (Correlated, Configuration Change (Detections), Alert)
  A Technique detection (red label) for "Registry Preparation of UAC Bypass" was generated due to the addition of the DelegateExecute Registry Value. The event was correlated to a parent General detection for malicious file execution. [1]
Detection: Telemetry (Correlated)
  Telemetry showed the addition of the DelegateExecute Registry Value. The event was correlated to a parent General detection for malicious file execution. [1]

Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Step: 14.A.1
Detection: Telemetry (Correlated)
  Telemetry showed the addition of the DelegateExecute Registry Value. The event was correlated to a parent General detection for a suspicious Windows script. [1]

Timestomp (T1099)

Procedure: Modified the time attributes of the kxwn.lock persistence payload using PowerShell
Criteria: powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Step: 12.A.2
Detection: Technique (Alert, Correlated)
  A Technique alert detection (low severity) for "Timestomping" was generated for the modification of the timestamp of kxwn.lock. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Detection: Technique (Correlated, Alert)
  A Technique alert detection (medium severity) for "ATT&CK T1099 Timestomp" was generated for PowerShell calling the NtSetInformationFile API. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Detection: Telemetry (Correlated)
  Telemetry showed the modification of the timestamp of kxwn.lock, as well as the contents of the timestomp function. The event was correlated to a parent General detection for a suspicious Windows script. [1] [2]

Access Token Manipulation (T1134)

Procedure: Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Step: 10.B.3
Detection: Telemetry (Correlated)
  Telemetry showed hostui.exe manipulating the powershell.exe token via CreateProcessWithTokenW and that the authentication ID was that of explorer.exe. This event was correlated to a General detection for the execution of a malicious file. [1]

Web Service (T1102)

Procedure: Mapped a network drive to an online OneDrive account using PowerShell
Criteria: net.exe with command-line arguments then making a network connection to a public IP over port 443
Step: 18.A.1
Detection: General (Alert, Correlated)
  A General alert detection (medium severity) for "Accessing Windows Network Shares" was generated for net.exe with command-line arguments. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Detection: Telemetry (Correlated)
  Telemetry showed net.exe with command-line arguments to connect to a OneDrive URL, as well as net.exe subsequently making a network connection to public IPs over port 443. The detection was correlated to a parent alert for a suspicious Windows script. [1] [2]

Masquerading (T1036)

Procedure: Used unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process OR the original filename (cod.3aka.scr)
Step: 1.A.2
Detection: Technique (Configuration Change (Detections), Alert)
  A Technique alert detection (low severity) for "Process with Left-to-Right Encoding Character" was generated for rcs.3aka3.doc execution. [1]
Detection: Telemetry
  Telemetry showed that the .doc file was an executable, and that the filename included the unicode character for RTLO. [1]

Procedure: Masqueraded a Chrome password dump tool as accesscheck.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesscheck.exe is not the legitimate Sysinternals tool
Step: 6.A.3
Detection: General (Correlated, Alert)
  A General alert detection (high severity; red indicator) for "Malicious File" was generated for accesschk.exe execution. The event was correlated to a parent General detection for malicious file execution. [1]
Detection: Telemetry (Correlated)
  Telemetry showed that accesschk.exe is not a signed Microsoft binary, with hash values provided. This can be used to verify that it is not the legitimate Sysinternals tool. The event was correlated to a parent General detection for malicious file execution. [1]

Obfuscated Files or Information (T1027)

Procedure: Embedded PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png
Step: 3.A.2
Detection: Telemetry (Correlated)
  Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. The event was correlated to a parent General detection for malicious file execution. [1]

Procedure: Encoded and wrote Mimikatz output to a WMI class property using PowerShell
Criteria: powershell.exe executing Set-WmiInstance
Step: 14.B.5
Detection: Technique (Configuration Change (Detections), Correlated)
  A Technique detection for "ATT&CK T1027 Obfuscated Files or Information" was generated for PowerShell executing Set-WmiInstance. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Detection: Telemetry (Correlated)
  Telemetry showed PowerShell writing encoded content into the WMI class. The detection was correlated to a parent alert for a suspicious Windows script. [1]

Procedure: Prepended the GIF file header to a compressed staging file using PowerShell
Criteria: powershell.exe executing Set-Content
Step: 17.C.2
Detection: Telemetry (Correlated)
  Telemetry showed PowerShell appending the GIF file header to the compressed file. The detection was correlated to a parent alert for a suspicious Windows script. [1]

NTFS File Attributes (T1096)

Procedure: Executed an alternate data stream (ADS) using PowerShell
Criteria: powershell.exe executing the schemas ADS via Get-Content and IEX
Step: 11.A.2
Detection: Technique (Alert)
  A Technique alert detection (low severity) for "Suspicious Read from Alternate Data Streams (ADS)" was generated for powershell.exe accessing an NTFS ADS. [1]
Detection: Telemetry
  Telemetry showed powershell.exe executing the schemas ADS with Get-Content and IEX. [1]

Process Injection (T1055)

Procedure: Reflectively injected SDelete binary into PowerShell
Criteria: Injection into PowerShell via Invoke-ReflectivePEInjection
Step: 19.A.2
Detection: N/A
  Due to execution inconsistencies, Step 19 has been omitted from the evaluation results.

Procedure: Reflectively injected SDelete binary into PowerShell
Criteria: Injection into PowerShell via Invoke-ReflectivePEInjection
Step: 19.B.2
Detection: N/A
  Due to execution inconsistencies, Step 19 has been omitted from the evaluation results.

Procedure: Reflectively injected SDelete binary into PowerShell
Criteria: Injection into PowerShell via Invoke-ReflectivePEInjection
Step: 19.C.2
Detection: N/A
  Due to execution inconsistencies, Step 19 has been omitted from the evaluation results.

Valid Accounts (T1078)

Procedure: Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)
Step: 8.C.1
Detection: Telemetry
  Telemetry showed a valid logon on Scranton (10.0.1.4) as user Pam. [1]

Procedure: Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
Criteria: Successful logon as user MScott on NewYork (10.0.0.4)
Step: 16.C.2
Detection: Telemetry
  Telemetry showed a successful logon on NewYork (10.0.0.4) as user MScott. [1]

Modify Registry (T1112)

Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Step: 3.C.1
Detection: Telemetry (Correlated)
  Telemetry showed the PowerShell command to remove the DelegateExecute Registry Value. The event was correlated to a parent General detection for malicious file execution. [1]

Procedure: Modified the Registry to remove artifacts of COM hijacking using PowerShell
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Step: 14.A.3
Detection: None (Host Interrogation, Delayed (Manual))
  No detection capability was demonstrated for this procedure, though the system was interrogated and the Registry key could not be found, indicating it had been deleted, so it is identified as Host Interrogation. [1]

Software Packing (T1045)

Procedure: python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed
Step: 8.B.2
Detection: None (Host Interrogation, Delayed (Manual))
  No detection capability was demonstrated for this procedure, though python.exe was manually recovered from the system by the analyst and identified as UPX packed. This is identified as Host Interrogation. [1] [2]

File Deletion (T1107)

Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
Step: 4.B.2
Detection: Telemetry (Correlated)
  Telemetry showed sdelete.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for malicious file execution. [1]

Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file draft.zip
Step: 4.B.3
Detection: Telemetry (Correlated)
  Telemetry showed sdelete.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for malicious file execution. [1]

Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
Step: 4.B.4
Detection: Telemetry (Correlated)
  Telemetry showed sdelete.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for malicious file execution. [1]

Procedure: Deleted rar.exe on disk using SDelete
Criteria: sdelete64.exe deleting the file rar.exe
Step: 9.C.1
Detection: Technique (Configuration Change (Detections), Correlated, Alert)
  A Technique alert detection (high severity) for "ATT&CK T1107 File Deletion" was generated when sdelete64.exe made an NtSetInformationFile API call deleting rar.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
Detection: Telemetry (Correlated)
  Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]

Procedure: Deleted working.zip (from Desktop) on disk using SDelete
Criteria: sdelete64.exe deleting the file \Desktop\working.zip
Step: 9.C.2
Detection: Telemetry
  Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. [1]

Procedure: Deleted working.zip (from AppData directory) on disk using SDelete
Criteria: sdelete64.exe deleting the file \AppData\Roaming\working.zip
Step: 9.C.3
Detection: Technique (Configuration Change (Detections), Correlated, Alert)
  A Technique alert detection (high severity) for "ATT&CK T1107 File Deletion" was generated when sdelete64.exe made an NtSetInformationFile API call deleting Roaming\working.zip. This event was correlated to a Technique detection for the creation of psexesvc.exe. Configuration changes were made to increase detection capability, specifically additional API monitoring. [1]
Detection: Telemetry (Correlated)
  Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]

Procedure: Deleted SDelete on disk using the cmd.exe del command
Criteria: cmd.exe deleting the file sdelete64.exe
Step: 9.C.4
Detection: Technique (Correlated, Alert)
  A Technique alert detection for "ATT&CK T1107 File Deletion" was generated when cmd.exe deleted sdelete64.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]
Detection: Telemetry (Correlated)
  Telemetry showed cmd.exe deleting sdelete64.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]

Procedure: Deleted Mimikatz (m.exe) on disk using SDelete
Criteria: File delete event for C:\Windows\System32\m.exe
Step: 19.A.1
Detection: N/A
  Due to execution inconsistencies, Step 19 has been omitted from the evaluation results.

Procedure: Deleted exfiltrated data on disk using SDelete
Criteria: File delete event for C:\Windows\Temp\WindowsParentalControlMigration.tmp
Step: 19.B.1
Detection: N/A
  Due to execution inconsistencies, Step 19 has been omitted from the evaluation results.

Procedure: Deleted staged data on disk using SDelete
Criteria: File delete event for C:\Windows\Temp\WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML
Step: 19.C.1
Detection: N/A
  Due to execution inconsistencies, Step 19 has been omitted from the evaluation results.