Home  >  APT29  >  Results  >  Elastic  >  Execution

Tactic Results: Execution (TA0002) Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Vendor Configuration     All Results JSON Legend
Legend
Main Detection Categories: Detection Modifiers:

None

Telemetry

Indicator of
Compromise

General
Behavior

MSSP

General

Tactic

Specific
Behavior

Technique

Enrichment

Tainted

Alert

Correlated

Delayed

Host
Interrogation

Residual
Artifact

Configuration
Change

Innovative
Technique
Procedures Criteria Step
Detection Type Detection Notes
Windows Remote Management
(T1028)
Established WinRM connection to remote host Scranton (10.0.1.4)
Network connection to Scranton (10.0.1.4) over port 5985
8.A.2
Technique (Correlated, Alert)
A Technique alert detection (orange indicator; medium severity) for "WMI Lateral Movement via PowerShell over WinRM" was generated for the user Pam invoking a WMI PowerShell cmdlet. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated)
Telemetry showed network connection to remote host Scranton (10.0.1.4) over port TCP 5985. The event was correlated to a parent General detection for malicious file execution. [1]
Established a WinRM connection to the domain controller host NewYork (10.0.0.4)
Network connection to NewYork (10.0.0.4) over port 5985
16.C.1
Technique (Alert, Correlated)
A Technique alert detection (medium severity) for "WMI Lateral Movement via PowerShell over WinRM" was generated for WMI invoked on another host via a PowerShell WMI cmdlet. The detection was correlated to a parent alert for a suspicious Windows script. [1]
General (Alert)
A General alert detection (medium severity) for "First Seen Process in an Environment" was generated for the execution of the WinRM process (wsmprovhost.exe). [1]
Telemetry (Correlated)
Telemetry showed powershell.exe making a network connection to remote host NewYork (10.0.0.4) over port 5985. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials
Network connection to Scranton (10.0.1.4) over port 5985
20.B.2
Technique (Alert)
A Technique alert detection (medium severity) for "WMI Lateral Movement via PowerShell over WinRM" was generated for PowerShell executing on a remote host over WinRM. [1]
Telemetry
Telemetry showed PowerShell with an open network connection to the remote host Scranton (10.0.1.4) over port 5985. [1]
PowerShell
(T1086)
Spawned interactive powershell.exe
powershell.exe spawning from cmd.exe
1.B.2
Technique (Correlated)
A Technique detection called "ATT&CK T1086 PowerShell" was generated for the execution of PowerShell. The event was correlated to a parent alert for malicious file execution. [1]
Telemetry (Correlated)
Telemetry showed cmd.exe executing powershell.exe. The telemetry was correlated to a parent alert for malicious file execution. [1]
Spawned interactive powershell.exe
powershell.exe spawning from powershell.exe
4.A.2
Technique (Correlated, Alert)
A Technique alert detection (high severity) for "ATT&CK T1086 Powershell" was generated when powershell.exe spawned. The detection was correlated to a parent alert for malicious file execution. [1]
Telemetry (Correlated)
Telemetry showed a new powershell.exe spawning from powershell.exe. The detection was correlated to a parent alert for malicious file execution. [1]
Spawned interactive powershell.exe
powershell.exe​ spawning from python.exe
9.B.1
Technique (Correlated, Alert)
A Technique alert detection (medium severity) for "T1086 PowerShell" was generated due to powershell.exe executing. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1] [2]
Telemetry
Telemetery showed python.exe executing powershell.exe. [1]
Executed PowerShell stager payload
powershell.exe spawning from from the schemas ADS (powershell.exe)
11.A.12
Technique (Alert)
A Technique alert detection (medium severity) was generated for powershell.exe executed with unusual arguments. [1]
Technique (Alert)
A Technique alert detection (medium severity) was generated for powershell.exe executing an obfuscated command. [1]
Technique
A Technique detection for "ATT&CK T1086 PowerShell" was generated for powershell.exe spawned from a PowerShell stager. [1]
Telemetry
Telemetry showed powershell.exe spawned from a PowerShell stager. [1]
Executed PowerShell payload from WMI event subscription persistence
SYSTEM-level powershell.exe spawned from the powershell.exe
20.A.3
Technique (Alert)
A Technique alert detection (orange, medium severity) for "PowerShell with Unusual Arguments" was generated for the execution of PowerShell. [1]
Technique
A Technique detection for "ATT&CK T1085 PowerShell" was generated due to the execution of PowerShell. [1]
Telemetry
Telemetry showed powershell.exe spawned from WMI event subscription (wmiprvse.exe) as SYSTEM. [1]
Service Execution
(T1035)
Executed python.exe using PSExec
python.exe spawned by PSEXESVC.exe
8.C.3
Technique (Correlated, Alert)
A Technique alert detection (high severity) for "ATT&CK T1035 Service Execution" for PsExec64.exe calling the CreateServiceW API. The detection was correlated to a parent alert for malicious file execution. [1]
Technique (Correlated, Alert)
A Technique alert detection (low severity) for "Service Creation/Modification" was generated due to PsExec64.exe creating the psexesvc.exe service. [1]
Telemetry (Correlated)
Telemetry showed PSEXESVC.exe executing python.exe. The detection was correlated to a parent alert for the "First Seen Process in an Environment". [1]
Executed persistent service (javamtsup) on system startup
javamtsup.exe spawning from services.exe
10.A.1
None
No detection capability demonstrated for this procedure.
Rundll32
(T1085)
Executed Run key persistence payload on user login using RunDll32
rundll32.exe executing kxwn.lock
20.A.1
Technique (Alert)
A Technique alert detection (medium severity) for "RunDLL32 with Suspicious DLL Location" was generated for rundll32.exe executing kxwn.lock. [1]
Telemetry
Telemetry showed rundll32.exe executing kxwn.lock. [1]
Command-Line Interface
(T1059)
Spawned interactive cmd.exe
cmd.exe spawning from the rcs.3aka3.doc​ process
1.B.1
General (Configuration Change (Detections), Alert, Correlated)
A General alert detection (medium severity) was generated for a "Suspicious Parent of Built-in Shells." The detection was correlated to a parent alert for malicious file execution. [1]
Telemetry (Correlated)
Telemetry showed rcs.3aka.doc spawning cmd.exe. The telemetry was correlated to a parent alert for malicious file execution. [1]
Windows Management Instrumentation
(T1047)
Created and executed a WMI class using PowerShell
WMI Process (WmiPrvSE.exe) executing powershell.exe
14.B.1
Technique (Correlated, Alert)
A Technique alert detection (medium severity) for "Potential Code Execution via WMI-based PowerShell Cmdlet" was generated for PowerShell using WMI. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Technique (Alert, Correlated)
A Technique alert detection (medium severity) for "Suspicious Execution via WMI" was generated for PowerShell using WMI. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Technique (Correlated)
A Technique detection for "ATT&CK T1047 Windows Management Instrumentation" was generated for PowerShell using WMI. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Telemetry (Correlated)
Telemetry showed WmiPrvSE.exe executing powershell.exe. The detection was correlated to a parent alert for a suspicious Windows script. [1]
Execution through API
(T1106)
Executed API call by reflectively loading Netapi32.dll
The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
4.C.10
Telemetry (Configuration Change (Detections))
Telemetry showed Netapi32.dll loaded into powershell.exe. [1] [2]
Executed API call by reflectively loading Netapi32.dll
The NetUserGetLocalGroups API function loaded into powershelle.exe from Netapi32.dll
4.C.12
Telemetry (Configuration Change (Detections))
Telemetry showed Netapi32.dll loaded into powershell.exe. [1] [2]
Executed PowerShell payload via the CreateProcessWithToken API
hostui.exe executing the CreateProcessWithToken API
10.B.2
Telemetry (Correlated)
Telemetry showed hostui.exe executing powershell.exe via CreateProcessWithTokenW. This event was correlated to a General detection for the execution of a malicious file. [1]
Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll
powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll
16.B.2
Telemetry (Correlated)
Telemetry showed PowerShell reflectively loading Advapi32.dll inorder to execute the ConvertSidToStringSid API function. The detection was correlated to a parent alert for a suspicious Windows script. [1]
User Execution
(T1204)
User Pam executed payload rcs.3aka3.doc
The rcs.3aka3.doc process spawning from explorer.exe
1.A.1
General (Alert)
A General alert detection (high severity) was generated for the execution of a malicious file (rcs.3aka3.doc). [1]
Telemetry
Telemetry showed explorer.exe executing rcs.3aka3.doc. [1]
User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
powershell.exe spawning from explorer.exe
11.A.1
General (Alert)
A General alert detection (medium severity) was generated for "Suspicious Windows Script from Parent Process" for explorer.exe executing powershell.exe. [1]
Telemetry
Telemetry showed explorer.exe executing powershell.exe. [1]