Tactic Results: Lateral Movement (TA0008), APT29 evaluation, Elastic

Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Legend

Main Detection Categories: None, Telemetry, MSSP, General, Tactic, Technique

Detection Modifiers: Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative

Also listed in the legend (categories used by the earlier APT3 evaluation round): Indicator of Compromise, General Behavior, Specific Behavior, Enrichment, Tainted
Results (columns: Procedures, Criteria, Step, Detection Type, Detection Notes). Each procedure below is listed under its technique with the evidence required by the Criteria, the Step in the operational flow, and every detection recorded for it.
Pass the Ticket (T1097)

  Procedure:  Created Kerberos Golden Ticket using Invoke-Mimikatz
  Criteria:   powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
  Step:       20.B.1
  Detections:
    General (Alert): A General alert detection (medium severity) for "Credential Access via PowerShell Cmdlets" was generated for PowerShell executing Invoke-Mimikatz. [1]
Windows Remote Management (T1028)

  Procedure:  Established WinRM connection to remote host Scranton (10.0.1.4)
  Criteria:   Network connection to Scranton (10.0.1.4) over port 5985
  Step:       8.A.2
  Detections:
    Technique (Correlated, Alert): A Technique alert detection (orange indicator; medium severity) for "WMI Lateral Movement via PowerShell over WinRM" was generated for the user Pam invoking a WMI PowerShell cmdlet. The event was correlated to a parent General detection for malicious file execution. [1]
    Telemetry (Correlated): Telemetry showed a network connection to remote host Scranton (10.0.1.4) over TCP port 5985. The event was correlated to a parent General detection for malicious file execution. [1]

  Procedure:  Established a WinRM connection to the domain controller host NewYork (10.0.0.4)
  Criteria:   Network connection to NewYork (10.0.0.4) over port 5985
  Step:       16.C.1
  Detections:
    Technique (Alert, Correlated): A Technique alert detection (medium severity) for "WMI Lateral Movement via PowerShell over WinRM" was generated for WMI invoked on another host via a PowerShell WMI cmdlet. The detection was correlated to a parent alert for a suspicious Windows script. [1]
    General (Alert): A General alert detection (medium severity) for "First Seen Process in an Environment" was generated for the execution of the WinRM process (wsmprovhost.exe). [1]
    Telemetry (Correlated): Telemetry showed powershell.exe making a network connection to remote host NewYork (10.0.0.4) over port 5985. The detection was correlated to a parent alert for a suspicious Windows script. [1]

  Procedure:  Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials
  Criteria:   Network connection to Scranton (10.0.1.4) over port 5985
  Step:       20.B.2
  Detections:
    Technique (Alert): A Technique alert detection (medium severity) for "WMI Lateral Movement via PowerShell over WinRM" was generated for PowerShell executing on a remote host over WinRM. [1]
    Telemetry: Telemetry showed PowerShell with an open network connection to the remote host Scranton (10.0.1.4) over port 5985. [1]
Remote File Copy (T1105)

  Procedure:  Dropped stage 2 payload (monkey.png) to disk
  Criteria:   The rcs.3aka3.doc process creating the file monkey.png
  Step:       3.A.1
  Detections:
    Telemetry (Correlated): Telemetry showed rcs.3aka3.doc creating monkey.png. The event was correlated to a parent General detection for malicious file execution. [1]

  Procedure:  Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
  Criteria:   powershell.exe creating the file SysinternalsSuite.zip
  Step:       4.A.1
  Detections:
    Telemetry (Correlated): Telemetry showed the file write of the ZIP by PowerShell. The detection was correlated to a parent alert for malicious file execution. [1]

  Procedure:  Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
  Criteria:   The file python.exe created on Scranton (10.0.1.4)
  Step:       8.B.1
  Detections:
    General (Alert): A General alert detection (high severity; red indicator) was generated for the malicious file create event of python.exe. [1]
    Telemetry: Telemetry showed a file create event of python.exe. [1]

  Procedure:  Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
  Criteria:   python.exe creating the file rar.exe
  Step:       9.A.1
  Detections:
    Telemetry (Correlated): Telemetry showed a file create event for python.exe creating rar.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]

  Procedure:  Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)
  Criteria:   python.exe creating the file sdelete64.exe
  Step:       9.A.2
  Detections:
    Telemetry (Correlated): Telemetry showed a file create event for python.exe creating sdelete64.exe. This event was correlated to a Technique detection for the creation of psexesvc.exe. [1]

  Procedure:  Downloaded and dropped Mimikatz (m.exe) to disk
  Criteria:   powershell.exe downloading and/or the file write of m.exe
  Step:       14.B.3
  Detections:
    General (Alert, Correlated): A General alert detection (medium severity) for "Suspicious Download Command via PowerShell" was generated for the PowerShell command to download m.exe. The detection was correlated to a parent alert for a suspicious Windows script. [1]
    Telemetry (Correlated): Telemetry showed the file write event for m.exe into the System32 folder. The detection was correlated to a parent alert for a suspicious Windows script. [1]

  Procedure:  Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection
  Criteria:   File write of m.exe by the WinRM process (wsmprovhost.exe)
  Step:       16.D.1
  Detections:
    General (Correlated, Alert): A General alert detection (red indicator) was generated for the creation of a malicious file (m.exe). The detection was correlated to a parent alert for the "First Seen Process in an Environment". [1]
    Telemetry (Correlated): Telemetry showed a file write event for m.exe in the System32 directory by wsmprovhost.exe. The detection was correlated to a parent alert for the "First Seen Process in an Environment". [1]
Windows Admin Shares (T1077)

  Procedure:  Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
  Criteria:   SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
  Step:       8.C.2
  Detections:
    Telemetry (Correlated): Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 135. The detection was correlated to a parent alert for malicious file execution. [1]
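The Criteria entries above describe the evidence each procedure was expected to leave: a PowerShell network connection to TCP 5985, a file written by wsmprovhost.exe, an Invoke-Mimikatz command line forging a golden ticket, an SMB session to IPC$. The Python below is an added example, not Elastic's rules and not MITRE's evaluation tooling. It encodes those criteria as simple rules, runs them over constructed sample events (the event field names, process ids, paths and the example.local domain are assumptions), and applies the page's "Correlated" modifier by linking a detection to an earlier alert on the same host for the same process or its parent. It also makes the caveat behind step 3.A.1 concrete: a payload rule keyed on file extension never sees monkey.png, so that drop has to be caught on the writing process (rcs.3aka3.doc) instead.

```python
import re

# Constructed sample telemetry, not captured from the evaluation. The field
# names, process ids, paths and the example.local domain are assumptions.
EVENTS = [
    {"id": 1, "kind": "file", "host": "Nashua", "pid": 3900,
     "image": "rcs.3aka3.doc", "path": r"C:\Users\Pam\AppData\Local\Temp\monkey.png"},
    {"id": 2, "kind": "process", "host": "Nashua", "pid": 4100, "ppid": 3900,
     "image": "powershell.exe",
     "cmdline": "powershell.exe -c Invoke-Mimikatz -Command '\"kerberos::golden "
                "/user:Administrator /domain:example.local /sid:S-1-5-21-1-2-3 "
                "/krbtgt:0123456789abcdef0123456789abcdef /ptt\"'"},
    {"id": 3, "kind": "network", "host": "Nashua", "pid": 4100,
     "image": "powershell.exe", "dst_ip": "10.0.1.4", "dst_port": 5985},
    {"id": 4, "kind": "file", "host": "Scranton", "pid": 612,
     "image": "wsmprovhost.exe", "path": r"C:\Windows\System32\m.exe"},
    {"id": 5, "kind": "file", "host": "Scranton", "pid": 700,
     "image": "python.exe", "path": r"C:\Users\Public\rar.exe"},
    {"id": 6, "kind": "network", "host": "Nashua", "pid": 4200,
     "image": "psexec.exe", "dst_ip": "10.0.1.4", "dst_port": 445, "share": "IPC$"},
    {"id": 7, "kind": "network", "host": "Nashua", "pid": 900,
     "image": "svchost.exe", "dst_ip": "10.0.0.4", "dst_port": 443},  # benign noise
]

INTERPRETERS = {"powershell.exe", "python.exe", "cscript.exe", "wscript.exe"}
DOUBLE_EXT = re.compile(r"^[^.]+\.[^.]+\.[^.]+$")   # e.g. rcs.3aka3.doc
PAYLOAD_EXT = (".exe", ".dll", ".zip")

def rule_golden_ticket(e):
    """T1097: Invoke-Mimikatz invoked with a golden-ticket command line (step 20.B.1)."""
    c = e.get("cmdline", "").lower()
    if e["kind"] == "process" and "invoke-mimikatz" in c and "kerberos::golden" in c:
        return ("T1097", "Technique")
    return None

def rule_winrm_lateral(e):
    """T1028: outbound connection to the WinRM port (steps 8.A.2, 16.C.1, 20.B.2).
    Raw telemetry for any client; a Technique-level hit when PowerShell is the client."""
    if e["kind"] == "network" and e.get("dst_port") in (5985, 5986):
        return ("T1028", "Technique" if e["image"].lower() == "powershell.exe" else "Telemetry")
    return None

def rule_remote_file_copy(e):
    """T1105: payload written by the WinRM host process, by a document-named process,
    or by an interpreter (steps 3.A.1, 4.A.1, 9.A.x, 14.B.3, 16.D.1)."""
    if e["kind"] != "file":
        return None
    image, path = e["image"].lower(), e["path"].lower()
    if image == "wsmprovhost.exe":            # file dropped over an inbound WinRM session
        return ("T1105", "Technique")
    if DOUBLE_EXT.match(image):               # catches monkey.png regardless of extension
        return ("T1105", "General")
    if image in INTERPRETERS and path.endswith(PAYLOAD_EXT):
        return ("T1105", "Telemetry")
    return None

def rule_admin_share(e):
    """T1077: session to an administrative share (step 8.C.2); the page's criteria
    accept TCP 445 or 135, so both ports are honoured here."""
    if (e["kind"] == "network" and e.get("dst_port") in (445, 135)
            and e.get("share", "").upper() in ("IPC$", "ADMIN$", "C$")):
        return ("T1077", "Technique")
    return None

RULES = [rule_golden_ticket, rule_winrm_lateral, rule_remote_file_copy, rule_admin_share]

def detect(events):
    """Run every rule over every event; return detections in event order."""
    out = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                out.append({"event": e["id"], "host": e["host"], "pid": e["pid"],
                            "ppid": e.get("ppid"), "technique": hit[0],
                            "category": hit[1], "modifiers": set()})
    return out

def correlate(dets):
    """Add 'Alert' to non-Telemetry detections and 'Correlated' to any detection that
    has an earlier alert on the same host for the same process or its parent."""
    for i, d in enumerate(dets):
        if d["category"] != "Telemetry":
            d["modifiers"].add("Alert")
        for parent in dets[:i]:
            if (parent["host"] == d["host"] and parent["category"] != "Telemetry"
                    and parent["pid"] in (d["pid"], d["ppid"])):
                d["modifiers"].add("Correlated")
                break
    return dets

def summarize(dets):
    """Render each detection the way the results table does, e.g. 'Technique (Alert, Correlated)'."""
    lines = []
    for d in dets:
        mods = ", ".join(sorted(d["modifiers"]))
        lines.append(f"{d['technique']} {d['category']}" + (f" ({mods})" if mods else ""))
    return lines

if __name__ == "__main__":
    for line in summarize(correlate(detect(EVENTS))):
        print(line)
```

Running the block prints one line per detection; the python.exe drop of rar.exe comes out as bare Telemetry because no alert preceded it on Scranton in the sample, which is exactly the distinction between "Telemetry" and "Telemetry (Correlated)" in the table above. The correlation key here (same host, same pid or parent pid) is a deliberately simple stand-in for the process-tree linkage a real sensor uses.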