Home  >  APT29  >  Results  >  Elastic  >  Persistence

Tactic Results: Persistence (TA0003) Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Vendor Configuration     All Results JSON Legend
Legend
Main Detection Categories: Detection Modifiers:

None

Telemetry

Indicator of
Compromise

General
Behavior

MSSP

General

Tactic

Specific
Behavior

Technique

Enrichment

Tainted

Alert

Correlated

Delayed

Host
Interrogation

Residual
Artifact

Configuration
Change

Innovative
Technique
Procedures Criteria Step
Detection Type Detection Notes
Create Account
(T1136)
Added a new user to the remote host Scranton (10.0.1.4) using net.exe
net.exe adding the user Toby
20.B.3
Technique (Alert)
A Technique alert detection (medium severity) called "User Account Creation" was generated for the addition of the new user Toby. [1]
Telemetry
Telemetry showed wsmprovhost.exe spawning net.exe with the command-line arguments to add the new user Toby. [1]
Registry Run Keys / Startup Folder
(T1060)
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
powershell.exe creating the file hostui.lnk in the Startup folder
5.B.1
Technique (Correlated, Alert)
A Technique alert detection for "ATT&CK T1060 Registry Run Keys / Startup Folder" was generated due to powershell.exe creating hostui.lnk. The event was correlated to a parent General detection for malicious file execution. [1]
General (Correlated, Alert)
A General alert detection (medium severity) for "Shortcut File Written by Suspicious Process" was generated due to powershell.exe creating hostui.lnk. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe creating the hostui.lnk file in the Startup folder. The event was correlated to a parent General detection for malicious file execution. [1]
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
10.B.1
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though execution of hostui.bat was observed. [1]
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
11.A.11
Technique
A Technique detection for "ATT&CK T1060 Registry Run Keys / Startup Folder" was generated for powershell.exe adding Run key persistence into the Registry [1]
Telemetry
Telemetry showed powershell.exe adding Run key persistence into the Registry [1]
Windows Management Instrumentation Event Subscription
(T1084)
Established WMI event subscription persistence using PowerShell
powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding created in root/subscription
15.A.2
Technique (Correlated, Alert)
A Technique alert detection (medium severity) for "Windows Management Instrumentation Consumer Binding" was generated due to the modification a WMI filter. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Technique (Correlated)
A Technique detection for "ATT&CK T1084 Windows Management Instrumentation Event Subscription" was generated due to a PowerShell script containing WindowsParentalControlMigration. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Telemetry (Correlated)
Telemetry showed a PowerShell script containing WindowsParentalControlMigration. The event was correlated to a parent General detection for a suspicious Windows script. [1]
Executed WMI persistence on user login
The WMI process (wmiprvse.exe) executing powershell.exe
20.A.2
Technique
A Technique detection for "ATT&CK T1047 Windows Management Instrumentation" was generated for PowerShell being executed via WMI. [1]
Telemetry
Telemetry showed wmiprvse.exe executing powershell.exe. [1]
New Service
(T1050)
Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
powershell.exe creating the Javamtsup service
5.A.1
Technique (Correlated, Alert)
A Technique alert detection (low severity) for "Service Creation/Modification" was generated due to powershell.exe creating the javamtsup.exe service. The event was correlated to a parent General detection for malicious file execution. [1]
Telemetry (Correlated)
Telemetry showed PowerShell created the new service javamtsup. The event was correlated to a parent General detection for malicious file execution. [1]