
FireEye: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
Legend
Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, MSSP, General, Tactic, Specific Behavior, Technique, Enrichment

Detection Modifiers: Tainted, Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative

(The results on this page use only the None, Telemetry, MSSP, General and Technique categories, with the Alert, Correlated, Delayed, Residual Artifact and Configuration Change modifiers.)

Columns: Step | Procedure | Criteria | Technique | Detection Type | Detection Notes

Each step below gives the step number, the procedure, the detection criteria, the technique, and then one or more Detection Type / Detection Notes pairs.
1.A.1
User Pam executed payload rcs.3aka3.doc
Criteria: The rcs.3aka3.doc process spawning from explorer.exe
User Execution
(T1204)
Technique (Alert)
A Technique alert detection called "Execution from User Directory" was generated due to the rcs.3aka3.doc process executing from a user's desktop. [1]
General (Alert, Configuration Change (Detections))
A General alert detection was generated for a new application in AppCompat, indicating an application executing for the first time. The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for user Pam executing rcs.3aka3.doc. [1]
Telemetry
Telemetry showed explorer.exe executing rcs.3aka3.doc. [1]
1.A.2
Used the Unicode right-to-left override (RTLO) character to obfuscate the file name rcs.3aka3.doc (originally cod.3aka3.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka3.scr)
Masquerading
(T1036)
Technique (Alert)
A Technique alert detection called "RTL OVERRIDE ATTACK (METHODOLOGY)" was generated due to rcs.3aka3.doc containing a RTLO character with an MZ header value. [1]
General (Alert)
A General alert detection was generated for Generic.Exploit.Shellcode on rcs.3aka3.doc. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the RTLO character in rcs.3aka3.doc. [1]
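The alert above keys on two things together: the U+202E character in the name and an MZ header in the content. As an added example (not from the MITRE page and not FireEye's detection logic), the Python below reconstructs the name a file browser would display, recovers the extension the OS actually uses, and combines that with the header check. The sample name and header bytes are constructed for the example.

```python
# Added example (not from the MITRE evaluation or from FireEye): detect
# right-to-left-override filename masquerading, as in step 1.A.2.

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
# Other Unicode bidirectional controls: any of them ends an override run and
# none of them is drawn when the name is rendered.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                         "vbs", "vbe", "hta", "lnk", "ps1"}


def rendered_name(name: str) -> str:
    """Approximate what Explorer shows: text after U+202E is drawn reversed up to
    the next bidi control, and the controls themselves are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RTLO:
            j = i + 1
            while j < len(name) and name[j] not in BIDI_CONTROLS:
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1 if j < len(name) else j  # skip the terminating control
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def extension(name: str) -> str:
    """Extension of the name with all bidi controls stripped (what the OS uses)."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def assess(name: str, header: bytes) -> dict:
    """Score a file from its on-disk name and its first bytes (b"MZ" = PE image)."""
    shown = rendered_name(name)
    shown_ext = extension(shown)
    true_ext = extension(name)
    is_pe = header[:2] == b"MZ"
    suspicious = RTLO in name and (
        (true_ext in EXECUTABLE_EXTENSIONS and shown_ext != true_ext) or is_pe)
    return {"rendered": shown, "displayed_extension": shown_ext,
            "true_extension": true_ext, "is_pe": is_pe, "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed sample: on disk the name is U+202E followed by "cod.3aka3.scr",
    # which renders as "rcs.3aka3.doc"; the content starts with an MZ header.
    print(assess(RTLO + "cod.3aka3.scr", b"MZ\x90\x00"))
    print(assess("report.docx", b"PK\x03\x04"))
```

A name containing U+202E is not malicious on its own (right-to-left scripts use bidi controls legitimately), which is why the function only flags when the real extension is executable and differs from the displayed one, or when the content is a PE image; the alert name on the page pairs the RTLO with the MZ header for the same reason.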
1.A.3
Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234
Uncommonly Used Port
(T1065)
Technique (Alert, Configuration Change (Detections))
A Technique alert detection called "Uncommon Port Connection" was generated due to rcs.3aka3.doc connecting to remote port 1234. The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the rcs.3aka3.doc process connecting to 192.168.0.5 on TCP port 1234. [1]
Telemetry
Telemetry showed the rcs.3aka3.doc process connecting to 192.168.0.5 on TCP port 1234. [1]
1.A.4
Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Standard Cryptographic Protocol
(T1032)
MSSP (Delayed (Manual))
An MSSP detection occurred for the rcs.3aka3.doc process using rc4 encryption for network communication. [1]
None
No detection capability demonstrated for this procedure, though data showed rcs.3aka3.doc loading cryptographic libraries. [1] [2]
1.B.1
Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
Command-Line Interface
(T1059)
Technique (Alert)
A Technique alert detection called "CMD Execution" was generated due to cmd.exe spawning from rcs.3aka3.doc. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection occurred for cmd.exe spawning from rcs.3aka3.doc. [1]
Telemetry (Correlated)
Telemetry showed cmd.exe spawning from rcs.3aka3.doc. This was correlated to a parent alert on rcs.3aka3.doc. [1]
1.B.2
Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
PowerShell
(T1086)
Technique (Alert)
A Technique alert detection called "PowerShell Execution" was generated due to powershell.exe spawning from cmd.exe. [1]
General (Alert)
A General alert detection was generated for cmd.exe spawning a child process. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe spawning from cmd.exe. [1]
Telemetry
Telemetry showed powershell.exe spawning from cmd.exe. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
2.A.1
Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
File and Directory Discovery
(T1083)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing ChildItem. [1]
Telemetry
Telemetry showed powershell.exe executing ChildItem. [1]
2.A.2
Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Automated Collection
(T1119)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing ChildItem. [1]
Telemetry
Telemetry showed powershell.exe executing ChildItem. [1]
2.A.3
Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Data from Local System
(T1005)
None
No detection capability demonstrated for this procedure.
2.A.4
Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive
Data Compressed
(T1002)
Technique (Alert)
A Technique alert detection called "ZIP Archive Created - T1002" was generated due to Draft.zip being identified as compressed. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe compressing via Compress-Archive. [1]
Telemetry
Telemetry showed powershell.exe compressing via Compress-Archive. [1]
2.A.5
Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file Draft.zip
Data Staged
(T1074)
General (Alert)
A General alert detection was generated for file creation of Draft.zip [1] [2]
MSSP (Delayed (Manual))
An MSSP detection occurred for the file creation of Draft.zip. [1]
Telemetry (Correlated)
Telemetry showed file creation of Draft.zip. This was correlated to a prior detection of the parent PowerShell process. [1]
2.B.1
Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria: The rcs.3aka3.doc process reading the file Draft.zip while connected to the C2 channel
Exfiltration Over Command and Control Channel
(T1041)
None
No detection capability demonstrated for this procedure.
3.A.1
Dropped stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png
Remote File Copy
(T1105)
General (Alert, Configuration Change (Detections))
A General alert detection called "User Directory File Write" was generated due to the file monkey.png being written to the user's desktop. The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of rcs.3aka3.doc creating the monkey.png. [1]
Telemetry
Telemetry showed rcs.3aka3.doc creating monkey.png. [1]
3.A.2
Embedded PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png
Obfuscated Files or Information
(T1027)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of the PowerShell script contained within monkey.png. [1]
Telemetry
Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. [1]
3.B.1
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute value under HKCU\Software\Classes\Folder\shell\open\command
Component Object Model Hijacking
(T1122)
MSSP (Delayed (Manual))
An MSSP detection occurred for the addition of the DelegateExecute Registry Value. [1]
Telemetry
Telemetry showed the addition of the DelegateExecute Registry Value. [1]
3.B.2
Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Bypass User Account Control
(T1088)
Technique (Alert)
A Technique alert detection called "Sdclt Child Process" was generated due to sdclt.exe spawning control.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for a new high-integrity PowerShell callback spawned from control.exe. [1]
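Steps 1.A.1, 1.B.1, 1.B.2 and 3.B.2 are all parent/child relationships, so one pass over process-creation events can check them together. The following is an added example (not the page's or FireEye's code) over constructed events: a record per process, an ancestor walk, and four rules mirroring the alerts above, including the integrity-level check that separates an ordinary sdclt.exe launch from the UAC bypass in 3.B.2. PIDs, paths and rule names are assumptions made for the example.

```python
# Added example (not from the MITRE evaluation or from FireEye): parent/child
# rules over process-creation events for steps 1.A.1, 1.B.1, 1.B.2 and 3.B.2.
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str       # full image path as a process-creation event records it
    cmdline: str
    integrity: str   # "Low", "Medium", "High" or "System"


SHELLS = {"cmd.exe", "powershell.exe"}
DOC_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".png", ".jpg")
AUTO_ELEVATE = {"sdclt.exe"}  # auto-elevating binary abused in step 3.B.2

# Rule names as constants so findings can be matched reliably.
R_DOC_SPAWNS_SHELL = "Shell spawned by document-named process"
R_USERDIR_LINEAGE = "Shell descended from an executable run from a user directory"
R_SDCLT_CHILD = "Sdclt child process"
R_UAC_BYPASS = "High-integrity shell under auto-elevated sdclt.exe (UAC bypass)"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(tree: dict, pid: int) -> list:
    """Walk pid -> ppid until the parent is unknown; `seen` guards against a
    cycle caused by PID reuse."""
    chain, seen = [], {pid}
    proc = tree.get(pid)
    while proc is not None and proc.ppid in tree and proc.ppid not in seen:
        seen.add(proc.ppid)
        proc = tree[proc.ppid]
        chain.append(proc)
    return chain


def detect(events: list) -> list:
    """Return (pid, rule, detail) tuples for every rule each process trips."""
    tree = {p.pid: p for p in events}
    hits = []
    for p in events:
        name = basename(p.image)
        parent = tree.get(p.ppid)
        pname = basename(parent.image) if parent else ""
        chain = ancestors(tree, p.pid)
        if name in SHELLS and pname.endswith(DOC_EXTENSIONS):
            hits.append((p.pid, R_DOC_SPAWNS_SHELL, pname))
        if name in SHELLS and any("\\users\\" in a.image.lower() for a in chain):
            hits.append((p.pid, R_USERDIR_LINEAGE, " <- ".join(basename(a.image) for a in chain)))
        if pname in AUTO_ELEVATE:
            hits.append((p.pid, R_SDCLT_CHILD, name))
        if (name in SHELLS and p.integrity == "High"
                and any(basename(a.image) in AUTO_ELEVATE for a in chain)):
            hits.append((p.pid, R_UAC_BYPASS, p.cmdline))
    return hits


# Constructed sample events (PIDs and paths are made up for the example).
SAMPLE = [
    Proc(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe", "Medium"),
    Proc(2000, 1000, r"C:\Users\Pam\Desktop\rcs.3aka3.doc", r'"C:\Users\Pam\Desktop\rcs.3aka3.doc"', "Medium"),
    Proc(2100, 2000, r"C:\Windows\System32\cmd.exe", "cmd.exe", "Medium"),
    Proc(2200, 2100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe", "Medium"),
    Proc(3000, 2200, r"C:\Windows\System32\sdclt.exe", "sdclt.exe", "High"),
    Proc(3100, 3000, r"C:\Windows\System32\control.exe", "control.exe", "High"),
    Proc(3200, 3100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden", "High"),
    Proc(4000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe", "Medium"),  # benign: user opens a prompt
]

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(hit)
```

The user-directory rule is what turns the isolated "Execution from User Directory" alert in 1.A.1 into context for every later shell: once rcs.3aka3.doc is in the ancestry, the cmd.exe in 1.B.1, the powershell.exe in 1.B.2 and the elevated powershell.exe in 3.B.2 all inherit the finding, which is the correlation the Telemetry (Correlated) entries describe.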
3.B.3
Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria: Established network channel over port 443
Commonly Used Port
(T1043)
General (Alert)
A General detection was generated for PowerShell making a network connection. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe connecting to 192.168.0.5 on TCP 443. [1]
3.B.4
Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS
Standard Application Layer Protocol
(T1071)
None (Residual Artifact)
No detection capability demonstrated for this procedure, though process memory for the PowerShell process indicated the data exchange was over HTTPS. [1]
3.B.5
Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Standard Cryptographic Protocol
(T1032)
None (Residual Artifact)
No detection capability demonstrated for this procedure, though process memory for the PowerShell process indicated the data exchange was over HTTPS. [1]
3.C.1
Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Modify Registry
(T1112)
MSSP (Delayed (Manual))
An MSSP detection occurred for the deletion of the Registry value. [1]
Telemetry (Correlated)
Telemetry showed the deletion of the command subkey. This was correlated with a prior detection of the PowerShell parent process. [1]
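The DelegateExecute write in 3.B.1 and the key deletion in 3.C.1 are a pair, and the events for them arrive under different spellings of the same key (Sysmon records HKCU keys as HKU\<user SID>\..., while a PowerShell script writes HKCU:\...). As an added example that is not from the page or from FireEye, the Python below normalizes the key path, flags the DelegateExecute and (Default) writes, flags the deletion, and correlates the two when the same process does both. The SID, timestamps, process names and the command string are constructed.

```python
# Added example (not from the MITRE evaluation or from FireEye): registry-event
# rules for the sdclt.exe COM hijack set-up in step 3.B.1 and its removal in 3.C.1.
import re
from datetime import datetime

HIJACK_KEY = r"hkcu\software\classes\folder\shell\open\command"
# Sysmon logs HKCU as HKU\<SID>\...; PowerShell scripts use HKCU:\...; both map to hkcu\
_HIVE = re.compile(r"^(?:hkcu:?|hkey_current_user|hku\\s-1-5-21-[\d-]+)\\", re.I)

R_DELEGATE_SET = "DelegateExecute set under Folder\\shell\\open\\command"
R_COMMAND_SET = "(Default) command set under Folder\\shell\\open\\command"
R_KEY_DELETED = "Folder\\shell\\open\\command key deleted"
R_SET_THEN_DELETED = "Hijack key set and deleted by the same process"


def normalize(target: str) -> str:
    """Lower-case, unify slashes and map every HKCU spelling to 'hkcu\\'."""
    t = target.strip().replace("/", "\\").lower()
    return _HIVE.sub(lambda m: "hkcu\\", t)


def detect(events: list) -> list:
    """events: dicts with time (ISO 8601), pid, image, type (CreateKey/SetValue/
    DeleteKey) and target, plus details for SetValue. Returns finding dicts."""
    findings, set_times = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        target = normalize(ev["target"])
        if not target.startswith(HIJACK_KEY):
            continue
        value = target[len(HIJACK_KEY):].lstrip("\\")  # "" = the key itself
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "SetValue" and value == "delegateexecute":
            findings.append({"rule": R_DELEGATE_SET, "pid": ev["pid"], "image": ev["image"]})
            set_times.setdefault(ev["pid"], when)
        elif ev["type"] == "SetValue" and value == "(default)":
            findings.append({"rule": R_COMMAND_SET, "pid": ev["pid"], "image": ev["image"],
                             "command": ev.get("details", "")})
            set_times.setdefault(ev["pid"], when)
        elif ev["type"] == "DeleteKey" and value == "":
            findings.append({"rule": R_KEY_DELETED, "pid": ev["pid"], "image": ev["image"]})
            if ev["pid"] in set_times:
                secs = (when - set_times[ev["pid"]]).total_seconds()
                findings.append({"rule": R_SET_THEN_DELETED, "pid": ev["pid"], "seconds": secs})
    return findings


SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
KEY = SID + r"\Software\Classes\Folder\shell\open\command"
# Constructed sample events; the (Default) command string is illustrative only.
SAMPLE = [
    {"time": "2020-03-01T10:00:00", "pid": 2200, "image": "powershell.exe", "type": "CreateKey", "target": KEY},
    {"time": "2020-03-01T10:00:01", "pid": 2200, "image": "powershell.exe", "type": "SetValue",
     "target": KEY + r"\DelegateExecute", "details": ""},
    {"time": "2020-03-01T10:00:01", "pid": 2200, "image": "powershell.exe", "type": "SetValue",
     "target": KEY + r"\(Default)", "details": "powershell.exe -nop -w hidden -c ..."},
    {"time": "2020-03-01T10:04:30", "pid": 2200, "image": "powershell.exe", "type": "DeleteKey", "target": KEY},
    {"time": "2020-03-01T10:05:00", "pid": 5100, "image": "explorer.exe", "type": "SetValue",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "details": "1"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

The set-then-delete correlation is the part worth keeping even if the individual writes are noisy: a shell\open\command key under a user's Classes hive that exists for only a few minutes and is removed by the same process that created it has no legitimate software-installation explanation.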
4.A.1
Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip
Remote File Copy
(T1105)
General (Alert)
A General alert detection was generated for a ZIP archive being written to disk. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of file write of the ZIP by PowerShell. [1]
Telemetry (Correlated)
Telemetry showed the file write of the ZIP by PowerShell. The detection was correlated to a parent alert for a PowerShell process. [1]
4.A.2
Spawned interactive powershell.exe
Criteria: powershell.exe spawning from powershell.exe
PowerShell
(T1086)
Technique (Alert)
A Technique alert detection called "PowerShell Execution" was generated due to powershell.exe spawning a new powershell.exe child process. [1]
General (Alert)
A General alert detection for PowerShell child process was generated for powershell.exe spawning a child process. [1]
Telemetry
Telemetry showed a new powershell.exe spawning from powershell.exe. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
4.A.3
Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria: powershell.exe executing Expand-Archive
Deobfuscate/Decode Files or Information
(T1140)
General (Alert)
A General alert detection was generated for PowerShell file write. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of powershell.exe decompressing files via Expand-Archive. [1]
Telemetry (Correlated)
Telemetry showed PowerShell decompressing the ZIP via Expand-Archive and corresponding file writes. The detection was correlated to a parent alert for a PowerShell process. [1] [2]
4.B.1
Enumerated current running processes using PowerShell
Criteria: powershell.exe executing Get-Process
Process Discovery
(T1057)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of powershell.exe executing Get-Process. [1]
Telemetry
Telemetry showed powershell.exe executing Get-Process. [1]
4.B.2
Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
File Deletion
(T1107)
Technique (Alert)
A Technique alert detection called "Sdelete Command Execution" was generated due to the execution of sdelete64.exe to delete rcs.3aka3.doc. [1]
General (Alert)
A General alert detection was generated for powershell.exe creating the sdelete64.exe child process. [1] [2]
General (Alert)
A General alert detection was generated for the execution of a Sysinternals utility. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of sdelete64.exe deleting the file. [1]
Telemetry
Telemetry showed sdelete64.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. [1]
4.B.3
Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file Draft.zip
File Deletion
(T1107)
Technique (Alert)
A Technique alert detection called "Sdelete Command Execution" was generated due to the execution of sdelete64.exe to delete Draft.zip. [1]
General (Alert)
A General alert detection was generated for powershell.exe creating the sdelete64.exe child process. [1] [2]
General (Alert)
A General alert detection was generated for the execution of a Sysinternals utility. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of sdelete64.exe deleting Draft.zip. [1]
Telemetry
Telemetry showed sdelete64.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. [1]
4.B.4
Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
File Deletion
(T1107)
Technique (Alert)
A Technique alert detection called "Sdelete Command Execution" was generated due to the execution of sdelete64.exe to delete SysinternalsSuite.zip. [1]
General (Alert)
A General alert detection was generated for powershell.exe creating the sdelete64.exe child process. [1] [2]
General (Alert)
A General alert detection was generated for the execution of a Sysinternals utility. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of sdelete64.exe deleting SysinternalsSuite.zip. [1]
Telemetry
Telemetry showed sdelete64.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. [1]
4.C.1
Enumerated user's temporary directory path using PowerShell
Criteria: powershell.exe executing $env:TEMP
File and Directory Discovery
(T1083)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing: $env:TEMP. [1]
Telemetry
Telemetry showed powershell.exe executing: $env:TEMP. [1]
4.C.2
Enumerated the current username using PowerShell
Criteria: powershell.exe executing $env:USERNAME
System Owner/User Discovery
(T1033)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing: $env:USERNAME. [1]
Telemetry
Telemetry showed powershell.exe executing: $env:USERNAME. [1]
4.C.3
Enumerated the computer hostname using PowerShell
Criteria: powershell.exe executing $env:COMPUTERNAME
System Information Discovery
(T1082)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing: $env:COMPUTERNAME. [1]
Telemetry
Telemetry showed powershell.exe executing: $env:COMPUTERNAME. [1]
4.C.4
Enumerated the current domain name using PowerShell
Criteria: powershell.exe executing $env:USERDOMAIN
System Network Configuration Discovery
(T1016)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing: $env:USERDOMAIN. [1]
Telemetry
Telemetry showed powershell.exe executing: $env:USERDOMAIN. [1]
4.C.5
Enumerated the current process ID using PowerShell
Criteria: powershell.exe executing $PID
Process Discovery
(T1057)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing: $PID. [1]
Telemetry
Telemetry showed powershell.exe executing: $PID. [1]
4.C.6
Enumerated the OS version using PowerShell
Criteria: powershell.exe executing Gwmi Win32_OperatingSystem
System Information Discovery
(T1082)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing: Gwmi Win32_OperatingSystem. [1] [2]
Telemetry
Telemetry showed powershell.exe executing: Gwmi Win32_OperatingSystem. [1]
4.C.7
Enumerated anti-virus software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Security Software Discovery
(T1063)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing: Get-WmiObject ... -Class AntiVirusProduct. [1] [2]
Telemetry
Telemetry showed powershell.exe executing: Get-WmiObject ... -Class AntiVirusProduct. [1]
4.C.8
Enumerated firewall software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Security Software Discovery
(T1063)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing: Get-WmiObject ... -Class FireWallProduct. [1] [2]
Telemetry
Telemetry showed powershell.exe executing: Get-WmiObject ... -Class FireWallProduct. [1]
4.C.9
Enumerated user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API
Permission Groups Discovery
(T1069)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing the NetUserGetGroups API. [1]
Telemetry
Telemetry showed powershell.exe executing the NetUserGetGroups API. [1]
4.C.10
Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Execution through API
(T1106)
General (Alert, Configuration Change (Detections))
A General alert detection was generated for PowerShell loading Netapi32.dll. The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the NetUserGetGroups API function loaded into PowerShell from Netapi32.dll. [1]
Telemetry
Telemetry showed the NetUserGetGroups API function loaded into PowerShell from Netapi32.dll. [1]
4.C.11
Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria: powershell.exe executing the NetUserGetLocalGroups API
Permission Groups Discovery
(T1069)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing the NetUserGetLocalGroups API. [1]
Telemetry
Telemetry showed powershell.exe executing the NetUserGetLocalGroups API. [1]
4.C.12
Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Execution through API
(T1106)
General (Alert, Configuration Change (Detections))
A General alert detection was generated for PowerShell loading Netapi32.dll. The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the NetUserGetLocalGroups API function loaded into PowerShell from Netapi32.dll. [1]
Telemetry
Telemetry showed the NetUserGetLocalGroups API function loaded into PowerShell from Netapi32.dll. [1]
5.A.1
Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria: powershell.exe creating the javamtsup service
New Service
(T1050)
Technique (Alert)
A Technique alert detection called "Service Persistence" was generated due to the modification of Windows service Registry keys when the javamtsup service was created. [1] [2]
General (Alert)
A General alert detection was generated for javamtsup.exe being classified as malware. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the creation of the javamtsup service. [1]
Telemetry
Telemetry showed PowerShell created the new service javamtsup. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
5.B.1
Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria: powershell.exe creating the file hostui.lnk in the Startup folder
Registry Run Keys / Startup Folder
(T1060)
Technique (Alert)
A Technique alert detection called "Startup Folder Persistence" was generated due to the creation of a file in the Start Menu Startup folder. [1] [2]
General (Alert)
A General alert detection was generated due to a suspicious LNK file. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection occurred for the creation of the hostui.lnk file in the Startup folder. [1]
Telemetry (Correlated)
Telemetry showed PowerShell creating the hostui.lnk file in the Startup folder. The event was correlated to a parent detection for PowerShell. [1]
6.A.1
Read the Chrome SQL database file to extract encrypted credentials
Criteria: accesschk.exe reading files within %LOCALAPPDATA%\Google\Chrome\User Data\Default\
Credentials in Files
(T1081)
None
No detection capability demonstrated for this procedure.
6.A.2
Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectData API
Credential Dumping
(T1003)
MSSP (Delayed (Manual))
An MSSP detection occurred for accesschk.exe making the Windows API call CryptUnprotectData. [1]
6.A.3
Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
Masquerading
(T1036)
Technique (Alert, Configuration Change (Detections))
A Technique alert detection called "Sysinternals Masquerade" was generated due to the process accesschk.exe executing without accepting the EULA. The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred indicating that accesschk.exe is not the legitimate Sysinternals tool. [1]
Telemetry
Telemetry showed the hash of accesschk.exe, which can be used to verify that it is not the legitimate Sysinternals tool. [1] [2]
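Sysinternals tools accept their license either with -accepteula on the command line or through the EulaAccepted value under HKCU\Software\Sysinternals\<Tool>; a binary named like one of them that ran without either is what the "Sysinternals Masquerade" alert above keys on, and the SDelete rows in 4.B.2 to 4.B.4 are the command-line side of the same tooling. As an added example (not the page's or FireEye's logic), the Python below extracts the files named on an SDelete command line, flags Sysinternals utilities launched from PowerShell, and flags a Sysinternals-named binary that never accepted the EULA. The events, the registry snapshot and the rule names are constructed; the registry key name is assumed to be the tool name with any 64 suffix dropped.

```python
# Added example (not from the MITRE evaluation or from FireEye): command-line
# and EULA checks for Sysinternals tools, covering the SDelete use in steps
# 4.B.2-4.B.4 and the accesschk.exe masquerade in step 6.A.3.
import re

SYSINTERNALS = {"sdelete.exe", "sdelete64.exe", "accesschk.exe", "accesschk64.exe",
                "psexec.exe", "psexec64.exe", "procdump.exe", "procdump64.exe"}
FLAGS_WITH_ARG = {"-p"}  # sdelete: -p <passes>

R_SDELETE = "Sdelete command execution"
R_FROM_POWERSHELL = "Sysinternals utility launched by PowerShell"
R_NO_EULA = "Sysinternals-named binary ran without EULA acceptance (masquerade candidate)"


def product_name(image: str) -> str:
    """sdelete64.exe -> 'sdelete'; assumed to match HKCU\\Software\\Sysinternals\\<name>."""
    name = image.rsplit("\\", 1)[-1].lower()
    return re.sub(r"64$", "", name[:-4] if name.endswith(".exe") else name)


def split_cmdline(cmdline: str) -> list:
    """Split on whitespace but keep double-quoted paths together."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def sdelete_targets(cmdline: str) -> list:
    """Non-flag arguments after the executable are the files or directories to wipe."""
    args = split_cmdline(cmdline)[1:]
    targets, skip = [], False
    for a in args:
        if skip:
            skip = False
        elif a.lower() in FLAGS_WITH_ARG:
            skip = True
        elif not a.startswith(("-", "/")):
            targets.append(a.strip('"'))
    return targets


def eula_accepted(cmdline: str, product: str, registry: dict) -> bool:
    """True if -accepteula was passed or EulaAccepted=1 exists for the product.
    `registry` is a snapshot {key_path_lowercase: {value_name_lowercase: data}}."""
    if re.search(r"(?:^|\s)[-/]accepteula\b", cmdline, re.I):
        return True
    return registry.get(rf"hkcu\software\sysinternals\{product}", {}).get("eulaaccepted") == 1


def detect(events: list, registry: dict) -> list:
    hits = []
    for ev in events:
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name not in SYSINTERNALS:
            continue
        product = product_name(name)
        if product == "sdelete":
            hits.append((ev["pid"], R_SDELETE, sdelete_targets(ev["cmdline"])))
        if ev["parent_image"].rsplit("\\", 1)[-1].lower() == "powershell.exe":
            hits.append((ev["pid"], R_FROM_POWERSHELL, name))
        if not eula_accepted(ev["cmdline"], product, registry):
            hits.append((ev["pid"], R_NO_EULA, name))
    return hits


# Constructed sample events and registry snapshot.
SAMPLE_REGISTRY = {r"hkcu\software\sysinternals\procdump": {"eulaaccepted": 1}}
SAMPLE_EVENTS = [
    {"pid": 5100, "image": r"C:\Windows\Temp\SysinternalsSuite\sdelete64.exe",
     "cmdline": r'sdelete64.exe -accepteula -p 1 "C:\Users\Pam\Desktop\rcs.3aka3.doc"',
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 5200, "image": r"C:\Windows\Temp\accesschk.exe", "cmdline": "accesschk.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 5300, "image": r"C:\Tools\procdump.exe", "cmdline": "procdump.exe -ma 1234",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, SAMPLE_REGISTRY):
        print(hit)
```

The EULA check is a heuristic: a genuine Sysinternals tool run without accepting the license only shows the license dialog, so a binary that completed its work under that condition is the anomaly. Comparing the file hash against a known-good value, which the telemetry above exposes, is the definitive check. SDelete also renames a file repeatedly before deleting it, which is why the telemetry for 4.B.2 to 4.B.4 lists rename events alongside the delete.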
6.B.1
Exported a local certificate to a PFX file using PowerShell
Criteria: powershell.exe creating a certificate file exported from the system
Private Keys
(T1145)
Technique (Alert)
A Technique alert detection called "Private Key - T1145" was generated due to the creation of the $RandomFileName.pfx file. [1]
MSSP (Delayed (Manual))
An MSSP detection was generated for the creation of the $RandomFileName.pfx file. [1]
Telemetry
Telemetry showed file create event for a $RandomFileName.pfx file by powershell.exe. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
6.C.1
Dumped password hashes from the Windows Registry by injecting a malicious DLL into lsass.exe
Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Credential Dumping
(T1003)
General
A General detection in Process Guard Watcher was generated due to powershell.exe injecting into lsass.exe. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection identified PowerShell injecting into the LSASS process. This activity was labeled as credential harvesting. [1]
7.A.1
Captured and saved screenshots using PowerShell
Criteria: powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Screen Capture
(T1113)
Technique (Alert, Configuration Change (Detections))
A Technique alert detection called "PowerShell System.Drawing Load" was generated due to powershell.exe loading System.Drawing.ni.dll, indicating possible Screen Capture. The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of powershell.exe executing Invoke-ScreenCapture to capture screen shots. [1]
Telemetry
Telemetry showed powershell.exe executing CopyFromScreen from System.Drawing.dll. [1] [2]
7.A.2
Captured clipboard contents using PowerShell
Criteria: powershell.exe executing Get-Clipboard
Clipboard Data
(T1115)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of powershell.exe executing Get-Clipboard. [1]
Telemetry
Telemetry showed powershell.exe executing Get-Clipboard. [1]
7.A.3
Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API
Input Capture
(T1056)
General (Alert, Configuration Change (Detections))
A General alert detection called "PowerShell Loading User32.dll" was generated due to powershell.exe loading user32.dll, indicating possible Input Capture. The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of keylogging. [1]
Telemetry
Telemetry showed PowerShell calling the GetAsyncKeyState API. [1]
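The 4.C.1 to 4.C.12 rows and the 7.A.1 to 7.A.3 rows are each a single PowerShell expression that produced only telemetry and an MSSP finding. With script block logging the content of those expressions is visible, and the signal is several of them appearing in one script rather than any one of them alone (a lone $env:USERNAME lookup is routine administration). As an added example, not the page's or FireEye's logic, the Python below maps indicator patterns to the technique IDs listed on this page and scores a constructed script block; the patterns, the threshold and both sample scripts are assumptions.

```python
# Added example (not from the MITRE evaluation or from FireEye): indicator
# matching over PowerShell script-block content for the discovery expressions
# of steps 4.C.1-4.C.12 and the collection expressions of steps 7.A.1-7.A.3.
import re

# (technique id as listed on the page, constructed regex for its indicator)
INDICATORS = [
    ("T1033", r"\$env:USERNAME\b"),
    ("T1082", r"\$env:COMPUTERNAME\b|Win32_OperatingSystem"),
    ("T1016", r"\$env:USERDOMAIN\b"),
    ("T1083", r"\$env:TEMP\b|Get-ChildItem|\bgci\b"),
    ("T1057", r"\$PID\b|Get-Process"),
    ("T1063", r"-Class\s+(?:AntiVirusProduct|FireWallProduct)|root\\SecurityCenter2"),
    ("T1069", r"NetUserGet(?:Local)?Groups"),
    ("T1106", r"Netapi32\.dll|Add-Type|DllImport"),
    ("T1113", r"CopyFromScreen|System\.Drawing"),
    ("T1115", r"Get-Clipboard|Clipboard\]::GetText"),
    ("T1056", r"GetAsyncKeyState|user32\.dll"),
]
COMPILED = [(tid, re.compile(pattern, re.I)) for tid, pattern in INDICATORS]
COLLECTION = {"T1113", "T1115", "T1056"}


def match_script(script: str) -> dict:
    """Map each technique id to the sorted set of indicator strings found."""
    found = {}
    for tid, rx in COMPILED:
        matches = sorted({m.group(0) for m in rx.finditer(script)})
        if matches:
            found[tid] = matches
    return found


def score(script: str, min_techniques: int = 3) -> dict:
    """Alert when several discovery techniques co-occur, or when any collection
    technique (screen, clipboard, keystrokes) appears at all."""
    found = match_script(script)
    collection = set(found) & COLLECTION
    return {"techniques": found,
            "alert": len(found) >= min_techniques or bool(collection)}


# Constructed script block modeled on the expressions listed for steps 4.C and 7.A.
SAMPLE_SCRIPT = r"""
$t = $env:TEMP; $u = $env:USERNAME; $h = $env:COMPUTERNAME; $d = $env:USERDOMAIN; $p = $PID
$os = Gwmi Win32_OperatingSystem
$av = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
$fw = Get-WmiObject -Namespace root\SecurityCenter2 -Class FireWallProduct
Add-Type -MemberDefinition '[DllImport("netapi32.dll")] public static extern int NetUserGetGroups(...);' -Name N -Namespace W
$gfx.CopyFromScreen(0, 0, 0, 0, $bmp.Size)
Get-Clipboard | Out-File $t\clip.txt
"""
# Constructed benign script: two lookups, no collection.
BENIGN_SCRIPT = r"""
Write-Host "Logged in as $env:USERNAME on $env:COMPUTERNAME"
"""

if __name__ == "__main__":
    print(score(SAMPLE_SCRIPT))
    print(score(BENIGN_SCRIPT))
```

Script block logging is the data source that makes this workable, because the command line for every one of these steps is just powershell.exe; the telemetry entries above say "powershell.exe executing ..." precisely because the vendor had the block content, not only the process creation.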
7.B.1
Read data in the user's Downloads directory using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\Downloads\
Data from Local System
(T1005)
None
No detection capability demonstrated for this procedure.
7.B.2
Compressed data from the user's Downloads directory into a 7-Zip archive (OfficeSupplies.7z) using PowerShell
Criteria: powershell.exe creating the file OfficeSupplies.7z
Data Compressed
(T1002)
Technique (Alert)
A Technique alert detection called "7-Zip Archive Created" was generated due to a 7-Zip file being written to disk. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of the file create of OfficeSupplies.7z. [1] [2]
Telemetry (Correlated)
Telemetry showed the file write event for OfficeSupplies.7z. This detection was correlated to a parent alert on the parent PowerShell process. [1]
7.B.3
Encrypted data from the user's Downloads directory using PowerShell
Criteria: powershell.exe executing Compress-7Zip with the password argument used for encryption
Data Encrypted
(T1022)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence Invoke-Exfil was used to compress and encrypt data for exfiltration. [1]
Telemetry
Telemetry showed powershell.exe executing Compress-7Zip with arguments for encryption. [1]
7.B.4
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria: powershell.exe executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)
Exfiltration Over Alternative Protocol
(T1048)
Technique (Alert)
A Technique alert detection called "WebDav Network Request" was generated due to a WebDav user-agent being used to PUT OfficeSupplies.7z on a WebDav network share. [1]
General (Alert)
A General alert detection was generated for the file write of OfficeSupplies.7z to a remote adversary WebDav network share (192.168.0.4). [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of OfficeSupplies.7z being uploaded to 192.168.0.4 using WebDav. [1]
Telemetry
Telemetry showed PowerShell Copy-Item to a remote adversary WebDAV network share (192.168.0.4). Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
8.A.1
Enumerated remote systems using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Remote System Discovery
(T1018)
General (Alert)
A General alert detection was generated for LDAP connection from Nashua (10.0.1.6) to NewYork (10.0.0.4) over port 389. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell being used to enumerate Active Directory hosts. [1]
Telemetry
Telemetry showed powershell.exe establishing a connection to NewYork (10.0.0.4) over TCP port 389. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
8.A.2
Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria: Network connection to Scranton (10.0.1.4) over port 5985
Windows Remote Management
(T1028)
Technique (Alert)
A Technique alert detection called "WinRM Network Connection" was generated due to a connection to remote host Scranton (10.0.1.4) over port 5985. [1]
General (Alert)
A General alert detection was generated for PowerShell making a URL request, which contained indications the network connection was using WinRM. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the WinRM connection to remote host Scranton (10.0.1.4) over port 5985. [1] [2]
Telemetry
Telemetry showed a connection to Scranton (10.0.1.4) over port 5985. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
8.A.3
Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria: powershell.exe executing Get-Process
Process Discovery
(T1057)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing Get-Process. [1]
Telemetry
Telemetry showed powershell.exe executing Get-Process. [1]
8.B.1
Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria: The file python.exe created on Scranton (10.0.1.4)
Remote File Copy
(T1105)
Technique (Alert)
A Technique alert detection called "File Write to Network Share" was generated due to a file write event for python.exe to a remote network share. [1]
Technique (Alert)
A Technique alert detection called "WebDav Network Request" was generated due to a WebDav user-agent used to GET python.exe from a WebDav network share. [1]
General (Alert)
A General alert detection was generated for classifying python.exe as malware, which also showed it was written by PowerShell to a remote network share. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection showed the file write event of python.exe. [1]
Telemetry
Telemetry showed the file write event of python.exe. [1]
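On the wire, the upload in 7.B.4 and the download in 8.B.1 look alike: the Windows WebDAV redirector identifies itself with a Microsoft-WebDAV-MiniRedir user agent, and what separates them is PUT versus GET and the type of file moved. The "WebDav Network Request" alerts above key on exactly that user agent. As an added example that is not from the page or from FireEye, the Python below parses a constructed tab-separated HTTP log, skips malformed lines, and applies upload, download and unapproved-host rules. The log format, the addresses and the allowlist are assumptions.

```python
# Added example (not from the MITRE evaluation or from FireEye): WebDAV transfer
# rules over HTTP log lines, for the upload in step 7.B.4 and the tool download
# in step 8.B.1. The log format and all addresses below are constructed.

FIELDS = ["ts", "src", "dst", "method", "host", "uri", "user_agent", "status"]
WEBDAV_UA_PREFIX = "microsoft-webdav-miniredir"   # Windows WebDAV redirector
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".tar", ".gz", ".cab")
EXEC_EXT = (".exe", ".dll", ".scr", ".ps1", ".bat", ".msi")
APPROVED_WEBDAV_HOSTS = {"files.corp.local"}      # constructed allowlist

R_UPLOAD = "Archive uploaded over WebDAV to an unapproved host"
R_DOWNLOAD = "Executable fetched over WebDAV from an unapproved host"
R_UNAPPROVED = "WebDAV client traffic to an unapproved host"


def parse(log: str) -> list:
    """Tab-separated rows; comment lines and lines with the wrong field count are skipped."""
    rows = []
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed: skip rather than crash the pipeline
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def detect(rows: list) -> list:
    """Return (ts, rule, detail) tuples; the unapproved-host rule fires once per src/host pair."""
    hits, seen = [], set()
    for r in rows:
        if not r["user_agent"].lower().startswith(WEBDAV_UA_PREFIX):
            continue
        host = r["host"].lower()
        if host in APPROVED_WEBDAV_HOSTS:
            continue
        uri, method = r["uri"].lower(), r["method"].upper()
        key = (r["src"], host)
        if method == "PUT" and uri.endswith(ARCHIVE_EXT) and r["status"].startswith("2"):
            hits.append((r["ts"], R_UPLOAD, f"{r['src']} -> {host}{r['uri']}"))
        elif method == "GET" and uri.endswith(EXEC_EXT) and r["status"] == "200":
            hits.append((r["ts"], R_DOWNLOAD, f"{host}{r['uri']} -> {r['src']}"))
        elif key not in seen:
            hits.append((r["ts"], R_UNAPPROVED, f"{method} {host}{r['uri']}"))
        seen.add(key)
    return hits


# Constructed sample log (TEST-NET and RFC 1918 addresses only).
SAMPLE_LOG = "\n".join([
    "#ts\tsrc\tdst\tmethod\thost\turi\tuser_agent\tstatus",
    "2020-03-01T12:00:00Z\t10.0.1.6\t192.168.0.4\tPROPFIND\t192.168.0.4\t/share/\tMicrosoft-WebDAV-MiniRedir/10.0.18362\t207",
    "2020-03-01T12:00:01Z\t10.0.1.6\t192.168.0.4\tPUT\t192.168.0.4\t/share/OfficeSupplies.7z\tMicrosoft-WebDAV-MiniRedir/10.0.18362\t201",
    "2020-03-01T12:30:00Z\t10.0.1.6\t192.168.0.4\tGET\t192.168.0.4\t/tools/python.exe\tMicrosoft-WebDAV-MiniRedir/10.0.18362\t200",
    "2020-03-01T12:31:00Z\t10.0.1.6\t10.0.0.20\tPUT\tfiles.corp.local\t/dav/report.docx\tMicrosoft-WebDAV-MiniRedir/10.0.18362\t201",
    "2020-03-01T12:32:00Z\t10.0.1.6\t203.0.113.10\tGET\twww.example.com\t/index.html\tMozilla/5.0\t200",
    "this line is malformed",
])

if __name__ == "__main__":
    for hit in detect(parse(SAMPLE_LOG)):
        print(hit)
```

On the endpoint the same transfer appears as a file write to a UNC path on the remote share, which is what the General alert in 7.B.4 and the "File Write to Network Share" alert in 8.B.1 describe; the network view adds the direction and the host, and a per-host allowlist is what keeps legitimate WebDAV (SharePoint, internal file services) from paging anyone.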
8.B.2
python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed
Software Packing
(T1045)
MSSP (Delayed (Manual))
An MSSP detection was generated containing evidence of observed UPX packing on a Python payload. [1]
Telemetry
Telemetry showed that python.exe had entropy, indicating the file was packed. [1]
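The telemetry note above reports entropy as the packing evidence. As an added example (not the page's or FireEye's code), the Python below computes Shannon entropy per byte and combines it with a PE header check and UPX's default section names. The byte strings are constructed stand-ins, not real PE files, and the threshold is an assumption.

```python
# Added example (not from the MITRE evaluation or from FireEye): the entropy
# and marker checks behind "python.exe had entropy, indicating the file was
# packed" in step 8.B.2. The sample byte strings are constructed.
import math
import random

UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX2", b"UPX!")  # default UPX section names and tag
HIGH_ENTROPY = 7.2  # bits per byte; ordinary code and text sit well below this


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess(data: bytes) -> dict:
    """Combine a PE check, whole-file entropy and UPX section-name markers."""
    is_pe = data[:2] == b"MZ"
    ent = shannon_entropy(data)
    markers = [m.decode() for m in UPX_MARKERS if m in data]
    return {"is_pe": is_pe, "entropy": round(ent, 2), "upx_markers": markers,
            "likely_packed": is_pe and (ent >= HIGH_ENTROPY or bool(markers))}


def constructed_samples() -> dict:
    """Deterministic stand-ins: a 'packed' image (MZ, UPX names, random bytes)
    and a 'plain' image (MZ followed by repetitive text)."""
    rng = random.Random(1)
    packed = (b"MZ" + b"\x00" * 62 + b"UPX0" + b"UPX1"
              + bytes(rng.getrandbits(8) for _ in range(8192)))
    plain = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n" * 200
    return {"packed": packed, "plain": plain}


if __name__ == "__main__":
    for label, blob in constructed_samples().items():
        print(label, assess(blob))
```

Whole-file entropy is a coarse signal: a legitimately signed installer with compressed resources scores high too, and a packer can rename its sections, so treat this as an indicator to pivot on (per-section entropy, import table size, signature status) rather than a verdict.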
8.C.1
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)
Valid Accounts
(T1078)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of the successful logon of Pam on Scranton (10.0.1.4). [1] [2]
Telemetry
Telemetry showed an account logged on to Scranton (10.0.1.4) as user Pam. [1]
8.C.2
Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Windows Admin Shares
(T1077)
General (Alert)
A General alert detection was generated for network traffic from Nashua (10.0.1.6) to Scranton (10.0.1.4) over a port associated with DCOM RPC traffic. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 445. [1]
Telemetry
Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 445. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
8.C.3
Executed python.exe using PsExec
Criteria: python.exe spawned by PSEXESVC.exe
Service Execution
(T1035)
Technique (Alert)
A Technique alert detection called "PsExec Execution" was generated due to PSEXESVC.exe spawning the child process python.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of python.exe being spawned by PSEXESVC.exe. [1] [2]
Telemetry
Telemetry showed python.exe spawned by PSEXESVC.exe. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
9.A.1
Dropped rar.exe to disk on remote host Scranton (10.0.1.4) python.exe creating the file rar.exe
Remote File Copy
(T1105)
General (Alert, Configuration Change (Detections))
A General alert detection called "Temp Directory PE Write" was generated due to python.exe writing rar.exe to C:\Windows\Temp. The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for python.exe creating rar.exe. [1]
Telemetry
Telemetry showed file write event for python.exe creating rar.exe. [1]
9.A.2
Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4) python.exe creating the file sdelete64.exe
Remote File Copy
(T1105)
General (Alert, Configuration Change (Detections))
A General alert detection called "Temp Directory PE Write" was generated due to python.exe writing sdelete64.exe to C:\Windows\Temp. The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for python.exe creating sdelete64.exe. [1]
Telemetry
Telemetry showed a file write event for python.exe creating sdelete64.exe. [1]
9.B.1
Spawned interactive powershell.exe powershell.exe spawning from python.exe
PowerShell
(T1086)
Technique (Alert)
A Technique alert detection called "PowerShell Execution" was generated due to python.exe spawning powershell.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for python.exe executing powershell.exe. [1]
Telemetry (Correlated)
Telemetry showed python.exe executing powershell.exe. This event was correlated to a prior detection for the python.exe process. [1]
9.B.2
Searched filesystem for document and media files using PowerShell powershell.exe executing (Get-)ChildItem
File and Directory Discovery
(T1083)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing ChildItem. [1]
Telemetry
Telemetry showed powershell.exe executing ChildItem. [1]
9.B.3
Scripted search of filesystem for document and media files using PowerShell powershell.exe executing (Get-)ChildItem
Automated Collection
(T1119)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing ChildItem. [1]
Telemetry
Telemetry showed powershell.exe executing ChildItem. [1]
9.B.4
Recursively collected files found in C:\Users\Pam\ using PowerShell powershell.exe reading files in C:\Users\Pam\
Data from Local System
(T1005)
None
No detection capability demonstrated for this procedure.
9.B.5
Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell powershell.exe creating the file working.zip
Data Staged
(T1074)
Technique (Alert)
A Technique alert detection called "ZIP Archive Created" "T1074" was generated due to the file creation of the ZIP file working.zip. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection occurred for the file creation of working.zip. [1]
Telemetry
Telemetry showed a file create event for working.zip. The logic for this detection was enabled after the start of the evaluation so the detection is identified as a Detection Configuration Change.
9.B.6
Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe powershell.exe executing rar.exe with the -hp parameter for a password to use for encryption
Data Encrypted
(T1022)
Technique (Alert)
A Technique alert detection called "Encrypted RAR Archive Command" "T1022" was generated when rar.exe used "-hp" command-line arguments. [1]
MSSP (Delayed (Manual))
An MSSP detection contained evidence of execution of rar.exe with command line arguments to encrypt working.zip. [1]
Telemetry
Telemetry showed powershell.exe executing rar.exe with command-line arguments. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
9.B.7
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe powershell.exe executing rar.exe
Data Compressed
(T1002)
Technique (Alert)
A Technique alert detection called "Rar Execution" "T1002" was generated when powershell.exe executed rar.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection contained evidence of execution of rar.exe with command line arguments to compress working.zip. [1]
Telemetry
Telemetry showed powershell.exe executing rar.exe with command-line arguments. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
9.B.8
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443) python.exe reading the file working.zip while connected to the C2 channel
Exfiltration Over Command and Control Channel
(T1041)
None
No detection capability demonstrated for this procedure.
9.C.1
Deleted rar.exe on disk using SDelete sdelete64.exe deleting the file rar.exe
File Deletion
(T1107)
Technique (Alert)
A Technique alert detection called "Sdelete Command Execution T1107" was generated when sdelete64.exe with command-line arguments was used to delete rar.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the file deletion of rar.exe. [1]
Telemetry
Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
9.C.2
Deleted working.zip (from Desktop) on disk using SDelete sdelete64.exe deleting the file \Desktop\working.zip
File Deletion
(T1107)
Technique (Alert)
A Technique alert detection called "Sdelete Command Execution T1107" was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the file deletion of Desktop\working.zip. [1]
Telemetry
Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
9.C.3
Deleted working.zip (from AppData directory) on disk using SDelete sdelete64.exe deleting the file \AppData\Roaming\working.zip
File Deletion
(T1107)
Technique (Alert)
A Technique alert detection called "Sdelete Command Execution T1107" was generated when sdelete64.exe with command-line arguments was used to delete Roaming\working.zip. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the file deletion of Roaming\working.zip. [1]
Telemetry (Correlated)
Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. This event was correlated to a prior detection on the python.exe parent process. [1]
9.C.4
Deleted SDelete on disk using cmd.exe del command cmd.exe deleting the file sdelete64.exe
File Deletion
(T1107)
None
No detection capability demonstrated for this procedure.
10.A.1
Executed persistent service (javamtsup) on system startup javamtsup.exe spawning from services.exe
Service Execution
(T1035)
None
No detection capability demonstrated for this procedure.
10.B.1
Executed LNK payload (hostui.lnk) in Startup Folder on user login Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Registry Run Keys / Startup Folder
(T1060)
None
No detection capability demonstrated for this procedure, though execution of hostui.bat was observed. [1] [2]
10.B.2
Executed PowerShell payload via the CreateProcessWithToken API hostui.exe executing the CreateProcessWithToken API
Execution through API
(T1106)
None
No detection capability demonstrated for this procedure.
10.B.3
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Access Token Manipulation
(T1134)
None
No detection capability demonstrated for this procedure.
11.A.1
User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk powershell.exe spawning from explorer.exe
User Execution
(T1204)
MSSP (Delayed (Manual))
An MSSP detection was generated containing evidence that user Oscar executed 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk. [1]
Telemetry
Telemetry showed explorer.exe executing powershell.exe. [1]
11.A.2
Executed an alternate data stream (ADS) using PowerShell powershell.exe executing the schemas ADS via Get-Content and IEX
NTFS File Attributes
(T1096)
Technique (Alert)
A Technique alert detection called "ADS Code Exec (Methodology)" was generated due to PowerShell's use of command-line arguments associated with executing alternate data streams. [1]
General (Alert)
A General alert detection was generated for suspicious usage of PowerShell's Get-Content command. [1]
MSSP (Delayed (Manual))
An MSSP detection contained evidence of PowerShell executing schemas ADS via Get-Content and IEX. [1]
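The parent-process and command-line checks that the Technique alerts at 8.C.3, 9.B.1, 9.B.6, 9.B.7, 9.C.1 through 9.C.3 and 11.A.2 describe, run over constructed process-creation events, as an added example that is not the vendor's detection logic and not code from the evaluation. The rule names reuse the alert names quoted on this page; the regexes, process IDs, file paths, host file for the schemas stream and the rar password are this example's own assumptions. It also reproduces the page's "Correlated" modifier by walking each event's parent chain for an earlier detection.

```python
import re

# Detection rules in the spirit of the alert names quoted on this page. Each
# entry: (alert name, technique ID as numbered on this page, parent image
# regex, image regex, regexes that must ALL match the command line).
# None means "any". The patterns are this example's own, not the vendor's.
RULES = [
    ("PsExec Execution", "T1035", r"\\psexesvc\.exe$", None, ()),
    ("PowerShell Execution", "T1086", r"\\python\.exe$", r"\\powershell\.exe$", ()),
    ("Rar Execution", "T1002", None, r"\\rar\.exe$", ()),
    # -hp encrypts headers and data, -p data only; both carry the password inline.
    ("Encrypted RAR Archive Command", "T1022", None, r"\\rar\.exe$", (r"(^|\s)-h?p\S+",)),
    ("Sdelete Command Execution", "T1107", None, r"\\sdelete(64)?\.exe$", ()),
    # Reading an alternate data stream and feeding it to Invoke-Expression.
    ("ADS Code Exec (Methodology)", "T1096", None, r"\\powershell\.exe$",
     (r"\bget-content\b", r"-stream\s+\S+", r"\b(iex|invoke-expression)\b")),
]


def _match(pattern, text):
    return pattern is None or re.search(pattern, text, re.IGNORECASE) is not None


def match_rules(event):
    """Return [(alert name, technique ID)] for every rule the event satisfies."""
    hits = []
    for name, tid, parent_re, image_re, cmd_res in RULES:
        if not _match(parent_re, event["parent"]):
            continue
        if not _match(image_re, event["image"]):
            continue
        if not all(_match(r, event["cmdline"]) for r in cmd_res):
            continue
        hits.append((name, tid))
    return hits


def run_detections(events):
    """Evaluate events in order. An event whose parent chain already produced
    an alert is tagged with that ancestor's pid (the page's 'Correlated')."""
    seen = {}  # pid -> (ppid, alerts)
    results = []
    for ev in events:
        alerts = match_rules(ev)
        correlated_to = None
        ppid, visited = ev["ppid"], set()
        while ppid in seen and ppid not in visited:
            visited.add(ppid)
            if seen[ppid][1]:
                correlated_to = ppid
                break
            ppid = seen[ppid][0]
        seen[ev["pid"]] = (ev["ppid"], alerts)
        results.append({"pid": ev["pid"], "image": ev["image"],
                        "alerts": alerts, "correlated_to": correlated_to})
    return results


def _ev(pid, ppid, parent, image, cmdline):
    return {"pid": pid, "ppid": ppid, "parent": parent, "image": image, "cmdline": cmdline}


# Constructed events modelled on the steps above (pids, paths and password invented).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    _ev(100, 1, r"C:\Windows\System32\services.exe", r"C:\Windows\PSEXESVC.exe",
        r"C:\Windows\PSEXESVC.exe"),
    _ev(200, 100, r"C:\Windows\PSEXESVC.exe", r"C:\Windows\Temp\python.exe",          # 8.C.3
        r"C:\Windows\Temp\python.exe"),
    _ev(300, 200, r"C:\Windows\Temp\python.exe", PS, "powershell.exe -noni -noexit"),  # 9.B.1
    _ev(400, 300, PS, r"C:\Windows\Temp\rar.exe",                                      # 9.B.6 / 9.B.7
        r"rar.exe a -r -hpExamplePass C:\Users\Pam\Desktop\working.zip C:\Users\Pam\AppData\Roaming\working.zip"),
    _ev(500, 300, PS, r"C:\Windows\Temp\sdelete64.exe",                                # 9.C.1
        r"sdelete64.exe -accepteula C:\Windows\Temp\rar.exe"),
    _ev(600, 1, r"C:\Windows\explorer.exe", PS,                                        # 11.A.2
        r'powershell.exe -c "IEX (Get-Content -Path C:\Users\Oscar\AppData\Roaming\host.txt -Stream schemas)"'),
    _ev(700, 1, r"C:\Windows\explorer.exe", PS,                                        # benign control
        r"powershell.exe Get-Content C:\Users\Pam\notes.txt"),
]

if __name__ == "__main__":
    for r in run_detections(SAMPLE_EVENTS):
        print(r["pid"], r["image"].rsplit("\\", 1)[-1], r["alerts"], "correlated_to=", r["correlated_to"])
```

On a real endpoint these fields come from Sysmon event ID 1 or Windows security event 4688 with parent image and command line enabled; without the parent field the PsExec and python-to-PowerShell rules cannot fire at all, which is the first thing to check when such an alert is missing. The ADS rule is the brittle one: PowerShell accepts any unambiguous parameter prefix, so `-Str` works as well as `-Stream`, and `iex` can be replaced by `& ([scriptblock]::Create(...))`. That is why the page's MSSP and telemetry rows, which record the Get-Content and IEX invocation rather than a fixed string, are the more durable evidence.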
11.A.3
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell powershell.exe executing a Get-WmiObject query for Win32_BIOS
Virtualization/Sandbox Evasion
(T1497)
MSSP (Delayed (Manual))