
Malwarebytes: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.


MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, MSSP, General, Tactic, Specific Behavior, Technique, Enrichment

Detection Modifiers: Tainted, Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative
Procedures Criteria
Technique
Detection Type Detection Notes
1.A.1
User Pam executed payload rcs.3aka3.doc The rcs.3aka3.doc process spawning from explorer.exe
User Execution
(T1204)
Telemetry (Configuration Change (Detections))
Telemetry showed explorer.exe executing rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
1.A.2
Used unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr) Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process ​OR the original filename (cod.3aka.scr)
Masquerading
(T1036)
Technique (Alert, Configuration Change (Detections))
A Technique alert detection (medium severity) for Masquerading was generated due to rcs.3aka.doc having a .doc extension but running as an executable. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
1.A.3
Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234 Established network channel over port 1234
Uncommonly Used Port
(T1065)
None
No detection capability demonstrated for this procedure. Network data collection was not active at the time of the evaluation due to ongoing product enhancements.
1.A.4
Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic Evidence that the network data sent over the C2 channel is encrypted
Standard Cryptographic Protocol
(T1032)
None
No detection capability demonstrated for this procedure. Network data collection was not active at the time of the evaluation due to ongoing product enhancements.
1.B.1
Spawned interactive cmd.exe cmd.exe spawning from the rcs.3aka3.doc​ process
Command-Line Interface
(T1059)
Telemetry (Correlated, Configuration Change (Detections))
Telemetry showed cmd.exe spawning from rcs.3aka3.doc​. The telemetry was correlated to a parent detection for Masquerading for rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
1.B.2
Spawned interactive powershell.exe powershell.exe spawning from cmd.exe
PowerShell
(T1086)
Telemetry (Correlated, Configuration Change (Detections))
Telemetry showed powershell.exe spawning from cmd.exe. The telemetry was correlated to a parent detection for Masquerading for rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
2.A.1
Searched filesystem for document and media files using PowerShell  powershell.exe executing (Get-)ChildItem
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure.
2.A.2
Scripted search of filesystem for document and media files using PowerShell  powershell.exe executing (Get-)ChildItem
Automated Collection
(T1119)
None
No detection capability demonstrated for this procedure.
2.A.3
Recursively collected files found in C:\Users\Pam\ using PowerShell powershell.exe reading files in C:\Users\Pam\
Data from Local System
(T1005)
None
No detection capability demonstrated for this procedure.
2.A.4
Compressed and stored files into ZIP (Draft.zip) using PowerShell powershell.exe executing Compress-Archive
Data Compressed
(T1002)
Telemetry (Correlated, Configuration Change (Detections))
Telemetry showed PowerShell creating a compressed archive. The event was correlated to a parent Technique detection for Masquerading on rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. Exiting event details shows correlation of detections. [1]
2.A.5
Staged files for exfiltration into ZIP (Draft.zip) using PowerShell powershell.exe creating the file draft.zip
Data Staged
(T1074)
Technique (Alert, Correlated, Configuration Change (Detections))
A Technique alert detection (low severity) for Data Staged was generated due the creation of Draft.Zip. The event was correlated to a parent technique detection for Masquerading for rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. Exiting event details shows correlation of detections. [1]
2.B.1
Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234) The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Exfiltration Over Command and Control Channel
(T1041)
None
No detection capability demonstrated for this procedure. Network data collection was not active at the time of the evaluation due to ongoing product enhancements.
3.A.1
Dropped stage 2 payload (monkey.png) to disk The rcs.3aka3.doc process creating the file monkey.png
Remote File Copy
(T1105)
Telemetry (Correlated, Configuration Change (Detections))
Telemetry showed rcs.3aka3.doc writing monkey.png. The event was correlated to a parent technique detection for Masquerading for rcs.3aka3.doc. Expanding technique detection for Masquerading for rcs.3aka3.doc shows file write of monkey.png. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
3.A.2
Embedded PowerShell payload in monkey.png using steganography Evidence that a PowerShell payload was within monkey.png
Obfuscated Files or Information
(T1027)
Telemetry (Correlated)
Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. The event was correlated to a parent technique detection for Masquerading for rcs.3aka3.doc. [1]
3.B.1
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell Addition of the DelegateExecute ​subkey in ​HKCU\Software\Classes\Folder\shell\open\​​command​​
Component Object Model Hijacking
(T1122)
None
No detection capability demonstrated for this procedure.
3.B.2
Executed elevated PowerShell payload High integrity powershell.exe spawning from control.exe​​ (spawned from sdclt.exe)
Bypass User Account Control
(T1088)
None
No detection capability demonstrated for this procedure.
3.B.3
Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443 Established network channel over port 443
Commonly Used Port
(T1043)
None
No detection capability demonstrated for this procedure. Network data collection was not active at the time of the evaluation due to ongoing product enhancements.
3.B.4
Used HTTPS to transport C2 (192.168.0.5) traffic Evidence that the network data sent over the C2 channel is HTTPS
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure. Network data collection was not active at the time of the evaluation due to ongoing product enhancements.
3.B.5
Used HTTPS to encrypt C2 (192.168.0.5) traffic Evidence that the network data sent over the C2 channel is encrypted
Standard Cryptographic Protocol
(T1032)
None
No detection capability demonstrated for this procedure. Network data collection was not active at the time of the evaluation due to ongoing product enhancements.
3.C.1
Modified the Registry to remove artifacts of COM hijacking Deletion of of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Modify Registry
(T1112)
None
No detection capability demonstrated for this procedure.
4.A.1
Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5) powershell.exe creating the file SysinternalsSuite.zip
Remote File Copy
(T1105)
General (Alert, Configuration Change (Detections))
A General alert detection (low severity) was generated due to PowerShell creating a compressed archive. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
Telemetry (Correlated, Configuration Change (Detections))
Telemetry showed the file write of the ZIP by PowerShell. The detection was correlated to a parent Technique detection for Masquerading for rcs.3aka3.doc. Exiting event details shows correlation of detections. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
4.A.2
Spawned interactive powershell.exe powershell.exe spawning from powershell.exe
PowerShell
(T1086)
Telemetry (Correlated, Configuration Change (Detections))
Telemetry showed a new powershell.exe spawning from powershell.exe. The detection was correlated to a parent technique detection for Masquerading for rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
4.A.3
Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell powershell.exe executing Expand-Archive
Deobfuscate/Decode Files or Information
(T1140)
Telemetry (Correlated, Configuration Change (Detections))
Telemetry showed PowerShell writing the files that were decompressed from the ZIP. The detection was correlated to a parent technique detection for Masquerading for rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. Exiting event details shows correlation of detections. [1]
4.B.1
Enumerated current running processes using PowerShell powershell.exe executing Get-Process
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure.
4.B.2
Deleted rcs.3aka3.doc on disk using SDelete sdelete64.exe deleting the file rcs.3aka3.doc
File Deletion
(T1107)
Technique (Alert, Correlated, Configuration Change (Detections))
A Technique alert detection (low severity) for File Deletion was generated due to sdelete.exe deleting ?cod.3aka3.scr. The event was correlated to a parent technique detection for Masquerading for rcs.3aka3.doc. Exiting event details shows correlation of detections. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
Telemetry (Correlated, Configuration Change (Detections))
Telemetry showed sdelete.exe running with command-line arguments to delete the file. The detection was correlated to a parent technique detection for Masquerading for rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
4.B.3
Deleted Draft.zip on disk using SDelete sdelete64.exe deleting the file draft.zip
File Deletion
(T1107)
Technique (Correlated, Alert, Configuration Change (Detections))
A Technique alert detection (low severity) for File Deletion was generated due to sdelete.exe deleting Draft.Zip. The event was correlated to a parent technique detection for Masquerading for rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. Exiting event details shows correlation of detections. [1]
Telemetry (Correlated, Configuration Change (Detections))
Telemetry showed sdelete.exe running with command-line arguments to delete the file. The detection was correlated to a parent technique detection for Masquerading for rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
4.B.4
Deleted SysinternalsSuite.zip on disk using SDelete sdelete64.exe deleting the file SysinternalsSuite.zip
File Deletion
(T1107)
Technique (Correlated, Alert, Configuration Change (Detections))
A Technique alert detection (low severity) for File Deletion was generated due to sdelete.exe deleting SysinternalsSuite.zip. The event was correlated to a parent technique detection for Masquerading for rcs.3aka3.doc. Exiting event details shows correlation of detections. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
Telemetry (Correlated, Configuration Change (Detections))
Telemetry showed sdelete.exe running with command-line arguments to delete the file . The detection was correlated to a parent technique detection for Masquerading for rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
4.C.1
Enumerated user's temporary directory path using PowerShell powershell.exe executing $env:TEMP
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure.
4.C.2
Enumerated the current username using PowerShell powershell.exe executing $env:USERNAME
System Owner/User Discovery
(T1033)
None
No detection capability demonstrated for this procedure.
4.C.3
Enumerated the computer hostname using PowerShell powershell.exe executing $env:COMPUTERNAME
System Information Discovery
(T1082)
None
No detection capability demonstrated for this procedure.
4.C.4
Enumerated the current domain name using PowerShell powershell.exe executing $env:USERDOMAIN
System Network Configuration Discovery
(T1016)
None
No detection capability demonstrated for this procedure.
4.C.5
Enumerated the current process ID using PowerShell powershell.exe executing $PID
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure.
4.C.6
Enumerated the OS version using PowerShell powershell.exe executing​ Gwmi Win32_OperatingSystem
System Information Discovery
(T1082)
None
No detection capability demonstrated for this procedure.
4.C.7
Enumerated anti-virus software using PowerShell powershell.exe executing​ Get-WmiObject ...​ -Class AntiVirusProduct
Security Software Discovery
(T1063)
None
No detection capability demonstrated for this procedure.
4.C.8
Enumerated firewall software using PowerShell powershell.exe executing Get-WmiObject ...​​ -Class FireWallProduct
Security Software Discovery
(T1063)
None
No detection capability demonstrated for this procedure.
4.C.9
Enumerated user's domain group membership via the NetUserGetGroups API powershell.exe executing the NetUserGetGroups API
Permission Groups Discovery
(T1069)
None
No detection capability demonstrated for this procedure.
4.C.10
Executed API call by reflectively loading Netapi32.dll The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Execution through API
(T1106)
None
No detection capability demonstrated for this procedure.
4.C.11
Enumerated user's local group membership via the NetUserGetLocalGroups API powershell.exe executing the NetUserGetLocalGroups API
Permission Groups Discovery
(T1069)
None
No detection capability demonstrated for this procedure.
4.C.12
Executed API call by reflectively loading Netapi32.dll The NetUserGetLocalGroups API function loaded into powershelle.exe from Netapi32.dll
Execution through API
(T1106)
None
No detection capability demonstrated for this procedure.
5.A.1
Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup powershell.exe creating the Javamtsup service
New Service
(T1050)
None
No detection capability demonstrated for this procedure.
5.B.1
Created a LNK file (hostui.lnk) in the Startup folder that executes on login powershell.exe creating the file hostui.lnk in the Startup folder
Registry Run Keys / Startup Folder
(T1060)
Technique (Alert, Correlated, Configuration Change (Detections))
A Technique alert detection (medium severity) for Registry Run Keys/Startup Folder was generated due to the creation of hostui.lnk in the StartUp folder. The event was correlated to a parent Technique detection for masquerading for rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1] [2]
6.A.1
Read the Chrome SQL database file to extract encrypted credentials accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Credentials in Files
(T1081)
None
No detection capability demonstrated for this procedure.
6.A.2
Executed the CryptUnprotectedData API call to decrypt Chrome passwords accesschk.exe executing the CryptUnprotectedData API
Credential Dumping
(T1003)
None
No detection capability demonstrated for this procedure.
6.A.3
Masqueraded a Chrome password dump tool as accesscheck.exe, a legitimate Sysinternals tool Evidence that accesschk.exe is not the legitimate Sysinternals tool
Masquerading
(T1036)
Telemetry (Correlated, Configuration Change (Detections))
Telemetry showed hash of accesschk.exe, which can be used to verify it is not the legitimate Sysinternals tool. The event was correlated to a parent Technique detection for Masquerading for rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
6.B.1
Exported a local certificate to a PFX file using PowerShell powershell.exe creating a certificate file exported from the system
Private Keys
(T1145)
Telemetry (Correlated, Configuration Change (Detections))
Telemetry showed file create event for a $RandomFileName.pfx file by powershell.exe. The event was correlated to a parent Technique detection for Masquerading on rcs.3aka3.doc. Exiting event details shows correlation of detections. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
6.C.1
Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Credential Dumping
(T1003)
None
No detection capability demonstrated for this procedure.
7.A.1
Captured and saved screenshots using PowerShell powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Screen Capture
(T1113)
None
No detection capability demonstrated for this procedure.
7.A.2
Captured clipboard contents using PowerShell powershell.exe executing Get-Clipboard
Clipboard Data
(T1115)
None
No detection capability demonstrated for this procedure.
7.A.3
Captured user keystrokes using the GetAsyncKeyState API powershell.exe executing the GetAsyncKeyState API
Input Capture
(T1056)
None
No detection capability demonstrated for this procedure.
7.B.1
Read data in the user's Downloads directory using PowerShell powershell.exe reading files in C:\Users\pam\Downloads\
Data from Local System
(T1005)
None
No detection capability demonstrated for this procedure.
7.B.2
Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell powershell.exe creating the file OfficeSupplies.7z
Data Compressed
(T1002)
Telemetry (Correlated, Configuration Change (Detections))
Telemetry showed the file create event for OfficeSupplies.7z. The event was correlated to a parent technique detection for Masquerading for rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. Exiting event details shows correlation of detections. [1]
7.B.3
Encrypted data from the user's Downloads directory using PowerShell powershell.exe executing Compress-7Zip with the password argument used for encryption
Data Encrypted
(T1022)
None
No detection capability demonstrated for this procedure.
7.B.4
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)
Exfiltration Over Alternative Protocol
(T1048)
None
No detection capability demonstrated for this procedure. Network data collection was not active at the time of the evaluation due to ongoing product enhancements.
8.A.1
Enumerated remote systems using LDAP queries powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Remote System Discovery
(T1018)
None
No detection capability demonstrated for this procedure.
8.A.2
Established WinRM connection to remote host Scranton (10.0.1.4) Network connection to Scranton (10.0.1.4) over port 5985
Windows Remote Management
(T1028)
None
No detection capability demonstrated for this procedure.
8.A.3
Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell powershell.exe executing Get-Process
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure.
8.B.1
Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4) The file python.exe created on Scranton (10.0.1.4)
Remote File Copy
(T1105)
Technique (Correlated, Configuration Change (Detections), Alert)
A Technique alert detection (medium severity) for Remote File Copy was generated due to the creation of python.exe. The event was correlated to a parent Technique detection for Masquerading for rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1] [2]
8.B.2
python.exe payload was packed with UPX Evidence that the file python.exe is packed
Software Packing
(T1045)
None
No detection capability demonstrated for this procedure.
8.C.1
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam Successful logon as user Pam on Scranton (10.0.1.4)
Valid Accounts
(T1078)
None
No detection capability demonstrated for this procedure.
8.C.2
Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec SMB session to Scanton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Windows Admin Shares
(T1077)
Technique (Alert, Correlated, Configuration Change (Detections))
A Technique alert detection (medium severity) for Windows Admin Shares was generated due to PSEXEC connecting to Scranton's IPC$ share. The event was correlated to a parent Technique detection for Masquerading for rcs.3aka3.doc. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. Exiting event details shows correlation of detections. [1]
8.C.3
Executed python.exe using PSExec python.exe spawned by PSEXESVC.exe
Service Execution
(T1035)
None
No detection capability demonstrated for this procedure.
9.A.1
Dropped rar.exe to disk on remote host Scranton (10.0.1.4)  python.exe creating the file rar.exe
Remote File Copy
(T1105)
None
No detection capability demonstrated for this procedure.
9.A.2
Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)  python.exe creating the file sdelete64.exe
Remote File Copy
(T1105)
None
No detection capability demonstrated for this procedure.
9.B.1
Spawned interactive powershell.exe powershell.exe​ spawning from python.exe
PowerShell
(T1086)
None
No detection capability demonstrated for this procedure.
9.B.2
Searched filesystem for document and media files using PowerShell powershell.exe executing (Get-)ChildItem​
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure.
9.B.3
Scripted search of filesystem for document and media files using PowerShell  powershell.exe executing (Get-)ChildItem​
Automated Collection
(T1119)
None
No detection capability demonstrated for this procedure.
9.B.4
Recursively collected files found in C:\Users\Pam\ using PowerShell powershell.exe reading files in C:\Users\Pam\
Data from Local System
(T1005)
None
No detection capability demonstrated for this procedure.
9.B.5
Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell powershell.exe creating the file working.zip
Data Staged
(T1074)
None
No detection capability demonstrated for this procedure.
9.B.6
Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Data Encrypted
(T1022)
None
No detection capability demonstrated for this procedure.
9.B.7
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe powershell.exe executing rar.exe
Data Compressed
(T1002)
None
No detection capability demonstrated for this procedure.
9.B.8
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443) python.exe reading the file working.zip while connected to the C2 channel
Exfiltration Over Command and Control Channel
(T1041)
None
No detection capability demonstrated for this procedure. Network data collection was not active at the time of the evaluation due to ongoing product enhancements.
9.C.1
Deleted rar.exe on disk using SDelete sdelete64.exe deleting the file rar.exe
File Deletion
(T1107)
None
No detection capability demonstrated for this procedure.
9.C.2
Deleted working.zip (from Desktop) on disk using SDelete sdelete64.exe deleting the file \Desktop\working.zip
File Deletion
(T1107)
None
No detection capability demonstrated for this procedure.
9.C.3
Deleted working.zip (from AppData directory) on disk using SDelete sdelete64.exe deleting the file \AppData\Roaming\working.zip
File Deletion
(T1107)
None
No detection capability demonstrated for this procedure.
9.C.4
Deleted SDelete on disk using cmd.exe del command cmd.exe deleting the file sdelete64.exe
File Deletion
(T1107)
None
No detection capability demonstrated for this procedure.
10.A.1
Executed persistent service (javamtsup) on system startup javamtsup.exe spawning from services.exe
Service Execution
(T1035)
None
No detection capability demonstrated for this procedure.
10.B.1
Executed LNK payload (hostui.lnk) in Startup Folder on user login Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Registry Run Keys / Startup Folder
(T1060)
None
No detection capability demonstrated for this procedure, though execution of hostui.bat was observed. [1]
10.B.2
Executed PowerShell payload via the CreateProcessWithToken API hostui.exe executing the CreateProcessWithToken API
Execution through API
(T1106)
None
No detection capability demonstrated for this procedure.
10.B.3
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Access Token Manipulation
(T1134)
None
No detection capability demonstrated for this procedure.
11.A.1
User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk powershell.exe spawning from explorer.exe
User Execution
(T1204)
Telemetry (Configuration Change (Detections))
Telemetry showed explorer.exe executing powershell.exe. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
11.A.2
Executed an alternate data stream (ADS) using PowerShell powershell.exe executing the schemas ADS via Get-Content and IEX
NTFS File Attributes
(T1096)
Telemetry (Configuration Change (Detections))
Telemetry showed powershell.exe executing the schemas ADS with Get-Content and IEX. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
11.A.3
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell powershell.exe executing a Get-WmiObject query for Win32_BIOS
Virtualization/Sandbox Evasion
(T1497)
None
No detection capability demonstrated for this procedure.
11.A.4
Enumerated computer manufacturer, model, and version information using PowerShell powershell.exe executing a Get-WmiObject gwmi queries for Win32_BIOS and Win32_ComputerSystem
System Information Discovery
(T1082)
None
No detection capability demonstrated for this procedure.
11.A.5
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Peripheral Device Discovery
(T1120)
None
No detection capability demonstrated for this procedure.
11.A.6
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Owner/User Discovery
(T1033)
None
No detection capability demonstrated for this procedure.
11.A.7
Checked that the computer is joined to a domain using PowerShell powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Network Configuration Discovery
(T1016)
None
No detection capability demonstrated for this procedure.
11.A.8
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell powershell.exe executing a Get-WmiObject query for Win32_Process
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure.
11.A.9
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure.
11.A.10
Decoded an embedded DLL payload to disk using certutil.exe certutil.exe decoding kxwn.lock
Deobfuscate/Decode Files or Information
(T1140)
Telemetry (Configuration Change (Detections))
Telemetry showed the certutil.exe process and corresponding file write of the kxwn.lock payload. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
11.A.11
Established Registry Run key persistence using PowerShell Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry Run Keys / Startup Folder
(T1060)
Technique (Alert, Configuration Change (Detections))
A Technique alert detection (low severity) for Registry Run Keys/Startup Folder was generated due to the addition of the Run key persistence into the Registry. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
11.A.12
Executed PowerShell stager payload powershell.exe spawning from from the schemas ADS (powershell.exe)
PowerShell
(T1086)
Technique (Alert, Configuration Change (Detections))
A Technique alert detection (medium severity) for PowerShell was generated due to a suspicious PowerShell command. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
11.A.13
Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Established network channel over port 443
Commonly Used Port
(T1043)
None
No detection capability demonstrated for this procedure. Network data collection was not active at the time of the evaluation due to ongoing product enhancements.
11.A.14
Used HTTPS to transport C2 (192.168.0.4) traffic
Established network channel over the HTTPS protocol
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure. Network data collection was not active at the time of the evaluation due to ongoing product enhancements.
11.A.15
Used HTTPS to encrypt C2 (192.168.0.4) traffic
Evidence that the network data sent over the C2 channel is encrypted
Standard Cryptographic Protocol
(T1032)
None
No detection capability demonstrated for this procedure. Network data collection was not active at the time of the evaluation due to ongoing product enhancements.
12.A.1
Enumerated the System32 directory using PowerShell
powershell.exe executing (gci ((gci env:windir).Value + '\system32'))
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure.
12.A.2
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Timestomp
(T1099)
None
No detection capability demonstrated for this procedure.
12.B.1
Enumerated registered AV products using PowerShell
powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Security Software Discovery
(T1063)
None
No detection capability demonstrated for this procedure.
12.C.1
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
None
No detection capability demonstrated for this procedure.
12.C.2
Enumerated installed software via the Registry (Uninstall key) using PowerShell
powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
None
No detection capability demonstrated for this procedure.
13.A.1
Enumerated the computer name using the GetComputerNameEx API
powershell.exe executing the GetComputerNameEx API
System Information Discovery
(T1082)
None
No detection capability demonstrated for this procedure.
13.B.1
Enumerated the domain name using the NetWkstaGetInfo API
powershell.exe executing the NetWkstaGetInfo API
System Network Configuration Discovery
(T1016)
None
No detection capability demonstrated for this procedure.
13.C.1
Enumerated the current username using the GetUserNameEx API
powershell.exe executing the GetUserNameEx API
System Owner/User Discovery
(T1033)
None
No detection capability demonstrated for this procedure.
13.D.1
Enumerated running processes using the CreateToolhelp32Snapshot API
powershell.exe executing the CreateToolhelp32Snapshot API
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure.
14.A.1
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Component Object Model Hijacking
(T1122)
None
No detection capability demonstrated for this procedure.
14.A.2
Executed elevated PowerShell payload
High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Bypass User Account Control
(T1088)
None
No detection capability demonstrated for this procedure.
14.A.3
Modified the Registry to remove artifacts of COM hijacking using PowerShell
Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Modify Registry
(T1112)
None
No detection capability demonstrated for this procedure.
14.B.1
Created and executed a WMI class using PowerShell
WMI Process (WmiPrvSE.exe) executing powershell.exe
Windows Management Instrumentation
(T1047)
None
No detection capability demonstrated for this procedure.
14.B.2
Enumerated and tracked PowerShell processes using PowerShell
powershell.exe executing Get-Process
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure.
14.B.3
Downloaded and dropped Mimikatz (m.exe) to disk
powershell.exe downloading and/or the file write of m.exe
Remote File Copy
(T1105)
None
No detection capability demonstrated for this procedure.
14.B.4
Dumped plaintext credentials using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
Credential Dumping
(T1003)
Technique (Configuration Change (Detections), Alert)
A Technique alert detection (medium severity) for "Credential Dumping" was generated due to m.exe executing with command-line arguments indicative of Mimikatz credential dumping. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
14.B.5
Encoded and wrote Mimikatz output to a WMI class property using PowerShell
powershell.exe executing Set-WmiInstance
Obfuscated Files or Information
(T1027)
None
No detection capability demonstrated for this procedure.
14.B.6
Read and decoded Mimikatz output from a WMI class property using PowerShell
powershell.exe executing Get-WmiInstance
Deobfuscate/Decode Files or Information
(T1140)
None
No detection capability demonstrated for this procedure.
15.A.1
Enumerated logged on users using PowerShell
powershell.exe executing $env:UserName
System Owner/User Discovery
(T1033)
None
No detection capability demonstrated for this procedure.
15.A.2
Established WMI event subscription persistence using PowerShell
powershell.exe creating the WindowsParentalControlMigration WMI filter, consumer, and binding in root/subscription
Windows Management Instrumentation Event Subscription
(T1084)
None
No detection capability demonstrated for this procedure.
16.A.1
Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll
Remote System Discovery
(T1018)
None
No detection capability demonstrated for this procedure.
16.B.1
Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API
powershell.exe executing the ConvertSidToStringSid API
System Owner/User Discovery
(T1033)
None
No detection capability demonstrated for this procedure.
16.B.2
Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll
powershell.exe executing the ConvertSidToStringSid API function by loading Advapi32.dll
Execution through API
(T1106)
None
No detection capability demonstrated for this procedure.
16.C.1
Established a WinRM connection to the domain controller host NewYork (10.0.0.4)
Network connection to NewYork (10.0.0.4) over port 5985
Windows Remote Management
(T1028)
None
No detection capability demonstrated for this procedure.
16.C.2
Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
Successful logon as user MScott on NewYork (10.0.0.4)
Valid Accounts
(T1078)
None
No detection capability demonstrated for this procedure.
16.D.1
Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection
File write of m.exe by the WinRM process (wsmprovhost.exe)
Remote File Copy
(T1105)
None
No detection capability demonstrated for this procedure.
16.D.2
Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
m.exe injecting into lsass.exe to dump credentials
Credential Dumping
(T1003)
Technique (Alert, Configuration Change (Detections))
A Technique alert detection (medium severity) for credential dumping was generated for m.exe executing with command-line arguments indicative of Mimikatz credential dumping. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1] [2]
17.A.1
Dumped messages from the local Outlook inbox using PowerShell
outlook.exe spawning from svchost.exe or powershell.exe
Email Collection
(T1114)
None
No detection capability demonstrated for this procedure.
17.B.1
Read and collected a local file using PowerShell
powershell.exe reading the file MITRE-ATTACK-EVALS.HTML
Data from Local System
(T1005)
None
No detection capability demonstrated for this procedure.
17.B.2
Staged collected file into directory using PowerShell
powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML
Data Staged
(T1074)
None
No detection capability demonstrated for this procedure.
17.C.1
Compressed a staging directory using PowerShell
powershell.exe executing the ZipFile.CreateFromDirectory .NET method
Data Compressed
(T1002)
None
No detection capability demonstrated for this procedure.
17.C.2
Prepended the GIF file header to a compressed staging file using PowerShell
powershell.exe executing Set-Content
Obfuscated Files or Information
(T1027)
None
No detection capability demonstrated for this procedure.
18.A.1
Mapped a network drive to an online OneDrive account using PowerShell
net.exe with command-line arguments then making a network connection to a public IP over port 443
Web Service
(T1102)
General (Alert, Configuration Change (Detections))
A General alert detection for a "data gathering PowerShell command" was generated for net.exe with command-line arguments to connect to a OneDrive URL. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
18.A.2
Exfiltrated staged collection to an online OneDrive account using PowerShell
powershell.exe executing Copy-Item pointing to drive mapped to an attack-controlled OneDrive account
Exfiltration Over Alternative Protocol
(T1048)
None
No detection capability demonstrated for this procedure. Network data collection was not active at the time of the evaluation due to ongoing product enhancements.
19.A.1
Deleted Mimikatz (m.exe) on disk using SDelete
File delete event for C:\Windows\System32\m.exe
File Deletion
(T1107)
N/A
Due to execution inconsistencies Step 19 has been omitted from the evaluation results.
19.A.2
Reflectively injected SDelete binary into PowerShell
Injection into PowerShell via Invoke-ReflectivePEInjection
Process Injection
(T1055)
N/A
Due to execution inconsistencies Step 19 has been omitted from the evaluation results.
19.B.1
Deleted exfiltrated data on disk using SDelete
File delete event for C:\Windows\Temp\WindowsParentalControlMigration.tmp
File Deletion
(T1107)
N/A
Due to execution inconsistencies Step 19 has been omitted from the evaluation results.
19.B.2
Reflectively injected SDelete binary into PowerShell
Injection into PowerShell via Invoke-ReflectivePEInjection
Process Injection
(T1055)
N/A
Due to execution inconsistencies Step 19 has been omitted from the evaluation results.
19.C.1
Deleted staged data on disk using SDelete
File delete event for C:\Windows\Temp\WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML
File Deletion
(T1107)
N/A
Due to execution inconsistencies Step 19 has been omitted from the evaluation results.
19.C.2
Reflectively injected SDelete binary into PowerShell
Injection into PowerShell via Invoke-ReflectivePEInjection
Process Injection
(T1055)
N/A
Due to execution inconsistencies Step 19 has been omitted from the evaluation results.
20.A.1
Executed Run key persistence payload on user login using RunDll32
rundll32.exe executing kxwn.lock
Rundll32
(T1085)
Technique (Configuration Change (Detections), Alert)
A Technique alert detection (low severity) called "rundll32 abuse" was generated due to rundll32.exe executing kxwn.lock. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
20.A.2
Executed WMI persistence on user login
The WMI process (wmiprvse.exe) executing powershell.exe
Windows Management Instrumentation Event Subscription
(T1084)
Telemetry (Configuration Change (Detections))
Telemetry showed wmiprvse.exe executing the PowerShell stager. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
20.A.3
Executed PowerShell payload from WMI event subscription persistence
SYSTEM-level powershell.exe spawned from powershell.exe
PowerShell
(T1086)
Technique (Alert, Configuration Change (Detections))
A Technique alert detection (medium severity) was generated due to a suspicious PowerShell command. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
20.B.1
Created Kerberos Golden Ticket using Invoke-Mimikatz
powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket
Pass the Ticket
(T1097)
None
No detection capability demonstrated for this procedure.
20.B.2
Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials
Network connection to Scranton (10.0.1.4) over port 5985
Windows Remote Management
(T1028)
None
No detection capability demonstrated for this procedure.
20.B.3
Added a new user to the remote host Scranton (10.0.1.4) using net.exe
net.exe adding the user Toby
Create Account
(T1136)
Technique (Alert, Configuration Change (Detections))
A Technique alert detection for account creation was generated for net.exe executing with the command-line arguments to add the new user Toby. Updates to detections and logging were enabled after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]