

Microsoft Matrix

Matrix Page Information

The ATT&CK matrix is a summary of the evaluation. The cells with dark text are the techniques in scope for the evaluation. Roll over a technique for a summary of how it was tested, including the procedure name, the step of the operational flow, and the detection types associated with each procedure's detection(s).

Detection types are defined in the legend. Within the rollover, adjoining detection types are a single detection, and whitespace separates different detections.

Example: the rollover below, for the WinRAR procedure, shows two detections. The first detection is Telemetry carrying the Tainted modifier; the second is a Specific Behavior.



MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation; these are not endorsed or validated by MITRE.
Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, MSSP, General, Tactic, Specific Behavior, Technique, Enrichment

Detection Modifiers: Tainted, Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative

Matrix Summary

Greyed-out techniques are out of scope for this evaluation.

Blue linked techniques are in scope for this evaluation.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Drive-by Compromise | AppleScript | .bash_profile and .bashrc | Access Token Manipulation | Access Token Manipulation
Step | Procedure | Detection
10.B.3 | Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
1 Result(s)
Account Manipulation | Account Discovery | AppleScript | Audio Capture | Automated Exfiltration | Commonly Used Port
Step | Procedure | Detection
3.B.3 | Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
11.A.13 | Established C2 channel (192.168.0.4) via PowerShell payload over port 443
2 Result(s)
Exploit Public-Facing Application | CMSTP | Accessibility Features | Accessibility Features | Application Access Token | Bash History | Application Window Discovery | Application Access Token | Automated Collection
Step | Procedure | Detection
2.A.2 | Scripted search of filesystem for document and media files using PowerShell
9.B.3 | Scripted search of filesystem for document and media files using PowerShell
2 Result(s)
Data Compressed
Step | Procedure | Detection
2.A.4 | Compressed and stored files into ZIP (Draft.zip) using PowerShell
7.B.2 | Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
9.B.7 | Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
17.C.1 | Compressed a staging directory using PowerShell
4 Result(s)
Communication Through Removable Media
External Remote Services | Command-Line Interface
Step | Procedure | Detection
1.B.1 | Spawned interactive cmd.exe
1 Result(s)
Account Manipulation | AppCert DLLs | BITS Jobs | Brute Force | Browser Bookmark Discovery | Application Deployment Software | Clipboard Data
Step | Procedure | Detection
7.A.2 | Captured clipboard contents using PowerShell
1 Result(s)
Data Encrypted
Step | Procedure | Detection
7.B.3 | Encrypted data from the user's Downloads directory using PowerShell
9.B.6 | Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
2 Result(s)
Connection Proxy
Hardware Additions | Compiled HTML File | AppCert DLLs | AppInit DLLs | Binary Padding | Cloud Instance Metadata API | Cloud Service Dashboard | Component Object Model and Distributed COM | Data Staged
Step | Procedure | Detection
2.A.5 | Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
9.B.5 | Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
17.B.2 | Staged collected file into directory using PowerShell
3 Result(s)
Data Transfer Size Limits | Custom Command and Control Protocol
Replication Through Removable Media | Component Object Model and Distributed COM | AppInit DLLs | Application Shimming | Bypass User Account Control | Credential Dumping
Step | Procedure | Detection
6.A.2 | Executed the CryptUnprotectData API call to decrypt Chrome passwords
6.C.1 | Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
14.B.4 | Dumped plaintext credentials using Mimikatz (m.exe)
16.D.2 | Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)
4 Result(s)
Cloud Service Discovery | Exploitation of Remote Services | Data from Cloud Storage Object | Exfiltration Over Alternative Protocol
Step | Procedure | Detection
7.B.4 | Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
18.A.2 | Exfiltrated staged collection to an online OneDrive account using PowerShell
2 Result(s)
Custom Cryptographic Protocol
Spearphishing Attachment | Control Panel Items | Application Shimming | Bypass User Account Control
Step | Procedure | Detection
3.B.2 | Executed elevated PowerShell payload
14.A.2 | Executed elevated PowerShell payload
2 Result(s)
CMSTP | Credentials from Web Browsers | Domain Trust Discovery | Internal Spearphishing | Data from Information Repositories | Exfiltration Over Command and Control Channel
Step | Procedure | Detection
2.B.1 | Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
9.B.8 | Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
2 Result(s)
Data Encoding
Spearphishing Link | Dynamic Data Exchange | Authentication Package | DLL Search Order Hijacking | Clear Command History | Credentials in Files
Step | Procedure | Detection
6.A.1 | Read the Chrome SQL database file to extract encrypted credentials
1 Result(s)
File and Directory Discovery
Step | Procedure | Detection
2.A.1 | Searched filesystem for document and media files using PowerShell
4.C.1 | Enumerated user's temporary directory path using PowerShell
9.B.2 | Searched filesystem for document and media files using PowerShell
11.A.9 | Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
12.A.1 | Enumerated the System32 directory using PowerShell
5 Result(s)
Logon Scripts | Data from Local System
Step | Procedure | Detection
2.A.3 | Recursively collected files found in C:\Users\Pam\ using PowerShell
7.B.1 | Read data in the user's Downloads directory using PowerShell
9.B.4 | Recursively collected files found in C:\Users\Pam\ using PowerShell
17.B.1 | Read and collected a local file using PowerShell
4 Result(s)
Exfiltration Over Other Network Medium | Data Obfuscation
Spearphishing via Service | Execution through API
Step | Procedure | Detection
4.C.10 | Executed API call by reflectively loading Netapi32.dll
4.C.12 | Executed API call by reflectively loading Netapi32.dll
10.B.2 | Executed PowerShell payload via the CreateProcessWithToken API
16.B.2 | Executed the ConvertSidToStringSid API call by reflectively loading Advapi32.dll
4 Result(s)
BITS Jobs | Dylib Hijacking | Code Signing | Credentials in Registry | Network Service Scanning | Pass the Hash | Data from Network Shared Drive | Exfiltration Over Physical Medium | Domain Fronting
Supply Chain Compromise | Execution through Module Load | Bootkit | Elevated Execution with Prompt | Compile After Delivery | Exploitation for Credential Access | Network Share Discovery | Pass the Ticket
Step | Procedure | Detection
20.B.1 | Created Kerberos Golden Ticket using Invoke-Mimikatz
1 Result(s)
Data from Removable Media | Scheduled Transfer | Domain Generation Algorithms
Trusted Relationship | Exploitation for Client Execution | Browser Extensions | Emond | Compiled HTML File | Forced Authentication | Network Sniffing | Remote Desktop Protocol | Email Collection
Step | Procedure | Detection
17.A.1 | Dumped messages from the local Outlook inbox using PowerShell
1 Result(s)
Transfer Data to Cloud Account | Fallback Channels
Valid Accounts | Graphical User Interface | Change Default File Association | Exploitation for Privilege Escalation | Component Firmware | Hooking | Password Policy Discovery | Remote File Copy
Step | Procedure | Detection
3.A.1 | Dropped stage 2 payload (monkey.png) to disk
4.A.1 | Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
8.B.1 | Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
9.A.1 | Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
9.A.2 | Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)
14.B.3 | Downloaded and dropped Mimikatz (m.exe) to disk
16.D.1 | Dropped Mimikatz (m.exe) to disk on the domain controller host NewYork (10.0.0.4) over a WinRM connection
7 Result(s)
Input Capture
Step | Procedure | Detection
7.A.3 | Captured user keystrokes using the GetAsyncKeyState API
1 Result(s)
Multi-Stage Channels
InstallUtil | Component Firmware | Extra Window Memory Injection | Component Object Model Hijacking
Step | Procedure | Detection
3.B.1 | Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
14.A.1 | Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
2 Result(s)
Input Capture | Peripheral Device Discovery
Step | Procedure | Detection
11.A.5 | Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
1 Result(s)
Remote Services | Man in the Browser | Multi-hop Proxy
LSASS Driver | Component Object Model Hijacking | File System Permissions Weakness | Connection Proxy | Input Prompt | Permission Groups Discovery
Step | Procedure | Detection
4.C.9 | Enumerated user's domain group membership via the NetUserGetGroups API
4.C.11 | Enumerated user's local group membership via the NetUserGetLocalGroups API
2 Result(s)
Replication Through Removable Media | Screen Capture
Step | Procedure | Detection
7.A.1 | Captured and saved screenshots using PowerShell
1 Result(s)
Multiband Communication
Launchctl | Create Account
Step | Procedure | Detection
20.B.3 | Added a new user to the remote host Scranton (10.0.1.4) using net.exe
1 Result(s)
Hooking | Control Panel Items | Kerberoasting | Process Discovery
Step | Procedure | Detection
4.B.1 | Enumerated current running processes using PowerShell
4.C.5 | Enumerated the current process ID using PowerShell
8.A.3 | Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
11.A.8 | Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell
13.D.1 | Enumerated running processes using the CreateToolhelp32Snapshot API
14.B.2 | Enumerated and tracked PowerShell processes using PowerShell
6 Result(s)
SSH Hijacking | Video Capture | Multilayer Encryption
Local Job Scheduling | DLL Search Order Hijacking | Image File Execution Options Injection | DCShadow | Keychain | Query Registry
Step | Procedure | Detection
12.C.1 | Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
12.C.2 | Enumerated installed software via the Registry (Uninstall key) using PowerShell
2 Result(s)
Shared Webroot | Port Knocking
Mshta | Dylib Hijacking | Launch Daemon | DLL Search Order Hijacking | LLMNR/NBT-NS Poisoning and Relay | Remote System Discovery
Step | Procedure | Detection
8.A.1 | Enumerated remote systems using LDAP queries
16.A.1 | Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries
2 Result(s)
Taint Shared Content | Remote Access Tools
PowerShell
Step | Procedure | Detection
1.B.2 | Spawned interactive powershell.exe
4.A.2 | Spawned interactive powershell.exe
9.B.1 | Spawned interactive powershell.exe
11.A.12 | Executed PowerShell stager payload
20.A.3 | Executed PowerShell payload from WMI event subscription persistence
5 Result(s)
Emond | New Service | DLL Side-Loading | Network Sniffing | Security Software Discovery
Step | Procedure | Detection
4.C.7 | Enumerated anti-virus software using PowerShell
4.C.8 | Enumerated firewall software using PowerShell
12.B.1 | Enumerated registered AV products using PowerShell
3 Result(s)
Third-party Software | Remote File Copy
Regsvcs/Regasm | External Remote Services | Parent PID Spoofing | Deobfuscate/Decode Files or Information
Step | Procedure | Detection
4.A.3 | Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
11.A.10 | Decoded an embedded DLL payload to disk using certutil.exe
14.B.6 | Read and decoded Mimikatz output from a WMI class property using PowerShell
3 Result(s)
Password Filter DLL | Software Discovery | Web Session Cookie | Standard Application Layer Protocol
Step | Procedure | Detection
3.B.4 | Used HTTPS to transport C2 (192.168.0.5) traffic
11.A.14 | Used HTTPS to transport C2 (192.168.0.4) traffic
2 Result(s)
Regsvr32 | File System Permissions Weakness | Path Interception | Disabling Security Tools | Private Keys
Step | Procedure | Detection
6.B.1 | Exported a local certificate to a PFX file using PowerShell
1 Result(s)
System Information Discovery
Step | Procedure | Detection
4.C.3 | Enumerated the computer hostname using PowerShell
4.C.6 | Enumerated the OS version using PowerShell
11.A.4 | Enumerated computer manufacturer, model, and version information using PowerShell
13.A.1 | Enumerated the computer name using the GetComputerNameEx API
4 Result(s)
Windows Admin Shares
Step | Procedure | Detection
8.C.2 | Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
1 Result(s)
Standard Cryptographic Protocol
Step | Procedure | Detection
1.A.4 | Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
3.B.5 | Used HTTPS to encrypt C2 (192.168.0.5) traffic
11.A.15 | Used HTTPS to encrypt C2 (192.168.0.4) traffic
3 Result(s)
Rundll32
Step | Procedure | Detection
20.A.1 | Executed Run key persistence payload on user login using RunDll32
1 Result(s)
Hidden Files and Directories | Plist Modification | Execution Guardrails | Securityd Memory | System Network Configuration Discovery
Step | Procedure | Detection
4.C.4 | Enumerated the current domain name using PowerShell
11.A.7 | Checked that the computer is joined to a domain using PowerShell
13.B.1 | Enumerated the domain name using the NetWkstaGetInfo API
3 Result(s)
Windows Remote Management
Step | Procedure | Detection
8.A.2 | Established WinRM connection to remote host Scranton (10.0.1.4)
16.C.1 | Established a WinRM connection to the domain controller host NewYork (10.0.0.4)
20.B.2 | Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials
3 Result(s)
Standard Non-Application Layer Protocol
Scheduled Task | Hooking | Port Monitors | Exploitation for Defense Evasion | Steal Application Access Token | System Network Connections Discovery | Uncommonly Used Port
Step | Procedure | Detection
1.A.3 | Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
1 Result(s)
Scripting | Hypervisor | PowerShell Profile | Extra Window Memory Injection | Steal Web Session Cookie | System Owner/User Discovery
Step | Procedure | Detection
4.C.2 | Enumerated the current username using PowerShell
11.A.6 | Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
13.C.1 | Enumerated the current username using the GetUserNameEx API
15.A.1 | Enumerated logged-on users using PowerShell
16.B.1 | Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API
5 Result(s)
Web Service
Service Execution
Step | Procedure | Detection
8.C.3 | Executed python.exe using PsExec
10.A.1 | Executed persistent service (javamtsup) on system startup
2 Result(s)
Image File Execution Options Injection | Process Injection | File Deletion
Step | Procedure | Detection
4.B.2 | Deleted rcs.3aka3.doc on disk using SDelete
4.B.3 | Deleted Draft.zip on disk using SDelete
4.B.4 | Deleted SysinternalsSuite.zip on disk using SDelete
9.C.1 | Deleted rar.exe on disk using SDelete
9.C.2 | Deleted working.zip (from Desktop) on disk using SDelete
9.C.3 | Deleted working.zip (from AppData directory) on disk using SDelete
9.C.4 | Deleted SDelete on disk using cmd.exe del command
19.A.1 | Deleted Mimikatz (m.exe) on disk using SDelete
19.B.1 | Deleted exfiltrated data on disk using SDelete
19.C.1 | Deleted staged data on disk using SDelete
10 Result(s)
Two-Factor Authentication Interception | System Service Discovery
Signed Binary Proxy Execution | Implant Container Image | SID-History Injection | File System Logical Offsets | System Time Discovery
Signed Script Proxy Execution | Kernel Modules and Extensions | Scheduled Task | File and Directory Permissions Modification | Virtualization/Sandbox Evasion
Step | Procedure | Detection
11.A.3 | Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
1 Result(s)
Source | LC_LOAD_DYLIB Addition | Service Registry Permissions Weakness | Gatekeeper Bypass
Space after Filename | LSASS Driver | Setuid and Setgid | Group Policy Modification
Third-party Software | Launch Agent | Startup Items | HISTCONTROL
Trap | Launch Daemon | Sudo Caching | Hidden Files and Directories
Trusted Developer Utilities | Launchctl | Sudo | Hidden Users
User Execution
Step | Procedure | Detection
1.A.1 | User Pam executed payload rcs.3aka3.doc
11.A.1 | User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
2 Result(s)
Local Job Scheduling | Valid Accounts | Hidden Window
Windows Management Instrumentation
Step | Procedure | Detection
14.B.1 | Created and executed a WMI class using PowerShell
1 Result(s)
Login Item | Web Shell | Image File Execution Options Injection
Windows Remote Management
Step | Procedure | Detection
8.A.2 | Established WinRM connection to remote host Scranton (10.0.1.4)
16.C.1 | Established a WinRM connection to the domain controller host NewYork (10.0.0.4)
20.B.2 | Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials
3 Result(s)
Logon Scripts | Indicator Blocking
XSL Script Processing | Modify Existing Service | Indicator Removal from Tools
Netsh Helper DLL | Indicator Removal on Host
New Service
Step | Procedure | Detection
5.A.1 | Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
1 Result(s)
Indirect Command Execution
Office Application Startup | Install Root Certificate
Path Interception | InstallUtil
Plist Modification | LC_MAIN Hijacking
Port Knocking | Launchctl
Port Monitors | Masquerading
Step | Procedure | Detection
1.A.2 | Used Unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka3.scr)
6.A.3 | Masqueraded a Chrome password dump tool as accesscheck.exe, a legitimate Sysinternals tool
2 Result(s)
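Procedure 1.A.2 above hides a screensaver executable behind a document-looking name with a right-to-left override character. The Python below is an added example, not part of the MITRE evaluation page or of any vendor's tooling: it shows why the rendered name differs from the code points the file system and loader use, and flags names whose displayed extension disagrees with the real one. The sample names are constructed; the assumption that the on-disk name is U+202E followed by cod.3aka3.scr (which a bidi-aware file browser draws as rcs.3aka3.doc) is an editor's reconstruction from the two names the page gives, and the second lure name is invented for the example.

```python
# Added example (not from the MITRE ATT&CK Evaluations page): spot file names that
# use Unicode bidirectional controls to hide their real extension, as in
# procedure 1.A.2 above. The on-disk name assumed below (U+202E + "cod.3aka3.scr",
# displayed as "rcs.3aka3.doc") is an editor's reconstruction, not page data.

# Bidirectional override, embedding, isolate and mark controls. They change how a
# name is rendered, not the code points the file system and loader operate on.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
    "\u200e", "\u200f",                                # LRM RLM
}
RLO, PDF = "\u202e", "\u202c"


def has_bidi_control(name: str) -> bool:
    """True if any bidi control character is present in the raw name."""
    return any(ch in BIDI_CONTROLS for ch in name)


def real_extension(name: str) -> str:
    """Extension the OS actually uses: text after the last '.' once controls are dropped."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[1].lower() if "." in stripped else ""


def displayed_name(name: str) -> str:
    """Approximation of what a bidi-aware file browser renders: everything after an
    RLO is drawn right-to-left (reversed) until a PDF or the end of the name; the
    other controls are invisible and are simply dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze(names):
    """One finding per suspicious name: what the user sees versus what will run."""
    findings = []
    for name in names:
        if not has_bidi_control(name):
            continue
        shown = displayed_name(name)
        shown_ext = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
        real_ext = real_extension(name)
        findings.append({
            "raw": name,
            "displayed": shown,
            "displayed_ext": shown_ext,
            "real_ext": real_ext,
            "extension_mismatch": shown_ext != real_ext,
        })
    return findings


# Constructed sample: the reconstructed APT29 lure, a benign document, and an
# invented second lure that renders as a PDF but is an .exe.
SAMPLE_NAMES = [
    RLO + "cod.3aka3.scr",
    "Q3-report.docx",
    "invoice" + RLO + "fdp.exe",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_NAMES):
        flag = "  <-- mismatch" if f["extension_mismatch"] else ""
        print(f"{f['displayed']!r:24} real extension: .{f['real_ext']}{flag}")
```

The check keys on the raw code points, which is what a file-creation or process-creation event carries; a detection that only looks at the rendered name, or that trusts the extension a user reports, sees the document the lure was designed to show.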
PowerShell Profile | Modify Registry
Step | Procedure | Detection
3.C.1 | Modified the Registry to remove artifacts of COM hijacking
14.A.3 | Modified the Registry to remove artifacts of COM hijacking using PowerShell
2 Result(s)
Rc.common | Mshta
Re-opened Applications | NTFS File Attributes
Step | Procedure | Detection
11.A.2 | Executed an alternate data stream (ADS) using PowerShell
1 Result(s)
Redundant Access | Network Share Connection Removal
Registry Run Keys / Startup Folder
Step | Procedure | Detection
5.B.1 | Created a LNK file (hostui.lnk) in the Startup folder that executes on login
10.B.1 | Executed LNK payload (hostui.lnk) in Startup Folder on user login
11.A.11 | Established Registry Run key persistence using PowerShell
3 Result(s)
Obfuscated Files or Information
Step | Procedure | Detection
3.A.2 | Embedded PowerShell payload in monkey.png using steganography
14.B.5 | Encoded and wrote Mimikatz output to a WMI class property using PowerShell
17.C.2 | Prepended the GIF file header to a compressed staging file using PowerShell
3 Result(s)
SIP and Trust Provider Hijacking | Parent PID Spoofing
Scheduled Task | Plist Modification
Screensaver | Port Knocking
Security Support Provider | Process Doppelgänging
Server Software Component | Process Hollowing
Service Registry Permissions Weakness | Process Injection
Step | Procedure | Detection
19.A.2 | Reflectively injected SDelete binary into PowerShell
19.B.2 | Reflectively injected SDelete binary into PowerShell
19.C.2 | Reflectively injected SDelete binary into PowerShell
3 Result(s)
Setuid and Setgid | Redundant Access
Shortcut Modification | Regsvcs/Regasm
Startup Items | Regsvr32
System Firmware | Revert Cloud Instance
Systemd Service | Rootkit
Time Providers | Rundll32
Trap | SIP and Trust Provider Hijacking
Valid Accounts | Scripting
Web Shell | Signed Binary Proxy Execution
Windows Management Instrumentation Event Subscription
Step | Procedure | Detection
15.A.2 | Established WMI event subscription persistence using PowerShell
20.A.2 | Executed WMI persistence on user login
2 Result(s)
Signed Script Proxy Execution
Winlogon Helper DLL | Software Packing
Step | Procedure | Detection
8.B.2 | python.exe payload was packed with UPX
1 Result(s)
Space after Filename
Template Injection
Timestomp
Step | Procedure | Detection
12.A.2 | Modified the time attributes of the kxwn.lock persistence payload using PowerShell
1 Result(s)
Trusted Developer Utilities
Unused/Unsupported Cloud Regions
Valid Accounts
Step | Procedure | Detection
8.C.1 | Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
16.C.2 | Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott
2 Result(s)
Virtualization/Sandbox Evasion
Web Service
Step | Procedure | Detection
18.A.1 | Mapped a network drive to an online OneDrive account using PowerShell
1 Result(s)
Web Session Cookie
XSL Script Processing