
SentinelOne: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.


MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, MSSP, General, Tactic, Specific Behavior, Technique, Enrichment

Detection Modifiers: Tainted, Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative

Results (columns: Step | Procedure | Criteria | Technique | Detection Type | Detection Notes)
1.A.1
Procedure: User Pam executed payload rcs.3aka3.doc
Criteria: The rcs.3aka3.doc process spawning from explorer.exe
Technique: User Execution (T1204)
Tactic (Alert)
A Tactic alert detection called "ProcessCreationExtra" was generated for explorer.exe executing rcs.3aka3.doc. [1]
MSSP (Delayed (Manual))
An MSSP detection contained evidence of explorer.exe executing rcs.3aka3.doc. [1]
Telemetry
Telemetry showed explorer.exe executing rcs.3aka3.doc. [1]
1.A.2
Procedure: Used unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process OR the original filename (cod.3aka.scr)
Technique: Masquerading (T1036)
Technique (Alert)
A Technique alert detection called "Masquerading" was generated for "SuspiciousCharInPath" observed on rcs.3aka.doc. [1]
MSSP (Delayed (Manual))
An MSSP detection showed the RTLO character in cod.3aka3.scr being used to masquerade as rcs.3aka.doc. [1]
1.A.3
Procedure: Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234
Technique: Uncommonly Used Port (T1065)
Technique (Alert)
A Technique alert detection for "T1065 - Uncommonly Used Port" was generated for rcs.3aka3.doc due to TCP port 1234 being used. [1]
MSSP (Delayed (Manual))
An MSSP detection was generated for rcs.3aka3.doc connecting to 192.168.0.5 on port 1234. [1]
Telemetry
Telemetry showed the rcs.3aka.doc connected to 192.168.0.5 on TCP port 1234. [1]
1.A.4
Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
None
No detection capability demonstrated for this procedure, though data showed rcs.3aka3.doc loading cryptographic libraries. [1] [2]
1.B.1
Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
Technique: Command-Line Interface (T1059)
Tactic (Correlated, Alert)
A Tactic alert detection called "ProcessCreationExtra" was generated for rcs.3aka3.doc spawning cmd.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1059" contained evidence of cmd.exe spawning from rcs.3aka3.doc. [1]
Telemetry (Correlated)
Telemetry showed cmd.exe spawning from rcs.3aka3.doc. The detection was correlated to a parent grouping of malicious activity. [1]
1.B.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
Technique: PowerShell (T1086)
Tactic (Correlated, Alert)
A Tactic alert detection called "ProcessCreationExtra" was generated for powershell.exe spawning from cmd.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection for “T1086” contained evidence of powershell.exe spawning from cmd.exe. [1] [2]
Telemetry (Correlated)
Telemetry showed powershell.exe spawning from cmd.exe. The detection was correlated to a parent grouping of malicious activity. [1]
2.A.1
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery (T1083)
Technique (Correlated, Alert)
A Technique alert detection for "File Enumeration" under "Discovery {T1083}" was generated when powershell.exe executed Get-ChildItem. The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "File Enumeration" occurred containing evidence of PowerShell searching the filesystem. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing ChildItem. The detection was correlated to a parent grouping of malicious activity. [1]
2.A.2
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection (T1119)
Technique (Correlated, Delayed (Processing), Alert)
A Technique alert detection for "Automated Collection" was generated on powershell.exe executing Get-ChildItem after a short delay. The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "InteractivePSCommand" contained evidence of powershell.exe executing ChildItem. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing ChildItem. The detection was correlated to a parent grouping of malicious activity. [1]
2.A.3
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System (T1005)
Technique (Configuration Change (Detections), Correlated, Alert)
A Technique alert detection for "Data from Local System {T1005}" was generated on powershell.exe executing Get-ChildItem and reading C:\Users\Pam\*. The detection was correlated to a parent grouping of malicious activity. A Detection Configuration Change was made to Get-ChildItem to align usage with Data from Local System (T1005). [1] [2]
MSSP (Delayed (Manual))
An MSSP detection for "PowerShell is seen enumerating the system and searching for files" contained evidence of file reads to C:/Users/Pam/*. [1]
Telemetry (Correlated, Configuration Change (Detections))
Telemetry showed powershell.exe reading files from C:\Users\Pam\*. The detection was correlated to a parent grouping of malicious activity. A Detection Configuration Change was made to Get-ChildItem to align usage with Data from Local System (T1005). [1]
2.A.4
Procedure: Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive
Technique: Data Compressed (T1002)
Technique (Correlated, Alert)
A Technique alert detection for "Data Compressed. MITRE Exfiltration {T1002}" was generated on powershell.exe compressing via Compress-Archive. The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe compressing via Compress-Archive. [1] [2] [3]
Telemetry (Correlated, Configuration Change (UX))
Telemetry showed powershell.exe compressing via Compress-Archive. A UX Configuration Change was made to bring PowerShell script block logs into the user interface. [1] [2]
2.A.5
Procedure: Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file draft.zip
Technique: Data Staged (T1074)
MSSP (Delayed (Manual))
An MSSP detection for the file creation of Draft.zip was received. The alert stated that "C:\Users\pam\AppData\Roaming\Draft.zip" file was created. [1]
Telemetry (Correlated)
Telemetry showed the creation of Draft.Zip. The detection was correlated to a parent grouping of malicious activity. [1]
2.B.1
Procedure: Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria: The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel (T1041)
MSSP (Delayed (Manual))
An MSSP detection for "T1041" occurred containing evidence of cod.3aka3.scr reading Draft.zip and a network connection to C2 (192.168.0.5). [1]
Telemetry (Correlated, Configuration Change (UX))
Telemetry showed file read event for Draft.zip and an existing C2 channel (192.168.0.5 over port 1234). The detection was correlated to a parent grouping of malicious activity. A UX Configuration Change was made to bring host file reads into the UI. [1] [2]
3.A.1
Procedure: Dropped stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png
Technique: Remote File Copy (T1105)
MSSP (Delayed (Manual))
An MSSP detection for "T1105" occurred containing evidence of rcs.3aka3.doc creating monkey.png. [1]
Telemetry (Correlated)
Telemetry showed rcs.3aka3.doc creating new file monkey.png. The detection was correlated to a parent grouping of malicious activity. [1] [2] [3]
3.A.2
Procedure: Embedded PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png
Technique: Obfuscated Files or Information (T1027)
Technique (Configuration Change (Detections), Correlated, Alert)
A Technique alert detection for "Steganography" was generated when identifying the PowerShell script contained within monkey.png. The detection was correlated to a parent grouping of malicious activity. A Detection Configuration Change was made to detect common extensions without the appropriate file type content in the file. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1027" occurred containing evidence of the PowerShell script contained within monkey.png. [1]
Telemetry (Correlated)
Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. The detection was correlated to a parent grouping of malicious activity. [1]
3.B.1
Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Technique: Component Object Model Hijacking (T1122)
MSSP (Delayed (Manual))
An MSSP detection for "T1122" occurred containing evidence of DelegateExecute subkey being added to the Registry. [1]
Telemetry (Correlated)
Telemetry showed addition of the DelegateExecute Registry Value. The detection was correlated to a parent grouping of malicious activity. [1]
3.B.2
Procedure: Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Technique: Bypass User Account Control (T1088)
Technique (Correlated, Alert)
A Technique alert detection for "TokenManipulation" was generated when user Pam targeted user "NT AUTHORITY\SYSTEM" in conjunction with "setcbprivilege" usage. The detection was correlated to a parent grouping of malicious activity. [1] [2] [3]
MSSP (Delayed (Manual))
An MSSP detection for "T1088" occurred containing evidence of new high integrity PowerShell callback spawning from control.exe (spawned from sdclt.exe). [1] [2]
Telemetry (Correlated)
Telemetry showed a new high integrity PowerShell callback spawning from control.exe (spawned from sdclt.exe). The detection was correlated to a parent grouping of malicious activity. [1]
3.B.3
Procedure: Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria: Established network channel over port 443
Technique: Commonly Used Port (T1043)
MSSP (Delayed (Manual))
An MSSP detection for "T1043" occurred containing evidence of powershell.exe connecting to 192.168.0.5 on TCP 443. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe connecting outbound to 192.168.0.5 on TCP 443. The detection was correlated to a parent grouping of malicious activity. [1]
3.B.4
Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS
Technique: Standard Application Layer Protocol (T1071)
MSSP (Delayed (Manual))
An MSSP detection for "T1071" occurred containing evidence of PowerShell process exchanging data with 192.168.0.5 over HTTPS. [1]
Telemetry (Correlated)
Telemetry showed PowerShell process exchanging data with 192.168.0.5 over HTTPS. The detection was correlated to a parent grouping of malicious activity. [1]
3.B.5
Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
MSSP (Delayed (Manual))
An MSSP detection for "T1032" occurred containing evidence of the PowerShell process exchanging data with 192.168.0.5 over HTTPS. [1]
Telemetry (Correlated)
Telemetry showed PowerShell process exchanging data with 192.168.0.5 over HTTPS. The detection was correlated to a parent grouping of malicious activity. [1]
3.C.1
Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Technique: Modify Registry (T1112)
MSSP (Delayed (Manual))
An MSSP detection for "T1112" occurred containing evidence of command subkey being removed from the Registry. [1]
Telemetry (Correlated)
Telemetry showed the deletion of the command subkey. The detection was correlated to a parent grouping of malicious activity. [1]
4.A.1
Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip
Technique: Remote File Copy (T1105)
MSSP (Delayed (Manual))
An MSSP detection for "T1105" occurred containing evidence of the file write of the ZIP by PowerShell. [1]
Telemetry (Correlated)
Telemetry showed the file write of the ZIP by PowerShell. The detection was correlated to a parent grouping of malicious activity. [1]
4.A.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from powershell.exe
Technique: PowerShell (T1086)
Tactic (Correlated, Alert)
A Tactic alert detection called "ProcessCreationExtra" was generated for powershell.exe executing powershell.exe. The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1086" occurred containing evidence of a new interactive session of PowerShell being created. [1]
Telemetry (Correlated)
Telemetry showed a new powershell.exe spawning from powershell.exe. The detection was correlated to a parent grouping of malicious activity. [1]
4.A.3
Procedure: Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria: powershell.exe executing Expand-Archive
Technique: Deobfuscate/Decode Files or Information (T1140)
MSSP (Delayed (Manual))
An MSSP detection for "T1140" occurred containing evidence of the extracted root folder being created, and the contents extracted. [1]
Telemetry (Correlated)
Telemetry showed PowerShell decompressing the ZIP via Expand-Archive and corresponding file writes. The detection was correlated to a parent grouping of malicious activity. [1] [2]
4.B.1
Procedure: Enumerated current running processes using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Technique (Correlated, Alert)
A Technique alert detection for "ProcessEnumeration" under "Discovery {T1057}" was generated for PowerShell executing Get-Process. The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1057" occurred containing evidence of PowerShell listing current process via “Get-Process”. [1]
Telemetry (Configuration Change (UX), Correlated)
Telemetry showed PowerShell executing Get-Process. The detection was correlated to a parent grouping of malicious activity. A UX Configuration Change was made to bring Get-Process usage from host logs into the user interface. [1]
4.B.2
Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
Technique: File Deletion (T1107)
MSSP (Delayed (Manual))
An MSSP detection for "T1107" occurred containing evidence of Sdelete (Secure Deletion) being used to remove the original *.3aka3.* RAT, Draft.zip, and SysinternalsSuite.zip. [1] [2] [3]
Telemetry (Correlated)
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent grouping of malicious activity. [1] [2]
4.B.3
Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file draft.zip
Technique: File Deletion (T1107)
MSSP (Delayed (Manual))
An MSSP detection for "T1107" occurred containing evidence of Sdelete (Secure Deletion) being used to remove the original *.3aka3.* RAT, Draft.zip, and SysinternalsSuite.zip. [1] [2] [3]
Telemetry (Correlated)
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent grouping of malicious activity. [1] [2]
4.B.4
Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
Technique: File Deletion (T1107)
MSSP (Delayed (Manual))
An MSSP detection for "T1107" occurred containing evidence of Sdelete (Secure Deletion) being used to remove the original *.3aka3.* RAT, Draft.zip, and SysinternalsSuite.zip. [1] [2] [3]
Telemetry (Correlated)
Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. The detection was correlated to a parent grouping of malicious activity. [1] [2]
4.C.1
Procedure: Enumerated user's temporary directory path using PowerShell
Criteria: powershell.exe executing $env:TEMP
Technique: File and Directory Discovery (T1083)
MSSP (Delayed (Manual))
An MSSP detection occurred for "basic discovery" containing evidence of $env:TEMP usage. [1]
4.C.2
Procedure: Enumerated the current username using PowerShell
Criteria: powershell.exe executing $env:USERNAME
Technique: System Owner/User Discovery (T1033)
MSSP (Delayed (Manual))
An MSSP detection for "basic discovery" occurred containing evidence of $env:USERNAME usage. [1]
4.C.3
Procedure: Enumerated the computer hostname using PowerShell
Criteria: powershell.exe executing $env:COMPUTERNAME
Technique: System Information Discovery (T1082)
MSSP (Delayed (Manual))
An MSSP detection for "basic discovery" occurred containing evidence of $env:COMPUTERNAME usage. [1]
4.C.4
Procedure: Enumerated the current domain name using PowerShell
Criteria: powershell.exe executing $env:USERDOMAIN
Technique: System Network Configuration Discovery (T1016)
MSSP (Delayed (Manual))
An MSSP detection for "basic discovery" occurred containing evidence of $env:USERDOMAIN usage. [1]
4.C.5
Procedure: Enumerated the current process ID using PowerShell
Criteria: powershell.exe executing $PID
Technique: Process Discovery (T1057)
Technique (Correlated, Alert)
A Technique alert detection for "ProcessEnumeration" was generated when PowerShell accessed $PID. The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "basic discovery" occurred containing evidence of $PID usage. [1]
Telemetry
Telemetry showed powershell.exe executing: $PID. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
4.C.6
Procedure: Enumerated the OS version using PowerShell
Criteria: powershell.exe executing Gwmi Win32_OperatingSystem
Technique: System Information Discovery (T1082)
Technique (Correlated, Alert)
A Technique alert detection for "Local Environment Information Discovery" specific to WMI was generated when PowerShell executed the suspicious WMI query containing Win32_OperatingSystem. The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "use of Gwmi" occurred containing evidence of a WMI query containing Win32_OperatingSystem. [1]
Telemetry
Telemetry showed powershell.exe executing Gwmi Win32_OperatingSystem. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
4.C.7
Procedure: Enumerated anti-virus software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Technique: Security Software Discovery (T1063)
Technique (Correlated, Alert)
A Technique alert detection for "Security Software Discovery" specific to WMI was generated when PowerShell executed the suspicious WMI query containing AntiVirusProduct. The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "use of Gwmi" occurred containing evidence of WMI query containing AntiVirusProduct. [1]
Telemetry
Telemetry showed powershell.exe executing: Get-WmiObject ... -Class AntiVirusProduct. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
4.C.8
Procedure: Enumerated firewall software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Technique: Security Software Discovery (T1063)
Technique (Correlated, Alert)
A Technique alert detection for "Security Software Discovery" specific to WMI was generated when PowerShell executed the suspicious WMI query containing FireWallProduct. The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "use of Gwmi" occurred containing evidence of WMI query containing FireWallProduct. [1]
Telemetry
Telemetry showed powershell.exe executing: Get-WmiObject ... -Class FireWallProduct. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
4.C.9
Procedure: Enumerated user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API
Technique: Permission Groups Discovery (T1069)
None
No detection capability demonstrated for this procedure.
4.C.10
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
None
No detection capability demonstrated for this procedure.
4.C.11
Procedure: Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria: powershell.exe executing the NetUserGetLocalGroups API
Technique: Permission Groups Discovery (T1069)
None
No detection capability demonstrated for this procedure.
4.C.12
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
None
No detection capability demonstrated for this procedure.
5.A.1
Procedure: Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria: powershell.exe creating the Javamtsup service
Technique: New Service (T1050)
Technique (Correlated, Alert)
A Technique alert detection for "ServiceCreate" under "Persistence {T1084}" was generated due to "javamtsup" being added to the "...\Services" registry path. The detection was correlated to a parent grouping of malicious activity. [1] [2] [3]
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell initiating a new persistence service "javamtsup". [1] [2]
5.B.1
Procedure: Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria: powershell.exe creating the file hostui.lnk in the Startup folder
Technique: Registry Run Keys / Startup Folder (T1060)
Technique (Correlated, Alert)
A Technique alert detection for "StartupDirectory" was generated due to the file write of hostui.lnk in the Startup folder. The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1060" occurred containing evidence of PowerShell placing LNK in startup folder, gaining persistence to launch hostui.bat. [1] [2]
Telemetry (Correlated)
Telemetry showed the creation of hostui.lnk in the Startup folder. The detection was correlated to a parent grouping of malicious activity. [1]
6.A.1
Procedure: Read the Chrome SQL database file to extract encrypted credentials
Criteria: accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Technique: Credentials in Files (T1081)
Technique (Correlated, Alert)
A Technique alert detection for "BrowserInfoStealing" under "Collection {T1213}" was generated when accesschk.exe read the Chrome database file for credentials. The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1081" occurred containing evidence of accesschk.exe reading the Chrome database file for credentials. [1]
6.A.2
Procedure: Executed the CryptUnprotectedData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectedData API
Technique: Credential Dumping (T1003)
None
No detection capability demonstrated for this procedure.
6.A.3
Procedure: Masqueraded a Chrome password dump tool as accesscheck.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
Technique: Masquerading (T1036)
MSSP (Delayed (Manual))
An MSSP detection for "T1036" occurred containing evidence of accesschk.exe with an MD5 value which was also found publicly and is known to be malicious. [1]
Telemetry (Correlated)
Telemetry showed accesschk.exe is not a signed Microsoft binary with hash value provided. This can be used to verify it is not the legitimate Sysinternals tool. The detection was correlated to a parent grouping of malicious activity. [1] [2]
6.B.1
Procedure: Exported a local certificate to a PFX file using PowerShell
Criteria: powershell.exe creating a certificate file exported from the system
Technique: Private Keys (T1145)
Telemetry (Correlated)
Telemetry showed file create event for a $RandomFileName.pfx file by powershell.exe. The detection was correlated to a parent grouping of malicious activity. [1]
6.C.1
Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Technique: Credential Dumping (T1003)
Technique (Correlated, Alert)
A Technique alert detection for "SensitiveMemoryAccess" under "Credential Access {T1003}" was generated when PowerShell read sensitive information from LSASS. The detection was correlated to a parent grouping of malicious activity. This activity would have been blocked. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1003" occurred containing evidence of credential dumping as indicated by “Infostealer.” [1]
Telemetry (Correlated)
Telemetry shows a remote process injection into lsass.exe by powershell.exe. The detection was correlated to a parent grouping of malicious activity. [1]
7.A.1
Procedure: Captured and saved screenshots using PowerShell
Criteria: powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Technique: Screen Capture (T1113)
Technique (Configuration Change (Detections), Correlated, Alert)
A Technique alert detection for "Screenshot" was generated due to CopyFromScreen API execution. The detection was correlated to a parent grouping of malicious activity. A Detection Configuration Change was made to align CopyFromScreen usage with "Screenshot". [1] [2]
MSSP (Delayed (Manual))
An MSSP detection for "T1113" occurred containing evidence of System.Drawing.dll being loaded and Invoke-ScreenCapture called. [1] [2]
Telemetry (Correlated, Configuration Change (UX))
Telemetry showed powershell.exe executing CopyFromScreen from System.Drawing.dll. The detection was correlated to a parent grouping of malicious activity. A UX Configuration Change was made to bring PowerShell script block logs into the user interface. [1]
7.A.2
Procedure: Captured clipboard contents using PowerShell
Criteria: powershell.exe executing Get-Clipboard
Technique: Clipboard Data (T1115)
Technique (Configuration Change (Detections), Correlated, Alert)
A Technique alert detection for "ClipBoardAccess" was generated due to PowerShell executing Get-Clipboard. The detection was correlated to a parent grouping of malicious activity. A Detection Configuration Change was made to align Get-Clipboard cmdlet usage with "ClipBoardAccess". [1]
Telemetry (Correlated, Configuration Change (UX))
Telemetry showed powershell.exe executing Get-Clipboard. The detection was correlated to a parent grouping of malicious activity. A UX Configuration Change was made to bring Get-Clipboard usage from host logs into the user interface. [1]
7.A.3
Procedure: Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API
Technique: Input Capture (T1056)
Technique (Configuration Change (Detections), Correlated, Alert)
A Technique alert detection for "SuspiciousKeylogging" was generated due to GetAsyncKeyState execution. The detection was correlated to a parent grouping of malicious activity. A Detection Configuration Change was made to align GetAsyncKeyState usage with "SuspiciousKeylogging" under "Collection {T1056}". [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1056" occurred containing evidence of GetAsyncKeyState API calls and Get-Keystrokes function call. [1] [2]
Telemetry (Configuration Change (UX), Correlated)
Telemetry showed PowerShell calling the GetAsyncKeyState API. The detection was correlated to a parent grouping of malicious activity. A UX Configuration Change was made to bring PowerShell script block logs into the user interface. [1]
7.B.1
Procedure: Read data in the user's Downloads directory using PowerShell
Criteria: powershell.exe reading files in C:\Users\pam\Downloads\
Technique: Data from Local System (T1005)
Technique (Correlated, Configuration Change (Detections), Alert)
A Technique alert detection for "Data from Local System {T1005}" was generated due to powershell.exe reading files from C:\Users\pam\Downloads. The detection was correlated to a parent grouping of malicious activity. A Detection Configuration Change was made to align PowerShell process file reads with Data from Local System (T1005). [1]
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though data showing file reads was retrieved from the encrypted cache on the host by an analyst. The script containing the variables in scope was manually recovered from the system by the analyst, so it is identified as Host Interrogation. [1]
7.B.2
Procedure: Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
Criteria: powershell.exe creating the file OfficeSupplies.7z
Technique: Data Compressed (T1002)
MSSP (Delayed (Manual))
An MSSP detection for "exfiltrate" occurred containing evidence of OfficeSupplies.7z being created. [1]
Telemetry (Correlated)
Telemetry showed the file create event for OfficeSupplies.7z. The detection was correlated to a parent grouping of malicious activity. [1]
7.B.3
Procedure: Encrypted data from the user's Downloads directory using PowerShell
Criteria: powershell.exe executing Compress-7Zip with the password argument used for encryption
Technique: Data Encrypted (T1022)
MSSP (Delayed (Manual))
An MSSP detection for "Exfiltrate" occurred containing evidence of Compress-7zip compressing and encrypting the download directory with 7z using the password “lolol." [1]
Telemetry (Correlated, Configuration Change (UX))
Telemetry showed powershell.exe executing Compress-7Zip with arguments for encryption. The detection was correlated to a parent grouping of malicious activity. A UX Configuration Change was made to bring PowerShell script block logs into the user interface. [1]
7.B.4
Procedure: Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria: powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)
Technique: Exfiltration Over Alternative Protocol (T1048)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of exfiltration via WebDav. [1] [2]
Telemetry (Correlated, Configuration Change (UX))
Telemetry showed PowerShell executing Copy-Item to a remote adversary WebDav network share (192.168.0.4). The detection was correlated to a parent grouping of malicious activity. A UX Configuration Change was made to bring PowerShell script block logs into the user interface. [1]
8.A.1
Procedure: Enumerated remote systems using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Technique: Remote System Discovery (T1018)
MSSP (Delayed (Manual))
An MSSP detection for "T1018" occurred containing evidence of Ad-Search function definition along with LDAP network connection to NewYork (10.0.0.4). [1]
Telemetry (Correlated)
Telemetry showed powershell.exe establishing a connection identified as LDAP over port 389 to NewYork (10.0.0.4). The detection was correlated to a parent grouping of malicious activity. [1] [2]
8.A.2
Established WinRM connection to remote host Scranton (10.0.1.4) Network connection to Scranton (10.0.1.4) over port 5985
Windows Remote Management
(T1028)
Technique (Alert)
A Technique alert detection for "WinRMSession" under "Lateral Movement {T1028}" was generated when a connection to remote host Scranton (10.0.1.4) from host Nashua (10.0.1.6) over port 5985 using the wsman protocol was issued. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection for "T1028" occurred containing evidence of Lateral Movement via WinRM with wsman network connection to host Scranton (10.0.1.4) over port 5985. [1] [2]
8.A.3
Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell powershell.exe executing Get-Process
Process Discovery
(T1057)
Technique (Alert)
A Technique alert detection for "ProcessEnumeration" under "Discovery {T1057}" was generated due to Invoke-Command executing Get-Process. [1]
MSSP (Delayed (Manual))
An MSSP detection for "ProcessEnumeration" occurred containing evidence of WinRM alerting on Get-Process. [1]
Telemetry (Correlated, Configuration Change (UX))
Telemetry showed PowerShell executing Get-Process. The detection was correlated to a parent grouping of malicious activity. A UX Configuration Change was made to bring Get-Process usage from host logs into the user interface. [1]
8.B.1
Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4) The file python.exe created on Scranton (10.0.1.4)
Remote File Copy
(T1105)
Tactic (Correlated, Alert)
A Tactic alert detection for "AdminShareAccess" was generated when python.exe was written from host Nashua (10.0.1.6) to the ADMIN$ share on host Scranton (10.0.1.4), indicating Lateral Movement. The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1105" occurred containing evidence of python.exe file creation. [1]
Telemetry
Telemetry showed the file create event of python.exe. [1]
8.B.2
python.exe payload was packed with UPX Evidence that the file python.exe is packed
Software Packing
(T1045)
Technique (Alert)
A Technique alert detection for "UPXProcess" under "Defense Evasion {T1045}" was generated due to python.exe being packed with UPX. [1]
MSSP (Delayed (Manual))
An MSSP detection was generated containing evidence of observed UPX packing on a Python payload. [1]
8.C.1
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam Successful logon as user Pam on Scranton (10.0.1.4)
Valid Accounts
(T1078)
Technique (Alert)
A Technique alert detection "UserLogin" under "Valid Accounts {T1078}" showed a valid logon on Scranton (10.0.1.4) as user Pam. [1]
8.C.2
Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Windows Admin Shares
(T1077)
Technique (Correlated, Alert)
A Technique alert detection for "AdminShareAccess" was generated due to PSEXESVC.exe being copied to ADMIN$ on Scranton (10.0.1.4). The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1077" occurred containing evidence of PsExec64.exe establishing an SMB session to Scranton's IPC$ share and writing PSEXESVC.exe. [1] [2]
Telemetry (Correlated)
Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over port 135 identified as RPC. [1] [2]
8.C.3
Executed python.exe using PsExec python.exe spawned by PSEXESVC.exe
Service Execution
(T1035)
Tactic (Alert)
A Tactic alert detection called "ProcessCreationExtra" was generated due to PSEXESVC.exe executing python.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1035" occurred containing evidence of PsExec executing python.exe. [1]
Telemetry
Telemetry showed python.exe spawned by PSEXESVC.exe. [1]
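Steps 8.A.2 through 8.C.3 are one lateral-movement chain from Nashua (10.0.1.6) to Scranton (10.0.1.4): a remote session (WinRM over 5985, then SMB/RPC from PsExec), a payload written to the ADMIN$ share, and that payload started under PSEXESVC.exe. The Python below is an added example and not the vendor's detection logic. It folds constructed network, file and process telemetry into one record per (source, target) pair and alerts only when all three stages are present, which is the kind of correlation to a parent grouping the notes above describe; the LDAP query of 8.A.1 is tagged separately as discovery so it does not feed the chain. Hostnames are assumed to have been resolved from the IPs listed on this page; event field names and the sample events are assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed sample telemetry. Hostnames stand in for the IPs the evaluation lists
# (Nashua 10.0.1.6, Scranton 10.0.1.4, NewYork 10.0.0.4); field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "net", "host": "Nashua", "process": "powershell.exe", "dst": "NewYork", "dport": 389},
    {"type": "net", "host": "Nashua", "process": "powershell.exe", "dst": "Scranton", "dport": 5985},
    {"type": "file", "host": "Scranton", "path": r"C:\Windows\python.exe",
     "share": "ADMIN$", "remote_host": "Nashua"},
    {"type": "net", "host": "Nashua", "process": "PsExec64.exe", "dst": "Scranton", "dport": 445},
    {"type": "file", "host": "Scranton", "path": r"C:\Windows\PSEXESVC.exe",
     "share": "ADMIN$", "remote_host": "Nashua"},
    {"type": "proc", "host": "Scranton", "parent": "PSEXESVC.exe", "image": r"C:\Windows\python.exe"},
    # Benign: the SCM starting a normal service host (not a file dropped over the network).
    {"type": "proc", "host": "Scranton", "parent": "services.exe",
     "image": r"C:\Windows\System32\svchost.exe"},
    # Benign: an admin copies a script to a server but never executes it remotely.
    {"type": "file", "host": "NewYork", "path": r"C:\Windows\audit.ps1",
     "share": "ADMIN$", "remote_host": "Nashua"},
]

PORT_TECHNIQUE = {5985: "T1028", 5986: "T1028",   # Windows Remote Management
                  445: "T1077", 135: "T1077"}      # Windows Admin Shares (SMB / RPC)
DISCOVERY_PORTS = {389: "T1018", 636: "T1018"}    # LDAP to a domain controller
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
SERVICE_LAUNCHERS = {"psexesvc.exe", "services.exe"}


def build_chains(events):
    """One record per (source host, target host). Sessions and drops are folded in
    first, then service-launched executions, so event order does not matter."""
    chains = defaultdict(lambda: {"stages": set(), "techniques": set(),
                                  "dropped": set(), "executed": set()})
    for e in events:
        if e["type"] == "net" and e["dport"] in PORT_TECHNIQUE:
            c = chains[(e["host"], e["dst"])]
            c["stages"].add("session")
            c["techniques"].add(PORT_TECHNIQUE[e["dport"]])
        elif e["type"] == "file" and e.get("share") in ADMIN_SHARES:
            c = chains[(e["remote_host"], e["host"])]
            c["stages"].add("drop")
            c["techniques"].add("T1105")  # Remote File Copy
            c["dropped"].add(ntpath.basename(e["path"]).lower())
    for e in events:
        if e["type"] == "proc" and e["parent"].lower() in SERVICE_LAUNCHERS:
            image = ntpath.basename(e["image"]).lower()
            for (src, dst), c in chains.items():
                if dst == e["host"] and image in c["dropped"]:
                    c["stages"].add("exec")
                    c["techniques"].add("T1035")  # Service Execution
                    c["executed"].add(image)
    return chains


def lateral_movement_alerts(events):
    """Alert only on pairs showing remote session + admin-share drop + service execution."""
    alerts = []
    for (src, dst), c in build_chains(events).items():
        if {"session", "drop", "exec"} <= c["stages"]:
            alerts.append({"source": src, "target": dst,
                           "techniques": sorted(c["techniques"]),
                           "executed_payload": sorted(c["executed"])})
    return alerts


def discovery_findings(events):
    """LDAP queries to the DC (8.A.1) are discovery, reported on their own."""
    return [{"host": e["host"], "process": e["process"], "target": e["dst"],
             "technique": DISCOVERY_PORTS[e["dport"]]}
            for e in events if e["type"] == "net" and e["dport"] in DISCOVERY_PORTS]


if __name__ == "__main__":
    print(lateral_movement_alerts(SAMPLE_EVENTS))
    print(discovery_findings(SAMPLE_EVENTS))
```

The chain key is the (source, target) pair rather than a process, because the three stages are observed on two different hosts and by three different processes (powershell.exe and PsExec64.exe on Nashua, PSEXESVC.exe on Scranton); a per-process storyline would never join them.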
9.A.1
Dropped rar.exe to disk on remote host Scranton (10.0.1.4) python.exe creating the file rar.exe
Remote File Copy
(T1105)
MSSP (Delayed (Manual))
An MSSP detection for "Python spawns PowerShell which then writes rar.exe and sdelete64.exe" occurred containing evidence of file write events for rar.exe and sdelete64.exe. [1]
Telemetry
Telemetry showed a file creation event for python.exe creating rar.exe. [1]
9.A.2
Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4) python.exe creating the file sdelete64.exe
Remote File Copy
(T1105)
MSSP (Delayed (Manual))
An MSSP detection for "Python spawns PowerShell which then writes Rar.exe and sdelete64.exe" occurred containing evidence of file write events for rar.exe and sdelete64.exe. [1]
Telemetry (Correlated)
Telemetry showed File Creation event for python.exe creating sdelete64.exe. The detection was correlated to a parent grouping of malicious activity. [1]
9.B.1
Spawned interactive powershell.exe powershell.exe spawning from python.exe
PowerShell
(T1086)
MSSP (Delayed (Manual))
An MSSP detection for "T1086" occurred containing evidence of python.exe executing powershell.exe. [1]
Telemetry (Correlated)
Telemetry showed python.exe executing powershell.exe. The detection was correlated to a parent grouping of malicious activity. [1]
9.B.2
Searched filesystem for document and media files using PowerShell powershell.exe executing (Get-)ChildItem
File and Directory Discovery
(T1083)
Technique (Correlated, Alert)
A Technique alert detection for "File Enumeration" under "Discovery {T1083}" was generated when powershell.exe executed Get-ChildItem. The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1083" occurred containing evidence of enumerating directories in search for specific files. The function “ChildItem” is observed. [1]
Telemetry (Configuration Change (UX), Correlated)
Telemetry showed PowerShell executing ChildItem. The detection was correlated to a parent grouping of malicious activity. A UX Configuration Change was made to bring PowerShell script block logs into the user interface. [1]
9.B.3
Scripted search of filesystem for document and media files using PowerShell powershell.exe executing (Get-)ChildItem
Automated Collection
(T1119)
Technique (Correlated, Alert, Configuration Change (UX))
A Technique alert detection called "Automated Collection" was generated when powershell.exe accessed multiple files when using ChildItem. The detection was correlated to a parent grouping of malicious activity. A UX Configuration Change was made to bring host file reads into the UI. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1119" occurred containing evidence of enumerating directories in search for specific files. The function “ChildItem” is observed. [1]
Telemetry (Correlated, Configuration Change (UX))
Telemetry showed PowerShell executing ChildItem. The detection was correlated to a parent grouping of malicious activity. A UX Configuration Change was made to bring PowerShell script block logs into the user interface. [1]
9.B.4
Recursively collected files found in C:\Users\Pam\ using PowerShell powershell.exe reading files in C:\Users\Pam\
Data from Local System
(T1005)
Technique (Configuration Change (Detections), Correlated, Alert)
A Technique alert detection for "OpenedFile" under "Data from Local System {T1005}" was generated when a known malicious powershell.exe read files in C:\Users\Pam\*. The detection was correlated to a parent grouping of malicious activity. A Detection Configuration Change was made to Get-ChildItem to align usage with Data from Local System (T1005). [1] [2]
9.B.5
Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell powershell.exe creating the file working.zip
Data Staged
(T1074)
MSSP (Delayed (Manual))
An MSSP detection for "T1074" occurred containing evidence of working.zip creation from file creation events. [1]
Telemetry (Correlated)
Telemetry showed a File Creation event for powershell.exe creating working.zip. The detection was correlated to a parent grouping of malicious activity. [1]
9.B.6
Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Data Encrypted
(T1022)
MSSP (Delayed (Manual))
An MSSP detection for "T1022" occurred containing evidence of rar.exe being executed with an encryption password parameter passed. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent grouping of malicious activity. [1]
9.B.7
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe powershell.exe executing rar.exe
Data Compressed
(T1002)
Technique (Correlated, Alert)
A Technique alert detection called "Compression" was generated due to powershell.exe executing rar.exe with command-line arguments indicative of compression. The detection was correlated to a parent grouping of malicious activity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1002" occurred containing evidence of powershell.exe executing rar.exe. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent grouping of malicious activity. [1]
9.B.8
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443) python.exe reading the file working.zip while connected to the C2 channel
Exfiltration Over Command and Control Channel
(T1041)
MSSP (Delayed (Manual))
An MSSP detection for "T1041" occurred containing evidence of the C2 instance of Python.exe being observed establishing a network connection to 192.168.0.4 on port 8443 (https). [1] [2]
Telemetry (Correlated, Configuration Change (UX))
Telemetry showed file read event for working.zip and an existing C2 channel (192.168.0.4 over TCP port 8443). A UX Configuration Change was made to bring host file reads into the UI. [1] [2]
9.C.1
Deleted rar.exe on disk using SDelete sdelete64.exe deleting the file rar.exe
File Deletion
(T1107)
MSSP (Delayed (Manual))
An MSSP detection for "sdelete" occurred containing evidence of sdelete being run to delete rar.exe and working.zip. [1]
Telemetry (Correlated)
Telemetry showed a file deletion event for sdelete64.exe (secure file delete) deleting rar.exe. The detection was correlated to a parent grouping of malicious activity. [1]
9.C.2
Deleted working.zip (from Desktop) on disk using SDelete sdelete64.exe deleting the file \Desktop\working.zip
File Deletion
(T1107)
MSSP (Delayed (Manual))
An MSSP detection for "sdelete" occurred containing evidence of sdelete being run to delete rar.exe and working.zip. [1]
Telemetry (Correlated)
Telemetry showed sdelete64.exe with command-line arguments to Desktop\working.zip. The detection was correlated to a parent grouping of malicious activity. [1]
9.C.3
Deleted working.zip (from AppData directory) on disk using SDelete sdelete64.exe deleting the file \AppData\Roaming\working.zip
File Deletion
(T1107)
MSSP (Delayed (Manual))
An MSSP detection for "sdelete" occurred containing evidence of sdelete being run to delete rar.exe and working.zip. [1]
Telemetry (Correlated)
Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. The detection was correlated to a parent grouping of malicious activity. [1]
9.C.4
Deleted SDelete on disk using cmd.exe del command cmd.exe deleting the file sdelete64.exe
File Deletion
(T1107)
MSSP (Delayed (Manual))
An MSSP detection for "executing a deletion" occurred containing evidence of cmd.exe being run to delete sdelete64.exe. [1]
Telemetry (Correlated)
Telemetry showed a file deletion event on "Windows Command Processor" deleting sdelete64.exe. The detection was correlated to a parent grouping of malicious activity. [1]
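Steps 9.A.1, 9.A.2 and 9.C.1 through 9.C.4 describe a tooling lifecycle rather than four unrelated deletions: python.exe drops rar.exe and sdelete64.exe, rar.exe is run, sdelete64.exe wipes rar.exe and both copies of working.zip, and cmd.exe finally deletes sdelete64.exe itself. Any one of those deletions alone is ordinary file activity; the signal is the lifecycle. The Python below is an added example, not the vendor's logic: it folds constructed file-create, process-create and file-delete events into one record per path and reports three patterns, a file wiped by a secure-delete tool, a tool dropped by an interpreter that was executed and then removed, and a wiper removing itself. Paths, timestamps, process names for the benign events and the field names are assumptions.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed host telemetry from Scranton modelled on the events the results cite.
# Paths, times and field names are assumptions made for this example.
APPDATA = r"C:\Users\Pam\AppData\Roaming"
DESKTOP = r"C:\Users\Pam\Desktop"
SAMPLE_EVENTS = [
    {"t": "2020-04-02T11:00:00", "type": "file_create", "process": "python.exe", "path": APPDATA + r"\rar.exe"},
    {"t": "2020-04-02T11:00:01", "type": "file_create", "process": "python.exe", "path": APPDATA + r"\sdelete64.exe"},
    {"t": "2020-04-02T11:05:00", "type": "proc_create", "parent": "powershell.exe", "image": APPDATA + r"\rar.exe"},
    {"t": "2020-04-02T11:09:00", "type": "proc_create", "parent": "powershell.exe", "image": APPDATA + r"\sdelete64.exe"},
    {"t": "2020-04-02T11:09:05", "type": "file_delete", "process": "sdelete64.exe", "path": APPDATA + r"\rar.exe"},
    {"t": "2020-04-02T11:09:20", "type": "file_delete", "process": "sdelete64.exe", "path": DESKTOP + r"\working.zip"},
    {"t": "2020-04-02T11:09:40", "type": "file_delete", "process": "sdelete64.exe", "path": APPDATA + r"\working.zip"},
    {"t": "2020-04-02T11:10:00", "type": "file_delete", "process": "cmd.exe", "path": APPDATA + r"\sdelete64.exe"},
    # Benign: an installer drops a tool that is run and kept; a user deletes a note.
    {"t": "2020-04-02T09:00:00", "type": "file_create", "process": "msiexec.exe", "path": r"C:\Program Files\Acme\tool.exe"},
    {"t": "2020-04-02T09:05:00", "type": "proc_create", "parent": "explorer.exe", "image": r"C:\Program Files\Acme\tool.exe"},
    {"t": "2020-04-02T09:30:00", "type": "file_delete", "process": "explorer.exe", "path": DESKTOP + r"\notes.txt"},
]

WIPERS = {"sdelete.exe", "sdelete64.exe", "cipher.exe"}
DROPPERS = {"python.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def file_lifecycles(events):
    """Fold the event stream into one record per (lower-cased) file path."""
    files = defaultdict(lambda: {"created_by": None, "created": None, "executed": False,
                                 "deleted_by": None, "deleted": None})
    for e in sorted(events, key=lambda e: e["t"]):
        rec = files[(e.get("path") or e.get("image")).lower()]
        if e["type"] == "file_create":
            rec["created_by"], rec["created"] = e["process"].lower(), e["t"]
        elif e["type"] == "proc_create":
            rec["executed"] = True
        elif e["type"] == "file_delete":
            rec["deleted_by"], rec["deleted"] = e["process"].lower(), e["t"]
    return files


def anti_forensics_findings(events, window=timedelta(hours=1)):
    """Map path -> T1107 finding with the lifecycle patterns that fired."""
    files = file_lifecycles(events)
    used_wipers = {r["deleted_by"] for r in files.values() if r["deleted_by"] in WIPERS}
    findings = {}
    for path, rec in files.items():
        if rec["deleted_by"] is None:
            continue
        patterns = []
        if rec["deleted_by"] in WIPERS:
            patterns.append("secure-delete")
        if rec["created_by"] in DROPPERS and rec["executed"]:
            age = datetime.fromisoformat(rec["deleted"]) - datetime.fromisoformat(rec["created"])
            if age <= window:
                patterns.append("dropped-tool-removed")
        if ntpath.basename(path) in used_wipers:
            patterns.append("wiper-self-removal")
        if patterns:
            findings[path] = {"technique": "T1107", "patterns": patterns,
                              "deleted_by": rec["deleted_by"]}
    return findings


if __name__ == "__main__":
    for path, f in anti_forensics_findings(SAMPLE_EVENTS).items():
        print(path, f)
```

The deletion of sdelete64.exe by cmd.exe (9.C.4) is the weakest event in isolation, a plain del of a user-writable file, but it is the strongest in context: the file being deleted is the process that performed the three wipes just before it.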
10.A.1
Executed persistent service (javamtsup) on system startup javamtsup.exe spawning from services.exe
Service Execution
(T1035)
Tactic (Alert)
A Tactic alert detection called "ProcessCreationExtra" was generated when services.exe executed javamtsup.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1035" occurred containing evidence of javamtsup.exe with parent process services.exe. [1]
Telemetry
Telemetry showed javamtsup.exe with parent process services.exe. [1]
10.B.1
Executed LNK payload (hostui.lnk) in Startup Folder on user login Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Registry Run Keys / Startup Folder
(T1060)
Technique (Configuration Change (Detections), Alert)
A Technique alert detection for "StartedFromLnk" under "Registry Run Keys / Startup Folder {T1060}" was generated due to hostui.lnk triggering on login from the Startup Folder. A Detection Configuration Change was made to capture .lnk files triggering on login from the Startup Folder and to align that usage with "StartedFromLnk" under "Registry Run Keys / Startup Folder {T1060}". [1]
MSSP (Delayed (Manual))
An MSSP detection for "startup persistence" occurred containing evidence of hostui.lnk executing from Startup Folder. [1]
Telemetry
Telemetry showed hostui.lnk executing from the Startup Folder. [1]
10.B.2
Executed PowerShell payload via the CreateProcessWithToken API hostui.exe executing the CreateProcessWithToken API
Execution through API
(T1106)
None
No detection capability demonstrated for this procedure.
10.B.3
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Access Token Manipulation
(T1134)
Technique (Correlated, Alert)
A Technique alert detection for "TokenMismatch" under "Privilege Escalation {T1134}" was generated when the token of the parent process (hostui.exe) did not match the token of the child process (powershell.exe). The detection was correlated to a parent grouping of malicious activity. [1]
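Steps 10.B.2 and 10.B.3 together make a practical point: the CreateProcessWithToken call itself (10.B.2) produced no detection, but its effect, a child process whose token does not match its parent's, did (10.B.3). The Python below is an added example, not the vendor's TokenMismatch rule. It compares parent and child token attributes on constructed process-creation events, suppresses the Windows brokers that legitimately create processes under a different token (services.exe for services, svchost.exe for secondary logon and UAC elevation, winlogon.exe/userinit.exe at logon), and records whether integrity went up, which is what turns a defense-evasion finding into a privilege-escalation one. The SIDs, logon IDs, integrity levels and field names are constructed for the example; the page does not give the real token values.

```python
import ntpath

# Windows components expected to start processes under a token other than their own.
TOKEN_BROKERS = {"services.exe", "svchost.exe", "winlogon.exe", "userinit.exe", "wininit.exe",
                 "lsass.exe", "consent.exe", "runtimebroker.exe", "smss.exe", "csrss.exe"}
INTEGRITY_RANK = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4}

# Constructed process-creation events carrying both the parent's and the child's token.
SAMPLE_EVENTS = [
    # 10.B.3: hostui.exe starts powershell.exe with a token taken from explorer.exe,
    # which belongs to a different logon session (values are assumptions).
    {"host": "Scranton", "pid": 3320,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "token": {"user": "S-1-5-21-1-2-3-1107", "logon_id": "0x2A9F5", "integrity": "Medium"},
     "parent_image": r"C:\Users\Pam\AppData\Roaming\hostui.exe",
     "parent_token": {"user": "S-1-5-21-1-2-3-1107", "logon_id": "0x2A8C0", "integrity": "Medium"}},
    # Generalisation: a user-level process spawning a SYSTEM child (user SID and integrity change).
    {"host": "Scranton", "pid": 3410, "image": r"C:\Windows\System32\cmd.exe",
     "token": {"user": "S-1-5-18", "logon_id": "0x3E7", "integrity": "System"},
     "parent_image": r"C:\Users\Pam\AppData\Roaming\hostui.exe",
     "parent_token": {"user": "S-1-5-21-1-2-3-1107", "logon_id": "0x2A8C0", "integrity": "Medium"}},
    # Benign: explorer.exe passes its own token on to notepad.exe.
    {"host": "Scranton", "pid": 3500, "image": r"C:\Windows\System32\notepad.exe",
     "token": {"user": "S-1-5-21-1-2-3-1107", "logon_id": "0x2A9F5", "integrity": "Medium"},
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_token": {"user": "S-1-5-21-1-2-3-1107", "logon_id": "0x2A9F5", "integrity": "Medium"}},
    # Benign: the SCM starts a service as NETWORK SERVICE; services.exe is an expected broker.
    {"host": "Scranton", "pid": 1204, "image": r"C:\Windows\System32\svchost.exe",
     "token": {"user": "S-1-5-20", "logon_id": "0x3E4", "integrity": "System"},
     "parent_image": r"C:\Windows\System32\services.exe",
     "parent_token": {"user": "S-1-5-18", "logon_id": "0x3E7", "integrity": "System"}},
]


def token_changes(parent_token, child_token):
    """Names of the token attributes that differ between parent and child."""
    return [k for k in ("user", "logon_id") if parent_token[k] != child_token[k]]


def detect_token_mismatch(events):
    """T1134 alert for every non-broker parent whose child runs under a different token."""
    alerts = []
    for e in events:
        changed = token_changes(e["parent_token"], e["token"])
        if not changed:
            continue
        if ntpath.basename(e["parent_image"]).lower() in TOKEN_BROKERS:
            continue  # expected: SCM, secondary logon, UAC, logon
        escalated = (INTEGRITY_RANK[e["token"]["integrity"]]
                     > INTEGRITY_RANK[e["parent_token"]["integrity"]])
        alerts.append({"host": e["host"], "pid": e["pid"], "technique": "T1134",
                       "parent": ntpath.basename(e["parent_image"]),
                       "child": ntpath.basename(e["image"]),
                       "changed": changed, "privilege_escalation": escalated})
    return alerts


if __name__ == "__main__":
    for a in detect_token_mismatch(SAMPLE_EVENTS):
        print(a)
```

Comparing the logon session ID as well as the user SID matters for the case on this page: a token stolen from another process of the same user shares the SID, so a SID-only comparison would miss it.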
11.A.1
User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk powershell.exe spawning from explorer.exe
User Execution
(T1204)
Tactic (Alert)
A Tactic alert detection called "ProcessCreationExtra" was generated when explorer.exe executed powershell.exe. [1]
General (Alert)
A General alert detection was generated for a suspicious powershell.exe process spawning. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1204" occurred containing evidence of powershell.exe execution targeting .lnk payload. [1]
Telemetry
Telemetry showed explorer.exe executing powershell.exe. [1]
11.A.2
Executed an alternate data stream (ADS) using PowerShell powershell.exe executing the schemas ADS via Get-Content and IEX
NTFS File Attributes
(T1096)
MSSP (Delayed (Manual))
An MSSP detection for "T1096" occurred containing evidence of powershell.exe executing schemas ADS via Get-Content and IEX. [1]
Telemetry
Telemetry showed powershell.exe executing the schemas ADS with Get-Content and IEX. [1]
11.A.3
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell powershell.exe executing a Get-WmiObject query for Win32_BIOS
Virtualization/Sandbox Evasion
(T1497)
Tactic (Alert)
A Tactic alert detection for "Discovery" under "SuspiciousWMIQuery" was generated on a suspicious WMI query targeting Win32_BIOS. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1497" occurred containing evidence of WMI query targeting Win32_BIOS. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_BIOS. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.4
Enumerated computer manufacturer, model, and version information using PowerShell powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
System Information Discovery
(T1082)
Tactic (Alert)
A Tactic alert detection for "Discovery" was generated on a suspicious WMI query targeting Win32_BIOS and Win32_ComputerSystem. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection for "T1082" occurred containing evidence of WMI query targeting Win32_BIOS and Win32_ComputerSystem. [1]
Telemetry
Telemetry showed the PowerShell gwmi queries for Win32_BIOS and Win32_ComputerSystem. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.5
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Peripheral Device Discovery
(T1120)
Technique (Alert)
A Technique alert detection for "SuspiciousWMIQuery" under "{T1120}" (Peripheral Device Discovery) was generated due to a suspicious WMI query for Win32_PnPEntity. [1]
MSSP (Delayed (Manual))
An MSSP detection for "T1120" occurred containing evidence of WMI query targeting Win32_PnPEntity. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_PnPEntity. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
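Steps 11.A.3 through 11.A.5, and the username check of 11.A.6 that follows, are one pattern seen from the script-block side: a run of Get-WmiObject queries whose results are compared against virtual-machine vendor strings and generic user names. A lone Win32_BIOS query is common in inventory scripts, so the example below scores the cluster per process instead of alerting on any single query. It is an added example, not the vendor's SuspiciousWMIQuery rule; the script text it runs over is constructed to resemble the checks described on this page, and the host name, PIDs and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed PowerShell script block records. The first process performs the
# sandbox checks described in 11.A.3-11.A.6; the others are ordinary inventory scripts.
SAMPLE_EVENTS = [
    {"host": "OscarWS", "pid": 2208,
     "script": '$b = gwmi Win32_BIOS; if ($b.SerialNumber -match "VMware|VirtualBox") { exit }'},
    {"host": "OscarWS", "pid": 2208,
     "script": 'if ($b.Version -match "VBOX|VMW") { exit }; gwmi Win32_ComputerSystem | select Manufacturer, Model'},
    {"host": "OscarWS", "pid": 2208,
     "script": 'gwmi Win32_PnPEntity | where { $_.Name -match "VBOX|VirtualBox" }'},
    {"host": "OscarWS", "pid": 2208,
     "script": 'if ((gwmi Win32_ComputerSystem).UserName -match "admin|user|test") { exit }'},
    {"host": "OscarWS", "pid": 900,
     "script": "Get-WmiObject Win32_BIOS | Select-Object SerialNumber"},
    {"host": "OscarWS", "pid": 910,
     "script": "Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object Caption, Version"},
]

WMI_CLASS = re.compile(r"\bWin32_\w+", re.I)
VM_STRINGS = re.compile(r"vmware|virtualbox|vbox|qemu|xen|hyper-?v|innotek|parallels|sandbox", re.I)
USERNAME_CHECK = re.compile(r"\.UserName\b.*?-(?:match|like|eq|contains)", re.I | re.S)
# WMI classes the emulation used for reconnaissance, mapped to their ATT&CK technique.
CLASS_TECHNIQUE = {"win32_bios": "T1082", "win32_computersystem": "T1082",
                   "win32_pnpentity": "T1120", "win32_videocontroller": "T1120"}


def analyse_process(scripts):
    """Score all script blocks of one process together."""
    text = "\n".join(scripts)
    classes = {c.lower() for c in WMI_CLASS.findall(text)}
    recon = {c for c in classes if c in CLASS_TECHNIQUE}
    vm_hits = sorted({m.lower() for m in VM_STRINGS.findall(text)})
    techniques = {CLASS_TECHNIQUE[c] for c in recon}
    if "win32_computersystem" in classes and USERNAME_CHECK.search(text):
        techniques.add("T1033")  # System Owner/User Discovery
    if recon and vm_hits:
        techniques.add("T1497")  # Virtualization/Sandbox Evasion
    score = len(recon) + len(vm_hits) + (1 if "T1033" in techniques else 0)
    return {"classes": sorted(recon), "vm_strings": vm_hits,
            "techniques": sorted(techniques), "score": score}


def detect(events, threshold=3):
    """Map (host, pid) -> analysis for processes whose score reaches `threshold`."""
    grouped = defaultdict(list)
    for e in events:
        grouped[(e["host"], e["pid"])].append(e["script"])
    hits = {}
    for key, scripts in grouped.items():
        result = analyse_process(scripts)
        if result["score"] >= threshold:
            hits[key] = result
    return hits


if __name__ == "__main__":
    for key, result in detect(SAMPLE_EVENTS).items():
        print(key, result)
```

Scoring across the whole process is what separates the evasion check from the inventory script with pid 900: both query Win32_BIOS, but only one compares the answer against VMware and VirtualBox strings, then goes on to Win32_ComputerSystem and Win32_PnPEntity.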
11.A.6
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Owner/User Discovery
(T1033)
Tactic (Alert)
A Tactic alert detection for "Discovery" was generated on a suspicious WMI query targeting Win32_ComputerSystem. [1]
MSSP (Delayed (Manual))