
Trend Micro: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation; these are not endorsed or validated by MITRE.

Legend

Main Detection Categories (as used in these APT29 results): None, Telemetry, MSSP, General, Tactic, Technique.
Detection Modifiers (as used in these APT29 results): Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative.
Legend entries from the earlier APT3 round that also appear on the page but are not used in these results: Indicator of Compromise, Enrichment, General Behavior, Specific Behavior (main categories) and Tainted (modifier).

Result columns: Step, Procedure, Criteria, Technique, Detection Type, Detection Notes. Each step below is listed as its Procedure (what the red team did), its Criteria (what the vendor had to show to receive credit), the ATT&CK technique, and then one block per detection type with the corresponding notes. Bracketed numbers are the screenshots attached to each detection on the original page.
1.A.1
Procedure: User Pam executed payload rcs.3aka3.doc
Criteria: The rcs.3aka3.doc process spawning from explorer.exe
ATT&CK technique: User Execution (T1204)
General (Alert)
A General alert detection (suspicious severity) was generated for rcs.3aka3.doc being a suspicious process. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for user Pam executing rcs.3aka3.doc. [1]
Telemetry
Telemetry showed explorer.exe executing rcs.3aka3.doc. [1]
1.A.2
Procedure: Used the Unicode right-to-left override (RTLO) character to obfuscate the file name; the file on disk is cod.3aka3.scr, which Explorer displays as rcs.3aka3.doc
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka3.scr)
ATT&CK technique: Masquerading (T1036)
Technique (Configuration Change (Detections))
A Technique detection called "RTLO.Masquerading T1036" was generated when an executable ran containing a RTLO character. The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
Telemetry
Telemetry showed the original filename cod.3aka3.scr, which the RTLO character renders as rcs.3aka3.doc. [1]
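The check behind step 1.A.2, written out as an added example (this is not code from the MITRE evaluation or from Trend Micro): given a file name as logged, find any Unicode bidirectional formatting characters, recover the name the file system actually uses, and approximate what Explorer draws so the real and displayed extensions can be compared. The sample file name is constructed after the 1.A.2 payload.

```python
# Added example: triage a filename for bidi overrides such as U+202E (RTLO).
# Not part of the MITRE evaluation or any vendor product; sample names are
# constructed for illustration.
import unicodedata

# Bidi classes of the explicit formatting characters that can reorder display.
BIDI_FORMATTING = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def bidi_controls(name: str) -> list:
    """Return (index, code point, bidi class) for every bidi formatting char."""
    return [
        (i, f"U+{ord(c):04X}", unicodedata.bidirectional(c))
        for i, c in enumerate(name)
        if unicodedata.bidirectional(c) in BIDI_FORMATTING
    ]


def displayed_name(name: str) -> str:
    """Approximate rendering for the common single-RLO case: everything after
    U+202E is drawn right to left, i.e. reversed. Enough for triage; a full
    Unicode bidi implementation is not needed to spot the masquerade."""
    head, rlo, tail = name.partition("\u202e")
    return head + tail[::-1] if rlo else name


def extension(name: str) -> str:
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def analyse_filename(name: str) -> dict:
    """The on-disk name decides how Windows executes the file; the displayed
    name decides what the user believes they are opening."""
    controls = bidi_controls(name)
    on_disk = "".join(
        c for c in name if unicodedata.bidirectional(c) not in BIDI_FORMATTING
    )
    shown = displayed_name(name)
    real_ext, shown_ext = extension(on_disk), extension(shown)
    return {
        "on_disk": on_disk,                 # what CreateProcess/ShellExecute sees
        "displayed": shown,                 # what Explorer draws
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        "extension_mismatch": real_ext != shown_ext,
        # Any bidi formatting character in a file name is worth an alert on its
        # own; the extension mismatch is the evidence a human wants to see.
        "suspicious": bool(controls),
    }


if __name__ == "__main__":
    # Constructed samples: the 1.A.2 payload name and a benign document.
    for sample in ("\u202ecod.3aka3.scr", "report.docx"):
        print(analyse_filename(sample))
```

Reversing the displayed name rcs.3aka3.doc gives the on-disk name cod.3aka3.scr, which is why the Telemetry note above credits the original filename: a detection that keys on the process image name as the kernel sees it, rather than on the rendered string, is not fooled by the override.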
1.A.3
Procedure: Established C2 channel (192.168.0.5) via the rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234
ATT&CK technique: Uncommonly Used Port (T1065)
MSSP (Delayed (Manual))
An MSSP detection occurred for rcs.3aka3.doc process connecting to 192.168.0.5 on TCP port 1234. [1]
Telemetry
Telemetry showed the rcs.3aka3.doc process connecting to 192.168.0.5 on port 1234. [1]
1.A.4
Procedure: Used the RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
ATT&CK technique: Standard Cryptographic Protocol (T1032)
None
No detection capability demonstrated for this procedure.
1.B.1
Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
ATT&CK technique: Command-Line Interface (T1059)
MSSP (Delayed (Manual))
An MSSP detection was generated for cmd.exe spawning from rcs.3aka3.doc. [1]
Telemetry (Correlated)
Telemetry showed cmd.exe spawning from rcs.3aka3.doc​. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
1.B.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
ATT&CK technique: PowerShell (T1086)
Telemetry (Correlated)
Telemetry showed powershell.exe spawning from cmd.exe. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1] [2] [3]
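Steps 1.B.1 and 1.B.2 are credited as Telemetry (Correlated): the cmd.exe and powershell.exe events were linked back to the earlier alert on rcs.3aka3.doc. The following is an added example of that parent-alert linkage (not code from the MITRE evaluation or from Trend Micro) built from process-creation events. The events, pids and the rule that raises the root alert (a process whose image name ends in a document extension) are constructed assumptions for the example.

```python
# Added example: rebuild "correlated to a parent alert" from process events.
# Not part of the MITRE evaluation or any vendor product; events are made up.
from dataclasses import dataclass

# Extensions a legitimate process image should never carry (assumed list).
DOCUMENT_EXTS = (".doc", ".docx", ".pdf", ".txt", ".png", ".jpg")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image file name as logged
    cmdline: str


# Constructed telemetry modelled on steps 1.A.1, 1.B.1 and 1.B.2 (not real logs).
PROC_EVENTS = [
    ProcEvent(1000, 4, "explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(2000, 1000, "rcs.3aka3.doc", r"C:\Users\Pam\Downloads\rcs.3aka3.doc"),
    ProcEvent(2100, 2000, "cmd.exe", "cmd.exe"),
    ProcEvent(2200, 2100, "powershell.exe", "powershell.exe"),
    ProcEvent(3000, 1000, "winword.exe", r"WINWORD.EXE /n C:\Users\Pam\report.docx"),
]


def root_alerts(events) -> set:
    """General alert: a running process whose image name ends in a document
    extension (the 1.A.1 'suspicious process' condition for rcs.3aka3.doc)."""
    return {e.pid for e in events if e.image.lower().endswith(DOCUMENT_EXTS)}


def correlate(events) -> dict:
    """Map each pid to the nearest alerted ancestor pid, or None."""
    parent = {e.pid: e.ppid for e in events}
    alerted = root_alerts(events)
    links = {}
    for e in events:
        link, cur, seen = None, parent[e.pid], set()
        # Walk up the tree; 'seen' guards against pid reuse producing a loop.
        while cur in parent and cur not in seen:
            seen.add(cur)
            if cur in alerted:
                link = cur
                break
            cur = parent[cur]
        links[e.pid] = link
    return links


def detection_labels(events) -> dict:
    """Label each process the way this results page does."""
    alerted, links = root_alerts(events), correlate(events)
    labels = {}
    for e in events:
        if e.pid in alerted:
            labels[e.pid] = "General (Alert)"
        elif links[e.pid] is not None:
            labels[e.pid] = f"Telemetry (Correlated to parent alert on pid {links[e.pid]})"
        else:
            labels[e.pid] = "Telemetry"
    return labels


if __name__ == "__main__":
    for e in PROC_EVENTS:
        print(e.pid, e.image, "->", detection_labels(PROC_EVENTS)[e.pid])
```

The value of the correlation is the analyst view, not the alert count: the cmd.exe and powershell.exe launches are unremarkable on their own, and only the chain back to the .doc that runs as a process makes them worth looking at. The winword.exe sibling shows the negative case, a child of explorer.exe with no alerted ancestor stays plain Telemetry.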
2.A.1
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
ATT&CK technique: File and Directory Discovery (T1083)
Technique (Configuration Change (Detections))
A Technique detection "PS1.DiscoverCollectLocal T1083" was generated for PowerShell enumerating files and directories using ChildItem recursively. The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred showing evidence of PowerShell looking for certain files in a directory. [1]
Telemetry
Telemetry showed powershell.exe executing ChildItem. [1]
2.A.2
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
ATT&CK technique: Automated Collection (T1119)
Technique (Configuration Change (Detections))
A Technique detection "PS1.DiscoverCollectLocal T1119" was generated for PowerShell enumerating files and directories using ChildItem recursively. The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred showing evidence of powershell.exe executing ChildItem. [1]
Telemetry
Telemetry showed powershell.exe executing ChildItem. [1]
2.A.3
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
ATT&CK technique: Data from Local System (T1005)
Telemetry (Correlated)
Telemetry showed file reads of C:\Users\Pam\*. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
2.A.4
Procedure: Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive
ATT&CK technique: Data Compressed (T1002)
MSSP (Delayed (Manual))
An MSSP detection occurred showing evidence of powershell.exe compressing via Compress-Archive. [1]
Telemetry
Telemetry showed powershell.exe compressing via Compress-Archive. [1]
2.A.5
Procedure: Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file Draft.zip
ATT&CK technique: Data Staged (T1074)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell storing files in a zip file. [1]
Telemetry (Correlated)
Telemetry showed the creation of Draft.Zip. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
2.B.1
Procedure: Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria: The rcs.3aka3.doc process reading the file Draft.zip while connected to the C2 channel
ATT&CK technique: Exfiltration Over Command and Control Channel (T1041)
Telemetry (Correlated)
Telemetry showed file accessed event for Draft.zip and an existing C2 channel (192.168.0.5 over port 1234). The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
3.A.1
Procedure: Dropped stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png
ATT&CK technique: Remote File Copy (T1105)
Telemetry (Correlated)
Telemetry showed rcs.3aka3.doc creating monkey.png. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
3.A.2
Procedure: Embedded PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png
ATT&CK technique: Obfuscated Files or Information (T1027)
Telemetry
Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. [1]
3.B.1
Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute value under HKCU\Software\Classes\Folder\shell\open\command
ATT&CK technique: Component Object Model Hijacking (T1122)
Technique (Configuration Change (Detections))
A Technique detection "Noteworthy Behavior T1122" was generated due to the addition of the DelegateExecute Registry Value. The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
Telemetry
Telemetry showed the addition of the DelegateExecute Registry Value. [1]
3.B.2
Procedure: Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (itself spawned from sdclt.exe)
ATT&CK technique: Bypass User Account Control (T1088)
Telemetry (Correlated)
Telemetry showed the PowerShell callback spawning from control.exe. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1] [2]
3.B.3
Procedure: Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria: Established network channel over port 443
ATT&CK technique: Commonly Used Port (T1043)
Technique (Correlated)
A Technique detection called "Commonly Used Port" was generated due to powershell.exe connecting to 192.168.0.5 on TCP 443. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe connecting to 192.168.0.5 on TCP 443. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe connecting to 192.168.0.5 on port 443. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
3.B.4
Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS
ATT&CK technique: Standard Application Layer Protocol (T1071)
Technique
A Technique detection called "Standard Application Layer Protocol" was generated due to the PowerShell process exchanging data with 192.168.0.5 over HTTPS. [1]
3.B.5
Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
ATT&CK technique: Standard Cryptographic Protocol (T1032)
Technique
A Technique detection called "Standard Application Layer Protocol" was generated due to the PowerShell process exchanging data with 192.168.0.5 over HTTPS. [1]
3.C.1
Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\open\command subkey
ATT&CK technique: Modify Registry (T1112)
MSSP (Delayed (Manual))
An MSSP detection occurred for the deletion of the command subkey. [1]
Telemetry (Correlated)
Telemetry showed the deletion of the command subkey. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
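Steps 3.B.1, 3.B.2 and 3.C.1 are one sequence: write the Folder\shell\open\command handler (including the DelegateExecute value) under HKCU, launch sdclt.exe so that the auto-elevated control.exe resolves that handler and spawns a high-integrity payload, then delete the key. As an added example (not code from the MITRE evaluation or from Trend Micro), the detection below runs the three rules over a constructed registry and process event stream. Field names loosely follow Sysmon events 13 (SetValue), 12 (DeleteKey) and 1 (ProcessCreate); the events, pids and the 600-second window are assumptions for the example.

```python
# Added example: detect the sdclt.exe COM-hijack UAC bypass and its cleanup.
# Not part of the MITRE evaluation or any vendor product; events are made up.
HIJACK_KEY = r"HKCU\Software\Classes\Folder\shell\open\command"

# Constructed event stream in time order.
HIJACK_EVENTS = [
    {"t": 0, "type": "ProcessCreate", "pid": 2200, "ppid": 2100,
     "image": "powershell.exe", "integrity": "Medium"},
    {"t": 1, "type": "SetValue", "key": HIJACK_KEY, "value": "(Default)",
     "data": "powershell.exe -ep bypass -w hidden -c ...", "image": "powershell.exe"},
    {"t": 2, "type": "SetValue", "key": HIJACK_KEY, "value": "DelegateExecute",
     "data": "", "image": "powershell.exe"},
    # sdclt.exe auto-elevates; control.exe inherits High integrity and resolves
    # the Folder\shell\open\command handler from HKCU, which is the hijacked key.
    {"t": 3, "type": "ProcessCreate", "pid": 500, "ppid": 2200,
     "image": "sdclt.exe", "integrity": "High"},
    {"t": 4, "type": "ProcessCreate", "pid": 510, "ppid": 500,
     "image": "control.exe", "integrity": "High"},
    {"t": 5, "type": "ProcessCreate", "pid": 520, "ppid": 510,
     "image": "powershell.exe", "integrity": "High"},
    {"t": 6, "type": "DeleteKey", "key": HIJACK_KEY, "image": "powershell.exe"},
]


def detect_sdclt_hijack(events, window=600) -> list:
    """Return findings for the registry write, the elevated chain and the cleanup."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    findings, key_writes = [], []
    for e in events:
        key = e.get("key", "").lower()          # registry paths are case-insensitive
        if e["type"] == "SetValue" and key == HIJACK_KEY.lower():
            key_writes.append(e["t"])
            findings.append({"rule": "com_hijack_registry", "t": e["t"],
                             "detail": f'{e["image"]} wrote {e["value"]} under {e["key"]}'})
        elif e["type"] == "ProcessCreate" and e["integrity"] == "High":
            # Chain check: High-integrity child of control.exe whose parent is sdclt.exe.
            parent = procs.get(e["ppid"])
            grand = procs.get(parent["ppid"]) if parent else None
            if (parent and grand and parent["image"].lower() == "control.exe"
                    and grand["image"].lower() == "sdclt.exe"):
                findings.append({
                    "rule": "uac_bypass_sdclt", "t": e["t"],
                    "recent_key_write": any(0 <= e["t"] - t0 <= window for t0 in key_writes),
                    "detail": f'High-integrity {e["image"]} (pid {e["pid"]}) via sdclt.exe -> control.exe',
                })
        elif e["type"] == "DeleteKey" and key == HIJACK_KEY.lower():
            findings.append({"rule": "com_hijack_cleanup", "t": e["t"],
                             "detail": f'{e["image"]} deleted {e["key"]}'})
    return findings


if __name__ == "__main__":
    for f in detect_sdclt_hijack(HIJACK_EVENTS):
        print(f["t"], f["rule"], f["detail"])
```

The registry rule fires on any write under that key, not only on DelegateExecute, because legitimate software has no reason to populate a per-user Folder handler; the cleanup rule matters because the deletion in 3.C.1 is the only artifact left once the key is gone, and the page's own criteria for 3.C.1 use a differently capitalised path, which is why the comparison lowercases both sides.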
4.A.1
Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip
ATT&CK technique: Remote File Copy (T1105)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of the file write of the ZIP by PowerShell. [1]
Telemetry (Correlated)
Telemetry showed the file write of the ZIP by PowerShell. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
4.A.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from powershell.exe
ATT&CK technique: PowerShell (T1086)
Telemetry (Correlated)
Telemetry showed a new powershell.exe spawning from powershell.exe. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
4.A.3
Procedure: Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria: powershell.exe executing Expand-Archive
ATT&CK technique: Deobfuscate/Decode Files or Information (T1140)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of powershell.exe decompressing SysinternalsSuite.zip via Expand-Archive. [1]
Telemetry (Correlated)
Telemetry showed PowerShell decompressing the ZIP via Expand-Archive and corresponding file writes. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1] [2]
4.B.1
Procedure: Enumerated current running processes using PowerShell
Criteria: powershell.exe executing Get-Process
ATT&CK technique: Process Discovery (T1057)
Technique (Configuration Change (Detections), Alert)
A Technique alert detection called "Process Discovery" (low severity) was generated due to powershell.exe executing Get-Process. The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of powershell.exe executing Get-Process. [1]
Telemetry
Telemetry showed powershell.exe executing Get-Process. [1]
4.B.2
Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
ATT&CK technique: File Deletion (T1107)
Technique (Alert)
A Technique alert detection called "File Deletion" (medium severity) was generated due to sdelete64.exe deleting rcs.3aka3.doc. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of sdelete64.exe deleting rcs.3aka3.doc. [1]
Telemetry (Correlated)
Telemetry showed sdelete.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1] [2]
4.B.3
Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file Draft.zip
ATT&CK technique: File Deletion (T1107)
Technique (Alert)
A Technique alert detection called "File Deletion" (medium severity) was generated due to sdelete64.exe deleting Draft.zip. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of sdelete64.exe deleting Draft.Zip. [1]
Telemetry (Correlated)
Telemetry showed sdelete.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
4.B.4
Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
ATT&CK technique: File Deletion (T1107)
Technique (Alert)
A Technique alert detection called "File Deletion" (medium severity) was generated due to sdelete64.exe deleting SysinternalsSuite.zip. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of sdelete64.exe deleting SysinternalsSuite.zip. [1]
Telemetry (Correlated)
Telemetry showed sdelete.exe running with command-line arguments to delete the file. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
4.C.1
Procedure: Enumerated user's temporary directory path using PowerShell
Criteria: powershell.exe executing $env:TEMP
ATT&CK technique: File and Directory Discovery (T1083)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions. Details showing a PowerShell command containing $env:TEMP were verified. [1]
4.C.2
Procedure: Enumerated the current username using PowerShell
Criteria: powershell.exe executing $env:USERNAME
ATT&CK technique: System Owner/User Discovery (T1033)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions. Details showing a PowerShell command containing $env:USERNAME were verified. [1]
4.C.3
Procedure: Enumerated the computer hostname using PowerShell
Criteria: powershell.exe executing $env:COMPUTERNAME
ATT&CK technique: System Information Discovery (T1082)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions. [1]
4.C.4
Procedure: Enumerated the current domain name using PowerShell
Criteria: powershell.exe executing $env:USERDOMAIN
ATT&CK technique: System Network Configuration Discovery (T1016)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions. [1]
4.C.5
Procedure: Enumerated the current process ID using PowerShell
Criteria: powershell.exe executing $PID
ATT&CK technique: Process Discovery (T1057)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions. [1]
4.C.6
Procedure: Enumerated the OS version using PowerShell
Criteria: powershell.exe executing Gwmi Win32_OperatingSystem
ATT&CK technique: System Information Discovery (T1082)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions. [1]
Telemetry
Telemetry showed powershell.exe executing: Gwmi Win32_OperatingSystem. [1]
4.C.7
Procedure: Enumerated anti-virus software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
ATT&CK technique: Security Software Discovery (T1063)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions. [1]
Telemetry
Telemetry showed powershell.exe executing:​ Get-WmiObject ...​ -Class AntiVirusProduct. [1]
4.C.8
Procedure: Enumerated firewall software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class FireWallProduct
ATT&CK technique: Security Software Discovery (T1063)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions. [1]
Telemetry
Telemetry showed powershell.exe executing: Get-WmiObject ...​​ -Class FireWallProduct. [1]
4.C.9
Procedure: Enumerated user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API
ATT&CK technique: Permission Groups Discovery (T1069)
Telemetry
Telemetry showed PowerShell executing NetUserGetGroups API. [1]
4.C.10
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
ATT&CK technique: Execution through API (T1106)
None
No detection capability demonstrated for this procedure.
4.C.11
Procedure: Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria: powershell.exe executing the NetUserGetLocalGroups API
ATT&CK technique: Permission Groups Discovery (T1069)
Telemetry
Telemetry showed PowerShell executing NetUserGetLocalGroups API. [1]
4.C.12
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
ATT&CK technique: Execution through API (T1106)
None
No detection capability demonstrated for this procedure.
5.A.1
Procedure: Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria: powershell.exe creating the javamtsup service
ATT&CK technique: New Service (T1050)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell making a new service named javamtsup. [1]
Telemetry
Telemetry showed a Registry event and service creation of javamtsup. [1]
5.B.1
Procedure: Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria: powershell.exe creating the file hostui.lnk in the Startup folder
ATT&CK technique: Registry Run Keys / Startup Folder (T1060)
Technique (Alert)
A Technique alert detection (medium severity) called "Registry Run Keys / Startup Folder" was generated due to PowerShell creating the hostui.lnk file. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell dropping the hostui.lnk file. [1]
Telemetry
Telemetry showed the file write of hostui.lnk in the Startup folder. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
6.A.1
Procedure: Read the Chrome SQLite database file to extract encrypted credentials
Criteria: accesschk.exe reading files within %LOCALAPPDATA%\Google\Chrome\User Data\Default\
ATT&CK technique: Credentials in Files (T1081)
MSSP (Delayed (Manual))
An MSSP detection occurred for accesschk.exe reading the Chrome database file for credentials. [1]
Telemetry (Correlated)
Telemetry showed accesschk.exe reading the Chrome database file for credentials. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
6.A.2
Procedure: Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectData API
ATT&CK technique: Credential Dumping (T1003)
None
No detection capability demonstrated for this procedure.
6.A.3
Procedure: Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
ATT&CK technique: Masquerading (T1036)
General (Alert, Correlated)
A General alert detection (suspicious severity) called "Low global prevalence without signer" was generated for accesschk.exe, indicating it is not the legitimate Sysinternals tool. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for accesschk.exe not being the legitimate Sysinternals tool due to a low census prevalence and the binary was unsigned. [1]
Telemetry (Correlated)
Telemetry showed that accesschk.exe received a reputation report that indicated it was known to be an untrusted file with the maximum suspicion rating, which indicates it is not a legitimate Sysinternals tool. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
6.B.1
Procedure: Exported a local certificate to a PFX file using PowerShell
Criteria: powershell.exe creating a certificate file exported from the system
ATT&CK technique: Private Keys (T1145)
Technique (Configuration Change (Detections), Alert)
A Technique alert detection (low severity) called "Private Keys" was generated due to Export-PfxCertificate. The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the Get-PrivateKeys function used to create $RandomFileName.pfx. [1]
Telemetry (Correlated)
Telemetry showed file create event for a $RandomFileName.pfx file by powershell.exe. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
6.C.1
Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into lsass.exe
Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
ATT&CK technique: Credential Dumping (T1003)
Technique (Alert)
A Technique alert detection (red 'x' indicator; high severity) called "Credential Dumping (lsass read)" was generated due to powershell.exe calling ReadProcessMemory on lsass.exe. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection identified PowerShell injecting into the LSASS process. This activity was labeled as Credential Dumping. [1]
Telemetry
Telemetry showed powershell.exe calling ReadProcessMemory on lsass.exe. [1]
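The "Credential Dumping (lsass read)" alert in 6.C.1 keys on a process opening lsass.exe with memory-read rights. As an added example (not code from the MITRE evaluation or from Trend Micro), the classifier below decodes the access mask on a process-access event and separates a plain read (ReadProcessMemory, as the telemetry showed) from the write/create-thread rights that injection needs. Field names follow Sysmon event 10 (SourceImage, TargetImage, GrantedAccess); the PROCESS_* bit values are the documented Win32 constants, while the events and the allow list of system processes are assumptions for the example.

```python
# Added example: decode a process-access mask and flag LSASS credential access.
# Not part of the MITRE evaluation or any vendor product; events are made up.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
READ_MEMORY = 0x0010                   # enough for ReadProcessMemory
INJECT = 0x0002 | 0x0008 | 0x0020      # create thread, VM operation, VM write

# Assumed allow list of system sources that open lsass.exe legitimately.
# Tune per environment: AV engines and WMI hosts will appear here too.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\lsm.exe", r"c:\windows\system32\svchost.exe",
}

# Constructed events modelled on step 6.C.1 plus two benign controls.
LSASS_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x143A"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]


def decode_mask(granted) -> list:
    """Expand a GrantedAccess value (hex string or int) into right names."""
    mask = int(granted, 16) if isinstance(granted, str) else granted
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def classify(event) -> dict:
    """Return the decoded rights and an alert name, or None when benign."""
    source = event["SourceImage"].lower()
    target = event["TargetImage"].lower()
    mask = int(event["GrantedAccess"], 16)
    verdict = {"source": source, "rights": decode_mask(mask), "alert": None}
    if not target.endswith("\\lsass.exe") or source in ALLOWED_SOURCES:
        return verdict
    if mask & INJECT:
        verdict["alert"] = "Credential Dumping (lsass injection)"
    elif mask & READ_MEMORY:
        verdict["alert"] = "Credential Dumping (lsass read)"
    return verdict


def triage(events) -> list:
    return [classify(e)["alert"] for e in events]


if __name__ == "__main__":
    for e in LSASS_EVENTS:
        print(e["GrantedAccess"], classify(e)["rights"], classify(e)["alert"])
```

The distinction matters for the 6.C.1 criteria, which accept either injection into lsass.exe or lsass.exe reading the SAM keys: a mask of 0x1410 (query plus VM_READ) is what a memory scraper asks for, whereas 0x143A adds VM_WRITE and CREATE_THREAD and is the signature of a DLL being pushed in. Query-only masks such as 0x1400 are routine and should not alert on their own.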
7.A.1
Procedure: Captured and saved screenshots using PowerShell
Criteria: powershell.exe executing the CopyFromScreen function from System.Drawing.dll
ATT&CK technique: Screen Capture (T1113)
Technique
A Technique detection "PS1.ScreenCapture T1113" was generated due to CopyFromScreen API execution. [1]
7.A.2
Procedure: Captured clipboard contents using PowerShell
Criteria: powershell.exe executing Get-Clipboard
ATT&CK technique: Clipboard Data (T1115)
Technique
A Technique detection mapped to "T1115"(Clipboard Data) was generated due to powershell.exe executing Get-Clipboard. [1] [2]
Telemetry
Telemetry showed powershell.exe executing Get-Clipboard. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
7.A.3
Procedure: Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API
ATT&CK technique: Input Capture (T1056)
Technique
A Technique detection mapped to "T1056" (Input Capture) was generated due to powershell.exe executing GetAsyncKeyState. [1] [2]
Telemetry
Telemetry showed PowerShell calling the GetAsyncKeyState API. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
7.B.1
Procedure: Read data in the user's Downloads directory using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\Downloads\
ATT&CK technique: Data from Local System (T1005)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of powershell.exe accessing files from C:\Users\pam\Downloads. [1]
Telemetry
Telemetry showed Powershell.exe accessing files from C:\Users\pam\Downloads. [1]
7.B.2
Procedure: Compressed data from the user's Downloads directory into a 7-Zip archive (OfficeSupplies.7z) using PowerShell
Criteria: powershell.exe creating the file OfficeSupplies.7z
ATT&CK technique: Data Compressed (T1002)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of the OfficeSupplies.7z file create. [1]
Telemetry
Telemetry showed the file create event for OfficeSupplies.7z. [1]
7.B.3
Procedure: Encrypted data from the user's Downloads directory using PowerShell
Criteria: powershell.exe executing Compress-7Zip with the password argument used for encryption
ATT&CK technique: Data Encrypted (T1022)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence that the 7z file was password protected. [1]
7.B.4
Procedure: Exfiltrated collection (OfficeSupplies.7z) to a WebDAV network share using PowerShell
Criteria: powershell.exe executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)
ATT&CK technique: Exfiltration Over Alternative Protocol (T1048)
General (Alert)
A General alert detection for "Suspicious Behavior" (low severity) was generated due to OfficeSupplies.7z being copied to the remote WebDAV network share (192.168.0.4:80). [1]
Telemetry
Telemetry showed PowerShell Copy-Item to the remote adversary WebDAV network share (192.168.0.4). Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
8.A.1
Procedure: Enumerated remote systems using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
ATT&CK technique: Remote System Discovery (T1018)
General
A General detection for "Suspicious Behavior" was generated due to LDAP queries to NewYork (10.0.0.4) over port 389. [1]
Telemetry
Telemetry showed powershell.exe establishing a connection to NewYork (10.0.0.4) over TCP port 389. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
8.A.2
Procedure: Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria: Network connection to Scranton (10.0.1.4) over port 5985
ATT&CK technique: Windows Remote Management (T1028)
Technique (Alert)
A Technique alert detection (low severity) called "Powershell Remote Command Execution Via WinRM" was generated due to a connection to remote host Scranton (10.0.1.4) over port 5985. [1]
Telemetry
Telemetry showed a connection to Scranton (10.0.1.4) over port 5985. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
8.A.3
Procedure: Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria: powershell.exe executing Get-Process
ATT&CK technique: Process Discovery (T1057)
Technique (Configuration Change (Detections), Alert)
A Technique alert detection (low severity) called "Process Discovery" was generated due to powershell.exe executing Get-Process. The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
Telemetry
Telemetry showed powershell.exe executing Get-Process. [1]
8.B.1
Procedure: Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria: The file python.exe created on Scranton (10.0.1.4)
ATT&CK technique: Remote File Copy (T1105)
General (Alert, Correlated)
A General alert detection (suspicious severity) was generated for the file write event of python.exe. The detection was correlated to a parent alert for a suspicious process on rcs.3aka3.doc. [1]
General
A General detection was generated for python.exe being a potential virus or malware. [1]
Telemetry
Telemetry showed the file write event of python.exe. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
8.B.2
Procedure: python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed
ATT&CK technique: Software Packing (T1045)
MSSP (Delayed (Manual))
An MSSP detection was generated containing evidence of observed UPX packing on a Python payload. [1]
Telemetry
Telemetry showed python.exe is packed. [1]
8.C.1
Procedure: Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)
ATT&CK technique: Valid Accounts (T1078)
Technique
A Technique detection called "ATT&CK T1078 Windows Logon Success" was generated due to a valid logon on Scranton (10.0.1.4) as user Pam. [1] [2]
Telemetry
Telemetry showed a valid logon on Scranton (10.0.1.4) as user Pam. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
8.C.2
Procedure: Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
ATT&CK technique: Windows Admin Shares (T1077)
Technique (Alert)
A Technique alert detection (medium severity) called "Executable file dropped in administrative share" was generated due to PSEXESVC.exe being copied to Scranton. [1]
Telemetry
Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 445. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
8.C.3
Procedure: Executed python.exe using PsExec
Criteria: python.exe spawned by PSEXESVC.exe
ATT&CK technique: Service Execution (T1035)
Technique (Alert)
A Technique alert detection (high severity) for "Service Execution" was generated due to PSEXESVC.exe executing python.exe. [1]
Telemetry
Telemetry showed python.exe spawned by PSEXESVC.exe. [1]
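Steps 8.C.2 and 8.C.3 are the three artifacts PsExec leaves on the target: the service binary written into the ADMIN$ share from the source host, the service that registers it, and the payload the service spawns. As an added example (not code from the MITRE evaluation or from Trend Micro), the rules below tie the three together across a constructed event stream so the finding on the service install carries the IP address that pushed the binary. Event shapes, the 300-second window and the benign control event are assumptions for the example.

```python
# Added example: correlate the PsExec drop, service install and child process.
# Not part of the MITRE evaluation or any vendor product; events are made up.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# Constructed events in time order, modelled on 8.C.2 and 8.C.3.
PSEXEC_EVENTS = [
    {"t": 100, "type": "SmbWrite", "host": "Scranton", "src": "10.0.1.6",
     "share": "ADMIN$", "path": "PSEXESVC.exe"},
    {"t": 101, "type": "ServiceInstall", "host": "Scranton", "name": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"t": 103, "type": "ProcessCreate", "host": "Scranton", "pid": 900,
     "parent_image": r"C:\Windows\PSEXESVC.exe", "image": r"C:\Windows\Temp\python.exe"},
    # Benign control: a service install on another host with no preceding drop.
    {"t": 500, "type": "ServiceInstall", "host": "Nashua", "name": "UpdateAgent",
     "image": r"C:\Program Files\UpdateAgent\agent.exe"},
]


def detect_psexec(events, window=300) -> list:
    """Return findings for the share drop, the service install and the child."""
    findings, drops = [], []        # drops: (t, host, src) of .exe writes to admin shares
    for e in events:
        if (e["type"] == "SmbWrite" and e["share"] in ADMIN_SHARES
                and e["path"].lower().endswith(".exe")):
            drops.append((e["t"], e["host"], e["src"]))
            findings.append({"rule": "exe_dropped_in_admin_share", "host": e["host"],
                             "detail": f'{e["src"]} wrote {e["path"]} to {e["share"]}'})
        elif e["type"] == "ServiceInstall":
            # Attribute the install to a recent binary drop on the same host, if any.
            src = next((s for t, h, s in drops
                        if h == e["host"] and 0 <= e["t"] - t <= window), None)
            if e["name"].upper() == "PSEXESVC" or src:
                detail = f'service {e["name"]} -> {e["image"]}'
                if src:
                    detail += f" (binary pushed from {src})"
                findings.append({"rule": "remote_service_install",
                                 "host": e["host"], "detail": detail})
        elif (e["type"] == "ProcessCreate"
                and e["parent_image"].lower().endswith("\\psexesvc.exe")):
            findings.append({"rule": "service_execution_psexec", "host": e["host"],
                             "detail": f'PSEXESVC.exe spawned {e["image"]} (pid {e["pid"]})'})
    return findings


if __name__ == "__main__":
    for f in detect_psexec(PSEXEC_EVENTS):
        print(f["host"], f["rule"], f["detail"])
```

The service-name test alone is weak, since PsExec clones and the -r option rename the service; the drop-then-install pairing on the same host is what survives renaming, and the parent-process rule catches the execution even when the first two events were not collected.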
9.A.1
Procedure: Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file rar.exe
ATT&CK technique: Remote File Copy (T1105)
Telemetry (Correlated)
Telemetry showed a file create event for python.exe creating rar.exe. The detection was correlated to a parent alert for service execution on python.exe. [1]
9.A.2
Procedure: Dropped sdelete64.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file sdelete64.exe
ATT&CK technique: Remote File Copy (T1105)
Telemetry (Correlated)
Telemetry showed File Create event for python.exe creating sdelete64.exe. The detection was correlated to a parent alert for service execution on python.exe. [1]
9.B.1
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from python.exe
ATT&CK technique: PowerShell (T1086)
Telemetry (Correlated)
Telemetry showed python.exe executing powershell.exe​. The detection was correlated to a parent alert for service execution on python.exe. [1]
9.B.2
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
ATT&CK technique: File and Directory Discovery (T1083)
Technique (Configuration Change (Detections))
A Technique detection "PS1.DiscoverCollectLocal T1083" was generated for PowerShell enumerating files and directories using ChildItem recursively. The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell looking for certain files in a directory. [1]
Telemetry
Telemetry showed powershell.exe executing ChildItem​. [1]
9.B.3
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
ATT&CK technique: Automated Collection (T1119)
Technique (Configuration Change (Detections))
A Technique detection "PS1.DiscoverCollectLocal T1119" was generated for PowerShell enumerating files and directories using ChildItem recursively. The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell looking for certain files in a directory. [1]
Telemetry
Telemetry showed powershell.exe executing ChildItem​. [1]
9.B.4
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
ATT&CK technique: Data from Local System (T1005)
Telemetry
Telemetry showed file accesses of C:\Users\Pam\*. [1]
9.B.5
Procedure: Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
Criteria: powershell.exe creating the file working.zip
ATT&CK technique: Data Staged (T1074)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell creating working.zip. [1]
Telemetry (Correlated)
Telemetry showed a File Created event for powershell.exe creating working.zip. The detection was correlated to a parent alert for service execution on python.exe. [1]
9.B.6
Procedure: Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe with the command-line parameter that supplies a password for encryption
ATT&CK technique: Data Encrypted (T1022)
MSSP (Delayed (Manual))
An MSSP detection occurred for rar.exe executing with command-line arguments. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent alert for service execution on python.exe. [1]
9.B.7
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe powershell.exe executing rar.exe
Data Compressed
(T1002)
MSSP (Delayed (Manual))
An MSSP detection for Data Compressed occurred due to powershell.exe executing rar.exe with command-line arguments indicative of compression. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing rar.exe. The detection was correlated to a parent alert for service execution on python.exe. [1]
9.B.8
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443) python.exe reading the file working.zip while connected to the C2 channel
Exfiltration Over Command and Control Channel
(T1041)
Telemetry (Correlated)
Telemetry showed a file read event for working.zip and an existing C2 channel (192.168.0.5 over port 8443). The detection was correlated to a parent alert for service execution on python.exe. [1] [2]
9.C.1
Deleted rar.exe on disk using SDelete sdelete64.exe deleting the file rar.exe
File Deletion
(T1107)
General (Alert)
A General alert detection for "SysInternal Tools License Suppression" (low severity) was generated when sdelete64.exe with command-line arguments was used to delete rar.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the file deletion of rar.exe. [1]
Telemetry
Telemetry showed sdelete64.exe deleting rar.exe. [1]
9.C.2
Deleted working.zip (from Desktop) on disk using SDelete sdelete64.exe deleting the file \Desktop\working.zip
File Deletion
(T1107)
General (Alert)
A General alert detection for "SysInternal Tools License Suppression" (low severity) was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the file deletion of Desktop\working.zip. [1]
Telemetry
Telemetry showed sdelete64.exe deleting Desktop\working.zip. [1]
9.C.3
Deleted working.zip (from AppData directory) on disk using SDelete sdelete64.exe deleting the file \AppData\Roaming\working.zip
File Deletion
(T1107)
Technique (Alert)
A Technique alert detection for "Possible SDELETE" (medium severity) was generated when sdelete64.exe with command-line arguments was used to delete Roaming\working.zip. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the file deletion of Roaming\working.zip. [1]
Telemetry
Telemetry showed sdelete64.exe deleting Roaming\working.zip. [1]
9.C.4
Deleted SDelete on disk using cmd.exe del command cmd.exe deleting the file sdelete64.exe
File Deletion
(T1107)
None
No detection capability demonstrated for this procedure.
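Steps 9.B.5 through 9.C.4 form one chain: PowerShell stages working.zip, rar.exe re-archives it under a password, SDelete wipes rar.exe and both copies of the archive, and cmd.exe finally deletes SDelete itself. The rar telemetry above carries the Correlated modifier because the vendor tied it back to the earlier alert on python.exe being started as a service, while the last step (9.C.4) produced no detection. The Python below is an added illustration of how that correlation works; it is not the vendor's logic and not material from the evaluation. It indexes constructed Sysmon-style process-creation records by PID, raises a parent alert when services.exe starts a binary outside System32, matches the rar password switch (-hp, or -p), SDelete, and a cmd.exe del of an executable on command lines, and walks each match's ancestry to attach it to the parent alert. PIDs, paths and the rar password are placeholders.

```python
import re

# Constructed, Sysmon Event ID 1 style process-creation records (fields trimmed).
# Sample data for this example only, not telemetry from the evaluation; PIDs,
# paths and the rar password are placeholders.
EVENTS = [
    {"pid": 700,  "ppid": 600,  "image": r"C:\Windows\System32\services.exe",
     "cmdline": "services.exe"},
    {"pid": 3100, "ppid": 700,  "image": r"C:\Windows\Temp\python.exe",      # payload started as a service
     "cmdline": "python.exe"},
    {"pid": 3200, "ppid": 3100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden"},
    {"pid": 3300, "ppid": 3200, "image": r"C:\Windows\Temp\rar.exe",
     "cmdline": r"rar.exe a -hpExamplePass C:\Users\Pam\Desktop\working.zip C:\Users\Pam\AppData\Roaming\working.zip"},
    {"pid": 3400, "ppid": 3200, "image": r"C:\Windows\Temp\sdelete64.exe",
     "cmdline": r"sdelete64.exe -accepteula C:\Windows\Temp\rar.exe"},
    {"pid": 3500, "ppid": 3200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Windows\Temp\sdelete64.exe"},
    # Benign noise: an interactive backup job, no service-spawned ancestor, no password switch.
    {"pid": 4100, "ppid": 4000, "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a D:\backup\docs.rar D:\docs"},
]

# Single-event command-line rules for the techniques in 9.B.6, 9.B.7 and 9.C.
RAR_PASSWORD = re.compile(r"(?:^|\s)-(?:hp|p)\S*", re.I)  # -p<pwd> encrypts data; -hp<pwd> also encrypts headers
RAR_ADD      = re.compile(r"(?:^|\s)a(?:\s|$)", re.I)      # 'a' command: add files to an archive
CMD_DEL_EXE  = re.compile(r"\b(?:del|erase)\b.*\.exe\b", re.I)


def _name(e):
    """Lower-cased file name of the image."""
    return e["image"].rsplit("\\", 1)[-1].lower()


RULES = [
    ("Data Encrypted (T1022): rar with password switch",
     lambda e: _name(e) == "rar.exe" and bool(RAR_PASSWORD.search(e["cmdline"]))),
    ("Data Compressed (T1002): rar add-to-archive",
     lambda e: _name(e) == "rar.exe" and bool(RAR_ADD.search(e["cmdline"]))),
    ("File Deletion (T1107): SDelete secure wipe",
     lambda e: _name(e) in ("sdelete.exe", "sdelete64.exe")),
    ("File Deletion (T1107): cmd.exe del of an executable",
     lambda e: _name(e) == "cmd.exe" and bool(CMD_DEL_EXE.search(e["cmdline"]))),
]


def ancestors(pid, by_pid):
    """Walk ppid links upward; stops at the first unknown parent or on a loop."""
    seen, cur = set(), by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
        if cur is not None:
            yield cur


def service_execution_alerts(events, by_pid):
    """Parent alert: services.exe directly starting a binary that lives outside
    System32 (the evaluation's python.exe payload was launched as a service)."""
    alerts = {}
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (parent is not None and _name(parent) == "services.exe"
                and not e["image"].lower().startswith("c:\\windows\\system32\\")):
            alerts[e["pid"]] = "service execution on " + _name(e)
    return alerts


def detect(events):
    """Apply the rules and tag each hit with the nearest alerted ancestor, if any."""
    by_pid = {e["pid"]: e for e in events}
    parent_alerts = service_execution_alerts(events, by_pid)
    findings = []
    for e in events:
        for rule, matches in RULES:
            if not matches(e):
                continue
            correlated = next((parent_alerts[a["pid"]] for a in ancestors(e["pid"], by_pid)
                               if a["pid"] in parent_alerts), None)
            findings.append({"rule": rule, "pid": e["pid"], "image": _name(e),
                             "correlated_to": correlated})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

A rar.exe run without a password switch, or one with no service-spawned ancestor, still yields the compression finding but no correlation, which is the distinction the Correlated modifier captures. The cmd.exe del rule shows what closing the 9.C.4 gap takes: del is a cmd.exe built-in, so it never appears as a process of its own and has to be matched in cmd.exe's command line or in file-deletion telemetry.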
10.A.1
Executed persistent service (javamtsup) on system startup javamtsup.exe spawning from services.exe
Service Execution
(T1035)
MSSP (Delayed (Manual))
An MSSP detection occurred for services.exe accessing javamtsup.exe. [1]
Telemetry
Telemetry showed javamtsup.exe with parent process services.exe. [1]
10.B.1
Executed LNK payload (hostui.lnk) in Startup Folder on user login Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Registry Run Keys / Startup Folder
(T1060)
MSSP (Delayed (Manual))
An MSSP detection occurred for hostui.lnk executing from Startup Folder. [1]
Telemetry
Telemetry showed hostui.lnk executing from the Startup Folder. [1]
10.B.2
Executed PowerShell payload via the CreateProcessWithToken API hostui.exe executing the CreateProcessWithToken API
Execution through API
(T1106)
Technique
A Technique detection "Noteworthy Behavior T1134" was generated for token manipulation with the low level ZwDuplicateToken (NtDuplicateToken) API, which is invoked by the CreateProcessWithToken API. [1]
10.B.3
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Access Token Manipulation
(T1134)
Technique
A Technique detection "Noteworthy Behavior T1134" was generated for token manipulation with the low level ZwDuplicateToken (NtDuplicateToken) API, which is invoked by the CreateProcessWithToken API. [1]
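Steps 10.B.2 and 10.B.3 were caught at the API level (NtDuplicateToken reached from CreateProcessWithToken). The criterion also allows a process-level view: powershell.exe running under explorer.exe's token rather than under its parent's. The Python below is an added example of that process-level heuristic, not the vendor's detection and not data from the evaluation. Over constructed Sysmon-style records it flags a child whose LogonId differs from its parent's when the parent is not one of the components that legitimately switch logon sessions (winlogon.exe, services.exe and the like), and lists the other processes in the child's session as candidate token sources. The sample assumes hostui.exe ran as SYSTEM and that the explorer.exe token belonged to Pam's interactive session; the LogonIds, PIDs and the allowlist are placeholders to be tuned per environment.

```python
# Constructed, Sysmon Event ID 1 style process-creation records (fields trimmed).
# Sample data for this example only, not telemetry from the evaluation. LogonId is
# the authentication session the new process's primary token belongs to.
EVENTS = [
    {"pid": 700,  "ppid": 500,  "image": "services.exe",   "user": r"NT AUTHORITY\SYSTEM", "logon_id": "0x3e7"},
    {"pid": 900,  "ppid": 500,  "image": "winlogon.exe",   "user": r"NT AUTHORITY\SYSTEM", "logon_id": "0x3e7"},
    {"pid": 1200, "ppid": 900,  "image": "userinit.exe",   "user": r"CORP\Pam",            "logon_id": "0x5a1c2"},
    {"pid": 1300, "ppid": 1200, "image": "explorer.exe",   "user": r"CORP\Pam",            "logon_id": "0x5a1c2"},
    {"pid": 1400, "ppid": 1300, "image": "notepad.exe",    "user": r"CORP\Pam",            "logon_id": "0x5a1c2"},
    # Assumed for the sample: hostui.exe runs as SYSTEM, then launches PowerShell
    # with a token duplicated from explorer.exe (CreateProcessWithToken).
    {"pid": 2100, "ppid": 700,  "image": "hostui.exe",     "user": r"NT AUTHORITY\SYSTEM", "logon_id": "0x3e7"},
    {"pid": 2200, "ppid": 2100, "image": "powershell.exe", "user": r"CORP\Pam",            "logon_id": "0x5a1c2"},
]

# Parents that start children in another logon session as part of normal operation
# (logon path, service control, UAC). Assumed allowlist; tune it to the environment.
TOKEN_BROKERS = {"winlogon.exe", "services.exe", "svchost.exe", "wininit.exe", "consent.exe"}


def detect_token_switch(events, brokers=TOKEN_BROKERS):
    """Flag children created in a different logon session than their parent,
    unless the parent is a known session broker. Returns one finding per hit."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["logon_id"] == e["logon_id"]:
            continue                      # ordinary token inheritance
        if parent["image"].lower() in brokers:
            continue                      # expected switch, e.g. winlogon.exe -> userinit.exe
        # Whose token is this likely to be? Processes already running in the child's session.
        peers = sorted({p["image"] for p in events
                        if p["logon_id"] == e["logon_id"] and p["pid"] != e["pid"]})
        findings.append({
            "child": e["image"], "child_pid": e["pid"], "child_logon": e["logon_id"],
            "parent": parent["image"], "parent_logon": parent["logon_id"],
            "session_peers": peers,
        })
    return findings


if __name__ == "__main__":
    for f in detect_token_switch(EVENTS):
        print(f)
```

The check is blind when caller and victim already share a logon session, and it also fires on legitimate runas-style launches, so it belongs as a hunting query or as enrichment for the API-level detection rather than as a stand-alone alert.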
11.A.1
User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk powershell.exe spawning from explorer.exe
User Execution
(T1204)
MSSP (Delayed (Manual))
An MSSP detection was generated containing evidence that user Oscar executed 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk. [1]
Telemetry
Telemetry showed explorer.exe executing powershell.exe. [1]
11.A.2
Executed an alternate data stream (ADS) using PowerShell powershell.exe executing the schemas ADS via Get-Content and IEX
NTFS File Attributes
(T1096)
Technique (Alert)
A Technique alert detection (medium severity) called "NTFS File Attributes" was generated due to PowerShell executing the schemas ADS. [1] [2] [3]
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell accessing Alternative Data Streams (ADS) and executing its content. [1]
Telemetry
Telemetry showed powershell.exe executing the schemas ADS with Get-Content and IEX. [1]
11.A.3
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell powershell.exe executing a Get-WmiObject query for Win32_BIOS
Virtualization/Sandbox Evasion
(T1497)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell executing Win32_BIOS. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_BIOS. [1]
11.A.4
Enumerated computer manufacturer, model, and version information using PowerShell powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
System Information Discovery
(T1082)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell executing Win32_BIOS and Win32_ComputerSystem. [1]
Telemetry
Telemetry showed the PowerShell gwmi queries for Win32_BIOS and Win32_ComputerSystem. [1]
11.A.5
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Peripheral Device Discovery
(T1120)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell executing Win32_PnPEntity. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_PnPEntity. [1]
11.A.6
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Owner/User Discovery
(T1033)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell executing Win32_ComputerSystem. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_ComputerSystem. [1]
11.A.7
Checked that the computer is joined to a domain using PowerShell powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Network Configuration Discovery
(T1016)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell executing Win32_ComputerSystem. [1]
Telemetry
Telemetry showed powershell.exe gwmi query for Win32_ComputerSystem. [1]
11.A.8
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell powershell.exe executing a Get-WmiObject query for Win32_Process
Process Discovery
(T1057)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell executing Win32_Process. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_Process. [1]
11.A.9
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
File and Directory Discovery
(T1083)
Technique (Configuration Change (Detections))
A Technique detection for "ADS.Discover T1083" was generated for PowerShell executing Get-Item from an Alternate Data Stream (ADS). The logic used to produce this detection was configured after the start of the evaluation, so it is identified as a Detection Configuration Change. [1]
11.A.10
Decoded an embedded DLL payload to disk using certutil.exe certutil.exe decoding kxwn.lock
Deobfuscate/Decode Files or Information
(T1140)
General (Alert)
A General alert detection (high severity) called "Certutil Execution (Suspicious use)" was generated identifying suspicious use of certutil.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for certutil.exe being used to decode the payload. [1]
Telemetry
Telemetry showed the certutil.exe process and corresponding file write of the kxwn.lock payload. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.11
Established Registry Run key persistence using PowerShell Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry Run Keys / Startup Folder
(T1060)
Technique (Alert)
A Technique alert detection (medium severity) called "Registry Run Keys / Startup Folder" was generated for powershell.exe adding Run key persistence into the Registry. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell creating persistence by modifying the Registry which launches at startup. [1]
Telemetry
Telemetry showed powershell.exe adding Run key persistence into the Registry. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.12
Executed PowerShell stager payload powershell.exe spawning from the schemas ADS (powershell.exe)
PowerShell
(T1086)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell executing IEX. [1]
Telemetry
Telemetry showed powershell.exe spawned from a PowerShell stager. [1]
11.A.13
Established C2 channel (192.168.0.4) via PowerShell payload over port 443 Established network channel over port 443
Commonly Used Port
(T1043)
Technique
A Technique detection called "Commonly Used Port" was generated for powershell.exe making a network connection to the C2 (192.168.0.4) over port 443. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the network connection over port 443. [1]
Telemetry
Telemetry showed powershell.exe making a network connection to the C2 (192.168.0.4) over port 443. [1]
11.A.14
Used HTTPS to transport C2 (192.168.0.4) traffic Established network channel over the HTTPS protocol
Standard Application Layer Protocol
(T1071)
Technique
A Technique detection called "Standard Application Layer Protocol" was generated due to PowerShell making a network connection to the C2 (192.168.0.4) over HTTPS. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the network connection over HTTPS. [1]
11.A.15
Used HTTPS to encrypt C2 (192.168.0.4) traffic Evidence that the network data sent over the C2 channel is encrypted
Standard Cryptographic Protocol
(T1032)
Technique
A Technique detection called "Standard Cryptographic Protocol" was generated due to PowerShell making a network connection to the C2 (192.168.0.4) over HTTPS. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for the network connection over HTTPS. [1]
12.A.1
Enumerated the System32 directory using PowerShell powershell.exe executing gci ((gci env:windir).Value + '\system32')
File and Directory Discovery
(T1083)
Telemetry (Correlated)
Telemetry showed PowerShell performing numerous file reads in the System32 directory. The detection was correlated to a parent alert for PowerShell executing an ADS. [1]
12.A.2
Modified the time attributes of the kxwn.lock persistence payload using PowerShell powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Timestomp
(T1099)
Technique
A Technique detection called "Timestomping" was generated due to time modification of kxwn.lock. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for evidence of file timestamp manipulation. [1]
Telemetry
Telemetry showed script block with commands to timestomp kxwn.lock. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
12.B.1
Enumerated registered AV products using PowerShell powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Security Software Discovery
(T1063)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of PowerShell enumerating registered AV products. [1]
Telemetry
Telemetry showed PowerShell gwmi query for AntiVirusProduct. [1]
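Steps 11.A.2 through 11.A.11 and 12.A.2 through 12.B.1 are almost entirely PowerShell, and the table shows why most of them earned only Telemetry or MSSP: a single Get-WmiObject call for Win32_BIOS or Win32_ComputerSystem looks like administration. What separates the payload is the combination in one process (BIOS, computer system, PnP devices, process list, AV products in quick succession) together with a few high-confidence single commands: a script read from an alternate data stream and passed to IEX, certutil -decode, a Run key write, and file-time assignments. The Python below is an added illustration, not the vendor's logic and not the evaluation's payload: it runs regex rules over constructed script-block text (Event 4104 style) and separately counts the distinct WMI classes each process queries, flagging a discovery burst at three or more. The script text, any file names not in the table (kxwn.lock, the schemas stream and the Webcache value are from the table), the dates and the threshold are placeholders.

```python
import re
from collections import defaultdict

# Constructed PowerShell script-block text (Event ID 4104 style), one entry per
# (process id, script block). Sample data for this example, not the evaluation's
# payload; file paths and dates are placeholders.
SCRIPT_BLOCKS = [
    (5100, r'iex (Get-Content -Path "$env:TEMP\config.xml" -Stream schemas -Raw)'),
    (5100, r"gwmi Win32_BIOS | select SerialNumber, Version"),
    (5100, r"gwmi Win32_ComputerSystem | select Manufacturer, Model, UserName, PartOfDomain"),
    (5100, r"Get-WmiObject Win32_PnPEntity | ? { $_.Name -match 'VirtualBox|VBox' }"),
    (5100, r"(gwmi Win32_Process | % Name) -contains 'wireshark.exe'"),
    (5100, r'certutil.exe -decode "$env:TEMP\kxwn.b64" "$env:APPDATA\kxwn.lock"'),
    (5100, r'Set-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name Webcache -Value "$env:APPDATA\kxwn.lock"'),
    (6200, r"$f = Get-Item $env:APPDATA\kxwn.lock; $f.CreationTime = $f.LastWriteTime = $f.LastAccessTime = Get-Date '2016-04-01'"),
    (6200, r"gwmi -Namespace root\SecurityCenter2 -Class AntiVirusProduct | select displayName"),
    (7300, r"Get-WmiObject Win32_ComputerSystem | Select-Object TotalPhysicalMemory"),  # benign admin one-off
]

# Single-block rules (high confidence on their own).
STREAM_READ     = re.compile(r"\bGet-Content\b[^|;\n]*-Stream\s+\S+", re.I)         # read of a named ADS
INVOKE          = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)
CERTUTIL_DECODE = re.compile(r"\bcertutil(?:\.exe)?\b.*-decode(?:hex)?\b", re.I)
RUN_KEY         = re.compile(r"\b(?:Set-ItemProperty|New-ItemProperty|reg(?:\.exe)?\s+add)\b.*CurrentVersion\\Run\b", re.I)
TIMESTOMP       = re.compile(r"\.(?:CreationTime|LastAccessTime|LastWriteTime)(?:Utc)?\s*=(?!=)", re.I)
# Aggregation rule input: which WMI/CIM class a block queries.
WMI_QUERY       = re.compile(r"\b(?:Get-WmiObject|gwmi|Get-CimInstance)\b[^|;\n]*?\b(Win32_\w+|AntiVirusProduct)\b", re.I)

RULES = [
    ("NTFS File Attributes (T1096): script read from an alternate data stream and invoked",
     lambda t: bool(STREAM_READ.search(t) and INVOKE.search(t))),
    ("Deobfuscate/Decode Files or Information (T1140): certutil -decode",
     lambda t: bool(CERTUTIL_DECODE.search(t))),
    ("Registry Run Keys / Startup Folder (T1060): Run key value written",
     lambda t: bool(RUN_KEY.search(t))),
    ("Timestomp (T1099): file time attribute assigned",
     lambda t: bool(TIMESTOMP.search(t))),
]

DISCOVERY_BURST_MIN = 3   # distinct WMI classes queried by one process; assumed threshold


def analyze(blocks, burst_min=DISCOVERY_BURST_MIN):
    """Return (single-block hits as (pid, rule), per-process discovery bursts as
    {pid: sorted class names}) for a list of (pid, script block text)."""
    hits = []
    classes = defaultdict(set)
    for pid, text in blocks:
        for rule, matches in RULES:
            if matches(text):
                hits.append((pid, rule))
        for cls in WMI_QUERY.findall(text):
            classes[pid].add(cls)
    bursts = {pid: sorted(c) for pid, c in classes.items() if len(c) >= burst_min}
    return hits, bursts


if __name__ == "__main__":
    hits, bursts = analyze(SCRIPT_BLOCKS)
    for pid, rule in hits:
        print(pid, rule)
    for pid, cls in bursts.items():
        print(pid, "discovery burst:", ", ".join(cls))
```

Process 5100 trips the burst with four classes and three single-block rules; 6200 trips only the timestomp rule, since one AntiVirusProduct query is not a burst; 7300's lone Win32_ComputerSystem query produces nothing, which is the false-positive case the per-process count is there to suppress.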
12.C.1
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence that PowerShell checked for installed software by querying the Registry.