
VMware Carbon Black: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.


MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
Legend
Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, MSSP, General, Tactic, Specific Behavior, Technique, Enrichment

Detection Modifiers: Tainted, Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative
Columns: Step | Procedure | Criteria | Technique | Detection Type | Detection Notes
1.A.1
Procedure: User Pam executed payload rcs.3aka3.doc
Criteria: The rcs.3aka3.doc process spawning from explorer.exe
Technique: User Execution (T1204)
General (Alert)
A General alert detection (blue indicator) was generated for rcs.3aka3.doc being tagged as suspicious. According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking Suspect Malware from executing. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection was generated for the execution of the malicious document file rcs.3aka3.doc. [1]
Telemetry
Telemetry showed explorer.exe executing rcs.3aka3.doc. [1]
1.A.2
Procedure: Used Unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka.scr)
Technique: Masquerading (T1036)
Telemetry
Telemetry showed that the file was a .scr binary, and that the filename included the unicode character for RTLO. [1]
1.A.3
Procedure: Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234
Technique: Uncommonly Used Port (T1065)
MSSP (Delayed (Manual))
An MSSP detection was generated for rcs.3aka3.doc connecting to 192.168.0.5. [1]
Telemetry
Telemetry showed the rcs.3aka3.doc process connecting to 192.168.0.5 over TCP port 1234. According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking Office Documents making network connections. [1] [2]
1.A.4
Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
None
No detection capability demonstrated for this procedure, though data showed rcs.3aka3.doc loading cryptographic libraries. [1]
1.B.1
Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
Technique: Command-Line Interface (T1059)
MSSP (Delayed (Manual))
An MSSP detection was generated for cmd.exe spawning from rcs.3aka3.doc. [1]
Telemetry (Correlated)
Telemetry showed cmd.exe spawning from rcs.3aka3.doc. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking Office documents or untrusted applications spawning command interpreters. [1]
1.B.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
Technique: PowerShell (T1086)
General (Alert, Correlated)
A General alert detection (red indicator) was generated for "AMSI - Abnormal Fileless command-line length being executed." The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection was generated for cmd.exe spawning powershell.exe. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe spawning from cmd.exe. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking Office documents or untrusted applications spawning command interpreters. [1] [2]
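The two detection ideas behind steps 1.A.2 through 1.B.2, as an added example that is not part of the MITRE evaluation or the vendor's product: a small analytic over constructed process-start telemetry that flags a file name using the right-to-left override (U+202E) to hide a .scr extension, and then marks later child processes (cmd.exe, powershell.exe) as correlated to that parent alert. The event records, pids and the on-disk file name are assumptions built for the example.

```python
from dataclasses import dataclass

RTLO = "\u202e"
# Unicode bidi control characters that a file browser renders invisibly.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".ps1"}


@dataclass
class ProcessEvent:
    """One constructed process-start record (hypothetical schema)."""
    pid: int
    ppid: int
    image: str  # file name as stored on disk; may contain bidi controls


def rendered_name(name: str) -> str:
    """Approximate what a file browser shows: text after the RTLO is reversed."""
    if RTLO not in name:
        return name
    head, _, tail = name.partition(RTLO)
    return head + tail[::-1]


def true_extension(name: str) -> str:
    """Extension of the name with all bidi controls stripped, lower-cased."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = stripped.rfind(".")
    return stripped[dot:].lower() if dot != -1 else ""


def check_rtlo_masquerade(name: str):
    """Return a finding if the name hides its extension with RTLO, else None."""
    if RTLO not in name:
        return None
    real = true_extension(name)
    return {"displayed_as": rendered_name(name),
            "true_extension": real,
            "executable": real in EXECUTABLE_EXTENSIONS}


def correlate_to_parent_alert(events, alerted_pid: int) -> set:
    """All pids that descend from alerted_pid (the 'Correlated' modifier)."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e.pid)
    seen, stack = set(), [alerted_pid]
    while stack:
        p = stack.pop()
        for c in children.get(p, []):
            if c not in seen:
                seen.add(c)
                stack.append(c)
    return seen


def analyze(events):
    """Run both analytics over a list of ProcessEvent records.

    Returns {'alerts': [finding, ...], 'correlated': {child_pid: alerting_pid}}.
    """
    alerts, correlated = [], {}
    for e in events:
        finding = check_rtlo_masquerade(e.image)
        if finding and finding["executable"]:
            alerts.append({"pid": e.pid, **finding})
            for child in correlate_to_parent_alert(events, e.pid):
                correlated[child] = e.pid
    return {"alerts": alerts, "correlated": correlated}


# Constructed telemetry mirroring the chain explorer.exe -> payload -> cmd.exe
# -> powershell.exe; the payload's on-disk name renders as "rcs.3aka3.doc".
SAMPLE_EVENTS = [
    ProcessEvent(pid=1000, ppid=1, image="explorer.exe"),
    ProcessEvent(pid=2000, ppid=1000, image=RTLO + "cod.3aka3.scr"),
    ProcessEvent(pid=3000, ppid=2000, image="cmd.exe"),
    ProcessEvent(pid=4000, ppid=3000, image="powershell.exe"),
    ProcessEvent(pid=5000, ppid=1000, image="notepad.exe"),  # unrelated sibling
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for a in result["alerts"]:
        print(f"ALERT pid={a['pid']} shown as {a['displayed_as']!r}, "
              f"really {a['true_extension']}")
    for child, parent in sorted(result["correlated"].items()):
        print(f"pid {child} correlated to parent alert on pid {parent}")
```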
2.A.1
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery (T1083)
MSSP (Delayed (Manual))
An MSSP detection was generated for the use of ChildItem. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing ChildItem. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
2.A.2
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection (T1119)
MSSP (Delayed (Manual))
An MSSP detection was generated for the use of ChildItem. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing ChildItem. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
2.A.3
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System (T1005)
None
No detection capability demonstrated for this procedure.
2.A.4
Procedure: Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive
Technique: Data Compressed (T1002)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called "Data Compressed via Command Interpreter for Staging" was generated for a file modification with the .zip extension. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
Telemetry (Correlated)
Telemetry showed powershell.exe compressing via Compress-Archive. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
2.A.5
Procedure: Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file draft.zip
Technique: Data Staged (T1074)
MSSP (Delayed (Manual))
An MSSP detection was generated referencing the creation of Draft.zip for later exfiltration. [1]
Telemetry (Correlated)
Telemetry showed file creation of Draft.zip. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
2.B.1
Procedure: Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria: The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel (T1041)
None
No detection capability demonstrated for this procedure.
3.A.1
Procedure: Dropped stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png
Technique: Remote File Copy (T1105)
Telemetry (Correlated)
Telemetry showed rcs.3aka3.doc creating monkey.png. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
3.A.2
Procedure: Embedded PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png
Technique: Obfuscated Files or Information (T1027)
General (Alert, Correlated)
A General alert detection was generated for PowerShell executing a fileless script or command. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
Telemetry (Correlated)
Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
3.B.1
Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Technique: Component Object Model Hijacking (T1122)
MSSP (Delayed (Manual))
An MSSP detection was generated for the Registry Modification of the command subkey. [1]
Telemetry (Correlated)
Telemetry showed the Registry modifications of the DelegateExecute Registry value. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2] [3]
3.B.2
Procedure: Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Technique: Bypass User Account Control (T1088)
Tactic (Alert)
A Tactic alert detection was generated for "Privilege Escalation" based on suspicious PowerShell behavior. [1]
MSSP (Delayed (Manual))
An MSSP detection was generated for the use of sdclt.exe as a high privilege process, which called control.exe. [1]
Telemetry (Correlated)
Telemetry showed control.exe creating a high integrity powershell.exe. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
3.B.3
Procedure: Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria: Established network channel over port 443
Technique: Commonly Used Port (T1043)
Telemetry (Correlated)
Telemetry showed powershell.exe connecting to 192.168.0.5 on TCP port 443. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking powershell making network connections. [1]
3.B.4
Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS
Technique: Standard Application Layer Protocol (T1071)
None
No detection capability demonstrated for this procedure, though data showed powershell.exe loading HTTP and cryptographic libraries. [1] [2]
3.B.5
Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
None
No detection capability demonstrated for this procedure, though data showed powershell.exe loading HTTP and cryptographic libraries. [1] [2]
3.C.1
Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Technique: Modify Registry (T1112)
Telemetry (Correlated)
Telemetry showed the deletion of the command subkey. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
4.A.1
Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip
Technique: Remote File Copy (T1105)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) was generated for "Sysinternals Tools Downloaded via Command Interpreter." The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
Telemetry (Correlated)
Telemetry showed the file write of the ZIP by PowerShell. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
4.A.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from powershell.exe
Technique: PowerShell (T1086)
Telemetry (Correlated)
Telemetry showed a new powershell.exe spawning from powershell.exe. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking Powershell or untrusted applications spawning command interpreters. [1]
4.A.3
Procedure: Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria: powershell.exe executing Expand-Archive
Technique: Deobfuscate/Decode Files or Information (T1140)
General (Alert)
A General alert detection (yellow indicator) for powershell.exe fileless script or command was generated for "code_drop" and "detected_pup_app". [1]
Telemetry (Correlated)
Telemetry showed PowerShell decompressing the ZIP via Expand-Archive as well as the subsequent file writes. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
4.B.1
Procedure: Enumerated current running processes using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Telemetry (Correlated)
Telemetry showed powershell.exe executing Get-Process. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
4.B.2
Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
Technique: File Deletion (T1107)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called "File Deletion - sdelete execution" was generated due to Sdelete64.exe deleting rcs.3aka3.doc. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
Technique (Alert, Correlated)
A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting rcs.3aka3.doc. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
Telemetry (Correlated)
Telemetry showed sdelete.exe running with command-line arguments and subsequently writing to and deleting the file. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
4.B.3
Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file draft.zip
Technique: File Deletion (T1107)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called "File Deletion - sdelete execution" was generated due to Sdelete64.exe deleting Draft.zip. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
Technique (Alert, Correlated)
A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting Draft.zip. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
Telemetry (Correlated)
Telemetry showed sdelete.exe running with command-line arguments and subsequently writing to and deleting the file. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
4.B.4
Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
Technique: File Deletion (T1107)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called "File Deletion - sdelete execution" was generated due to Sdelete64.exe deleting SysinternalsSuite.zip. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
Technique (Alert, Correlated)
A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting SysinternalsSuite.zip. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
MSSP (Delayed (Manual))
An MSSP detection was generated for the deletion of SysinternalsSuite.zip. [1]
Telemetry (Correlated)
Telemetry showed sdelete.exe running with command-line arguments and subsequently writing to and deleting the file. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
4.C.1
Procedure: Enumerated user's temporary directory path using PowerShell
Criteria: powershell.exe executing $env:TEMP
Technique: File and Directory Discovery (T1083)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though the script containing the variables in scope was manually recovered from the AMSI execution log locally on the sensor, so it is identified as Host Interrogation. [1]
4.C.2
Procedure: Enumerated the current username using PowerShell
Criteria: powershell.exe executing $env:USERNAME
Technique: System Owner/User Discovery (T1033)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though the script containing the variables in scope was manually recovered from the AMSI execution log locally on the sensor, so it is identified as Host Interrogation. [1]
4.C.3
Procedure: Enumerated the computer hostname using PowerShell
Criteria: powershell.exe executing $env:COMPUTERNAME
Technique: System Information Discovery (T1082)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though the script containing the variables in scope was manually recovered from the AMSI execution log locally on the sensor, so it is identified as Host Interrogation. [1]
4.C.4
Procedure: Enumerated the current domain name using PowerShell
Criteria: powershell.exe executing $env:USERDOMAIN
Technique: System Network Configuration Discovery (T1016)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though the script containing the variables in scope was manually recovered from the AMSI execution log locally on the sensor, so it is identified as Host Interrogation. [1]
4.C.5
Procedure: Enumerated the current process ID using PowerShell
Criteria: powershell.exe executing $PID
Technique: Process Discovery (T1057)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though the script containing the variables in scope was manually recovered from the AMSI execution log locally on the sensor, so it is identified as Host Interrogation. [1]
4.C.6
Procedure: Enumerated the OS version using PowerShell
Criteria: powershell.exe executing Gwmi Win32_OperatingSystem
Technique: System Information Discovery (T1082)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though the script containing the variables in scope was manually recovered from the AMSI execution log locally on the sensor, so it is identified as Host Interrogation. [1]
4.C.7
Procedure: Enumerated anti-virus software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Technique: Security Software Discovery (T1063)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though the script containing the variables in scope was manually recovered from the AMSI execution log locally on the sensor, so it is identified as Host Interrogation. [1]
4.C.8
Procedure: Enumerated firewall software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Technique: Security Software Discovery (T1063)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though the script containing the variables in scope was manually recovered from the AMSI execution log locally on the sensor, so it is identified as Host Interrogation. [1]
4.C.9
Procedure: Enumerated user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API
Technique: Permission Groups Discovery (T1069)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though data showed that the Netapi32.dll was loaded into powershell.exe and the script containing the variables in scope was manually recovered from the AMSI execution log locally on the sensor, so it is identified as Host Interrogation. [1] [2]
4.C.10
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
None (Delayed (Manual), Host Interrogation)
No detection capability demonstrated for this procedure, though data showed that the Netapi32.dll was loaded into powershell.exe and the script containing the variables in scope was manually recovered from the AMSI execution log locally on the sensor, so it is identified as Host Interrogation. [1] [2]
4.C.11
Procedure: Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria: powershell.exe executing the NetUserGetLocalGroups API
Technique: Permission Groups Discovery (T1069)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though data showed that the Netapi32.dll was loaded into powershell.exe and the script containing the variables in scope was manually recovered from the AMSI execution log locally on the sensor, so it is identified as Host Interrogation. [1] [2]
4.C.12
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though data showed that the Netapi32.dll was loaded into powershell.exe and the script containing the variables in scope was manually recovered from the AMSI execution log locally on the sensor, so it is identified as Host Interrogation. [1] [2]
5.A.1
Procedure: Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria: powershell.exe creating the Javamtsup service
Technique: New Service (T1050)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though a manual query for services showed the new service, and the script containing the variables in scope was manually recovered from the AMSI execution log locally on the sensor, so it is identified as Host Interrogation. [1] [2]
5.B.1
Procedure: Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria: powershell.exe creating the file hostui.lnk in the Startup folder
Technique: Registry Run Keys / Startup Folder (T1060)
Technique (Alert, Correlated)
A Technique alert detection called "Persistence - PowerShell Startup Folder" was generated due to hostui.lnk being written to the Startup folder. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
Telemetry (Correlated)
Telemetry showed the file write of hostui.lnk in the Startup folder. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
6.A.1
Procedure: Read the Chrome SQL database file to extract encrypted credentials
Criteria: accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Technique: Credentials in Files (T1081)
None
No detection capability demonstrated for this procedure, though data showed a file write of the passwordsdb output. The vendor states that this activity would have been blocked. [1]
6.A.2
Procedure: Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectData API
Technique: Credential Dumping (T1003)
MSSP (Delayed (Manual))
An MSSP detection was generated for the execution of accesschk.exe to dump passwords. [1]
6.A.3
Procedure: Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
Technique: Masquerading (T1036)
General (Alert)
A General alert detection (red indicator) was generated for a "PUP or Potentially Unwanted Program (PUP: ChromePassRecovery)". [1]
Telemetry
Telemetry showed that accesschk.exe is not a signed Microsoft binary and provided its hash values, which can be used to verify that it is not the legitimate Sysinternals tool. [1]
6.B.1
Procedure: Exported a local certificate to a PFX file using PowerShell
Criteria: powershell.exe creating a certificate file exported from the system
Technique: Private Keys (T1145)
General (Alert, Correlated)
A General alert detection (red indicator) was generated for "PFX Extraction via PowerShell" on filemod of the $RandomFileName.pfx file. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
MSSP (Delayed (Manual))
An MSSP detection was generated for a file create event of $RandomFileName.pfx file by powershell.exe. [1]
Telemetry (Correlated)
Telemetry showed file create event for a $RandomFileName.pfx file by powershell.exe. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
6.C.1
Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Technique: Credential Dumping (T1003)
Telemetry (Correlated)
Telemetry showed powershell.exe opening a handle to an lsass.exe thread. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
7.A.1
Procedure: Captured and saved screenshots using PowerShell
Criteria: powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Technique: Screen Capture (T1113)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called "Screen Capture using Powershell" was generated for a powershell.exe modload for gdiplus.dll. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
MSSP (Delayed (Manual))
An MSSP detection was generated containing evidence of PowerShell capturing screenshots. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing CopyFromScreen from System.Drawing.dll. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
7.A.2
Procedure: Captured clipboard contents using PowerShell
Criteria: powershell.exe executing Get-Clipboard
Technique: Clipboard Data (T1115)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called "AMSI - Clipboard Monitoring" was generated for fileless_scriptload of Get-Clipboard. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of PowerShell capturing clipboard data. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing Get-Clipboard. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
7.A.3
Procedure: Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API
Technique: Input Capture (T1056)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of key logging. [1] [2]
Telemetry (Correlated)
Telemetry showed PowerShell calling the GetAsyncKeyState API. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
7.B.1
Procedure: Read data in the user's Downloads directory using PowerShell
Criteria: powershell.exe reading files in C:\Users\pam\Downloads\
Technique: Data from Local System (T1005)
None
No detection capability demonstrated for this procedure.
7.B.2
Procedure: Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
Criteria: powershell.exe creating the file OfficeSupplies.7z
Technique: Data Compressed (T1002)
Telemetry (Correlated)
Telemetry showed the file creation event for OfficeSupplies.7z. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
7.B.3
Procedure: Encrypted data from the user's Downloads directory using PowerShell
Criteria: powershell.exe executing Compress-7Zip with the password argument used for encryption
Technique: Data Encrypted (T1022)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though the script containing the variables in scope was manually recovered from the AMSI execution log locally on the sensor, so it is identified as Host Interrogation. [1] [2]
7.B.4
Procedure: Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria: powershell.exe executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)
Technique: Exfiltration Over Alternative Protocol (T1048)
Telemetry (Correlated)
Telemetry showed PowerShell creating OfficeSupplies.7z on a remote adversary WebDav network share (192.168.0.4). The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
8.A.1
Procedure: Enumerated remote systems using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Technique: Remote System Discovery (T1018)
Telemetry (Correlated)
Telemetry showed powershell.exe establishing a connection to NewYork (10.0.0.4) over TCP port 389. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
8.A.2
Procedure: Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria: Network connection to Scranton (10.0.1.4) over port 5985
Technique: Windows Remote Management (T1028)
Technique (Alert)
A Technique alert detection (red indicator) was generated for "Powershell or WinRM remoting activity" based on wsmprovhost.exe. [1]
Tactic (Alert, Correlated)
A Tactic alert detection called "Remote powershell activity" was generated for the use of powershell.exe with a destination port 5985. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
Tactic (Correlated, Alert)
A Tactic alert detection called "Remote Services" was generated for the use of powershell.exe with a destination port 5985. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
General (Alert)
A General alert detection (red indicator) was generated for suspicious fileless execution not originating from PowerShell. [1]
Telemetry (Correlated)
Telemetry showed a network connection to remote host Scranton (10.0.1.4) over TCP port 5985. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
8.A.3
Procedure: Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Telemetry (Correlated)
Telemetry showed powershell.exe executing Get-Process. The detection was correlated to a parent alert for Powershell or WinRM remoting activity. [1]
8.B.1
Procedure: Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria: The file python.exe created on Scranton (10.0.1.4)
Technique: Remote File Copy (T1105)
Telemetry (Correlated)
Telemetry showed the filemod event for the creation of python.exe on the remote host Scranton (10.0.1.4). Telemetry also showed the file write from the local host. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1] [2]
8.B.2
Procedure: python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed
Technique: Software Packing (T1045)
None
No detection capability demonstrated for this procedure.
8.C.1
Procedure: Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)
Technique: Valid Accounts (T1078)
None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though the analyst was able to query for a list of users logged on to remote host Scranton (10.0.1.4). [1]
8.C.2
Procedure: Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Technique: Windows Admin Shares (T1077)
Telemetry (Correlated)
Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 135. The detection was correlated to a parent alert identifying rcs.3aka3.doc as suspicious. [1]
8.C.3
Procedure: Executed python.exe using PsExec
Criteria: python.exe spawned by PSEXESVC.exe
Technique: Service Execution (T1035)
Technique (Alert)
A Technique alert detection (red indicator) called "T1035 & T1077 - Service Execution - psexec - target" was generated due to a process running remotely with PsExec. [1]
Telemetry
Telemetry showed python.exe spawned by PSEXESVC.exe. [1]
9.A.1
Procedure: Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file rar.exe
Technique: Remote File Copy (T1105)
Telemetry (Correlated)
Telemetry showed the file create event for rar.exe by python.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1]
9.A.2
Procedure: Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file sdelete64.exe
Technique: Remote File Copy (T1105)
Telemetry (Correlated)
Telemetry showed the file create event for sdelete64.exe by python.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1]
9.B.1
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from python.exe
Technique: PowerShell (T1086)
General (Alert, Correlated)
A General alert detection (red indicator) was generated for the execution of an abnormal fileless command-line length. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1]
Telemetry (Correlated)
Telemetry showed python.exe executing powershell.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1]
9.B.2
Searched filesystem for document and media files using PowerShell powershell.exe executing (Get-)ChildItem
File and Directory Discovery
(T1083)
Telemetry (Correlated)
Telemetry showed powershell.exe executing ChildItem. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1]
9.B.3
Scripted search of filesystem for document and media files using PowerShell powershell.exe executing (Get-)ChildItem
Automated Collection
(T1119)
Telemetry (Correlated)
Telemetry showed powershell.exe executing ChildItem. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1]
9.B.4
Recursively collected files found in C:\Users\Pam\ using PowerShell powershell.exe reading files in C:\Users\Pam\
Data from Local System
(T1005)
None
No detection capability demonstrated for this procedure.
9.B.5
Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell powershell.exe creating the file working.zip
Data Staged
(T1074)
Telemetry (Correlated)
Telemetry showed a filemod event for powershell.exe creating working.zip. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1]
9.B.6
Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Data Encrypted
(T1022)
Telemetry (Correlated)
Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2]
9.B.7
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe powershell.exe executing rar.exe
Data Compressed
(T1002)
Technique (Alert)
A Technique alert detection (red indicator) called "Data Compressed via Command Interpreter for Staging" was generated due to powershell.exe executing rar.exe creating a filemod event for working.zip. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2]
9.B.8
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443) python.exe reading the file working.zip while connected to the C2 channel
Exfiltration Over Command and Control Channel
(T1041)
None
No detection capability demonstrated for this procedure.
9.C.1
Deleted rar.exe on disk using SDelete sdelete64.exe deleting the file rar.exe
File Deletion
(T1107)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called File Deletion was generated when sdelete64.exe with command-line arguments was used to delete Rar.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1]
Technique (Alert, Correlated)
A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting Rar.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1]
General (Alert, Correlated)
A General alert detection (red indicator) for potential malware was generated for cmd.exe running multiple commands on behalf of python.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2]
Telemetry (Correlated)
Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2]
9.C.2
Deleted working.zip (from Desktop) on disk using SDelete sdelete64.exe deleting the file \Desktop\working.zip
File Deletion
(T1107)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called File Deletion was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1]
Technique (Alert, Correlated)
A Technique alert detection (red indicator) for secure delete of sensitive data was generated due to Sdelete64.exe deleting Desktop\working.zip. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1]
General (Alert, Correlated)
A General alert detection (red indicator) for potential malware was generated for cmd.exe running multiple commands on behalf of python.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2]
Telemetry (Correlated)
Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2]
9.C.3
Deleted working.zip (from AppData directory) on disk using SDelete sdelete64.exe deleting the file \AppData\Roaming\working.zip
File Deletion
(T1107)
General (Alert, Correlated)
A General alert detection (red indicator) for potential malware was generated for cmd.exe running multiple commands on behalf of python.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2]
Telemetry (Correlated)
Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2]
9.C.4
Deleted SDelete on disk using cmd.exe del command cmd.exe deleting the file sdelete64.exe
File Deletion
(T1107)
General (Alert, Correlated)
A General alert detection (red indicator) for potential malware was generated for cmd.exe running multiple commands on behalf of python.exe. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1] [2]
Telemetry (Correlated)
Telemetry showed cmd.exe deleting sdelete64.exe, with a corresponding filemod (delete) event. The detection was correlated to a parent alert on psexesvc.exe for service execution. [1]
10.A.1
Executed persistent service (javamtsup) on system startup javamtsup.exe spawning from services.exe
Service Execution
(T1035)
Telemetry
Telemetry showed rundll32.exe with a parent process of javamtsup.exe (identified as being spawned from services.exe). [1]
10.B.1
Executed LNK payload (hostui.lnk) in Startup Folder on user login Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Registry Run Keys / Startup Folder
(T1060)
None
No detection capability demonstrated for this procedure, though execution of hostui.bat was observed. [1]
10.B.2
Executed PowerShell payload via the CreateProcessWithToken API hostui.exe executing the CreateProcessWithToken API
Execution through API
(T1106)
None
No detection capability demonstrated for this procedure, though data showed svchost.exe interacting with powershell.exe via OpenProcess. [1]
10.B.3
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Access Token Manipulation
(T1134)
None
No detection capability demonstrated for this procedure.
11.A.1
User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk powershell.exe spawning from explorer.exe
User Execution
(T1204)
General (Alert)
A General alert detection (red indicator) was generated for the execution of powershell.exe from explorer.exe. [1]
Telemetry
Telemetry showed explorer.exe spawning powershell.exe. [1]
11.A.2
Executed an alternate data stream (ADS) using PowerShell powershell.exe executing the schemas ADS via Get-Content and IEX
NTFS File Attributes
(T1096)
General (Alert)
A General alert detection (red indicator) was generated for the use of PowerShell executing with Invoke-Expression. [1]
Telemetry
Telemetry showed powershell.exe executing the schemas ADS with Get-Content and IEX. [1] [2]
11.A.3
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell powershell.exe executing a Get-WmiObject query for Win32_BIOS
Virtualization/Sandbox Evasion
(T1497)
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_BIOS. [1]
11.A.4
Enumerated computer manufacturer, model, and version information using PowerShell powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
System Information Discovery
(T1082)
Telemetry
Telemetry showed the PowerShell gwmi queries for Win32_BIOS and Win32_ComputerSystem. [1] [2]
11.A.5
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Peripheral Device Discovery
(T1120)
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_PnPEntity. [1]
11.A.6
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Owner/User Discovery
(T1033)
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_ComputerSystem. [1]
11.A.7
Checked that the computer is joined to a domain using PowerShell powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Network Configuration Discovery
(T1016)
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_ComputerSystem. [1]
11.A.8
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell powershell.exe executing a Get-WmiObject query for Win32_Process
Process Discovery
(T1057)
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_Process. [1]
11.A.9
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
File and Directory Discovery
(T1083)
Telemetry
Telemetry showed PowerShell executing Get-Item for the current path. [1]
11.A.10
Decoded an embedded DLL payload to disk using certutil.exe certutil.exe decoding kxwn.lock
Deobfuscate/Decode Files or Information
(T1140)
Technique (Alert)
A Technique alert detection (red indicator) for "Deobfuscate/Decode Files or Information - certuil" was generated for the use of certutil.exe decoding a payload. [1]
Technique (Alert)
A Technique alert detection (red indicator) for "Deobfuscate/Decode Files or Information" was generated for the use of certutil.exe decoding a payload. [1]
General (Alert)
A General alert detection (red indicator) was generated for an executable file found in memory. [1]
MSSP (Delayed (Manual))
An MSSP detection was received that described the adversary executing certutil.exe to decode a base64 blob into the payload kxwn.lock. [1]
Telemetry
Telemetry showed the certutil.exe process and corresponding file write of the kxwn.lock payload. [1] [2]
11.A.11
Established Registry Run key persistence using PowerShell Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry Run Keys / Startup Folder
(T1060)
Technique (Alert)
A Technique alert detection (red indicator) for Registry Run Keys was generated based on powershell.exe modifying the Run key. [1]
Telemetry
Telemetry showed powershell.exe adding Run key persistence into the Registry. [1]
11.A.12
Executed PowerShell stager payload powershell.exe spawning from the schemas ADS (powershell.exe)
PowerShell
(T1086)
Technique (Alert)
A Technique alert detection (red indicator) was generated for PowerShell executing hidden, encoded commands. [1]
Technique (Alert)
A Technique alert detection (red indicator) was generated for powershell.exe executing encoded instructions. [1]
Telemetry
Telemetry showed powershell.exe spawned from a PowerShell stager. [1]
11.A.13
Established C2 channel (192.168.0.4) via PowerShell payload over port 443 Established network channel over port 443
Commonly Used Port
(T1043)
General (Alert)
A General alert detection (red indicator) was generated for .NET attempting to make suspicious network connections. [1]
Telemetry
Telemetry showed powershell.exe making a network connection to the C2 (192.168.0.4) over TCP port 443. According to the vendor, the VMware Carbon Black Cloud could be configured to prevent this activity by implementing rules blocking powershell making network connections. [1]
11.A.14
Used HTTPS to transport C2 (192.168.0.4) traffic Established network channel over the HTTPS protocol
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure.
11.A.15
Used HTTPS to encrypt C2 (192.168.0.4) traffic Evidence that the network data sent over the C2 channel is encrypted
Standard Cryptographic Protocol
(T1032)
None
No detection capability demonstrated for this procedure, though data showed powershell.exe loading cryptographic libraries. [1]
12.A.1
Enumerated the System32 directory using PowerShell powershell.exe executing (gci ((gci env:windir).Value + '\system32')
File and Directory Discovery
(T1083)
Telemetry (Correlated)
Telemetry showed PowerShell enumeration of System32. The detection was correlated to a parent alert for the execution of powershell.exe from explorer.exe. [1]
12.A.2
Modified the time attributes of the kxwn.lock persistence payload using PowerShell powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Timestomp
(T1099)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of PowerShell modifying filesystem access and write times of the kxwn.lock file. [1]
Telemetry (Correlated)
Telemetry showed script block with commands to timestomp kxwn.lock as well as the execution of the timestomp function against the kxwn.lock file. The detection was correlated to a parent alert for the execution of powershell.exe from explorer.exe. [1] [2]
12.B.1
Enumerated registered AV products using PowerShell powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Security Software Discovery
(T1063)
Telemetry (Correlated)
Telemetry showed PowerShell gwmi query for AntiVirusProduct. The detection was correlated to a parent alert for the execution of powershell.exe from explorer.exe. [1] [2]
12.C.1
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of PowerShell querying the registry. [1]
Telemetry (Correlated)
Telemetry showed script block with registry query for installed software. The detection was correlated to a parent alert for the execution of powershell.exe from explorer.exe. [1] [2]
12.C.2
Enumerated installed software via the Registry (Uninstall key) using PowerShell powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of PowerShell querying the registry. [1]
Telemetry (Correlated)
Telemetry showed script block with registry query for installed software. The detection was correlated to a parent alert for the execution of powershell.exe from explorer.exe. [1] [2]
13.A.1
Enumerated the computer name using the GetComputerNameEx API powershell.exe executing the GetComputerNameEx API
System Information Discovery
(T1082)
Telemetry (Correlated)
Telemetry showed PowerShell calling the GetComputerNameEx API. The detection was correlated to a parent alert for the execution of powershell.exe from explorer.exe. [1] [2]
13.B.1
Enumerated the domain name using the NetWkstaGetInfo API powershell.exe executing the NetWkstaGetInfo API
System Network Configuration Discovery
(T1016)
Telemetry (Correlated)
Telemetry showed PowerShell calling the NetWkstaGetInfo API. The detection was correlated to a parent alert for the execution of powershell.exe from explorer.exe. [1] [2]
13.C.1
Enumerated the current username using the GetUserNameEx API powershell.exe executing the GetUserNameEx API
System Owner/User Discovery
(T1033)
Telemetry (Correlated)
Telemetry showed PowerShell calling the GetUserNameEx API. The detection was correlated to a parent alert for the execution of powershell.exe from explorer.exe. [1] [2]
13.D.1
Enumerated running processes using the CreateToolhelp32Snapshot API powershell.exe executing the CreateToolhelp32Snapshot API
Process Discovery
(T1057)
Telemetry (Correlated)
Telemetry showed PowerShell calling the CreateToolhelp32Snapshot API. The detection was correlated to a parent alert for the execution of powershell.exe from explorer.exe. [1] [2]
14.A.1
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Component Object Model Hijacking
(T1122)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of the addition of the DelegateExecute Registry value. [1]
Telemetry (Correlated)
Telemetry showed the addition of the DelegateExecute Registry value. The detection was correlated to a parent alert for the execution of powershell.exe from explorer.exe. [1] [2] [3]
14.A.2
Executed elevated PowerShell payload High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Bypass User Account Control
(T1088)
Technique (Alert)
A Technique alert detection was generated for bypassing UAC with sdclt.exe. [1] [2] [3]
Tactic (Alert)
A Tactic alert detection was generated for suspicious privilege escalation process behavior by PowerShell. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of PowerShell elevating privileges via a UAC bypass using sdclt.exe and control.exe. [1]
14.A.3
Modified the Registry to remove artifacts of COM hijacking using PowerShell Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Modify Registry
(T1112)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of the deletion of the DelegateExecute Registry value. [1]
Telemetry (Correlated)
Telemetry showed the deletion of the Registry value. The detection was correlated to a parent alert for the execution of powershell.exe from explorer.exe. [1] [2]
14.B.1
Created and executed a WMI class using PowerShell WMI Process (WmiPrvSE.exe) executing powershell.exe