
CrowdStrike: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

Vendor Configuration    

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment
Detection Modifiers: MSSP, General, Tactic, Technique, Tainted, Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative

Results (columns: Step, Procedure, Technique, Detection Type, Detection Notes)

1.A.1
Procedure: Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
Technique: User Execution (T1204)
Detection Type: General Behavior
Detection Notes: A General Behavior alert for Machine Learning showed that Resume Viewer.exe was executed and that it was detected as malicious. [1]
Detection Type: Telemetry
Detection Notes: Telemetry within the alert showed that Resume Viewer.exe executed, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1]

Procedure: Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32
Technique: Rundll32 (T1085)
Detection Type: Specific Behavior
Detection Notes: A Specific Behavior alert was generated due to rundll32 launching a suspended process. The alert was mapped to the correct ATT&CK Technique (Rundll32) and Tactic (Defense Evasion). [1] [2]
Detection Type: General Behavior (Delayed)
Detection Notes: OverWatch generated a General Behavior alert indicating rundll32 executing update.dat was suspicious. OverWatch is the managed threat hunting service. [1] [2]
Detection Type: Telemetry
Detection Notes: Telemetry within the OverWatch alert showed rundll32.exe executing, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]

Procedure: Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)
Technique: Scripting (T1064)
Detection Type: General Behavior (Delayed)
Detection Notes: OverWatch generated a General Behavior alert indicating the execution of pdfhelper.cmd was suspicious. OverWatch is the managed threat hunting service. [1] [2]
Detection Type: Telemetry
Detection Notes: Telemetry showed pdfhelper.cmd being executed by cmd.exe. [1] [2]

1.B.1
Procedure: Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Technique: Registry Run Keys / Startup Folder (T1060)
Detection Type: Telemetry
Detection Notes: Telemetry showed Registry activity related to the Startup folder. Though no screenshot of the file write is available, this data may be indicative of modifications to the folder. [1]

1.C.1
Procedure: Cobalt Strike: C2 channel established using port 53
Technique: Commonly Used Port (T1043)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure, though DNS requests for freegoogleadsenseinfo.com (C2 domain) were observed (no detection showed port 53 specifically). [1]

Procedure: Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com
Technique: Standard Application Layer Protocol (T1071)
Detection Type: Specific Behavior
Detection Notes: A Specific Behavior alert was generated for abnormally large DNS requests for freegoogleadsenseinfo.com (C2 domain) being sent. The alert was mapped to a related ATT&CK Technique (Exfiltration Over Alternative Protocol) and Tactic (Exfiltration). [1] [2] [3]
Detection Type: Specific Behavior (Delayed)
Detection Notes: The OverWatch team also sent an email indicating a Specific Behavior occurred because they observed suspected command and control or data exfiltration via DNS. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Detection Type: General Behavior (Delayed)
Detection Notes: OverWatch also generated a General Behavior alert indicating the DNS traffic was suspicious. OverWatch is the managed threat hunting service. [1] [2] [3]
Detection Type: Telemetry
Detection Notes: Telemetry within the OverWatch alert showed the DNS requests, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3]

Procedure: Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding
Technique: Data Encoding (T1132)
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed the base64-encoded DNS requests for freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the parent Exfiltration alert. [1]

2.A.1
Procedure: Cobalt Strike: 'ipconfig -all' via cmd
Technique: System Network Configuration Discovery (T1016)
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because ipconfig was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing ipconfig with command-line arguments. The process tree showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran ipconfig) were considered tainted and suspicious. [1] [2] [3]

2.A.2
Procedure: Cobalt Strike: 'arp -a' via cmd
Technique: System Network Configuration Discovery (T1016)
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because arp was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing arp with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran arp) were considered tainted. [1] [2] [3]

2.B.1
Procedure: Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
Technique: System Owner/User Discovery (T1033)
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because echo was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing echo with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran echo) were considered tainted. [1] [2] [3]

2.C.1
Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Technique: Process Discovery (T1057)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

2.C.2
Procedure: Cobalt Strike: 'tasklist -v' via cmd
Technique: Process Discovery (T1057)
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because tasklist was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing tasklist with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran tasklist) were considered tainted. [1] [2] [3]

2.D.1
Procedure: Cobalt Strike: 'sc query' via cmd
Technique: System Service Discovery (T1007)
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because sc query was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing sc with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran sc) were considered tainted. [1] [2] [3]

2.D.2
Procedure: Cobalt Strike: 'net start' via cmd
Technique: System Service Discovery (T1007)
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2]

2.E.1
Procedure: Cobalt Strike: 'systeminfo' via cmd
Technique: System Information Discovery (T1082)
Detection Type: General Behavior (Delayed)
Detection Notes: OverWatch also generated a General Behavior alert indicating systeminfo execution was suspicious. OverWatch is the managed threat hunting service. [1] [2] [3] [4]
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team also sent an email indicating a General Behavior was observed because systeminfo was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing systeminfo. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran systeminfo) were considered tainted. [1] [2] [3] [4]

2.E.2
Procedure: Cobalt Strike: 'net config workstation' via cmd
Technique: System Information Discovery (T1082)
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team also sent an email indicating a General Behavior was observed because net config was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3]

2.F.1
Procedure: Cobalt Strike: 'net localgroup administrators' via cmd
Technique: Permission Groups Discovery (T1069)
Detection Type: General Behavior (Delayed)
Detection Notes: OverWatch also generated a General Behavior alert indicating net localgroup execution was suspicious. OverWatch is the managed threat hunting service. [1] [2] [3] [4]
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team also sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4]

2.F.2
Procedure: Cobalt Strike: 'net localgroup administrators -domain' via cmd
Technique: Permission Groups Discovery (T1069)
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3]

2.F.3
Procedure: Cobalt Strike: 'net group "Domain Admins" -domain' via cmd
Technique: Permission Groups Discovery (T1069)
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Detection Type: Enrichment (Tainted)
Detection Notes: The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The enrichment was tainted by a previous detection. [1] [2] [3] [4]
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4]

2.G.1
Procedure: Cobalt Strike: 'net user -domain' via cmd
Technique: Account Discovery (T1087)
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net.exe) were considered tainted. [1] [2]

2.G.2
Procedure: Cobalt Strike: 'net user george -domain' via cmd
Technique: Account Discovery (T1087)
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because net user was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3]

2.H.1
Procedure: Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
Technique: Query Registry (T1012)
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because reg query was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing reg with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran reg) were considered tainted. [1] [2] [3]

3.A.1
Procedure: Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Technique: Bypass User Account Control (T1088)
Detection Type: Telemetry
Detection Notes: Telemetry showed an integrity level change for user Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High), which is indicative of bypassing UAC. [1]

Procedure: Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
Technique: Access Token Manipulation (T1134)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

3.B.1
Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Technique: Process Discovery (T1057)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

3.C.1
Procedure: Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Technique: Process Injection (T1055)
Detection Type: Specific Behavior (Tainted)
Detection Notes: A Specific Behavior alert was generated showing that PowerShell created a thread into a remote process. The alert identified the correct ATT&CK Technique (Process Injection) and Tactic (Defense Evasion). The process tree view showed the alert as tainted by parent svchost.exe and powershell.exe detections. [1] [2]
Detection Type: General Behavior (Delayed, Tainted)
Detection Notes: OverWatch also generated a General Behavior alert identifying the injection as suspicious. The process tree view showed the alert as tainted by previous svchost.exe and powershell.exe detections. OverWatch is the managed threat hunting service. [1] [2]
Detection Type: Telemetry
Detection Notes: Telemetry associated with the alert would show thread creation in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2]

4.A.1
Procedure: Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd
Technique: Remote System Discovery (T1018)
Detection Type: General Behavior (Delayed)
Detection Notes: OverWatch also generated a General Behavior alert identifying cmd.exe executing net as suspicious. OverWatch is the managed threat hunting service. [1] [2] [3] [4]
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team also sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Detection Type: Enrichment
Detection Notes: The capability showed net.exe executing with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). [1] [2] [3] [4]
Detection Type: Telemetry
Detection Notes: Telemetry within the enrichment showed net.exe executing with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2] [3] [4]

4.A.2
Procedure: Cobalt Strike: 'net group "Domain Computers" -domain' via cmd
Technique: Remote System Discovery (T1018)
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team also sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team identified net group as suspicious with a General Behavior alert. OverWatch is the managed threat hunting service. [1] [2] [3] [4]
Detection Type: Enrichment
Detection Notes: The capability showed net.exe executing with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). [1] [2] [3] [4]
Detection Type: Telemetry
Detection Notes: Telemetry within the enrichment showed net.exe with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2] [3] [4]

4.B.1
Procedure: Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
Technique: System Network Configuration Discovery (T1016)
Detection Type: General Behavior (Delayed)
Detection Notes: OverWatch generated a General Behavior alert indicating the execution of netsh by cmd.exe was suspicious. OverWatch is the managed threat hunting service. [1] [2]
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team also sent an email indicating a General Behavior was observed because netsh was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Detection Type: Telemetry
Detection Notes: Telemetry within the OverWatch alert showed netsh executing with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]

4.C.1
Procedure: Cobalt Strike: 'netstat -ano' via cmd
Technique: System Network Connections Discovery (T1049)
Detection Type: General Behavior (Delayed)
Detection Notes: OverWatch generated a General Behavior alert indicating cmd.exe executing netstat with command-line arguments was suspicious. OverWatch is the managed threat hunting service. [1] [2]
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team also sent an email indicating a General Behavior was observed because netstat was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Detection Type: Telemetry
Detection Notes: Telemetry within the OverWatch alert showed cmd.exe executing netstat with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]

5.A.1
Procedure: Cobalt Strike: Built-in Mimikatz credential dump capability executed
Technique: Credential Dumping (T1003)
Detection Type: Specific Behavior (Tainted)
Detection Notes: A Specific Behavior alert was generated for Credential Dumping, which indicated "a DLL was detected as being reflectively loaded in the callstack." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection. [1]
Detection Type: General Behavior (Delayed, Tainted)
Detection Notes: A General Behavior alert was generated by the OverWatch team indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a parent detection. OverWatch is the managed threat hunting service. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showing the lsass handle open and DLL loading would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1]

Procedure: Cobalt Strike: Credential dump capability involved process injection into lsass
Technique: Process Injection (T1055)
Detection Type: Enrichment
Detection Notes: The capability enriched several event types with descriptions, including a remote process opening a handle to lsass and a DLL being reflectively loaded (ReflectiveDllOpenLsass), as well as the lsass process being accessed (ProcessHollowingDetected). [1]

5.A.2
Procedure: Cobalt Strike: Built-in hash dump capability executed
Technique: Credential Dumping (T1003)
Detection Type: Specific Behavior (Tainted)
Detection Notes: A second Specific Behavior alert was generated for Credential Dumping, which indicated that "a remote thread in LSASS accessed credential registry keys." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection. [1] [2]
Detection Type: Specific Behavior (Tainted)
Detection Notes: A Specific Behavior alert was generated for Credential Dumping, which indicated "a DLL was detected as being reflectively loaded in the callstack." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection. [1] [2]
Detection Type: General Behavior (Delayed, Tainted)
Detection Notes: OverWatch also generated a General Behavior alert indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a previous detection. OverWatch is the managed threat hunting service. [1] [2]
Detection Type: Telemetry
Detection Notes: Telemetry for the lsass remote thread and DLL loading would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2]

Procedure: Cobalt Strike: Hash dump capability involved process injection into lsass.exe
Technique: Process Injection (T1055)
Detection Type: Enrichment
Detection Notes: The capability enriched several event types with descriptions, including a remote process opening a handle to lsass and a DLL being reflectively loaded (ReflectiveDllOpenLsass), malicious process hollowing (ProcessHollowingDetected), and a remote process injecting code into lsass (LsassInjectedCode). [1]

5.B.1
Procedure: Cobalt Strike: Built-in token theft capability executed to change user context to George
Technique: Access Token Manipulation (T1134)
Detection Type: Telemetry
Detection Notes: Telemetry showed the compromised process (21898821890) running as Debbie, then children from this process spawning first as Debbie and later as George. This could indicate theft of George's token within the context of the process. [1]

6.A.1
Procedure: Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
Technique: Query Registry (T1012)
Detection Type: General Behavior (Delayed, Tainted)
Detection Notes: OverWatch generated a General Behavior alert indicating the reg query command was suspicious. The alert was tainted by the parent cmd.exe process. OverWatch is the managed threat hunting service. [1] [2]
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by the parent cmd.exe process. [1] [2]

6.B.1
Procedure: Cobalt Strike: C2 channel modified to use port 80
Technique: Commonly Used Port (T1043)
Detection Type: Telemetry
Detection Notes: Telemetry showed a connection over TCP port 80 to 192.168.0.4 (C2 server). [1]

Procedure: Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com
Technique: Standard Application Layer Protocol (T1071)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure, though telemetry showed a connection to 192.168.0.4 (C2 server) on port 80 (no detection showed HTTP specifically).

Procedure: Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS
Technique: Multiband Communication (T1026)
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed connections over both DNS and TCP port 80, which could indicate multiband communication. The DNS connections were tainted by a parent Exfiltration alert. [1] [2]

6.C.1
Procedure: Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
Technique: Remote Desktop Protocol (T1076)
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because they identified suspicious communications over port 3389 (RDP) to other hosts. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Detection Type: Telemetry
Detection Notes: Telemetry showed a connection for logon type 10 (interactive logon) and a connection to 10.0.0.5 (Conficker) over TCP port 3389. [1] [2] [3]

7.A.1
Procedure: Added user Jesse to Conficker (10.0.0.5) through RDP connection
Technique: Create Account (T1136)
Detection Type: Telemetry
Detection Notes: Telemetry showed the creation of the user Jesse and the user being added to the domain admin group. [1] [2] [3]

Procedure: Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection
Technique: Graphical User Interface (T1061)
Detection Type: Telemetry
Detection Notes: Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in). [1]

Procedure: Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information
Technique: Account Discovery (T1087)
Detection Type: Telemetry
Detection Notes: Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. [1]

7.B.1
Procedure: Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
Technique: Remote File Copy (T1105)
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed the file write for updater.dll into the system32 folder by user George. The telemetry was tainted by the parent "unexpected process" alert. [1] [2]

7.C.1
Procedure: Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Technique: Scheduled Task (T1053)
Detection Type: Specific Behavior (Delayed)
Detection Notes: The OverWatch team also sent an email indicating a Specific Behavior was observed because a scheduled task was created for persistence. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Detection Type: General Behavior (Delayed, Tainted)
Detection Notes: OverWatch generated a General Behavior alert indicating the creation of the scheduled task was suspicious. The process tree view showed the alert as tainted by a previous cmd.exe detection. OverWatch is the managed threat hunting service. [1] [2] [3]
Detection Type: Telemetry
Detection Notes: Telemetry showed the creation of the scheduled task. [1] [2] [3]

8.A.1
Procedure: Cobalt Strike: 'dir -s -b "\\conficker\wormshare"' via cmd
Technique: File and Directory Discovery (T1083)
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe running dir. The process tree view showed the cmd.exe process that ran dir as tainted by a prior detection. [1] [2]

8.A.2
Procedure: Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
Technique: File and Directory Discovery (T1083)
Detection Type: General Behavior (Delayed, Tainted)
Detection Notes: OverWatch generated a General Behavior alert indicating tree.com was suspicious. The process tree view showed the alert as tainted by a previous cmd.exe detection. OverWatch is the managed threat hunting service. [1] [2] [3] [4]
Detection Type: General Behavior (Delayed)
Detection Notes: The OverWatch team also sent an email indicating a General Behavior was identified because tree was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed cmd.exe running tree with command-line arguments. The process tree view also showed the cmd.exe that was the parent for tree.com as tainted by a prior detection. [1] [2] [3] [4]

8.B.1
Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Technique: Process Discovery (T1057)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

8.C.1
Procedure: Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Technique: Input Capture (T1056)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure, though telemetry showed explorer.exe injecting from a known beacon (does not detect input capture specifically). [1]

Procedure: Cobalt Strike: Keylogging capability included residual enumeration of application windows
Technique: Application Window Discovery (T1010)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

8.D.1
Procedure: Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Technique: Screen Capture (T1113)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure, though telemetry showed explorer.exe injecting from a known beacon (does not detect screen capture specifically). [1]

Procedure: Cobalt Strike: Screen capture capability involved process injection into explorer.exe
Technique: Process Injection (T1055)
Detection Type: Telemetry
Detection Notes: Telemetry showed InjectedThread events for explorer.exe (pid=21776848613) injecting from cmd.exe (pid=21898821890), which is a known beacon. [1]

9.A.1
Procedure: Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Technique: File and Directory Discovery (T1083)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

9.B.1
Procedure: Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Technique: Data from Network Shared Drive (T1039)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

Procedure: Cobalt Strike: Download capability exfiltrated data through existing C2 channel
Technique: Exfiltration Over Command and Control Channel (T1041)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

10.A.1
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Registry Run Keys / Startup Folder
(T1060)
Telemetry
Telemetry showed cmd.exe running autoupdate.bat from the Startup folder. [1]
10.A.2
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Scheduled Task
(T1053)
Telemetry (Tainted)
Telemetry showed rundll32.exe starting updater.dll. The telemetry was tainted by the parent OverWatch alert. [1]
10.B.1
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Valid Accounts
(T1078)
Telemetry
Telemetry showed a type 10 (interactive) UserLogon event for Jesse. [1]
RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism
Remote Desktop Protocol
(T1076)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior occurred because they observed suspicious communications over 3389 (RDP) to other hosts. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Telemetry
Telemetry showed the remote connection to Conficker for a user logon by Jesse with type 10 (interactive) as well as the use of rdpclip.exe by the logged-on user. [1] [2] [3]
11.A.1
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Scripting
(T1064)
Specific Behavior
A Specific Behavior alert was generated indicating "A PowerShell script launched that shares characteristics with known PowerShell exploit kits." [1] [2] [3]
Specific Behavior (Delayed)
The OverWatch team also sent an email indicating a Specific Behavior was observed because a malicious script invoked by wscript was run by Bob on CodeRed and launched PowerShell. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
General Behavior (Delayed)
A General Behavior alert was generated from OverWatch indicating wscript.exe executing launcher.vbs was suspicious. OverWatch is the managed threat hunting service. [1] [2] [3]
Telemetry
Telemetry within the OverWatch alert showed wscript.exe executing launcher.vbs, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3]
11.B.1
Empire: C2 channel established using port 443
Commonly Used Port
(T1043)
Telemetry (Tainted)
Telemetry showed powershell.exe making a connection to 192.168.0.5 (C2 server) over port 443. The telemetry was tainted by an alert on its parent powershell.exe process. [1]
Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic). [1]
Empire: Encrypted C2 channel established using HTTPS
Standard Cryptographic Protocol
(T1032)
None
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic). [1]
12.A.1
Empire: 'route print' via PowerShell
System Network Configuration Discovery
(T1016)
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because route print was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Telemetry (Tainted)
Telemetry showed powershell.exe executing route.exe with command-line arguments. The process tree view showed route.exe as tainted by a previous powershell.exe detection. [1] [2]
12.A.2
Empire: 'ipconfig -all' via PowerShell
System Network Configuration Discovery
(T1016)
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because ipconfig was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Telemetry (Tainted)
Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments. The process tree view showed ipconfig.exe as tainted by a previous powershell.exe detection. [1] [2]
12.B.1
Empire: 'whoami -all -fo list' via PowerShell
System Owner/User Discovery
(T1033)
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating whoami.exe with command-line arguments was suspicious. The process tree view showed whoami.exe as tainted by a previous powershell.exe detection. OverWatch is the managed threat hunting service. [1] [2]
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because whoami was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Telemetry
Telemetry within the OverWatch alert showed powershell.exe executing whoami.exe with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]
12.C.1
Empire: 'qprocess *' via PowerShell
Process Discovery
(T1057)
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating qprocess.exe with command-line arguments was suspicious. The process tree view showed qprocess.exe as tainted by a previous powershell.exe detection. OverWatch is the managed threat hunting service. [1] [2]
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because qprocess was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Telemetry
Telemetry within the OverWatch alert showed execution of qprocess.exe with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]
12.D.1
Empire: 'net start' via PowerShell
System Service Discovery
(T1007)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net start was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe and net1.exe as tainted by a previous powershell.exe detection. [1] [2]
12.E.1
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Scripting
(T1064)
Specific Behavior (Delayed)
The OverWatch team also sent an email indicating they identified a Specific Behavior for an unidentified PowerShell script running. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Specific Behavior (Delayed)
The OverWatch team generated a Specific Behavior alert indicating the PowerShell script was malicious. OverWatch is the managed threat hunting service. [1] [2] [3]
Telemetry
Telemetry showed the PowerShell script (.ps1) being written to the temp folder. [1] [2] [3]
12.E.1.1
Empire: WinEnum module included enumeration of user information
System Owner/User Discovery
(T1033)
None
No detection capability demonstrated for this procedure.
12.E.1.2
Empire: WinEnum module included enumeration of AD group memberships
Permission Groups Discovery
(T1069)
None
No detection capability demonstrated for this procedure.
12.E.1.3
Empire: WinEnum module included enumeration of password policy information
Password Policy Discovery
(T1201)
None
No detection capability demonstrated for this procedure.
12.E.1.4.1
Empire: WinEnum module included enumeration of recently opened files
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure.
12.E.1.4.2
Empire: WinEnum module included enumeration of interesting files
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure.
12.E.1.5
Empire: WinEnum module included enumeration of clipboard contents
Clipboard Data
(T1115)
None
No detection capability demonstrated for this procedure, though telemetry showed execution of an encoded PowerShell command and OverWatch alerted on it as suspicious. The PowerShell decoded to Windows.Clipboard(...) outside of the capability, which indicated clipboard interaction, but this was not counted as a detection because it was external to the capability. [1] [2] [3]
12.E.1.6.1
Empire: WinEnum module included enumeration of system information
System Information Discovery
(T1082)
Telemetry
Telemetry from decoded PowerShell (within the capability) showed the Get-Sysinfo function. [1]
12.E.1.6.2
Empire: WinEnum module included enumeration of Windows update information
System Information Discovery
(T1082)
None
No detection capability demonstrated for this procedure.
12.E.1.7
Empire: WinEnum module included enumeration of system information via a Registry query
Query Registry
(T1012)
Telemetry
Telemetry from decoded PowerShell (within the capability) showed the Get-Sysinfo function. [1]
12.E.1.8
Empire: WinEnum module included enumeration of services
System Service Discovery
(T1007)
None
No detection capability demonstrated for this procedure.
12.E.1.9.1
Empire: WinEnum module included enumeration of available shares
Network Share Discovery
(T1135)
None
No detection capability demonstrated for this procedure.
12.E.1.9.2
Empire: WinEnum module included enumeration of mapped network drives
Network Share Discovery
(T1135)
None
No detection capability demonstrated for this procedure.
12.E.1.10.1
Empire: WinEnum module included enumeration of AV solutions
Security Software Discovery
(T1063)
None
No detection capability demonstrated for this procedure.
12.E.1.10.2
Empire: WinEnum module included enumeration of firewall rules
Security Software Discovery
(T1063)
None
No detection capability demonstrated for this procedure.
12.E.1.11
Empire: WinEnum module included enumeration of network adapters
System Network Configuration Discovery
(T1016)
None
No detection capability demonstrated for this procedure.
12.E.1.12
Empire: WinEnum module included enumeration of established network connections
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
Telemetry showed powershell.exe executing netstat.exe with command-line arguments. The process tree view showed netstat.exe as tainted by a previous powershell.exe detection. [1]
12.F.1
Empire: 'net group "Domain Admins" -domain' via PowerShell
Permission Groups Discovery
(T1069)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net group was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Enrichment (Tainted)
The capability enriched net.exe with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3]
12.F.2
Empire: 'net localgroup administrators' via PowerShell
Permission Groups Discovery
(T1069)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net localgroup was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2]
12.G.1
Empire: 'net user' via PowerShell
Account Discovery
(T1087)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net user was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2]
12.G.2
Empire: 'net user -domain' via PowerShell
Account Discovery
(T1087)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net user was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2]
13.A.1
Empire: 'net group "Domain Computers" -domain' via PowerShell
Remote System Discovery
(T1018)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net group was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Enrichment (Tainted)
The capability enriched net.exe with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The process tree view showed the enrichment was tainted by a previous powershell.exe detection. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3]
13.B.1
Empire: 'net use' via PowerShell
System Network Connections Discovery
(T1049)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net use was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2]
13.B.2
Empire: 'netstat -ano' via PowerShell
System Network Connections Discovery
(T1049)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because netstat was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Telemetry (Tainted)
Telemetry showed netstat.exe executing with command-line arguments. The process tree view showed netstat.exe as tainted by a previous powershell.exe detection. [1] [2]
13.C.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert identifying reg.exe execution as suspicious. The alert was tainted by a parent powershell.exe detection. OverWatch is the managed threat hunting service. [1] [2] [3] [4]
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because reg query was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments. The process tree view showed reg.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4]
14.A.1
Empire: Built-in UAC bypass token duplication module executed to launch a new callback with an elevated process integrity level
Bypass User Account Control
(T1088)
Specific Behavior (Delayed)
The OverWatch team also sent an email indicating a Specific Behavior was observed because a base64 obfuscated PowerShell command was used to invoke UAC bypass. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Telemetry
Telemetry showed an integrity level change through a query for powershell.exe processes of high integrity (12288/0x3000) that were created by medium integrity processes (8192/0x2000), which is indicative of bypassing UAC. Telemetry also showed the Invoke-BypassUACTokenManipulation function in the script. [1] [2] [3]
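Two detection ideas recur in the notes above: a process tree being marked as tainted by an earlier detection (the many Telemetry (Tainted) rows) and, for 14.A.1, the query for high-integrity powershell.exe processes created by medium-integrity parents. The following is an added Python example that implements both over constructed sample process-creation events. It is illustrative code, not part of the evaluation or of CrowdStrike's capability; the event field names, pids, command lines and the sample tree are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Integrity level values as quoted in the 14.A.1 telemetry note.
MEDIUM_INTEGRITY = 0x2000  # 8192
HIGH_INTEGRITY = 0x3000    # 12288


@dataclass
class ProcessEvent:
    """One process-creation record. Field names are this example's own, not a vendor schema."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    integrity: int
    detection: Optional[str] = None  # alert that fired directly on this process, if any


# Constructed sample telemetry (not real evaluation data), loosely following
# steps 11 through 14 above: a detected wscript.exe launches powershell.exe,
# which runs discovery commands and finally spawns a high-integrity child.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(100, 1,   "explorer.exe",   "explorer.exe",                       MEDIUM_INTEGRITY),
    ProcessEvent(200, 100, "wscript.exe",    "wscript.exe launcher.vbs",           MEDIUM_INTEGRITY,
                 detection="Suspicious script execution"),
    ProcessEvent(300, 200, "powershell.exe", "powershell.exe -enc <omitted>",      MEDIUM_INTEGRITY),
    ProcessEvent(400, 300, "net.exe",        'net group "Domain Admins" /domain',  MEDIUM_INTEGRITY),
    ProcessEvent(401, 400, "net1.exe",       'net1 group "Domain Admins" /domain', MEDIUM_INTEGRITY),
    ProcessEvent(500, 300, "powershell.exe", "powershell.exe -enc <omitted>",      HIGH_INTEGRITY),
    ProcessEvent(600, 1,   "svchost.exe",    "svchost.exe -k netsvcs",             0x4000),
]


def children_by_parent(events: List[ProcessEvent]) -> Dict[int, List[int]]:
    """Index the process tree as parent pid -> list of child pids."""
    tree: Dict[int, List[int]] = {}
    for e in events:
        tree.setdefault(e.ppid, []).append(e.pid)
    return tree


def propagate_taint(events: List[ProcessEvent]) -> Dict[int, int]:
    """Map each tainted pid to the pid of the detected ancestor that taints it.

    A process is tainted if an alert fired on it or on any ancestor; this is the
    "tainted by a previous powershell.exe detection" context in the notes above.
    """
    tree = children_by_parent(events)
    tainted: Dict[int, int] = {}
    # Depth-first walk from every process that carries its own detection.
    stack: List[Tuple[int, int]] = [(e.pid, e.pid) for e in events if e.detection]
    while stack:
        pid, root = stack.pop()
        if pid in tainted:          # already reached from another detection
            continue
        tainted[pid] = root
        stack.extend((child, root) for child in tree.get(pid, []))
    return tainted


def find_integrity_elevations(events: List[ProcessEvent],
                              image: Optional[str] = None) -> List[Tuple[int, int]]:
    """Return (child pid, parent pid) pairs where a high-integrity process was
    created by a medium-integrity parent, the pattern the 14.A.1 note calls
    indicative of a UAC bypass. Optionally restrict to one child image name.
    """
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue                 # parent not in telemetry; nothing to compare
        if image is not None and e.image.lower() != image.lower():
            continue
        if e.integrity == HIGH_INTEGRITY and parent.integrity == MEDIUM_INTEGRITY:
            hits.append((e.pid, e.ppid))
    return hits


def tainted_discovery_commands(events: List[ProcessEvent]) -> List[str]:
    """Command lines of tainted processes other than the detection root itself,
    i.e. the telemetry rows that would carry the Tainted modifier."""
    tainted = propagate_taint(events)
    return [e.cmdline for e in events if e.pid in tainted and tainted[e.pid] != e.pid]


if __name__ == "__main__":
    for pid, root in sorted(propagate_taint(SAMPLE_EVENTS).items()):
        print(f"pid {pid} tainted by detection on pid {root}")
    for child, parent in find_integrity_elevations(SAMPLE_EVENTS, image="powershell.exe"):
        print(f"UAC bypass indicator: pid {child} (high) created by pid {parent} (medium)")
```

Taint is propagated only downward from the process that raised an alert, so an unrelated process such as the svchost.exe row stays clean, and the integrity check deliberately skips events whose parent is absent from the telemetry rather than guessing.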
Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk
Remote File Copy
(T1105)
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because PowerShell retrieved the file wdbypass from www.freegoogleadsenseinfo.com (C2 domain) over port 8080. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1]
Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. [1] [2]