Endgame

Endgame: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment
Detection Modifiers: Tainted, Delayed, Configuration Change

Step / Procedure / Technique / Detection Type / Detection Notes
1.A.1
Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
User Execution
(T1204)
General Behavior
A General Behavior alert was generated for Malicious File Detection on the execution of Resume Viewer.exe. [1] [2]
Telemetry (Tainted)
Telemetry showed events surrounding the Resume Viewer.exe event to indicate execution (tainted by a parent Malicious File Detection). [1] [2]
Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32
Rundll32
(T1085)
Specific Behavior (Tainted)
A Specific Behavior alert called RunDLL32 with Suspicious DLL Location was generated due to rundll32.exe running update.dat. The alert was also tagged with the correct ATT&CK Technique (T1085 - Rundll32) and Tactics (Defense Evasion, Execution) and was tainted by a parent Malicious File Detection alert. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed rundll32.exe running update.dat. The telemetry was tainted by a parent Malicious File Detection alert. [1] [2] [3]
Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)
Scripting
(T1064)
Telemetry (Tainted)
Telemetry showed cmd.exe executing pdfhelper.cmd as well as pdfhelper.cmd spawning as a child process of Resume Viewer.exe. The telemetry was tainted by a parent Malicious File Detection alert. [1] [2] [3] [4] [5] [6] [7]
1.B.1
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Registry Run Keys / Startup Folder
(T1060)
Specific Behavior (Tainted)
A Specific Behavior alert called "Detected Persistence - Start Folder Persistence" was generated due to cmd.exe writing autoupdate.bat to the Startup folder. The alert was also tagged with the correct ATT&CK Technique (T1060 - Registry Run Keys / Start Folder) and Tactic (Persistence). The Specific Behavior alert was tainted by a parent Malicious File Detection alert. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed autoupdate.bat written to the Start Menu. The telemetry was tainted by a parent Malicious File Detection alert. [1] [2] [3]
1.C.1
Cobalt Strike: C2 channel established using port 53
Commonly Used Port
(T1043)
None
No detection capability demonstrated for this procedure, though DNS requests were observed (no detection showed port 53 specifically). [1] [2] [3] [4] [5] [6] [7] [8]
Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com
Standard Application Layer Protocol
(T1071)
Telemetry (Tainted)
Telemetry in the event tree view showed DNS requests originating from rundll32.exe to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Malicious File Detection alert. [1] [2] [3] [4] [5]
Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding
Data Encoding
(T1132)
None
No detection capability demonstrated for this procedure.
2.A.1
Cobalt Strike: 'ipconfig -all' via cmd
System Network Configuration Discovery
(T1016)
General Behavior (Delayed, Configuration Change, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by parent Malicious File Detection).[EG8] This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
General Behavior (Tainted)
A General Behavior alert called Unusual Child Process of RunDLL32 was generated for cmd.exe executing ipconfig.exe with command-line arguments. The alert was tainted as part of the event tree under a parent Malicious File Detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing ipconfig.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
2.A.2
Cobalt Strike: 'arp -a' via cmd
System Network Configuration Discovery
(T1016)
General Behavior (Delayed, Configuration Change, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection).[EG8] This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing arp.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
2.B.1
Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
System Owner/User Discovery
(T1033)
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing echo with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed, Configuration Change, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection).[EG8] This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8]
2.C.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
2.C.2
Cobalt Strike: 'tasklist -v' via cmd
Process Discovery
(T1057)
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing tasklist.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4]
General Behavior (Delayed, Configuration Change, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection).[EG8] This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4]
2.D.1
Cobalt Strike: 'sc query' via cmd
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing sc.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
General Behavior (Delayed, Configuration Change, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection).[EG8] This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
2.D.2
Cobalt Strike: 'net start' via cmd
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
General Behavior (Delayed, Configuration Change, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection).[EG8] This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
2.E.1
Cobalt Strike: 'systeminfo' via cmd
System Information Discovery
(T1082)
General Behavior (Delayed, Configuration Change, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection).[EG8] This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing systeminfo.exe (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7]
2.E.2
Cobalt Strike: 'net config workstation' via cmd
System Information Discovery
(T1082)
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7]
General Behavior (Delayed, Configuration Change, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection).[EG8] This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7]
2.F.1
Cobalt Strike: 'net localgroup administrators' via cmd
Permission Groups Discovery
(T1069)
General Behavior (Delayed, Configuration Change, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection).[EG8] This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Tainted)
The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
2.F.2
Cobalt Strike: 'net localgroup administrators -domain' via cmd
Permission Groups Discovery
(T1069)
General Behavior (Delayed, Configuration Change, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection).[EG8] This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Tainted)
The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
2.F.3
Cobalt Strike: 'net group "Domain Admins" -domain' via cmd
Permission Groups Discovery
(T1069)
General Behavior (Delayed, Configuration Change, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection).[EG8] This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Tainted)
The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
2.G.1
Cobalt Strike: 'net user -domain' via cmd
Account Discovery
(T1087)
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Delayed, Configuration Change, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection).[EG8] This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
2.G.2
Cobalt Strike: 'net user george -domain' via cmd
Account Discovery
(T1087)
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Delayed, Configuration Change, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection).[EG8] This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
2.H.1
Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
Query Registry
(T1012)
General Behavior (Delayed, Configuration Change, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection).[EG8] This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing reg.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9]
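The Step 2 rows above repeat one pattern: telemetry for each discovery command, tainted because an ancestor process already carried a Malicious File Detection alert, plus a delayed alert that only fires after several distinct discovery techniques have run. The following Python is an added example, not Endgame's or MITRE's code, showing how those three ideas (ancestor-based taint, the "Unusual Child Process of RunDLL32" rule, and a windowed "Enumeration Command Sequence" rule) can be expressed over process-creation events. The event fields, the ten-minute window, the threshold of four distinct techniques and all event data are assumptions; the Configuration Change modifier (the page notes the real rule was enabled mid-evaluation) is not modelled.

```python
"""Added example (not Endgame's or MITRE's code): a toy detector that replays
the Step 1-2 chain on Nimda from constructed process-creation events and models
three things the results table describes: telemetry "tainted" by an alert on an
ancestor process, the "Unusual Child Process of RunDLL32" general-behaviour rule,
and a delayed "Enumeration Command Sequence" alert that fires once a threshold of
distinct discovery techniques is seen on one host inside a time window. Event
fields, the window, the threshold and all event data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery executables -> ATT&CK technique IDs as used on this results page.
DISCOVERY_IMAGES = {
    "ipconfig.exe": "T1016", "arp.exe": "T1016", "tasklist.exe": "T1057",
    "sc.exe": "T1007", "systeminfo.exe": "T1082", "reg.exe": "T1012",
}
# net.exe maps to different techniques depending on its sub-command.
NET_SUBCOMMANDS = {"start": "T1007", "config": "T1082", "localgroup": "T1069",
                   "group": "T1069", "user": "T1087"}


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def technique_for(image, cmdline):
    """Technique ID a process-creation event represents, or None if not discovery."""
    name = basename(image)
    if name == "net.exe":
        parts = cmdline.split()
        return NET_SUBCOMMANDS.get(parts[1].lower()) if len(parts) > 1 else None
    return DISCOVERY_IMAGES.get(name)


class ProcessTree:
    def __init__(self):
        self.parent = {}                 # pid -> ppid
        self.image = {}                  # pid -> image path
        self.alerts = defaultdict(list)  # pid -> alert names raised on that process

    def add(self, ev):
        self.parent[ev["pid"]] = ev["ppid"]
        self.image[ev["pid"]] = ev["image"]

    def ancestors(self, pid):
        while pid in self.parent:
            pid = self.parent[pid]
            yield pid

    def taint(self, pid):
        """Alert names on any ancestor: what the page calls 'tainted' telemetry."""
        return [a for p in self.ancestors(pid) for a in self.alerts[p]]


def run_detections(events, window=timedelta(minutes=10), threshold=4):
    """Return (detection type, rule or technique, pid, taint) tuples in timestamp order."""
    tree, findings = ProcessTree(), []
    history = defaultdict(list)          # host -> [(ts, technique)] since the last alert
    for ev in sorted(events, key=lambda e: e["ts"]):
        tree.add(ev)
        if ev.get("malicious_file"):      # stand-in for the vendor's file-based alert
            tree.alerts[ev["pid"]].append("Malicious File Detection")
        # General Behavior: a DLL hosted by rundll32 has no business spawning a shell.
        if basename(tree.image.get(ev["ppid"], "")) == "rundll32.exe" and basename(ev["image"]) == "cmd.exe":
            findings.append(("General Behavior", "Unusual Child Process of RunDLL32", ev["pid"], tree.taint(ev["pid"])))
            tree.alerts[ev["pid"]].append("Unusual Child Process of RunDLL32")
        tech = technique_for(ev["image"], ev["cmdline"])
        if tech is None:
            continue
        findings.append(("Telemetry", tech, ev["pid"], tree.taint(ev["pid"])))
        hist = history[ev["host"]]
        hist.append((ev["ts"], tech))
        distinct = {t for seen_at, t in hist if ev["ts"] - seen_at <= window}
        if len(distinct) >= threshold:
            # Delayed by construction: it cannot fire until enough distinct techniques have run.
            findings.append(("General Behavior (Delayed)", "Enumeration Command Sequence", ev["pid"], tree.taint(ev["pid"])))
            hist.clear()                 # one alert per sequence, then start counting again
    return findings


def sample_events():
    """Constructed events (not real telemetry): Resume Viewer.exe -> cmd -> rundll32 -> cmd -> discovery."""
    rows = [
        (100, 1,   "C:\\Users\\debbie\\Downloads\\Resume Viewer.exe", '"Resume Viewer.exe"', True),
        (200, 100, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c pdfhelper.cmd", False),
        (300, 200, "C:\\Windows\\System32\\rundll32.exe", "rundll32.exe update.dat", False),
        (400, 300, "C:\\Windows\\System32\\cmd.exe", "cmd.exe", False),
    ]
    discovery = ["ipconfig.exe /all", "arp.exe -a", "tasklist.exe /v", "sc.exe query",
                 "net.exe start", "systeminfo.exe", "net.exe config workstation",
                 "net.exe localgroup administrators", "net.exe user /domain",
                 "reg.exe query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"]
    for i, cmd in enumerate(discovery, start=1):
        rows.append((400 + i, 400, "C:\\Windows\\System32\\" + cmd.split()[0], cmd, False))
    t0 = datetime(2019, 1, 1, 9, 0, 0)
    return [{"ts": t0 + timedelta(seconds=30 * i), "host": "NIMDA", "pid": pid, "ppid": ppid,
             "image": image, "cmdline": cmdline, "malicious_file": bad}
            for i, (pid, ppid, image, cmdline, bad) in enumerate(rows)]


if __name__ == "__main__":
    for kind, what, pid, taint in run_detections(sample_events()):
        print(f"{kind:26} {what:32} pid={pid} tainted_by={taint}")
```

Every discovery event under the rundll32-spawned cmd.exe carries both ancestor alerts in its taint list, which is exactly why the page credits these rows as Telemetry (Tainted) rather than as stand-alone detections. The threshold rule is "delayed" by construction: the alert cannot exist until the fourth distinct technique has run, so the modifier describes the rule's design, not a processing lag.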
3.A.1
Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Bypass User Account Control
(T1088)
Telemetry
Telemetry showed a mismatch between the logon id (authentication id) of parent and child processes, indicating that a different token was used. Though no screenshot for this data is available, this information can be used to trace back to the logon event for that logon id and display the process integrity level indicative of the elevated token used to bypass UAC. [EG7] During the evaluation, Windows Defender was unknowingly re-enabled. As a result, Bypass UAC was tested using a slightly modified method. The detection method Endgame exhibited would have been valid regardless. [1] [2] [3]
Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
Access Token Manipulation
(T1134)
Telemetry
Telemetry showed a svchost.exe seclogon event for a token logon id (authentication id) later used by a new powershell.exe process, highlighting token manipulation via a mismatch in ids between parent and child process tokens. [EG7] During the evaluation, Windows Defender was unknowingly re-enabled. As a result, Bypass UAC was tested using a slightly modified method. The detection method Endgame exhibited would have been valid regardless. [1] [2] [3] [4]
3.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
3.C.1
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Process Injection
(T1055)
Specific Behavior
A Specific Behavior alert was generated for process injection into cmd.exe. [1] [2] [3] [4] [5]
4.A.1
Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd
Remote System Discovery
(T1018)
Telemetry
Telemetry showed the process creation of net group with command-line arguments. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Enrichment (Delayed)
The capability enriched the net command with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
4.A.2
Cobalt Strike: 'net group "Domain Computers" -domain' via cmd
Remote System Discovery
(T1018)
Telemetry
Telemetry showed the process creation of net group with command-line arguments. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Enrichment (Delayed)
The capability enriched the net command with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
4.B.1
Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
System Network Configuration Discovery
(T1016)
Telemetry
Telemetry showed the process creation of netsh with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
4.C.1
Cobalt Strike: 'netstat -ano' via cmd
System Network Connections Discovery
(T1049)
Telemetry
Telemetry showed the process creation of netstat with command-line arguments. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment (Delayed)
The capability enriched the netstat command with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
5.A.1
Cobalt Strike: Built-in Mimikatz credential dump capability executed
Credential Dumping
(T1003)
Specific Behavior
A Specific Behavior alert was generated for the correct ATT&CK Technique (Credential Dumping). [1] [2]
Cobalt Strike: Credential dump capability involved process injection into lsass
Process Injection
(T1055)
Telemetry
Telemetry showed privileged accesses (PROCESS_VM_READ and PROCESS_QUERY_LIMITED_INFORMATION) into lsass.exe. [1] [2] [3] [4] [5]
5.A.2
Cobalt Strike: Built-in hash dump capability executed
Credential Dumping
(T1003)
Specific Behavior
A Specific Behavior alert was generated for the correct ATT&CK Technique (Credential Dumping). [1] [2]
Cobalt Strike: Hash dump capability involved process injection into lsass.exe
Process Injection
(T1055)
Specific Behavior
A Specific Behavior alert was generated for the correct ATT&CK Technique (Process Injection). [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed multiple privileged accesses (including PROCESS_CREATE_THREAD) into lsass, indicative of Process Injection (tainted by the Process Injection alert). [1] [2] [3] [4] [5]
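The 5.A.1 and 5.A.2 telemetry notes draw a useful line: an LSASS handle opened with PROCESS_VM_READ and PROCESS_QUERY_LIMITED_INFORMATION is enough to read credentials out of memory, while one that also carries PROCESS_CREATE_THREAD is injection-capable. The following Python is an added example, not Endgame's code, that decodes a GrantedAccess mask of the kind a process-access event (for example Sysmon Event ID 10) records and applies that distinction. The log lines are constructed; the access-right values are the documented Win32 process access rights.

```python
"""Added example (not Endgame's code): decode the GrantedAccess mask recorded
for a handle opened on lsass.exe and separate a credential read (VM_READ plus a
query right, as in 5.A.1) from an injection-capable handle (CREATE_THREAD or
VM_WRITE, as in 5.A.2). Sample records are constructed; the constants are the
documented Win32 process access rights."""
import re

PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
INJECTION_RIGHTS = {"PROCESS_CREATE_THREAD", "PROCESS_VM_WRITE"}
READ_RIGHTS = {"PROCESS_VM_READ"}
QUERY_RIGHTS = {"PROCESS_QUERY_INFORMATION", "PROCESS_QUERY_LIMITED_INFORMATION"}


def decode_access(mask):
    """Return the named rights set in mask, plus any bits this table does not name."""
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    return names, leftover


def classify_lsass_access(mask):
    rights = set(decode_access(mask)[0])
    if rights & INJECTION_RIGHTS:
        return "injection-capable"   # can start a thread in / write into lsass
    if rights & READ_RIGHTS and rights & QUERY_RIGHTS:
        return "credential-read"     # enough to read LSA secrets from memory (5.A.1)
    if rights and rights <= QUERY_RIGHTS | {"SYNCHRONIZE"}:
        return "query-only"          # typical of Task Manager style enumeration
    return "other"


# Constructed, Sysmon-10-like records flattened to one line each.
LINE_RE = re.compile(r"SourceImage:\s*(?P<src>\S+).*?TargetImage:\s*(?P<dst>\S+)"
                     r".*?GrantedAccess:\s*(?P<acc>0x[0-9A-Fa-f]+)")


def triage(lines):
    """Classify every handle opened on lsass.exe; other targets are ignored."""
    results = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or not m.group("dst").lower().endswith("\\lsass.exe"):
            continue
        mask = int(m.group("acc"), 16)
        results.append({"source": m.group("src"), "mask": mask,
                        "rights": decode_access(mask)[0],
                        "verdict": classify_lsass_access(mask)})
    return results


SAMPLE_LINES = [  # constructed
    "EventID: 10 SourceImage: C:\\Windows\\System32\\rundll32.exe TargetImage: C:\\Windows\\System32\\lsass.exe GrantedAccess: 0x1010",
    "EventID: 10 SourceImage: C:\\Windows\\System32\\rundll32.exe TargetImage: C:\\Windows\\System32\\lsass.exe GrantedAccess: 0x1FFFFF",
    "EventID: 10 SourceImage: C:\\Windows\\System32\\Taskmgr.exe TargetImage: C:\\Windows\\System32\\lsass.exe GrantedAccess: 0x1400",
    "EventID: 10 SourceImage: C:\\Windows\\System32\\svchost.exe TargetImage: C:\\Windows\\System32\\wininit.exe GrantedAccess: 0x1010",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(f"{r['source']} -> lsass.exe {hex(r['mask'])}: {r['verdict']} {r['rights']}")
```

The 0x1010 mask (VM_READ | QUERY_LIMITED_INFORMATION) is the minimal set a credential dumper needs and is the shape behind the 5.A.1 telemetry; the second record's 0x1FFFFF (PROCESS_ALL_ACCESS) includes CREATE_THREAD and so lands in the injection bucket that 5.A.2 describes. Whitelisting by source image alone is weak, since the page's own injection rows show a trusted binary (rundll32.exe) doing the access.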
5.B.1
Cobalt Strike: Built-in token theft capability executed to change user context to George
Access Token Manipulation
(T1134)
Specific Behavior
A Specific Behavior alert was generated for Privilege Escalation based on rundll32.exe as Debbie, spawning the process cmd.exe as George, which indicated a possible stolen token. The alert was mapped to the correct ATT&CK Technique (T1134 - Access Token Manipulation) and Tactics (Privilege Escalation, Defense Evasion). [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed the change of user between the parent and child processes rundll32.exe and cmd.exe (tainted by the Privilege Escalation alert). [1] [2] [3] [4]
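Both 3.A.1 (UAC bypass: same user, but an elevated token) and 5.B.1 (token theft: rundll32.exe as Debbie spawning cmd.exe as George) reduce to one observation, a child whose token carries a logon id its parent does not. The following Python is an added example, not Endgame's code, that makes that check explicit over constructed process and logon records and then traces the child's logon id back to its logon record to decide which of the two cases applies. Field names, logon ids and the seclogon-sourced logon record are assumptions.

```python
"""Added example (not Endgame's code): the parent/child logon-ID check behind the
3.A.1 and 5.B.1 rows. A child whose token logon ID differs from its parent's did
not inherit its token; the logon record for that ID tells us whether it is an
elevated token for the same user (UAC bypass) or another user's token (theft).
All records below are constructed and the field names are assumptions."""

# Logon records keyed by logon ID (what a 4624 event or a seclogon-backed logon
# would give us), including whether the token is the elevated (admin) half.
LOGON_RECORDS = {
    "0x3e7a1": {"user": "debbie", "elevated": False, "logon_type": 2,  "source": "winlogon"},
    "0x3e7a2": {"user": "debbie", "elevated": True,  "logon_type": 2,  "source": "seclogon"},
    "0x5b210": {"user": "george", "elevated": True,  "logon_type": 10, "source": "winlogon"},
}

# Process-creation events; logon_id is the token's authentication ID.
PROCESS_EVENTS = [
    {"pid": 300, "ppid": 200, "image": "rundll32.exe",   "user": "debbie", "logon_id": "0x3e7a1"},
    {"pid": 500, "ppid": 300, "image": "powershell.exe", "user": "debbie", "logon_id": "0x3e7a2"},
    {"pid": 600, "ppid": 300, "image": "cmd.exe",        "user": "george", "logon_id": "0x5b210"},
    {"pid": 601, "ppid": 600, "image": "net.exe",        "user": "george", "logon_id": "0x5b210"},
    {"pid": 700, "ppid": 300, "image": "ipconfig.exe",   "user": "debbie", "logon_id": "0x3e7a1"},
]


def find_token_anomalies(process_events, logon_records):
    """Flag children whose token logon ID differs from the parent's and say why."""
    by_pid = {ev["pid"]: ev for ev in process_events}
    findings = []
    for ev in process_events:
        parent = by_pid.get(ev["ppid"])
        if parent is None or parent["logon_id"] == ev["logon_id"]:
            continue  # inherited token: the normal case
        child_logon = logon_records.get(ev["logon_id"], {})
        parent_logon = logon_records.get(parent["logon_id"], {})
        if ev["user"] != parent["user"]:
            kind, technique = "user-context-change", "T1134"  # Access Token Manipulation (5.B.1)
        elif child_logon.get("elevated") and not parent_logon.get("elevated"):
            kind, technique = "elevated-token", "T1088"       # Bypass User Account Control (3.A.1)
        else:
            kind, technique = "logon-id-mismatch", None       # runas / service start also do this: review
        findings.append({"pid": ev["pid"], "ppid": ev["ppid"], "image": ev["image"],
                         "kind": kind, "technique": technique,
                         "child_token": child_logon, "parent_token": parent_logon})
    return findings


if __name__ == "__main__":
    for f in find_token_anomalies(PROCESS_EVENTS, LOGON_RECORDS):
        print(f"pid {f['pid']} ({f['image']}) under {f['ppid']}: {f['kind']} {f['technique']} "
              f"child={f['child_token']} parent={f['parent_token']}")
```

A logon-id mismatch on its own is not malicious (runas, scheduled tasks and service starts all produce one), which is why the code reports a neutral "logon-id-mismatch" when neither the user nor the elevation state changed; the page's 3.A.1 note makes the same point by saying the logon id must be traced back to its logon event before the integrity level is known.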
6.A.1
Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
Query Registry
(T1012)
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent Process Injection alert. [1] [2] [3] [4] [5] [6] [7] [8] [9]
6.B.1
Cobalt Strike: C2 channel modified to use port 80
Commonly Used Port
(T1043)
Telemetry (Tainted)
Telemetry showed a TCP port 80 connection from rundll32.exe to 192.168.0.4 (C2 server). The telemetry was tainted by a parent Malicious File Detection alert. [1] [2] [3] [4] [5] [6] [7] [8]
Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure, though telemetry showed a connection to port 80 (no detection showed HTTP specifically). [1] [2] [3] [4] [5]
Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS
Multiband Communication
(T1026)
Telemetry (Tainted)
Telemetry showed connections over DNS as well as over port 80, which could indicate multiband communication. The telemetry was tainted by a parent Malicious File Detection alert. [1] [2]
6.C.1
Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
Remote Desktop Protocol
(T1076)
Telemetry (Tainted)
Telemetry showed a connection over port 3389 to 10.0.0.5 (Conficker) as well as a Type 10 (interactive remote) login event by user George on Conficker. The port 3389 telemetry was tainted by a parent Process Injection alert. [1] [2] [3] [4] [5]
7.A.1
Added user Jesse to Conficker (10.0.0.5) through RDP connection
Create Account
(T1136)
None
No detection capability demonstrated for this procedure.
Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection
Graphical User Interface
(T1061)
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, loading the GUI-based lusrmgr.msc console (Local Users and Groups snap-in). [1]
Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information
Account Discovery
(T1087)
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, loading the lusrmgr.msc console (Local Users and Groups snap-in), which displays local account information. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
7.B.1
Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
Remote File Copy
(T1105)
Telemetry (Tainted)
Telemetry showed the creation of updater.dll (tainted by the parent Malicious File Detection). [1] [2] [3] [4]
7.C.1
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Scheduled Task
(T1053)
Enrichment (Delayed, Tainted)
The capability enriched the event tree with the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence) (tainted by parent Malicious File Detection alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
Enrichment
The capability enriched data from a hunt for persistence via scheduled task, which showed the "Resume Viewer Update Checker" scheduled task. [1] [2] [3] [4] [5]
Specific Behavior (Tainted)
A Specific Behavior alert for "Persistence-Scheduled Task Creation" was generated (tainted by parent Malicious File Detection alert).  The alert was also mapped to the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence). [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showing creation of the scheduled task was also visible in an event tree (tainted by parent Malicious File Detection alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
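1.B.1 and 7.C.1 are the two persistence mechanisms in this evaluation: a batch file dropped into the Startup folder and a scheduled task whose action runs rundll32 on a dropped DLL. The following Python is an added example, not Endgame's code, that implements both checks over constructed file-write and process events. The paths, the task action (including the DLL entry point) and the event data are assumptions; only the task name "Resume Viewer Update Checker" comes from the page.

```python
"""Added example (not Endgame's code): the two persistence checks behind the
1.B.1 and 7.C.1 rows, a file written into a Startup folder (T1060) and a
schtasks /create whose action runs rundll32 on a DLL from a user-writable path
(T1053). Paths, the task action and the events are constructed assumptions."""
import re

# Per-user and all-users Startup folders share this tail; require a file name after it.
STARTUP_RE = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+$", re.I)
USER_WRITABLE_RE = re.compile(r"c:\\users\\|c:\\programdata\\|%appdata%|%temp%", re.I)


def is_startup_folder_write(path):
    """True when a file (not a sub-directory) lands directly in a Startup folder."""
    return STARTUP_RE.search(path.replace("/", "\\")) is not None


def parse_schtasks(cmdline):
    """Return the /create options of a schtasks command line, or None if not a creation."""
    if not re.search(r"(?i)\bschtasks(\.exe)?\b.*?/create\b", cmdline):
        return None
    opts = {}
    for m in re.finditer(r'/(?P<k>tn|tr|sc|ru|mo)\s+("(?P<q>[^"]*)"|(?P<b>\S+))', cmdline, re.I):
        opts[m.group("k").lower()] = m.group("q") if m.group("q") is not None else m.group("b")
    return opts


def evaluate(event):
    """Return a finding for one constructed file-write or process event, else None."""
    if event["type"] == "file_write" and is_startup_folder_write(event["path"]):
        return {"rule": "Start Folder Persistence", "technique": "T1060",
                "actor": event["image"], "target": event["path"]}
    if event["type"] == "process":
        task = parse_schtasks(event["cmdline"])
        if task is None:
            return None
        action = task.get("tr", "")
        reasons = []
        if re.search(r"(?i)\brundll32(\.exe)?\b", action):
            reasons.append("action uses rundll32")
        if USER_WRITABLE_RE.search(action):
            reasons.append("action references a user-writable path")
        if task.get("sc", "").lower() in ("onlogon", "onstart"):
            reasons.append("runs at logon/start")
        return {"rule": "Scheduled Task Creation", "technique": "T1053", "task": task.get("tn"),
                "trigger": task.get("sc"), "action": action, "reasons": reasons}
    return None


SAMPLE_EVENTS = [  # constructed
    {"type": "file_write", "image": "cmd.exe",
     "path": r"C:\Users\debbie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoupdate.bat"},
    {"type": "file_write", "image": "explorer.exe", "path": r"C:\Users\debbie\Desktop\notes.txt"},
    {"type": "process", "image": "schtasks.exe",
     "cmdline": r'schtasks /create /tn "Resume Viewer Update Checker" /tr "rundll32.exe C:\Users\debbie\AppData\Roaming\updater.dll,Start" /sc onlogon'},
    {"type": "process", "image": "schtasks.exe", "cmdline": 'schtasks /query /tn "Resume Viewer Update Checker"'},
]


def run(events):
    return [f for f in map(evaluate, events) if f]


if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f)
```

The schtasks parser is deliberately command-line based because that is what the 7.C.1 telemetry shows; a task created through the Task Scheduler COM API never passes through schtasks.exe, so a production rule also needs the task-registration event or the XML file written under the Tasks directory, which the page's hunt for persistence (the second Enrichment entry above) is the closer analogue of.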
8.A.1
Cobalt Strike: 'dir -s -b "\\conficker\wormshare"' via cmd
File and Directory Discovery
(T1083)
Enrichment (Delayed, Tainted)
The capability enriched dir with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery). The enrichment was also tainted by a parent Malicious File Detection.[EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry within an event tree (tainted by a parent Malicious File Detection) showed cmd.exe executing dir with command-line arguments. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
8.A.2
Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
File and Directory Discovery
(T1083)
Enrichment (Delayed, Tainted)
The capability enriched tree with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery). The enrichment was also tainted by a parent Malicious File Detection. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry within an event tree (tainted by a parent Malicious File Detection) showed cmd.exe executing tree with command-line arguments.[EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
8.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
8.C.1
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Input Capture
(T1056)
None
No detection capability demonstrated for this procedure, though strings pulled from a Process Injection alert identified code functionality indicative of keylogging; no proof of execution was identified. [1] [2] [3]
Cobalt Strike: Keylogging capability included residual enumeration of application windows
Application Window Discovery
(T1010)
None
No detection capability demonstrated for this procedure.
8.D.1
Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Screen Capture
(T1113)
None
No detection capability demonstrated for this procedure, though strings pulled from a Process Injection alert identified code functionality indicative of screen capture; no proof of execution was identified. [1]
Cobalt Strike: Screen capture capability involved process injection into explorer.exe
Process Injection
(T1055)
Specific Behavior (Tainted)
A Specific Behavior alert for process injection was generated with cmd.exe as the source. The alert was tainted by parent Malicious File Detection and process injection alerts, and was also labeled with the correct ATT&CK Technique (T1055 - Process Injection) and Tactics (Defense Evasion and Execution). [1] [2] [3] [4] [5]
9.A.1
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
9.B.1
Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Data from Network Shared Drive
(T1039)
None
No detection capability demonstrated for this procedure, though file creation telemetry showed that the .vsdx file was created (no indication it was created from a shared drive). [1]
Cobalt Strike: Download capability exfiltrated data through existing C2 channel
Exfiltration Over Command and Control Channel
(T1041)
None
No detection capability demonstrated for this procedure.
10.A.1
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Registry Run Keys / Startup Folder
(T1060)
Telemetry (Tainted)
Telemetry showed the process chain for rundll32.exe execution of update.dat. The telemetry was tainted by the parent alert for "RunDLL32 with Suspicious DLL Location." [1] [2] [3]
10.A.2
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Scheduled Task
(T1053)
Telemetry (Tainted)
Telemetry within the event tree showed rundll32.exe executing updater.dll. The telemetry was tainted by a Malicious File Detection alert for updater.dll and a Process Injection alert. [1] [2] [3] [4] [5]
10.B.1
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Valid Accounts
(T1078)
Telemetry (Tainted)
Telemetry showed that the userinit.exe process was running as the user Jesse, indicating Jesse logged in. The telemetry was tainted by the parent "Start Folder Persistence" alert. [1] [2] [3] [4] [5]
RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism
Remote Desktop Protocol
(T1076)
Telemetry
Telemetry showed a Type 10 logon event (corresponding to interactive) for Jesse as well as remote connections over port 3389 to 10.0.0.5 (Conficker). [1] [2] [3] [4] [5]
11.A.1
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Scripting
(T1064)
Telemetry (Tainted)
Telemetry showed the process events associated with wscript.exe executing the autoupdate.vbs script (tainted by parent alert). [1] [2] [3] [4] [5] [6] [7]
Specific Behavior
A Specific Behavior alert was generated for "Windows Script Executing PowerShell" due to wscript.exe launching powershell.exe. The alert was mapped to the correct ATT&CK Technique (T1064 - Scripting) and Tactic (Execution). [1] [2] [3] [4] [5] [6] [7]
Specific Behavior
A Specific Behavior alert was generated indicating that powershell.exe ran with unusual arguments due to the -enc and -noP command-line arguments. The alert was mapped to a related ATT&CK Technique (T1086 - PowerShell) and the correct Tactic (Execution). [1] [2] [3] [4] [5] [6] [7]
11.B.1
Empire: C2 channel established using port 443
Commonly Used Port
(T1043)
Telemetry (Tainted)
Telemetry containing the decoded powershell.exe command-line arguments showed a connection over port 443 to www.freegoogleadsenseinfo.com (C2 domain) (tainted by parent alert). [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior (Tainted)
A Specific Behavior alert for "PowerShell Making Network Connections" was triggered due to powershell.exe making a connection over port 443. The alert was tainted by a parent alert and mapped to the correct ATT&CK Tactic (Command and Control). [1] [2] [3] [4] [5] [6] [7] [8]
Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com
Standard Application Layer Protocol
(T1071)
Telemetry (Tainted)
Telemetry containing the decoded powershell.exe command-line arguments showed a connection over HTTPS to www.freegoogleadsenseinfo.com (C2 domain) (tainted by parent alert). Telemetry also showed a connection to letsencrypt.org, which could indicate use of a certificate for HTTPS. [1] [2] [3] [4] [5]
Empire: Encrypted C2 channel established using HTTPS
Standard Cryptographic Protocol
(T1032)
Telemetry (Tainted)
Telemetry containing the decoded powershell.exe command-line arguments showed a connection over HTTPS to www.freegoogleadsenseinfo.com (C2 domain) (tainted by parent alert). Telemetry also showed a connection to letsencrypt.org, which could indicate use of a certificate for HTTPS. [1] [2]
12.A.1
Empire: 'route print' via PowerShell
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
Telemetry showed powershell.exe executing route.exe with command-line arguments (tainted by parent PowerShell alerts). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
12.A.2
Empire: 'ipconfig -all' via PowerShell
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments (tainted by parent PowerShell alerts). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
12.B.1
Empire: 'whoami -all -fo list' via PowerShell
System Owner/User Discovery
(T1033)
Enrichment (Delayed, Tainted)
The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry (Tainted)
Telemetry showed powershell.exe executing whoami.exe with command-line arguments (tainted by parent PowerShell alerts). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8]
12.C.1
Empire: 'qprocess *' via PowerShell
Process Discovery
(T1057)
Telemetry (Tainted)
Telemetry showed powershell.exe executing qprocess.exe with command-line arguments (tainted by parent PowerShell alerts). [1] [2] [3] [4]
12.D.1
Empire: 'net start' via PowerShell
System Service Discovery
(T1007)
Enrichment (Delayed, Tainted)
The capability enriched net.exe with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments (tainted by parent PowerShell alerts). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
12.E.1
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Scripting
(T1064)
Telemetry (Tainted)
Telemetry showed the creation of the PowerShell Process (tainted by parent PowerShell alerts). [1] [2] [3] [4] [5] [6] [7]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for "PowerShell with Unusual Arguments" that coincided with the execution of WinEnum (tainted by parent PowerShell alerts). The alert also identified a related ATT&CK Technique (T1086 - PowerShell) and Tactic (Execution). From the alert, the Interactive Shell was used to analyze the PowerShell script and the function Invoke-WinEnum was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4] [5] [6] [7]
12.E.1.1
Empire: WinEnum module included enumeration of user information
System Owner/User Discovery
(T1033)
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Get-UserInfo was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4] [5] [6] [7] [8]
12.E.1.2
Empire: WinEnum module included enumeration of AD group memberships
Permission Groups Discovery
(T1069)
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum AD Group Memberships was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
12.E.1.3
Empire: WinEnum module included enumeration of password policy information
Password Policy Discovery
(T1201)
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Password Last changed was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1]
12.E.1.4.1
Empire: WinEnum module included enumeration of recently opened files
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Last 5 files opened was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4]
12.E.1.4.2
Empire: WinEnum module included enumeration of interesting files
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Interesting Files was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4]
12.E.1.5
Empire: WinEnum module included enumeration of clipboard contents
Clipboard Data
(T1115)
Telemetry (Tainted)
Telemetry showed the creation of a PowerShell sub-process and decoded the command within the capability to show Windows.Clipboard (tainted by parent PowerShell alerts). Though it does not count as part of the detection, the Interactive Shell could also be used to analyze the PowerShell execution and WinEnum Clipboard Contents was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2]
12.E.1.6.1
Empire: WinEnum module included enumeration of system information
System Information Discovery
(T1082)
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Get-SysInfo was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4] [5] [6] [7]
12.E.1.6.2
Empire: WinEnum module included enumeration of Windows update information
System Information Discovery
(T1082)
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Windows Last Updated was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4] [5] [6] [7]
12.E.1.7
Empire: WinEnum module included enumeration of system information via a Registry query
Query Registry
(T1012)
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Get-SysInfo was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4] [5] [6] [7] [8] [9]
12.E.1.8
Empire: WinEnum module included enumeration of services
System Service Discovery
(T1007)
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Services was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
12.E.1.9.1
Empire: WinEnum module included enumeration of available shares
Network Share Discovery
(T1135)
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Available Shares was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2]
12.E.1.9.2
Empire: WinEnum module included enumeration of mapped network drives
Network Share Discovery
(T1135)
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Mapped Network Drives was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2]
12.E.1.10.1
Empire: WinEnum module included enumeration of AV solutions
Security Software Discovery
(T1063)
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum AV Solution was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2]
12.E.1.10.2
Empire: WinEnum module included enumeration of firewall rules
Security Software Discovery
(T1063)
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Firewall Rules was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2]
12.E.1.11
Empire: WinEnum module included enumeration of network adapters
System Network Configuration Discovery
(T1016)
None
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Get-NetInfo-Network Adapters was observed. [EG13] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
12.E.1.12
Empire: WinEnum module included enumeration of established network connections
System Network Connections Discovery
(T1049)
Enrichment (Delayed, Tainted)
The capability enriched netstat.exe with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
An event tree from the suspicious PowerShell process showed a netstat subprocess that was created by WinEnum (tainted by parent PowerShell alerts). Though it does not count as part of the detection, the Interactive Shell could also be used to analyze the PowerShell execution and WinEnum Get-NetInfo-Network Adapters was observed. [EG13] [EG11] Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
12.F.1
Empire: 'net group "Domain Admins" -domain' via PowerShell
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Tainted)
An alert for Enumeration of Administrator Account provided enrichment to the net group command (tainted by parent PowerShell alerts). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Delayed, Tainted)
The capability enriched net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
12.F.2
Empire: 'net localgroup administrators' via PowerShell
Permission Groups Discovery
(T1069)
Enrichment (Delayed, Tainted)
The capability enriched net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Enrichment (Tainted)
An alert for Enumeration of Administrator Account provided enrichment to the net group command (tainted by parent PowerShell alerts). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
12.G.1
Empire: 'net user' via PowerShell
Account Discovery
(T1087)
Enrichment (Delayed, Tainted)
The capability enriched the event with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
12.G.2
Empire: 'net user -domain' via PowerShell
Account Discovery
(T1087)
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Enrichment (Delayed, Tainted)
The capability enriched the event with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
13.A.1
Empire: 'net group "Domain Computers" -domain' via PowerShell
Remote System Discovery
(T1018)
Enrichment (Delayed, Tainted)
The capability enriched net.exe with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery). The enrichment was tainted by a parent alert. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed net.exe executing with command-line arguments (tainted by parent alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
13.B.1
Empire: 'net use' via PowerShell
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
Telemetry showed execution of net.exe with command-line arguments (tainted by parent alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Specific Behavior (Tainted)
A Specific Behavior alert was triggered for enumerating Windows network admin shares as part of Discovery (tainted by parent alert). [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment (Delayed, Tainted)
The capability enriched net.exe with the correct ATT&CK Technique (T1049 - System Network Connections Discovery), a related ATT&CK Technique (Remote System Discovery), and the correct Tactic (Discovery). The enrichment was tainted by a parent alert. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
13.B.2
Empire: 'netstat -ano' via PowerShell
System Network Connections Discovery
(T1049)
Enrichment (Delayed, Tainted)
The capability enriched netstat.exe data with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery) (tainted by parent alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
Telemetry showed execution of netstat.exe with command-line arguments (tainted by parent alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
13.C.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
Enrichment (Delayed, Tainted)
The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery) (tainted by parent alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
Telemetry showed execution of reg.exe with command-line arguments (tainted by parent alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
14.A.1
Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
Bypass User Account Control
(T1088)
Telemetry
Telemetry showed a mismatch between the logon id (authentication id) of parent (powershell.exe - 312288) and child (powershell.exe - 10184789) processes indicating that a different token was used. Though no screenshot for this data is available, this information can be used to trace back to the logon event for that logon id to display the process integrity level indicative of the elevated token used for bypass UAC. [1] [2] [3]
Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk
Remote File Copy
(T1105)
Telemetry
Telemetry containing the decoded PowerShell command-line arguments showed a connection over port 8080 with an HTTP request to download the wdbypass payload. [1] [2] [3] [4]
Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP
Standard Application Layer Protocol
(T1071)
Telemetry
Telemetry containing the decoded PowerShell command-line arguments showed a connection over port 8080 with an HTTP request to download the wdbypass payload. [1] [2] [3] [4] [5]
Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080
Commonly Used Port
(T1043)
General Behavior
A General Behavior alert for Command and Control was triggered because of PowerShell making a connection over TCP port 8080. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry containing the decoded PowerShell command-line arguments showed a connection over port 8080 with an HTTP request to download the wdbypass payload. [1] [2] [3] [4] [5] [6] [7] [8]
15.A.1
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Input Capture
(T1056)
None
No detection capability demonstrated for this procedure, though the capability pulled PowerShell Script Block logs from the host to show the execution of Get-KeyStrokes. [1] [2] [3]
Empire: Built-in keylogging module included residual enumeration of application windows
Application Window Discovery
(T1010)
None
No detection capability demonstrated for this procedure.
15.B.1
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Credentials in Files
(T1081)
None
No detection capability demonstrated for this procedure. [EG1] Had malicious access to it_tasks been detected, response actions allow file retrieval which could have identified credentials in files.
16.A.1
Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
Brute Force
(T1110)
Enrichment (Tainted)
The capability enriched each individual net.exe logon attempt with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying (tainted by parent PowerShell alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
Enrichment (Delayed, Tainted)
The capability enriched net.exe connection events with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)
Windows Admin Shares
(T1077)
Enrichment (Delayed, Tainted)
The capability enriched net.exe connection events with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Specific Behavior (Tainted)
A Specific Behavior alert was triggered for each individual net.exe connection with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). [1] [2] [3] [4] [5] [6]
16.B.1
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Valid Accounts
(T1078)
Enrichment (Tainted)
The capability enriched the net.exe connection using valid credentials for Kmitnick with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials for user Kmitnick (tainted by parent PowerShell alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
Enrichment (Delayed, Tainted)
The capability enriched net.exe connection events with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
Enrichment (Delayed, Tainted)
The capability enriched net.exe connection events with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Specific Behavior (Tainted)
A Specific Behavior alert was triggered for each individual net.exe connection with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed logon attempt targeting ADMIN$ via net.exe and command-line arguments. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying
Brute Force
(T1110)
Enrichment (Delayed, Tainted)
The capability enriched net.exe connection events with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
Enrichment (Tainted)
The capability enriched each individual net.exe connection with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon (tainted by parent PowerShell alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
16.C.1
Empire: 'net use -delete' via PowerShell
Network Share Connection Removal
(T1126)
Telemetry (Tainted)
Telemetry showed an event tree containing net.exe and command-line arguments (tainted by parent PowerShell alert). [1]
16.D.1
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
Specific Behavior (Tainted)
A Specific Behavior alert was triggered for each individual net.exe connection with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). The alert was also tagged with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement). [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed logon attempt targeting C$ via net.exe and command-line arguments. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Enrichment (Delayed, Tainted)
The capability enriched net.exe connection events with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6]
Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
Valid Accounts
(T1078)
Enrichment (Tainted)
The capability enriched the net.exe connection (using valid credentials for Kmitnick) with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert). [1] [2] [3] [4] [5]
Enrichment (Delayed, Tainted)
The capability enriched net.exe connection events with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials for user Kmitnick (tainted by parent PowerShell alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5]
16.E.1
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Remote File Copy
(T1105)
Telemetry (Tainted)
Telemetry showed creation of autoupdate.vbs (tainted by parent PowerShell alert). [1] [2] [3] [4]
16.F.1
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Command-Line Interface
(T1059)
Enrichment (Delayed, Tainted)
The capability enriched the execution of autoupdate.vbs with a related ATT&CK Technique (T1064 - Scripting) and Tactic (Execution) (tainted by parent PowerShell alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3]
Enrichment (Tainted)
The capability enriched events related to cmd.exe launching PowerShell via wscript.exe running autoupdate.vbs (tainted by parent PowerShell alert). [1] [2] [3]
Telemetry (Tainted)
Telemetry showed cmd.exe execution and associated user context change (tainted by parent PowerShell alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3]
16.G.1
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Remote File Copy
(T1105)
Telemetry
Telemetry for file creation events was available, and would show the creation of update.vbs. No screenshot for the event was made available, though other file creation events, as well as the subsequent execution of update.vbs, were identified. [1] [2] [3] [4]
16.H.1
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry showed sc.exe execution to query services on Creeper. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment (Delayed, Tainted)
The capability enriched sc.exe with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
16.I.1
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
New Service
(T1050)
Enrichment (Delayed, Tainted)
The capability enriched sc.exe with the correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence). The enrichment was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
Specific Behavior
A Specific Behavior alert was generated on the AdobeUpdater service named "Persistence-New Service". The alert was also tagged with the correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence). [1] [2]
Telemetry (Tainted)
Telemetry showed sc.exe execution to create the AdobeUpdater service and set the binPath to run cmd.exe with an argument to execute update.vbs. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)
Masquerading
(T1036)
Telemetry (Tainted)
Telemetry showed sc.exe executions to create the AdobeUpdater service and set the binPath to run cmd.exe with an argument to execute update.vbs, as well as to set the description of the service. An analyst could use this information to determine that masquerading occurred. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [1] [2] [3]
16.J.1
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry showed sc.exe execution to query the AdobeUpdater service on Creeper. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment (Delayed, Tainted)
The capability enriched sc.exe with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
16.K.1
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
16.L.1
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Service Execution
(T1035)
Specific Behavior
A Specific Behavior alert was generated for the sc.exe command to start AdobeUpdater named "Service Command Lateral Movement". The alert was also tagged with the correct ATT&CK Technique (T1035 - Service Execution) and Tactic (Execution). [1] [2]
Enrichment (Delayed, Tainted)
The capability enriched sc.exe with the correct ATT&CK Technique (T1035 - Service Execution) and Tactic (Execution). The event was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
Telemetry (Tainted)
Telemetry showed sc.exe execution to start the AdobeUpdater service on Creeper. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
17.A.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg.exe with command-line arguments indicating a check to see if terminal services was enabled. Telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg.exe with command-line arguments. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment (Delayed, Tainted)
The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8] [9]
17.B.1
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
File and Directory Permissions Modification
(T1222)
Telemetry (Tainted)
Telemetry showed powershell.exe executing takeown.exe with command-line arguments. Telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [1] [2]
17.B.2
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
File and Directory Permissions Modification
(T1222)
Telemetry (Tainted)
Telemetry showed powershell.exe executing icacls.exe with command-line arguments. Telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [1] [2]
17.C.1
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Accessibility Features
(T1015)
Specific Behavior
A Specific Behavior alert was generated named "Persistence-Accessibility Features" based on magnify.exe being overwritten. The alert was tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence). [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed the overwrite of magnify.exe and was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
Enrichment (Delayed, Tainted)
The capability enriched the magnify.exe overwrite with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
18.A.1
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
18.B.1
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Data Staged
(T1074)
Telemetry (Tainted)
Telemetry showed creation of the .vsdx file in the Recycle Bin. The telemetry was tainted by the parent powershell.exe alerts on "PowerShell with Unusual Arguments" and "PowerShell Network". [1] [2]
Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Data from Network Shared Drive
(T1039)
None
No detection capability demonstrated for this procedure. [EG16] Telemetry was available for the write file of shockwave_network.vsdx into the Recycle Bin, but no data was available that indicated it came from a network shared drive. [1]
19.A.1
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Masquerading
(T1036)
None
No detection capability demonstrated for this procedure. [EG15] Telemetry later identified recycler.exe as WinRAR during execution; no detections identified it as WinRAR upon file copy. [1] [2] [3]
Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)
Remote File Copy
(T1105)
Telemetry (Tainted)
Telemetry showed the file creation of recycler.exe by powershell.exe. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. [1] [2] [3] [4]
19.B.1
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Data Compressed
(T1002)
Enrichment (Delayed, Tainted)
The capability enriched recycler.exe with a related ATT&CK Technique (T1022 - Data Encrypted) and Tactic (Exfiltration). The enrichment was tainted by a parent Windows Script Executing PowerShell alert. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
Specific Behavior (Tainted)
A Specific Behavior alert was generated on execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar". The alert was tainted by parent Windows Script Executing PowerShell alert. [1] [2]
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data. The telemetry was tainted by parent Windows Script Executing PowerShell alert. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
Data Encrypted
(T1022)
Specific Behavior (Tainted)
A Specific Behavior alert was generated on execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar". The alert was tainted by parent Windows Script Executing PowerShell alert. [1] [2]
Enrichment (Delayed, Tainted)
The capability enriched recycler.exe with the correct ATT&CK Technique (T1022 - Data Encrypted) and Tactic (Exfiltration). The enrichment was tainted by parent Windows Script Executing PowerShell alert. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data. The telemetry was tainted by parent Windows Script Executing PowerShell alert. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2]
Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
Masquerading
(T1036)
Specific Behavior (Tainted)
A Specific Behavior alert was generated on execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar". The alert was tainted by parent Windows Script Executing PowerShell alert. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by parent Windows Script Executing PowerShell alert. [1] [2] [3]
19.C.1
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel
Exfiltration Over Alternative Protocol
(T1048)
Telemetry (Tainted)
Telemetry showed the creation of ftp.txt and ftp.exe executing with command-line arguments. Telemetry also showed the FTP connection to 192.168.0.4 (C2 server) on port 21. [1]
19.D.1
Empire: 'del C:\"$"Recycle.bin\old.rar'
File Deletion
(T1107)
None
No detection capability demonstrated for this procedure, though there was telemetry to show the creation of old.rar. A host query for the file showed that old.rar no longer existed, but no deletion event was seen. [1]
19.D.2
Empire: 'del recycler.exe'
File Deletion
(T1107)
Telemetry
Telemetry showed a deletion event for recycler.exe caused by powershell.exe. [1]
20.A.1
magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
Accessibility Features
(T1015)
Telemetry (Tainted)
Telemetry in the event tree showed the execution of magnify.exe by utilman.exe (tainted by the Windows File Name Mismatch alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
Enrichment (Delayed, Tainted)
The capability enriched magnify.exe with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution) (tainted by the Windows File Name Mismatch alert). [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4]
Specific Behavior
A Specific Behavior alert was generated on Windows File Name Mismatch between magnify.exe and cmd.exe, indicating in the description that this could be used for accessibility features. The alert was tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution). [1] [2] [3] [4]
RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism
Remote Desktop Protocol
(T1076)
Telemetry
Telemetry showed a connection to port 3389 on Creeper (10.0.0.4) with information transmitted in bytes indicating an RDP session was established. [1] [2] [3] [4] [5]
20.B.1
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
System Owner/User Discovery
(T1033)
Enrichment (Delayed, Tainted)
The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery). The enrichment was tainted by an alert on Windows File Name Mismatch-Accessibility Features. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry (Tainted)
Telemetry showed whoami.exe was executed from magnify.exe. The telemetry was tainted by an alert on Windows File Name Mismatch-Accessibility Features. [EG11] Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections. [1] [2] [3] [4] [5] [6] [7] [8]

Operational Flow

Step 1: Initial Compromise

1.A.1 Execution

User Execution

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.A.1 Execution

Rundll32

i. Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32

1.A.1 Execution

Scripting

i. Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port

i. Cobalt Strike: C2 channel established using port 53

1.C.1 Command and Control

Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com

1.C.1 Command and Control

Data Encoding

i. Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig -all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner/User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist -v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators -domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" -domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user -domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george -domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Privilege Escalation

Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.A.1 Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" -domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.1 Credential Access

Process Injection

i. Cobalt Strike: Credential dump capability involved process injection into lsass

5.A.2 Credential Access

Credential Dumping

i. Cobalt Strike: Built-in hash dump capability executed

5.A.2 Credential Access

Process Injection

i. Cobalt Strike: Hash dump capability involved process injection into lsass.exe

5.B.1 Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port

i. Cobalt Strike: C2 channel modified to use port 80

6.B.1 Command and Control

Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com

6.B.1 Command and Control

Multiband Communication

i. Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.A.1 Persistence

Graphical User Interface

i. Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection

7.A.1 Persistence

Account Discovery

i. Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information

7.B.1 Command and Control

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Persistence

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir -s -b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection

Input Capture

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.C.1 Collection

Application Window Discovery

i. Cobalt Strike: Keylogging capability included residual enumeration of application windows

8.D.1 Collection

Screen Capture

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

8.D.1 Collection

Process Injection

i. Cobalt Strike: Screen capture capability involved process injection into explorer.exe

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Exfiltration

Data from Network Shared Drive

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Exfiltration

Exfiltration Over Command and Control Channel

i. Cobalt Strike: Download capability exfiltrated data through existing C2 channel

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Persistence

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Persistence

Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

10.B.1 Persistence

Remote Desktop Protocol

i. RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism

Step 11: Initial Access

11.A.1 Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port

i. Empire: C2 channel established using port 443

11.B.1 Command and Control

Standard Application Layer Protocol

i. Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com

11.B.1 Command and Control

Standard Cryptographic Protocol

i. Empire: Encrypted C2 channel established using HTTPS

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig -all' via PowerShell

12.B.1 Discovery

System Owner/User Discovery

i. Empire: 'whoami -all -fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Discovery

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner/User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Discovery

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" -domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user -domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" -domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Privilege Escalation

Bypass User Account Control

i. Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level

14.A.1 Privilege Escalation

Remote File Copy

i. Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk

14.A.1 Privilege Escalation

Standard Application Layer Protocol

i. Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP

14.A.1 Privilege Escalation

Commonly Used Port

i. Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080

Step 15: Credential Access

15.A.1 Credential Access

Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.A.1 Credential Access

Application Window Discovery

i. Empire: Built-in keylogging module included residual enumeration of application windows

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force

i. Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda

16.A.1 Credential Access

Windows Admin Shares

i. Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)

16.B.1 Lateral Movement

Valid Accounts

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.B.1 Lateral Movement

Windows Admin Shares

i. Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)

16.B.1 Lateral Movement

Brute Force

i. Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use -delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.D.1 Lateral Movement

Valid Accounts

i. Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick

16.E.1 Command and Control

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Privilege Escalation

New Service

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.I.1 Privilege Escalation

Masquerading

i. Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.A.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

17.B.1 Persistence

File and Directory Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Persistence

File and Directory Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

18.B.1 Collection

Data from Network Shared Drive

i. Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 19: Exfiltration

19.A.1 Command and Control

Masquerading

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.A.1 Command and Control

Remote File Copy

i. Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)

19.B.1 Defense Evasion

Data Compressed

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.B.1 Defense Evasion

Data Encrypted

i. Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file

19.B.1 Exfiltration

Masquerading

i. Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary

19.C.1 Defense Evasion

Exfiltration Over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfiltrate data over a network connection separate from the existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence

Accessibility Features

i. magnify.exe, previously overwritten by cmd.exe, launched through RDP connection made to Creeper (10.0.0.4)

20.A.1 Persistence

Remote Desktop Protocol

i. RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism

20.B.1 Execution

System Owner/User Discovery

i. Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)