
Microsoft: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.


MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation; these are not endorsed or validated by MITRE.
Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, MSSP, General, Tactic, Specific Behavior, Technique, Enrichment
Detection Modifiers: Tainted, Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative

Step | Procedure | Technique | Detection Type | Detection Notes
1.A.1
Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
User Execution
(T1204)
Telemetry
Telemetry showed the user execution sequence of Resume Viewer.exe with multiple files written and subsequently executed. Resume Viewer.exe was audited by Exploit Guard and the vendor stated that the audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. [1] [2] [3] [4] [5] [6] [7] [8]
Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32
Rundll32
(T1085)
General Behavior (Delayed)
A delayed General Behavior alert was generated for a low-reputation DLL loaded by a signed executable due to rundll32.exe execution of update.dat. [1] [2]
Telemetry
Telemetry showed the execution sequence for rundll32.exe running update.dat. [1] [2]
Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)
Scripting
(T1064)
Telemetry
Telemetry within a process tree showed the child cmd.exe process running the script pdfhelper.cmd. [1]
1.B.1
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Registry Run Keys / Startup Folder
(T1060)
Telemetry
Telemetry showed the execution sequence for Resume Viewer.exe writing autoupdate.bat to Debbie's Startup folder to establish persistence. [1]
1.C.1
Cobalt Strike: C2 channel established using port 53
Commonly Used Port
(T1043)
None
No detection capability demonstrated for this procedure. DNS requests were observed (no detection showed port 53 specifically). [1]
Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com
Standard Application Layer Protocol
(T1071)
Telemetry (Configuration Change)
Telemetry showed DNS requests to freegoogleadsenseinfo.com (the C2 domain). The vendor stated that DNS telemetry is captured but was not immediately visible in the portal. The vendor made changes to the portal during the test to make these events visible by default. [1]
Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding
Data Encoding
(T1132)
None
No detection capability demonstrated for this procedure.
2.A.1
Cobalt Strike: 'ipconfig -all' via cmd
System Network Configuration Discovery
(T1016)
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration commands that was classified as suspicious. [1] [2] [3]
Telemetry
Telemetry showed the execution sequence of cmd.exe executing ipconfig.exe with command-line arguments. [1] [2] [3]
2.A.2
Cobalt Strike: 'arp -a' via cmd
System Network Configuration Discovery
(T1016)
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3]
Telemetry
Telemetry showed the execution sequence of cmd.exe executing arp.exe with command-line arguments. [1] [2] [3]
2.B.1
Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
System Owner/User Discovery
(T1033)
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe executing echo with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe). [1] [2]
2.C.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure.
2.C.2
Cobalt Strike: 'tasklist -v' via cmd
Process Discovery
(T1057)
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3]
Telemetry
Telemetry showed the execution sequence of cmd.exe executing tasklist.exe with command-line arguments. [1] [2] [3]
2.D.1
Cobalt Strike: 'sc query' via cmd
System Service Discovery
(T1007)
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3]
Telemetry
Telemetry showed the execution sequence of cmd.exe executing sc.exe with command-line arguments. [1] [2] [3]
2.D.2
Cobalt Strike: 'net start' via cmd
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe). [1] [2]
2.E.1
Cobalt Strike: 'systeminfo' via cmd
System Information Discovery
(T1082)
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3]
Telemetry
Telemetry showed the execution sequence of cmd.exe running systeminfo.exe. [1] [2] [3]
2.E.2
Cobalt Strike: 'net config workstation' via cmd
System Information Discovery
(T1082)
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe). [1] [2]
2.F.1
Cobalt Strike: 'net localgroup administrators' via cmd
Permission Groups Discovery
(T1069)
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3]
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments. [1] [2] [3]
2.F.2
Cobalt Strike: 'net localgroup administrators -domain' via cmd
Permission Groups Discovery
(T1069)
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3]
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments. [1] [2] [3]
2.F.3
Cobalt Strike: 'net group "Domain Admins" -domain' via cmd
Permission Groups Discovery
(T1069)
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4]
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments. [1] [2] [3] [4]
2.G.1
Cobalt Strike: 'net user -domain' via cmd
Account Discovery
(T1087)
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration commands that was classified as suspicious. [1] [2] [3]
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments. [1] [2] [3]
2.G.2
Cobalt Strike: 'net user george -domain' via cmd
Account Discovery
(T1087)
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4]
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments. [1] [2] [3] [4]
2.H.1
Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe running reg.exe with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe). [1] [2]
3.A.1
Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Bypass User Account Control
(T1088)
Telemetry (Tainted)
Telemetry showed rundll32.exe as a medium integrity process as user Debbie and subsequent execution of powershell.exe as a high integrity process as SYSTEM as part of the UAC bypass (tainted by alert on a suspicious PowerShell command-line generated for the svchost.exe invocation of powershell.exe with an encoded script). [1] [2] [3]
Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
Access Token Manipulation
(T1134)
Telemetry (Tainted)
Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent elevated powershell.exe process, indicating token manipulation (tainted by parent alert on a suspicious PowerShell command-line generated for the svchost.exe invocation of powershell.exe with an encoded script). [1] [2]
3.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure.
3.C.1
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Process Injection
(T1055)
Specific Behavior (Delayed)
A Specific Behavior alert was generated for process injection. Process Injection attempt was audited by Exploit Guard. Vendor states that the Exploit Guard audit events demonstrate that execution would have been prevented if Export Address Table (EAF) was enabled in blocking mode. [1] [2] [3] [4]
Enrichment (Tainted)
The capability enriched data showing powershell.exe injecting into cmd.exe (tainted by alert on a suspicious PowerShell command-line generated for the svchost.exe invocation of powershell.exe with an encoded script). [1] [2] [3] [4]
4.A.1
Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd
Remote System Discovery
(T1018)
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by association with the suspicious process injection alert on rundll32.exe). [1] [2]
4.A.2
Cobalt Strike: 'net group "Domain Computers" -domain' via cmd
Remote System Discovery
(T1018)
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by association with the suspicious process injection alert on rundll32.exe). [1] [2]
4.B.1
Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe executing netsh.exe with command-line arguments (tainted by association with the suspicious process injection alert on rundll32.exe). [1] [2]
4.C.1
Cobalt Strike: 'netstat -ano' via cmd
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe executing netstat.exe with command-line arguments (tainted by association with the suspicious process injection alert on rundll32.exe). [1] [2]
5.A.1
Cobalt Strike: Built-in Mimikatz credential dump capability executed
Credential Dumping
(T1003)
Specific Behavior (Delayed)
A Specific Behavior alert was generated on credential memory access. [1] [2] [3] [4]
Enrichment (Tainted)
The capability enriched data showing a svchost.exe process opening lsass.exe with a description that it was accessing credentials (tainted by parent process injection event that occurred from svchost.exe). Exploit Guard audited the process open and credential extraction event. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. Vendor stated that Credential Guard can also mitigate this attack if enabled. [1] [2] [3] [4]
Cobalt Strike: Credential dump capability involved process injection into lsass
Process Injection
(T1055)
Specific Behavior (Delayed)
A Specific Behavior alert was generated for process injection into lsass.exe. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed svchost.exe accessing lsass.exe and dumping credentials (tainted by parent alert on sensitive credential memory read for the first credential dump). Exploit Guard audited process open and credential extraction event. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. [1] [2] [3]
5.A.2
Cobalt Strike: Built-in hash dump capability executed
Credential Dumping
(T1003)
Enrichment (Tainted)
The capability enriched data showing a svchost.exe process opening lsass.exe with a description that it was accessing credentials (tainted by parent process injection event that occurred from svchost.exe). Exploit Guard audited the process open and credential extraction event. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. Vendor stated that Credential Guard can also mitigate this attack if enabled. [1] [2]
Cobalt Strike: Hash dump capability involved process injection into lsass.exe
Process Injection
(T1055)
Specific Behavior (Delayed)
A Specific Behavior alert was generated for process injection into lsass.exe. The alert was rolled up under the prior lsass.exe process injection alert and the last activity seen field was updated. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed svchost.exe accessing lsass.exe and dumping credentials (tainted by parent alert on sensitive credential memory read for the first credential dump). Exploit Guard audited process open and credential extraction event. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. [1] [2] [3]
5.B.1
Cobalt Strike: Built-in token theft capability executed to change user context to George
Access Token Manipulation
(T1134)
Telemetry (Tainted)
Telemetry showed svchost.exe as a high integrity process from SYSTEM and subsequent cmd.exe process running as user George (tainted by the parent alert on suspicious process injection into lsass.exe). Svchost.exe was executed with seclogon command-line argument indicating token manipulation. [1] [2] [3]
6.A.1
Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
Query Registry
(T1012)
Telemetry (Tainted)
Telemetry showed the execution sequence of reg.exe executing with command-line arguments. The telemetry was tainted by the relationship to prior rundll32.exe activity based on process injection alert context. [1] [2]
6.B.1
Cobalt Strike: C2 channel modified to use port 80
Commonly Used Port
(T1043)
Telemetry (Tainted)
Telemetry showed the execution sequence for rundll32.exe opening a connection to 192.186.0.4 (C2 server) over port 80. The telemetry was tainted by the relationship to the previous alert on unexpected behavior originating from rundll32.exe. [1] [2]
Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure, though telemetry showed a connection to port 80 (no detection showed HTTP specifically).
Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS
Multiband Communication
(T1026)
Telemetry (Tainted)
Telemetry showed an execution sequence for rundll32.exe opening a connection to 192.168.0.4 (C2 server) over port 80, and prior activity showed DNS traffic to the same C2 IP address, which could indicate multiband communication. The port 80 telemetry was tainted by the relationship to the previous alert on unexpected behavior originating from rundll32.exe. [1] [2] [3]
6.C.1
Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
Remote Desktop Protocol
(T1076)
Telemetry
Telemetry showed the execution sequence for cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker). Logon activity over the last 30 days on Conficker shows George with a logon type 10 RemoteInteractive logon event. Telemetry also showed George logged into Conficker and displayed a movement graph of activity from user account Debbie to George. [1] [2] [3] [4]
7.A.1
Added user Jesse to Conficker (10.0.0.5) through RDP connection
Create Account
(T1136)
Telemetry (Configuration Change)
Telemetry showed data for the creation of account Jesse after a configuration change to enable collection of event ID 4720. Visibility of account creation data was verified in retesting at the end of the evaluation, after the vendor adjusted the data collection configuration and the visibility of account creation events. [1]
Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection
Graphical User Interface
(T1061)
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in). [1]
Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information
Account Discovery
(T1087)
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. [1]
7.B.1
Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
Remote File Copy
(T1105)
Telemetry
Telemetry showed cmd.exe writing updater.dll to disk. [1]
7.C.1
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Scheduled Task
(T1053)
Specific Behavior (Delayed)
A delayed Specific Behavior alert was generated on a low-reputation DLL persisting through a scheduled task. [1] [2]
Telemetry
Telemetry showed cmd.exe registering the "Resume Viewer Update Checker" scheduled task. [1] [2]
8.A.1
Cobalt Strike: 'dir -s -b "\\conficker\wormshare"' via cmd
File and Directory Discovery
(T1083)
Telemetry (Tainted)
Telemetry showed the execution sequence for cmd.exe executing dir with command-line arguments. The telemetry was tainted by a prior alert on rundll32.exe being executed without command-line arguments. [1] [2]
8.A.2
Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
File and Directory Discovery
(T1083)
Telemetry (Tainted)
Telemetry showed the execution sequence for cmd.exe executing tree.com with command-line arguments. The telemetry was tainted by a prior alert on rundll32.exe being executed without command-line arguments. [1] [2]
8.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure.
8.C.1
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Input Capture
(T1056)
Specific Behavior (Delayed)
A delayed Specific Behavior alert was generated on "Possible keylogging activity" against explorer.exe. [1] [2] [3]
Telemetry (Configuration Change)
Telemetry showed events indicating "explorer.exe is reading user keystrokes." The vendor stated that Input Capture telemetry is captured but it was not immediately visible in the user portal. The vendor made changes to the portal during the test to enable the visibility of these events. Telemetry also showed cmd.exe injecting into explorer.exe to facilitate the keylogging, but this did not identify input capture specifically so was not counted as a detection. [1] [2] [3]
Cobalt Strike: Keylogging capability included residual enumeration of application windows
Application Window Discovery
(T1010)
None
No detection capability demonstrated for this procedure.
8.D.1
Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Screen Capture
(T1113)
Enrichment (Configuration Change)
The capability enriched an explorer.exe process with ScreenshotTaken. The vendor stated that screen capture telemetry is captured but it was not immediately visible in the portal. The vendor made changes to the portal during the test to enable by default the visibility of these events, so this detection is identified as a configuration change. [1]
Cobalt Strike: Screen capture capability involved process injection into explorer.exe
Process Injection
(T1055)
Enrichment
The capability enriched the execution sequence for cmd.exe injecting into explorer.exe with the label "Inject to process." [1]
9.A.1
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure.
9.B.1
Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Data from Network Shared Drive
(T1039)
None
No detection capability demonstrated for this procedure. The vendor stated that, by default, WDATP monitored activity around the most commonly used document types (doc, xls, ppt, pdf, etc.) at the time of the evaluation. The vendor subsequently made changes to enable visibility of .vsdx events by default, which is now available in WDATP.
Cobalt Strike: Download capability exfiltrated data through existing C2 channel
Exfiltration Over Command and Control Channel
(T1041)
None
No detection capability demonstrated for this procedure.
10.A.1
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Registry Run Keys / Startup Folder
(T1060)
Telemetry
Telemetry showed the execution sequence of cmd.exe executing autoupdate.bat from the Startup folder to start update.dat. [1]
10.A.2
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Scheduled Task
(T1053)
Telemetry
Telemetry showed the execution sequence for rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule". [1]
10.B.1
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Valid Accounts
(T1078)
Telemetry
Telemetry showed the new local user account Jesse logging into Conficker. [1]
RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism
Remote Desktop Protocol
(T1076)
Telemetry
Telemetry showed a successful connection to Conficker (10.0.0.5) over port 3389 from rundll32.exe. [1]
11.A.1
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Scripting
(T1064)
Specific Behavior
A delayed Specific Behavior alert was generated for suspicious PowerShell command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior
A Specific Behavior alert was generated for PowerShell script with malicious cmdlets related to Empire. [1] [2] [3] [4] [5] [6] [7] [8]
Specific Behavior (Delayed)
A Specific Behavior alert was generated for PowerShell script with suspicious content detected through Antimalware Scan Interface extracted content. [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry showed explorer.exe running autoupdate.vbs through wscript.exe and subsequent execution of PowerShell script and cmdlets. [1] [2] [3] [4] [5] [6] [7] [8]
11.B.1
Empire: C2 channel established using port 443
Commonly Used Port
(T1043)
Telemetry (Tainted)
Telemetry showed powershell.exe checking an SSL certificate and then communicating to 192.168.0.5 (C2 server) over port 443 (tainted by relationship to alert on PowerShell script with suspicious content). Telemetry within an alert also showed decoded command-line arguments containing port 443. [1] [2] [3]
Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com
Standard Application Layer Protocol
(T1071)
Indicator of Compromise (Configuration Change)
An Indicator of Compromise alert was generated on the C2 domain. The vendor added a detection for the evaluation C2 domain using the product's standard customer-facing custom detection capabilities. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed powershell.exe checking an SSL certificate and then communicating to 192.168.0.5 (C2 server) over an encrypted channel (tainted by relationship to alert on PowerShell script with suspicious content). Telemetry within an alert showed decoded command-line arguments to perform HTTPS connection to C2 domain. [1] [2] [3]
Empire: Encrypted C2 channel established using HTTPS
Standard Cryptographic Protocol
(T1032)
Telemetry (Tainted)
Telemetry showed powershell.exe checking an SSL certificate and then communicating to 192.168.0.5 (C2 server) over an encrypted channel (tainted by relationship to alert on PowerShell script with suspicious content). Telemetry within an alert showed decoded command-line arguments to perform HTTPS connection to C2 domain. [1] [2]
12.A.1
Empire: 'route print' via PowerShell
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing route.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts. [1] [2] [3]
12.A.2
Empire: 'ipconfig -all' via PowerShell
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts. [1] [2] [3]
12.B.1
Empire: 'whoami -all -fo list' via PowerShell
System Owner/User Discovery
(T1033)
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing whoami.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts. [1] [2] [3]
12.C.1
Empire: 'qprocess *' via PowerShell
Process Discovery
(T1057)
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts. [1] [2] [3]
12.D.1
Empire: 'net start' via PowerShell
System Service Discovery
(T1007)
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". The alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a previous suspicious PowerShell cmdlet alert. [1] [2] [3] [4]
12.E.1
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Scripting
(T1064)
Specific Behavior
A Specific Behavior alert was generated for "A malicious PowerShell Cmdlet was invoked on the machine." [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed the execution sequence from PowerShell with several activities from the WinEnum cmdlet. The telemetry was tainted by the previous "Suspicious sequence of exploration activities" alert. [1] [2] [3] [4] [5]
12.E.1.1
Empire: WinEnum module included enumeration of user information
System Owner/User Discovery
(T1033)
None
No detection capability demonstrated for this procedure.
12.E.1.2
Empire: WinEnum module included enumeration of AD group memberships
Permission Groups Discovery
(T1069)
None
No detection capability demonstrated for this procedure.
12.E.1.3
Empire: WinEnum module included enumeration of password policy information
Password Policy Discovery
(T1201)
None
No detection capability demonstrated for this procedure.
12.E.1.4.1
Empire: WinEnum module included enumeration of recently opened files
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure.
12.E.1.4.2
Empire: WinEnum module included enumeration of interesting files
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure.
12.E.1.5
Empire: WinEnum module included enumeration of clipboard contents
Clipboard Data
(T1115)
None
No detection capability demonstrated for this procedure.
12.E.1.6.1
Empire: WinEnum module included enumeration of system information
System Information Discovery
(T1082)
Telemetry
Telemetry showed invocation of the PowerShell cmdlet Get-SysInfo. [1]
12.E.1.6.2
Empire: WinEnum module included enumeration of Windows update information
System Information Discovery
(T1082)
Telemetry
Telemetry showed invocation of the PowerShell cmdlet Get-HotFix. [1]
12.E.1.7
Empire: WinEnum module included enumeration of system information via a Registry query
Query Registry
(T1012)
None
No detection capability demonstrated for this procedure.
12.E.1.8
Empire: WinEnum module included enumeration of services
System Service Discovery
(T1007)
Telemetry
Telemetry showed invocation of the PowerShell cmdlet Get-Service. [1]
12.E.1.9.1
Empire: WinEnum module included enumeration of available shares
Network Share Discovery
(T1135)
None
No detection capability demonstrated for this procedure.
12.E.1.9.2
Empire: WinEnum module included enumeration of mapped network drives
Network Share Discovery
(T1135)
None
No detection capability demonstrated for this procedure.
12.E.1.10.1
Empire: WinEnum module included enumeration of AV solutions
Security Software Discovery
(T1063)
None
No detection capability demonstrated for this procedure.
12.E.1.10.2
Empire: WinEnum module included enumeration of firewall rules
Security Software Discovery
(T1063)
None
No detection capability demonstrated for this procedure.
12.E.1.11
Empire: WinEnum module included enumeration of network adapters
System Network Configuration Discovery
(T1016)
Telemetry
Telemetry showed invocation of the PowerShell cmdlet Get-NetInfo. [1]
12.E.1.12
Empire: WinEnum module included enumeration of established network connections
System Network Connections Discovery
(T1049)
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". The alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed invocation of the PowerShell cmdlet Get-NetInfo and subsequent execution of netstat.exe with command-line arguments from powershell.exe. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert. [1] [2] [3] [4]
12.F.1
Empire: 'net group "Domain Admins" -domain' via PowerShell
Permission Groups Discovery
(T1069)
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". The alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert. [1] [2] [3]
12.F.2
Empire: 'net localgroup administrators' via PowerShell
Permission Groups Discovery
(T1069)
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert. [1] [2] [3]
12.G.1
Empire: 'net user' via PowerShell
Account Discovery
(T1087)
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert. [1] [2] [3]
12.G.2
Empire: 'net user -domain' via PowerShell
Account Discovery
(T1087)
Specific Behavior (Delayed)
A delayed Specific Behavior alert called "Reconnaissance using directory services queries" was generated for domain user enumeration. The vendor noted this was an Azure Advanced Threat Protection alert. [1] [2] [3] [4]
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert. [1] [2] [3] [4]
13.A.1
Empire: 'net group "Domain Computers" -domain' via PowerShell
Remote System Discovery
(T1018)
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed execution of net.exe with command-line arguments (tainted by parent PowerShell malicious cmdlet alert). [1] [2] [3]
13.B.1
Empire: 'net use' via PowerShell
System Network Connections Discovery
(T1049)
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed execution of net.exe with command-line arguments (tainted by parent PowerShell malicious cmdlet alert). [1] [2] [3]
13.B.2
Empire: 'netstat -ano' via PowerShell
System Network Connections Discovery
(T1049)
General Behavior (Delayed)
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed execution of netstat.exe (tainted by parent PowerShell malicious cmdlet alert). [1] [2] [3]
13.C.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry (Tainted)
Telemetry showed execution of reg.exe with command-line arguments (tainted by suspicious sequence of exploration activities alert). [1] [2]
14.A.1
Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
Bypass User Account Control
(T1088)
Telemetry (Tainted)
Telemetry showed powershell.exe executing the "Invoke-BypassUACTokenManipulation" Empire cmdlet in the context of user Bob at medium integrity level, execution of svchost.exe with the seclogon flag to use the impersonation service to start a new high integrity powershell.exe process as SYSTEM, and the subsequent context adjustment of that powershell.exe to user Bob (tainted by the parent alert for suspicious sequence of exploration activities). [1] [2] [3] [4]
Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk
Remote File Copy
(T1105)
Telemetry (Tainted)
Telemetry showed a network connection to 192.168.0.5 (C2 server) over port 8080, as well as decoded PowerShell making a connection over port 8080 with an HTTP request to download the wdbypass payload (tainted by alert on suspicious PowerShell command-line arguments). [1] [2]
Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP
Standard Application Layer Protocol
(T1071)
Telemetry (Tainted)
Telemetry showed a decoded PowerShell script invoked that created a web request to the C2 server with related data showing the connection was made (tainted by alert on suspicious PowerShell command-line arguments). [1]
Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080
Commonly Used Port
(T1043)
Telemetry (Tainted)
Telemetry showed a connection to 192.168.0.5 (C2 server) on port 8080 was made (tainted by alert on suspicious PowerShell command-line arguments). [1] [2]
15.A.1
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Input Capture
(T1056)
Specific Behavior (Delayed)
A delayed Specific Behavior alert was generated on keylogging activity in powershell.exe. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed powershell.exe making API calls consistent with keylogger behavior. Telemetry also showed execution of Get-Keystrokes Empire PowerShell cmdlet (tainted by alert on PowerShell script with suspicious content). Vendor stated that Input Capture telemetry is captured but it was not immediately visible in the portal. Vendor made changes to the portal during the test to enable by default the visibility of these events. [1] [2] [3] [4]
Empire: Built-in keylogging module included residual enumeration of application windows
Application Window Discovery
(T1010)
None
No detection capability demonstrated for this procedure.
15.B.1
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Credentials in Files
(T1081)
None
No detection capability demonstrated for this procedure, though telemetry was available that showed execution of the Get-Content PowerShell cmdlet. The data does not show what file the cmdlet was executed on. [1]
16.A.1
Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
Brute Force
(T1110)
Specific Behavior (Delayed)
A delayed Specific Behavior alert was generated based on brute force attempt by accessing remote SMB shares with different accounts. The alert spans multiple login attempts. [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying (tainted by parent alert on PowerShell script with suspicious content). Telemetry also showed failed authorization attempts due to bad passwords as indicated by a fallback request over WebDAV to port 80 on the C2 server, but did not indicate the two failed access attempts on Morris and Conficker that were due to the accounts having insufficient access on the systems. [1] [2] [3] [4] [5] [6]
Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)
Windows Admin Shares
(T1077)
Specific Behavior (Delayed)
A delayed Specific Behavior alert was generated based on brute force attempt by accessing remote SMB shares with different accounts. The alert spans multiple login attempts. [1] [2] [3] [4] [5]
Telemetry (Tainted)
Telemetry showed repeated logon attempts to ADMIN$ via net.exe with command-line arguments (tainted by parent alert on PowerShell script with suspicious content). Telemetry also showed failed authorization attempts due to bad passwords as indicated by a fallback request over WebDAV to port 80 on the C2 server, but did not indicate the two failed access attempts on Morris and Conficker that were due to the accounts having insufficient access on the systems. [1] [2] [3] [4] [5]
16.B.1
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Valid Accounts
(T1078)
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick (tainted by parent alert on PowerShell script with suspicious content). Telemetry showed Kmitnick login event on 10.0.0.5 (Conficker) and that 10.0.1.5 (CodeRed) accessed resources on 10.0.0.5 (Conficker). [1] [2] [3] [4]
Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
Specific Behavior (Delayed)
A delayed Specific Behavior alert was generated based on brute force attempt by accessing remote SMB shares with different accounts. The alert spans multiple login attempts. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments targeting ADMIN$ using valid credentials for user Kmitnick (tainted by parent alert on PowerShell script with suspicious content). [1] [2] [3]
Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying
Brute Force
(T1110)
Specific Behavior (Delayed)
A Specific Behavior alert was generated based on brute force attempt by accessing remote SMB shares with different accounts. The alert spans multiple login attempts. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying, eventually resulting in a successful logon (tainted by parent alert on PowerShell script with suspicious content). [1] [2] [3]
16.C.1
Empire: 'net use -delete' via PowerShell
Network Share Connection Removal
(T1126)
Telemetry (Tainted)
Telemetry showed net.exe with command-line arguments (tainted by parent alert on PowerShell script with suspicious content). [1] [2]
16.D.1
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ using valid credentials for user Kmitnick (tainted by parent alert on PowerShell script with suspicious content). [1] [2]
Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
Valid Accounts
(T1078)
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick (tainted by parent alert on PowerShell script with suspicious content). Telemetry also showed that the logon event for Kmitnick on Creeper was successful. [1] [2] [3]
16.E.1
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Remote File Copy
(T1105)
Telemetry (Tainted)
Telemetry showed powershell.exe creating autoupdate.vbs (tainted by parent alert on PowerShell script with suspicious content). [1] [2]
16.F.1
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Command-Line Interface
(T1059)
Telemetry (Tainted)
Telemetry showed cmd.exe executing autoupdate.vbs via wscript.exe as user Kmitnick. The execution generated three new PowerShell-related alerts for the initial execution sequence of Empire that tainted this event, but these were not counted as separate detections for this technique. [1] [2] [3] [4]
16.G.1
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Remote File Copy
(T1105)
Telemetry (Tainted)
Telemetry showed creation of update.vbs on 10.0.0.4 (Creeper) and the remote file copy action from 10.0.1.5 (CodeRed) (the remote file copy event on CodeRed was tainted by parent PowerShell alerts). [1] [2] [3]
16.H.1
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry from CodeRed showed sc.exe command remotely querying services on Creeper (tainted by parent alert on PowerShell script with suspicious content). [1] [2]
16.I.1
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
New Service
(T1050)
Specific Behavior
A Specific Behavior alert was generated for the suspicious service registration of AdobeUpdater. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry from CodeRed showed sc.exe execution to remotely create the AdobeUpdater service with a binPath set to run cmd.exe with an argument to execute update.vbs on Creeper (tainted by parent alert on PowerShell script with suspicious content). Telemetry from Creeper showed the registry keys that were changed to add the new service. [1] [2] [3] [4]
Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)
Masquerading
(T1036)
Telemetry (Tainted)
Telemetry from CodeRed showed sc.exe service creation command for the AdobeUpdater service with a binPath set to run update.vbs with cmd.exe on startup on Creeper (tainted by parent alert on PowerShell script with suspicious content). Telemetry also showed the sc.exe command to set the service description, but a screenshot was not available. An analyst can use this information to determine AdobeUpdater is masquerading. [1] [2]
16.J.1
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry from CodeRed showed sc.exe remote service query on Creeper for the AdobeUpdater service (tainted by parent alert on PowerShell script with suspicious content). [1] [2]
16.K.1
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
File and Directory Discovery
(T1083)