Carbon Black Response
CarbonBlack Overview Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Legend
Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment
Detection Modifiers: Tainted, Delayed, Configuration Change

Step | Procedures | Technique | Detection Type | Detection Notes | Screenshots
Step 1.A.1: Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
  Technique: User Execution (T1204)
    Telemetry: Telemetry within the process tree showed Resume Viewer.exe running along with its children.
    General Behavior: A General Behavior alert was generated indicating that the user Debbie executed Resume Viewer.exe. This alert had a severity score of 51/100 and was based upon "Newly Executed Applications".
    Screenshots:
      Telemetry from process tree showing Resume Viewer.exe execution sequence
      General Behavior alert showing execution of Resume Viewer.exe as a Newly Executed Application
  Technique: Rundll32 (T1085)
    Telemetry: Telemetry within the process tree showed the Resume Viewer.exe execution sequence and rundll32.exe executing.
    Enrichment: The capability enriched the rundll32.exe execution with the correct ATT&CK Technique (T1085, which corresponds to the Rundll32 Technique).
    Screenshots:
      Telemetry from process tree showing Resume Viewer.exe execution sequence with rundll32.exe
      Enrichment of rundll32.exe execution with correct ATT&CK Technique (T1085, corresponding to Rundll32)
  Technique: Scripting (T1064)
    Telemetry: Telemetry within the process tree showed cmd.exe executing the pdfhelper.cmd script.
    Enrichment: The capability enriched the cmd.exe execution with the correct ATT&CK Technique (T1064 - Scripting).
    Screenshots:
      Telemetry from process tree showing cmd.exe running the pdfhelper.cmd script
      Enrichment of cmd.exe executing pdfhelper.cmd with correct ATT&CK Technique (T1064 - Scripting)
Step 1.B.1: Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
  Technique: Registry Run Keys / Startup Folder (T1060)
    Telemetry: Telemetry showed filemods indicating the creation and file write of autoupdate.bat to the Startup folder.
    Enrichment: The capability enriched cmd.exe with the correct ATT&CK Technique (T1060 - Registry Run Keys/Start Folder).
    Screenshots:
      Telemetry showing filemods indicating update.bat was written to the Startup folder
      Enrichment of cmd.exe with correct ATT&CK Technique (T1060 - Registry Run Keys/Start Folder)
Step 1.C.1: Cobalt Strike: C2 channel established
  Technique: Commonly Used Port (T1043)
    Telemetry: Telemetry showed a network connection over UDP port 53.
    Screenshots:
      Telemetry showing network connection over UDP port 53
  Technique: Data Encoding (T1132)
    None: No detection capability demonstrated for this procedure.
  Technique: Standard Application Layer Protocol (T1071)
    None: No detection capability demonstrated for this procedure.
Step 2.A.1: Cobalt Strike: 'ipconfig /all' via cmd
  Technique: System Network Configuration Discovery (T1016)
    Telemetry: Telemetry within the process tree showed cmd.exe executing ipconfig.exe with command-line arguments.
    Enrichment: The capability enriched ipconfig.exe with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery).
    Screenshots:
      Telemetry from process tree showing ipconfig.exe with command-line arguments
      Enrichment of ipconfig.exe with correct ATT&CK Technique (T1016 - System Network Configuration Discovery)
Step 2.A.2: Cobalt Strike: 'arp -a' via cmd
  Technique: System Network Configuration Discovery (T1016)
    Telemetry: Telemetry within the process tree showed cmd.exe executing arp.exe with command-line arguments.
    Enrichment: The capability enriched arp.exe with a related ATT&CK Technique (T1018 - Remote System Discovery).
    Screenshots:
      Telemetry from process tree showing arp.exe with command-line arguments
      Enrichment of arp.exe with related ATT&CK Technique (T1018 - Remote System Discovery)
Step 2.B.1: Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
  Technique: System Owner / User Discovery (T1033)
    Telemetry: Telemetry within the process tree showed cmd.exe executing echo with command-line arguments.
    Screenshots:
      Telemetry from process tree showing echo with command-line arguments
Step 2.C.1: Cobalt Strike: 'ps' (Process status) via Win32 APIs
  Technique: Process Discovery (T1057)
    None: No detection capability demonstrated for this procedure.
Step 2.C.2: Cobalt Strike: 'tasklist /v' via cmd
  Technique: Process Discovery (T1057)
    Telemetry: Telemetry within the process tree showed cmd.exe executing tasklist.exe with command-line arguments.
    Enrichment: The capability enriched tasklist.exe with the correct ATT&CK Technique (T1057 - Process Discovery).
    Screenshots:
      Telemetry from process tree showing tasklist.exe with command-line arguments
      Enrichment of tasklist.exe with correct ATT&CK Technique (T1057 - Process Discovery)
Step 2.D.1: Cobalt Strike: 'sc query' via cmd
  Technique: System Service Discovery (T1007)
    Telemetry: Telemetry within the process tree showed cmd.exe executing sc.exe with command-line arguments.
    Enrichment: The capability enriched sc.exe with the correct ATT&CK Technique (System Service Discovery).
    Screenshots:
      Telemetry from process tree showing sc.exe with command-line arguments
      Enrichment of sc.exe with correct ATT&CK Technique (System Service Discovery)
Step 2.D.2: Cobalt Strike: 'net start' via cmd
  Technique: System Service Discovery (T1007)
    Telemetry: Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
    Enrichment: The capability enriched net.exe with the correct ATT&CK Technique (System Service Discovery).
    Screenshots:
      Telemetry from process tree showing net.exe with command-line arguments
      Enrichment of net.exe with correct ATT&CK Technique (System Service Discovery)
Step 2.E.1: Cobalt Strike: 'systeminfo' via cmd
  Technique: System Information Discovery (T1082)
    Telemetry: Telemetry within the process tree showed cmd.exe executing systeminfo.exe.
    Enrichment: The capability enriched systeminfo.exe with the correct ATT&CK Technique (System Information Discovery).
    Screenshots:
      Telemetry from process tree showing systeminfo.exe
      Enrichment of systeminfo.exe with correct ATT&CK Technique (System Information Discovery)
Step 2.E.2: Cobalt Strike: 'net config workstation' via cmd
  Technique: System Information Discovery (T1082)
    Telemetry: Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
    Enrichment: The capability enriched net.exe with the correct ATT&CK Technique (System Information Discovery).
    Screenshots:
      Telemetry from process tree showing net.exe with command-line arguments
      Enrichment of net.exe with correct ATT&CK Technique (System Information Discovery)
Step 2.F.1: Cobalt Strike: 'net localgroup administrators' via cmd
  Technique: Permission Groups Discovery (T1069)
    Telemetry: Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
    Enrichment: The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration.
    Screenshots:
      Telemetry from process tree showing net.exe with command-line arguments
      Enrichment of net.exe with tag Administrator Enumeration
      Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)
Step 2.F.2: Cobalt Strike: 'net localgroup administrators /domain' via cmd
  Technique: Permission Groups Discovery (T1069)
    Telemetry: Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
    Enrichment: The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration.
    Screenshots:
      Telemetry from process tree showing net.exe with command-line arguments
      Enrichment of net.exe with tag Administrator Enumeration
      Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)
Step 2.F.3: Cobalt Strike: 'net group "Domain Admins" /domain' via cmd
  Technique: Permission Groups Discovery (T1069)
    Telemetry: Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
    Enrichment: The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration.
    Screenshots:
      Telemetry from process tree showing net.exe with command-line arguments
      Enrichment of net.exe with tag Administrator Enumeration
      Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)
Step 2.G.1: Cobalt Strike: 'net user /domain' via cmd
  Technique: Account Discovery (T1087)
    Telemetry: Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
    Enrichment: The capability enriched net.exe with the correct ATT&CK Technique (Account Discovery).
    Screenshots:
      Telemetry from process tree showing net.exe with command-line arguments
      Enrichment of net.exe with correct ATT&CK Technique (Account Discovery)
Step 2.G.2: Cobalt Strike: 'net user george /domain' via cmd
  Technique: Account Discovery (T1087)
    Telemetry: Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
    Enrichment: The capability enriched net.exe with the correct ATT&CK Technique (Account Discovery).
    Screenshots:
      Telemetry from process tree showing net.exe with command-line arguments
      Enrichment of net.exe with correct ATT&CK Technique (Account Discovery)
Step 2.H.1: Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
  Technique: Query Registry (T1012)
    Telemetry: Telemetry within the process tree showed cmd.exe executing reg.exe with command-line arguments.
    Enrichment: The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry).
    Screenshots:
      Telemetry from process tree showing reg.exe with command-line arguments
      Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry)
Step 3.A.1: Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
  Technique: Access Token Manipulation (T1134)
    Telemetry: Telemetry showed svchost.exe, with the seclogon command-line argument, performing activity related to token manipulation.
    Screenshots:
      Telemetry showing svchost.exe command line arguments, specifically seclogon
      Telemetry showing svchost.exe activity related to token manipulation
  Technique: Bypass User Account Control (T1088)
    None: No detection capability demonstrated for this procedure.
Step 3.B.1: Cobalt Strike: 'ps' (Process status) via Win32 APIs
  Technique: Process Discovery (T1057)
    None: No detection capability demonstrated for this procedure.
Step 3.C.1: Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
  Technique: Process Injection (T1055)
    Telemetry: Telemetry showed "crossproc" events indicative of Process Injection into cmd.exe.
    Specific Behavior: A Specific Behavior alert was generated that was mapped to the correct ATT&CK Technique (Process Injection).
    Screenshots:
      Telemetry showing open handles and thread injection into cmd.exe
      Telemetry showing CreateRemoteThread API call used for thread injection into cmd.exe
      Specific Behavior alert mapped to correct ATT&CK Technique (T1055 - Process Injection)
Step 4.A.1: Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
  Technique: Remote System Discovery (T1018)
    Telemetry: Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
    Enrichment: The capability enriched net.exe with a related ATT&CK technique (Account Discovery).
    Screenshots:
      Telemetry from process tree showing net.exe with command-line arguments
      Enrichment of net.exe with related ATT&CK technique (Account Discovery)
Step 4.A.2: Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
  Technique: Remote System Discovery (T1018)
    Telemetry: Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
    Enrichment: The capability enriched net.exe with a related ATT&CK technique (Account Discovery).
    Screenshots:
      Telemetry from process tree showing net.exe with command-line arguments
      Enrichment of net.exe with related ATT&CK technique (Account Discovery)
Step 4.B.1: Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
  Technique: System Network Configuration Discovery (T1016)
    Telemetry: Telemetry within the process tree showed cmd.exe executing netsh.exe with command-line arguments.
    Enrichment: The capability enriched netsh.exe with a related ATT&CK technique (T1063 - Security Software Discovery) and a tag for Potential Windows Firewall Rule Recon.
    Screenshots:
      Telemetry from process tree showing netsh.exe with command-line arguments
      Enrichment of netsh.exe with related ATT&CK technique (T1063 - Security Software Discovery) and tag for Potential Windows Firewall Rule Recon
Step 4.C.1: Cobalt Strike: 'netstat -ano' via cmd
  Technique: System Network Connections Discovery (T1049)
    Telemetry: Telemetry within the process tree showed cmd.exe executing netstat.exe with command-line arguments.
    Enrichment: The capability enriched netstat.exe with the correct ATT&CK technique (System Network Connections Discovery).
    Screenshots:
      Telemetry from process tree showing netstat.exe with command-line arguments
      Enrichment of netstat.exe with correct ATT&CK technique (System Network Connections Discovery)
Step 5.A.1: Cobalt Strike: Built-in Mimikatz credential dump capability executed
  Technique: Credential Dumping (T1003)
    Telemetry: Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection for credential dumping.
    Specific Behavior: A Specific Behavior alert was generated showing the correct ATT&CK Technique (Credential Dumping).
    Screenshots:
      Telemetry showing cross process events, specifically a handle to open thread into lsass.exe
      Specific Behavior alert showing correct ATT&CK Technique (Credential Dumping)
  Technique: Process Injection (T1055)
    Telemetry: Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection.
    Screenshots:
      Telemetry showing cross process events, specifically a handle to open thread into lsass.exe
Step 5.A.2: Cobalt Strike: Built-in hash dump capability executed
  Technique: Credential Dumping (T1003)
    Telemetry: Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection for credential dumping.
    Screenshots:
      Telemetry showing cross process events, specifically a handle to open thread into lsass.exe
  Technique: Process Injection (T1055)
    Telemetry: Telemetry showed a new thread and open handle into lsass.exe, which is indicative of process injection for credential dumping.
    Specific Behavior: A Specific Behavior alert was generated showing the correct ATT&CK Technique (Credential Dumping).
    Screenshots:
      Telemetry showing cross process events, specifically a new thread and open handle into lsass.exe
      Specific Behavior alert showing correct ATT&CK Technique (Process Injection)
      Alert showing correct ATT&CK Technique (Process Injection) within process tree
Step 5.B.1: Cobalt Strike: Built-in token theft capability executed to change user context to George
  Technique: Access Token Manipulation (T1134)
    Telemetry: Telemetry showed a change in user execution context from Debbie to George between parent and child processes, which is indicative of token manipulation.
    Screenshots:
      Telemetry showing parent cmd.exe process running under user context Debbie
      Telemetry showing child cmd.exe process running under user context George
Step 6.A.1: Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
  Technique: Query Registry (T1012)
    Telemetry: Telemetry showed cmd.exe executing reg.exe with command-line arguments.
    Enrichment: The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry).
    Screenshots:
      Telemetry from process tree showing reg.exe with command-line arguments
      Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry)
Step 6.B.1: Cobalt Strike: C2 channel modified
  Technique: Commonly Used Port (T1043)
    Telemetry: Telemetry showed network connections over TCP port 80 to 192.168.0.4 (C2 server).
    Enrichment: The capability enriched the network connections from rundll32.exe with the correct ATT&CK Technique (T1043 - Commonly Used Port).
    Screenshots:
      Telemetry showing network connection over port 80 to 192.168.0.4 (C2 server)
      Enrichment of rundll32.exe TCP port 80 network connections with correct ATT&CK Technique (T1043 - Commonly Used Port)
  Technique: Multiband Communication (T1026)
    Telemetry: Telemetry showed separate network connections over TCP port 80 and UDP port 53, which could indicate multiband communication.
    Screenshots:
      Telemetry showing network connection over TCP port 80
      Telemetry showing network connection over UDP port 53
  Technique: Standard Application Layer Protocol (T1071)
    Telemetry: Telemetry showed network connections over TCP port 80 as well as a modload showing winhttp.dll was loaded, which an analyst could use to determine that HTTP was used.
    Screenshots:
      Telemetry showing modloads showing winhttp.dll loaded
      Telemetry showing network connection over TCP port 80 to the C2 domain (could be used in conjunction with modload to determine protocol)
Step 6.C.1: Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
  Technique: Remote Desktop Protocol (T1076)
    Telemetry: Telemetry showed a connection to 10.0.0.5 (Conficker) over TCP port 3389 as well as rdpclip.exe executing.
    Enrichment: The capability enriched the rdpclip.exe events with the correct ATT&CK Technique (Remote Desktop Protocol).
    Screenshots:
      Telemetry showing network connection over TCP port 3389 to 10.0.0.5 (Conficker)
      Telemetry showing rdpclip.exe running
      Enrichment of rdpclip.exe events with correct ATT&CK Technique (Remote Desktop Protocol)
Step 7.A.1: Added user Jesse to Conficker (10.0.0.5) through RDP connection
  Technique: Create Account (T1136)
    Telemetry: Telemetry showed Registry modification events related to the creation of the user account Jesse.
    Enrichment (Configuration Change): The capability enriched lsass.exe with the tag "Create Accounts using GUI". The enrichment was added as a configuration change during the action and was not part of the original set of detections when the evaluation started.
    Screenshots:
      Telemetry showing Registry modifications for new user Jesse
      Enrichment of lsass.exe with tag "Create Accounts using GUI"
  Technique: Graphical User Interface (T1061)
    Telemetry: Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
    Screenshots:
      Telemetry showing mmc.exe running lusrmgr.msc
  Technique: Account Discovery (T1087)
    Telemetry: Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning lusrmgr.msc (Local Users and Groups snap-in), which displays local account information.
    Screenshots:
      Telemetry showing mmc.exe running lusrmgr.msc
Step 7.B.1: Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
  Technique: Remote File Copy (T1105)
    Telemetry: Telemetry showed file modification events indicating updater.dll being created and written to disk.
    Screenshots:
      Telemetry showing updater.dll written to disk
Step 7.C.1: Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
  Technique: Scheduled Task (T1053)
    Telemetry: Telemetry showed the process tree containing schtasks.exe as well as the full command-line arguments.
    Specific Behavior: A Specific Behavior alert was generated, mapped to the correct ATT&CK Technique (T1053 - Scheduled Task).
    Screenshots:
      Telemetry showing process tree containing schtasks.exe and the full command line for task creation
      Specific Behavior alert mapped to correct ATT&CK Technique (T1053 - Scheduled Task)
Step 8.A.1: Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
  Technique: File and Directory Discovery (T1083)
    Telemetry: Telemetry showed cmd.exe executing dir with command-line arguments.
    Enrichment: The capability enriched cmd.exe with the correct ATT&CK Technique (T1083 - File and Directory Discovery).
    Screenshots:
      Telemetry from process tree showing dir with command-line arguments
      Enrichment of cmd.exe with correct ATT&CK Technique (T1083 - File and Directory Discovery)
Step 8.A.2: Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
  Technique: File and Directory Discovery (T1083)
    Telemetry: Telemetry showed cmd.exe executing tree.com with command-line arguments.
    Enrichment: The capability enriched tree.com with the correct ATT&CK Technique (T1083 - File and Directory Discovery).
    Screenshots:
      Telemetry from process tree showing tree.com with command-line arguments
      Enrichment of tree.com with correct ATT&CK Technique (T1083 - File and Directory Discovery)
Step 8.B.1: Cobalt Strike: 'ps' (Process status) via Win32 APIs
  Technique: Process Discovery (T1057)
    None: No detection capability demonstrated for this procedure.
Step 8.C.1: Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
  Technique: Input Capture (T1056)
    None: No detection capability demonstrated for this procedure. The vendor indicated that CB Defense sees applicable API calls, but that product was not included in the evaluation.
  Technique: Application Window Discovery (T1010)
    None: No detection capability demonstrated for this procedure.
Step 8.D.1: Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
  Technique: Screen Capture (T1113)
    None: No detection capability demonstrated for this procedure, though modloads showed the thumbnail COM object masquerading, followed by a modload of dwmapi.dll (Microsoft Desktop Window Manager API) and then a crossprocess (open process) to the target application, which could be indicative of screen capture behavior.
    Screenshots:
      Telemetry showing modloads and crossprocess events (does not count as a detection)
  Technique: Process Injection (T1055)
    Telemetry: Telemetry showed a cross-process "open handle" event into explorer.exe, which could be indicative of process injection.
    Screenshots:
      Telemetry showing "open handle" crossproc on explorer.exe by the process
Step 9.A.1: Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
  Technique: File and Directory Discovery (T1083)
    None: No detection capability demonstrated for this procedure.
Step 9.B.1: Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
  Technique: Data from Network Shared Drive (T1039)
    None: No detection capability demonstrated for this procedure.
  Technique: Exfiltration Over Command and Control Channel (T1041)
    None: No detection capability demonstrated for this procedure.
Step 10.A.1: Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
  Technique: Registry Run Keys / Startup Folder (T1060)
    Telemetry: Telemetry within the process tree showed cmd.exe executing autoupdate.bat from the Startup folder.
    Screenshots:
      Telemetry from process tree showing cmd.exe executing autoupdate.bat from Startup folder
Step 10.A.2: Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
  Technique: Scheduled Task (T1053)
    Telemetry: Telemetry within the process tree showed rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule".
    Screenshots:
      Telemetry from process tree showing svchost.exe parent of rundll32.exe process running with "-k netsvcs -p -s Schedule" arguments
      Telemetry from process tree showing updater.dll executed by rundll32.exe
Step 10.B.1: RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
  Technique: Remote Desktop Protocol (T1076)
    Telemetry: Telemetry within the process tree showed rdpclip.exe execution by the user Jesse on the destination system of the RDP connection.
    Enrichment: The capability enriched rdpclip.exe with the correct ATT&CK Technique (Remote Desktop Protocol).
    Screenshots:
      Telemetry from process tree showing rdpclip.exe running as user Jesse
      Enrichment of rdpclip.exe with correct ATT&CK Technique (Remote Desktop Protocol)
  Technique: Valid Accounts (T1078)
    Telemetry: Telemetry within the process tree showed rdpclip.exe execution by the user Jesse on the destination system of the RDP connection.
    Enrichment: The capability enriched rdpclip.exe with the correct ATT&CK Technique (Remote Desktop Protocol).
    Screenshots:
      Telemetry from process tree showing rdpclip.exe running as user Jesse
      Enrichment of rdpclip.exe with correct ATT&CK Technique (Remote Desktop Protocol)
Step 11.A.1: Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
  Technique: Scripting (T1064)
    Enrichment: The capability enriched wscript.exe and powershell.exe with the correct ATT&CK Techniques (T1063 - Scripting, T1086 - Powershell).
    Telemetry: Telemetry of a process tree showed powershell.exe execution, including full command-line arguments.
    Specific Behavior: A Specific Behavior alert was generated indicating that powershell.exe was a suspicious child process of wscript.exe.
    Specific Behavior: A Specific Behavior alert was generated indicating that powershell.exe was executed with encoded command-line arguments.
    Screenshots:
      Enrichment of wscript.exe and powershell.exe with correct ATT&CK Techniques (T1063 - Scripting, T1086 - Powershell)
      Telemetry showing process tree of script execution
      Specific Behavior alerts for Powershell scripting
Step 11.B.1: Empire: C2 channel established
  Technique: Commonly Used Port (T1043)
    Enrichment: The capability enriched backgroundtaskhost.exe and powershell.exe with the correct ATT&CK Technique (T1043 - Commonly Used Port).
    Telemetry: Telemetry showed network connections, including over TCP port 443 to www.freegoogleadsenseinfo.com (C2 domain).
    Screenshots:
      Enrichment of backgroundtaskhost.exe and powershell.exe with correct ATT&CK Technique (T1043 - Commonly Used Port)
      Telemetry showing network connections, including over TCP port 443
  Technique: Standard Application Layer Protocol (T1071)
    Telemetry: Telemetry showed modload events importing dynamic libraries usually used for HTTP and SSL communication (e.g. winhttp.dll), followed by a CRL check to a CA, indicating that HTTPS was likely used.
    Screenshots:
      Telemetry showing modloads and certificate check
  Technique: Standard Cryptographic Protocol (T1032)
    Telemetry: Telemetry showed modload events importing dynamic libraries usually used for HTTP and SSL communication (e.g. winhttp.dll), followed by a CRL check to a CA, indicating that HTTPS was likely used.
    Screenshots:
      Telemetry showing modloads and certificate check
Step 12.A.1: Empire: 'route print' via PowerShell
  Technique: System Network Configuration Discovery (T1016)
    Telemetry: Telemetry within the process tree showed powershell.exe executing route.exe with command-line arguments.
    Screenshots:
      Telemetry from process tree showing route.exe with command-line arguments
Step 12.A.2: Empire: 'ipconfig /all' via PowerShell
  Technique: System Network Configuration Discovery (T1016)
    Telemetry: Telemetry within the process tree showed powershell.exe executing ipconfig.exe with command-line arguments.
    Enrichment: The capability enriched ipconfig.exe with the correct ATT&CK Technique (T1049 - System Network Configuration Discovery).
    Screenshots:
      Telemetry from process tree showing ipconfig.exe with command-line arguments
      Enrichment of ipconfig.exe with correct ATT&CK Technique (T1049 - System Network Configuration Discovery)
Step 12.B.1: Empire: 'whoami /all /fo list' via PowerShell
  Technique: System Owner / User Discovery (T1033)
    Telemetry: Telemetry within the process tree showed powershell.exe executing whoami.exe with command-line arguments.
    Enrichment: The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery).
    Screenshots:
      Telemetry from process tree showing whoami.exe with command-line arguments
      Enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery)
Step 12.C.1: Empire: 'qprocess *' via PowerShell
  Technique: Process Discovery (T1057)
    Telemetry: Telemetry within the process tree showed powershell.exe executing qprocess.exe with command-line arguments.
    Enrichment: The capability enriched qprocess.exe with the correct ATT&CK Technique (Process Discovery).
    Screenshots:
      Telemetry from process tree showing qprocess.exe with command-line arguments
      Enrichment of qprocess.exe with correct ATT&CK Technique (Process Discovery)
Step 12.D.1: Empire: 'net start' via PowerShell
  Technique: System Service Discovery (T1007)
    Telemetry: Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments.
    Screenshots:
      Telemetry from process tree showing net.exe with command-line arguments
Step 12.E.1: Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
  Technique: Scripting (T1064)
    Telemetry: Telemetry showed process execution of powershell.exe. The powershell.exe process loaded several non-default dynamically loaded libraries, which may indicate functionality used by the PowerShell script.
    Screenshots:
      Telemetry showing powershell.exe execution
      Telemetry showing dynamically loaded libraries (modloads) that may indicate PowerShell functionality
Step 12.E.1.1: Empire: WinEnum module included enumeration of user information
  Technique: System Owner / User Discovery (T1033)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.2: Empire: WinEnum module included enumeration of AD group memberships
  Technique: Permission Groups Discovery (T1069)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.3: Empire: WinEnum module included enumeration of password policy information
  Technique: Password Policy Discovery (T1201)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.4.1: Empire: WinEnum module included enumeration of recently opened files
  Technique: File and Directory Discovery (T1083)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.4.2: Empire: WinEnum module included enumeration of interesting files
  Technique: File and Directory Discovery (T1083)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.5: Empire: WinEnum module included enumeration of clipboard contents
  Technique: Clipboard Data (T1115)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.6.1: Empire: WinEnum module included enumeration of system information
  Technique: System Information Discovery (T1082)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.6.2: Empire: WinEnum module included enumeration of Windows update information
  Technique: System Information Discovery (T1082)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.7: Empire: WinEnum module included enumeration of system information via a Registry query
  Technique: Query Registry (T1012)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.8: Empire: WinEnum module included enumeration of services
  Technique: System Service Discovery (T1007)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.9.1: Empire: WinEnum module included enumeration of available shares
  Technique: Network Share Discovery (T1135)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.9.2: Empire: WinEnum module included enumeration of mapped network drives
  Technique: Network Share Discovery (T1135)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.10.1: Empire: WinEnum module included enumeration of AV solutions
  Technique: Security Software Discovery (T1063)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.10.2: Empire: WinEnum module included enumeration of firewall rules
  Technique: Security Software Discovery (T1063)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.11: Empire: WinEnum module included enumeration of network adapters
  Technique: System Network Configuration Discovery (T1016)
    None: No detection capability demonstrated for this procedure.
Step 12.E.1.12: Empire: WinEnum module included enumeration of established network connections
  Technique: System Network Connections Discovery (T1049)
    Telemetry: Telemetry within the process tree showed netstat.exe executing with command-line arguments.
    Enrichment: The capability enriched netstat.exe with the correct ATT&CK Technique (System Network Connections Discovery).
    Screenshots:
      Telemetry from process tree showing netstat.exe with command-line arguments
      Enrichment of netstat.exe with correct ATT&CK Technique (System Network Connections Discovery)
12.F.1
Empire: 'net group "Domain Admins" /domain' via PowerShell
Permission Groups Discovery
(T1069)
Telemetry
  
Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery).
Telemetry from process tree showing net.exe with command-line arguments
Enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery)
12.F.2
Empire: 'net localgroup administrators' via PowerShell
Permission Groups Discovery
(T1069)
Telemetry
  
Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery).
Telemetry from process tree showing net.exe with command-line arguments
Enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery)
12.G.1
Empire: 'net user' via PowerShell
Account Discovery
(T1087)
Telemetry
  
Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments.
Enrichment
  
The capability enriched net.exe with a related ATT&CK Technique (T1069 - Permission Groups Discovery).
Telemetry from process tree showing net.exe with command-line arguments
Enrichment of net.exe with related ATT&CK Technique (T1069 - Permission Groups Discovery)
12.G.2
Empire: 'net user /domain' via PowerShell
Account Discovery
(T1087)
Telemetry
  
Telemetry within the process tree showed powershell.exe executing net.exe with command-line arguments.
Enrichment
  
The capability enriched net.exe with a related ATT&CK Technique (T1069 - Permission Groups Discovery).
Telemetry from process tree showing net.exe with command-line arguments
Enrichment of net.exe with related ATT&CK Technique (T1069 - Permission Groups Discovery)
13.A.1
Empire: 'net group "Domain Computers" /domain' via PowerShell
Remote System Discovery
(T1018)
Telemetry
  
Telemetry showed a process tree containing net.exe with command-line arguments.
Enrichment
  
The capability enriched net.exe with a related ATT&CK Technique (Account Discovery).
Telemetry showing process tree with net.exe and command-line arguments
Enrichment of net.exe with related ATT&CK Technique (Account Discovery)
13.B.1
Empire: 'net use' via PowerShell
System Network Connections Discovery
(T1049)
Enrichment
  
The capability enriched net.exe with a related ATT&CK Technique (Account Discovery).
Telemetry
  
The vendor demonstrated to MITRE that the capability can provide telemetry of net.exe, but no screenshot was captured for this procedure.
Enrichment of net.exe with related ATT&CK Technique (Account Discovery)
13.B.2
Empire: 'netstat -ano' via PowerShell
System Network Connections Discovery
(T1049)
Telemetry
  
Telemetry showed a process tree containing netstat.exe with command-line arguments.
Enrichment
  
The capability enriched netstat.exe data with the correct ATT&CK Technique (T1049 - System Network Connections Discovery).
Telemetry showing process tree with netstat.exe and command-line arguments
Enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery)
13.C.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry
  
Telemetry showed a process tree containing reg.exe with command-line arguments.
Enrichment
  
The capability enriched reg.exe data with the correct ATT&CK Technique (Query Registry).
Telemetry showing process tree with reg.exe and command-line arguments
Enrichment of reg.exe event with correct ATT&CK Technique (Query Registry)
14.A.1
Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)
Bypass User Account Control
(T1088)
None
  
No detection capability demonstrated for this procedure.
Commonly Used Port
(T1043)
Telemetry
  
Telemetry showed network connection to 192.168.0.5 (C2 server) over TCP port 8080.
Telemetry showing network connection to 192.168.0.5 (C2 server) over TCP port 8080
Remote File Copy
(T1105)
Telemetry
  
The vendor demonstrated to MITRE that the capability can provide telemetry of network connections and file modifications indicating a Remote File Copy, but no screenshot was captured for this procedure.
Standard Application Layer Protocol
(T1071)
None
  
No detection capability demonstrated for this procedure.
15.A.1
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Application Window Discovery
(T1010)
None
  
No detection capability demonstrated for this procedure.
Input Capture
(T1056)
Telemetry
  
Telemetry showed modloads associated with the execution of a keylogger.
Enrichment
  
The capability enriched the events with a tag titled "PowerShell Input Capture -keylogger" based on known modloads that could be potentially abused to provide keylogger functionality.
Telemetry showing modloads associated with keylogger
Enrichment of data with tag "PowerShell Input Capture -keylogger"
15.B.1
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Credentials in Files
(T1081)
None
  
No detection capability demonstrated for this procedure.
16.A.1
Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
Brute Force
(T1110)
Telemetry
  
Telemetry showed a process tree containing repeated logon attempts via net.exe and command-line arguments indicative of password spraying.
Enrichment (Configuration Change)
  
 
The capability enriched individual net.exe events with tagging titled "Credential Access using Admin Shares - Failed Attempts". The capability was modified after the start of the evaluation enabling enrichment to appear, so the detection is identified as a configuration change.
Telemetry showing process tree with four different net.exe logon attempts
Enrichment of the individual net.exe logon attempts with tag "Credential Access using Admin Shares - Failed Attempts"
Windows Admin Shares
(T1077)
Telemetry
  
Telemetry showed a process tree containing repeated logon attempts via net.exe targeting ADMIN$.
Specific Behavior
  
Specific Behavior alerts titled "Windows Admin Shares - Lateral Movement" were generated for credential accesses specifically targeting admin shares.
Telemetry showing process tree with four different net.exe logon attempts targeting ADMIN$
Specific Behavior alerts for the four different net.exe logon attempts
16.B.1
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Windows Admin Shares
(T1077)
Telemetry
  
Telemetry showed a process tree containing repeated logon attempts via net.exe targeting ADMIN$, eventually resulting in a successful logon.
Specific Behavior
  
Specific Behavior alerts were generated mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons.
Telemetry showing process tree with five different net.exe logon attempts targeting ADMIN$
Specific Behavior alerts for a successful logon mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement)
Valid Accounts
(T1078)
Telemetry
  
Telemetry showed a process tree containing a successful logon via net.exe.
Telemetry showing process tree with five different net.exe logon attempts, including a success
Telemetry showing successful logon via net.exe
Brute Force
(T1110)
Telemetry
  
Telemetry showed a process tree containing repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon.
Enrichment (Configuration Change)
  
 
The capability enriched individual net.exe events with tagging titled "Credential Access using Admin Shares - Failed Attempts" for failures as well as a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons. The capability was modified after the start of the evaluation enabling enrichment to appear, so the detection is identified as a configuration change.
Telemetry showing process tree with five different net.exe logon attempts, including a success
Enrichment of the individual net.exe logon attempts, successful logons mapped to related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement)
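The 16.A.1 and 16.B.1 rows above describe what the telemetry looked like (repeated net.exe logons to ADMIN$ with different credentials, then one success) without showing how a rule turns that into the spray and valid-account findings. The Python below is an added example written for this page, not Carbon Black's or MITRE's code: it parses 'net use' command lines, flags every admin-share logon, groups attempts by the PowerShell parent that spawned them, reports a spray when a burst of failures spans several users or hosts, and reports a follow-on success when one attempt in that burst connects. The event layout, host and user names, the password, and the convention that a non-zero net.exe exit code means a failed logon are assumptions made for the constructed sample.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Added example (not Carbon Black's or MITRE's logic): detection over constructed
# process-creation telemetry for the 'net use' password spray (16.A.1) and the
# successful admin-share logon that followed it (16.B.1). Host names, user names,
# the password and the exit-code convention are assumptions made for the sample.

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


@dataclass
class ProcEvent:
    ts: datetime
    parent_pid: int   # the powershell.exe (Empire agent) that spawned net.exe
    image: str
    cmdline: str
    exit_code: int    # assumption: 0 = share connected, non-zero = logon failed


@dataclass
class NetUse:
    host: str
    share: str
    user: Optional[str]
    has_password: bool


def parse_net_use(cmdline: str) -> Optional[NetUse]:
    """Parse 'net use [X:] \\\\host\\share [password] [/user:name]'.

    Returns None for anything that is not a new connection: other net verbs,
    'net use ... /delete', or a command line without a UNC path.
    """
    tokens = cmdline.strip().split()
    if len(tokens) < 3:
        return None
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in {"net", "net.exe", "net1", "net1.exe"} or tokens[1].lower() != "use":
        return None
    rest = tokens[2:]
    if re.fullmatch(r"[A-Za-z]:", rest[0]):
        rest = rest[1:]                       # 'net use Z: \\server\share' maps a drive letter
    if not rest:
        return None
    m = re.fullmatch(r"\\\\([^\\]+)\\([^\\]+)(?:\\.*)?", rest[0])
    if m is None:
        return None
    user, has_password = None, False
    for tok in rest[1:]:
        low = tok.lower()
        if low in {"/delete", "/d"}:
            return None                       # connection removal (16.C.1), not a logon
        if low.startswith("/user:"):
            user = tok[len("/user:"):]
        elif low.startswith("/"):
            continue                          # e.g. /persistent:no
        else:
            has_password = True               # a bare positional argument is the password
    return NetUse(m.group(1).upper(), m.group(2).upper(), user, has_password)


def detect_admin_share_spray(events: List[ProcEvent], window: timedelta = timedelta(minutes=5),
                             min_failures: int = 3, min_distinct: int = 2) -> List[Dict]:
    """One finding per admin-share logon attempt (T1077), plus a spray finding (T1110)
    and a spray-success finding (T1078) per spawning parent process."""
    findings: List[Dict] = []
    attempts: Dict[int, list] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        nu = parse_net_use(ev.cmdline)
        if nu is None:
            continue
        if nu.share in ADMIN_SHARES:
            findings.append({"rule": "T1077 admin share logon", "host": nu.host, "share": nu.share,
                             "user": nu.user, "outcome": "success" if ev.exit_code == 0 else "failure"})
        attempts[ev.parent_pid].append((ev, nu))

    for parent, items in attempts.items():
        for i, (first, _) in enumerate(items):
            burst = [(e, n) for e, n in items[i:] if e.ts - first.ts <= window]
            failures = [(e, n) for e, n in burst if e.exit_code != 0]
            users = {n.user for _, n in failures if n.user}
            hosts = {n.host for _, n in failures}
            if len(failures) < min_failures or max(len(users), len(hosts)) < min_distinct:
                continue
            findings.append({"rule": "T1110 password spray", "parent_pid": parent, "failures": len(failures),
                             "users": sorted(users), "hosts": sorted(hosts)})
            first_fail_ts = failures[0][0].ts
            for e, n in burst:
                if e.exit_code == 0 and e.ts > first_fail_ts:
                    findings.append({"rule": "T1078 spray succeeded", "parent_pid": parent,
                                     "user": n.user, "host": n.host, "share": n.share})
            break                             # report each parent's burst once
    return findings


# Constructed sample: four failures against Morris and Nimda from one Empire agent,
# then a success against Conficker, plus an unrelated drive mapping from a logon script.
T0 = datetime(2018, 11, 1, 14, 30, 0)
NET = r"C:\Windows\System32\net.exe"
SAMPLE_EVENTS = [
    ProcEvent(T0, 4120, NET, r"net use \\MORRIS\ADMIN$ /user:kmitnick Spring2018!", 2),
    ProcEvent(T0 + timedelta(seconds=6), 4120, NET, r"net use \\MORRIS\ADMIN$ /user:bob Spring2018!", 2),
    ProcEvent(T0 + timedelta(seconds=12), 4120, NET, r"net use \\NIMDA\ADMIN$ /user:frieda Spring2018!", 2),
    ProcEvent(T0 + timedelta(seconds=18), 4120, NET, r"net use \\NIMDA\ADMIN$ /user:bob Spring2018!", 2),
    ProcEvent(T0 + timedelta(seconds=40), 4120, NET, r"net use \\CONFICKER\ADMIN$ /user:kmitnick Spring2018!", 0),
    ProcEvent(T0 + timedelta(seconds=50), 900, NET, r"net use Z: \\FILESERVER\public /persistent:no", 0),
]


def run_demo() -> List[Dict]:
    return detect_admin_share_spray(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Grouping by the spawning parent rather than by host is what makes the spray visible: each individual net.exe is a one-shot process, so the repetition only shows up in the parent's children. The failure threshold and window are tunable; a logon script that maps one share for one user never reaches them.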
16.C.1
Empire: 'net use /delete' via PowerShell
Network Share Connection Removal
(T1126)
Telemetry
  
Telemetry showed a process tree containing net.exe and command-line arguments.
Specific Behavior
  
A Specific Behavior alert was generated indicating that a connected network share was removed.
Telemetry showing process tree with net.exe and command-line arguments
Specific Behavior alerts for removing connected network share
16.D.1
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
Telemetry
  
Telemetry showed a process tree containing a logon attempt via net.exe and command-line arguments targeting C$ using valid account credentials.
Specific Behavior
  
Specific Behavior alerts were generated mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) for successful logons.
Telemetry showing process tree with successful net.exe logon targeting C$
Specific Behavior alerts for a successful logon mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement)
Valid Accounts
(T1078)
Telemetry
  
Telemetry showed a process tree containing a logon attempt via net.exe and command-line arguments using valid account credentials.
Telemetry showing process tree with logon using valid account credentials
16.E.1
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Remote File Copy
(T1105)
Telemetry
  
Telemetry showed filemod events for the creation of and writes to autoupdate.vbs.
Telemetry showing creation and write to autoupdate.vbs
16.F.1
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Command-Line Interface
(T1059)
Telemetry
  
Telemetry showed a process tree with cmd.exe execution and associated user context change.
Enrichment
  
The capability enriched cmd.exe event data with the correct ATT&CK Technique (T1059 - Command-Line Interface).
Telemetry showing process tree with cmd.exe and initial powershell.exe running as user Bob
Telemetry showing process tree with cmd.exe and final powershell.exe running as user Kmitnick
Enrichment of cmd.exe event with correct ATT&CK Technique (T1059 - Command-Line Interface)
16.G.1
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Remote File Copy
(T1105)
Telemetry
  
Telemetry showed filemod events for the creation of and writes to update.vbs on remote host 10.0.0.4 (Creeper).
Telemetry showing remote creation and write to update.vbs
16.H.1
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry
  
Telemetry within the process tree showed execution of sc.exe with command-line arguments to remotely query services on Creeper. Telemetry also showed module loads and a network connection to Creeper (10.0.0.4).
Enrichment
  
The capability enriched the sc.exe execution with the correct ATT&CK Technique (System Service Discovery).
Telemetry from process tree showing sc.exe execution for the service query
Telemetry showing module loads from execution of sc.exe to remotely query services on Creeper (10.0.0.4)
Enrichment of sc.exe executing to query services with correct ATT&CK Technique (System Service Discovery)
16.I.1
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
New Service
(T1050)
Telemetry
  
Telemetry within the process tree showed execution of sc.exe with command-line arguments to create a new AdobeUpdater service containing a binPath pointed to cmd.exe with arguments to execute update.vbs.
Specific Behavior
  
A Specific Behavior alert was generated for sc.exe execution to create the AdobeUpdater service with the correct ATT&CK Technique (New Service).
Telemetry from process tree showing sc.exe execution creating the AdobeUpdater service
Specific Behavior alert on sc.exe executing to create the AdobeUpdater service mapped to ATT&CK
Masquerading
(T1036)
Telemetry
  
Telemetry within the process tree showed execution of sc.exe with command-line arguments to create the AdobeUpdater service with a binPath pointed to cmd.exe with arguments to execute update.vbs, and a suspicious service description, which indicates masquerading.
Telemetry from process tree showing sc.exe execution setting the AdobeUpdater service description
Telemetry from process tree showing sc.exe execution creating the AdobeUpdater service
16.J.1
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry
  
Telemetry within the process tree showed execution of sc.exe with command-line arguments to query the AdobeUpdater service on Creeper.
Enrichment
  
The capability enriched sc.exe execution with the correct ATT&CK Technique (System Service Discovery).
Telemetry from process tree showing sc.exe execution to query the AdobeUpdater service on Creeper
Enrichment of sc.exe executing to query services with correct ATT&CK Technique (System Service Discovery)
16.K.1
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
16.L.1
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Service Execution
(T1035)
Telemetry
  
Telemetry within the process tree showed execution of sc.exe with command-line arguments to start the AdobeUpdater service on Creeper.
Telemetry from process tree showing sc.exe execution to start the AdobeUpdater service on Creeper
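Rows 16.H.1 through 16.L.1 are one remote-service workflow aimed at Creeper: sc query, sc create with a binPath of cmd.exe running update.vbs, sc description, sc qc and sc start. The Python below is an added example written for this page, not Carbon Black's or MITRE's logic. It parses sc.exe command lines the way sc itself reads them ('binPath= value', with the space after '=') and keeps per-session state so that the description and start commands are tied back to the creation they refer to. The service description text, the full binPath, and the benign local query are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example (not Carbon Black's or MITRE's logic): parsing of sc.exe command
# lines and session-level correlation of the remote service workflow in
# 16.H.1 to 16.L.1 (query -> create -> description -> qc -> start). The paths,
# the description text and the service settings in the sample are assumptions.

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
WRITABLE_DIRS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\", "\\temp\\")
VENDOR_WORDS = ("adobe", "microsoft", "windows", "google", "intel", "nvidia")


@dataclass
class ScCommand:
    server: Optional[str]          # '\\CREEPER' target without the slashes; None when local
    verb: str                      # create, description, query, qc, start, ...
    service: Optional[str]
    options: Dict[str, str]        # 'binPath= value' options, keys lower-cased
    positional: List[str]          # remaining arguments (the text for 'description')


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace but keep double-quoted runs together (quotes removed)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_sc(cmdline: str) -> Optional[ScCommand]:
    toks = tokenize(cmdline)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in {"sc", "sc.exe"}:
        return None
    toks = toks[1:]
    server = None
    if toks and toks[0].startswith("\\\\"):
        server, toks = toks[0][2:].upper(), toks[1:]
    if not toks:
        return None
    verb, toks = toks[0].lower(), toks[1:]
    service = None
    if toks and not toks[0].endswith("="):
        service, toks = toks[0], toks[1:]
    options, positional = {}, []
    i = 0
    while i < len(toks):
        if toks[i].endswith("=") and i + 1 < len(toks):   # sc syntax: 'binPath= value'
            options[toks[i][:-1].lower()] = toks[i + 1]
            i += 2
        else:
            positional.append(toks[i])
            i += 1
    return ScCommand(server, verb, service, options, positional)


def _vendor_like(text: str) -> bool:
    return any(w in text.lower() for w in VENDOR_WORDS)


class ServiceSessionTracker:
    """Remembers services created during a session so that later 'description'
    and 'start' commands can be tied back to the creation."""

    def __init__(self) -> None:
        self.created: Dict[Tuple[Optional[str], str], str] = {}

    def assess(self, cmdline: str) -> Optional[Dict]:
        sc = parse_sc(cmdline)
        if sc is None:
            return None
        key = (sc.server, (sc.service or "").lower())
        f: Dict = {"verb": sc.verb, "server": sc.server, "service": sc.service,
                   "techniques": [], "reasons": []}
        if sc.verb in {"query", "queryex", "qc", "enumdepend", "qdescription"}:
            f["techniques"].append("T1007 System Service Discovery")
            if sc.server:
                f["reasons"].append(f"remote service enumeration on {sc.server}")
        elif sc.verb == "create":
            f["techniques"].append("T1050 New Service")
            binpath = sc.options.get("binpath", "")
            f["binpath"] = binpath
            self.created[key] = binpath
            launcher = tokenize(binpath)[0].rsplit("\\", 1)[-1].lower() if binpath.strip() else ""
            if launcher in INTERPRETERS:
                f["reasons"].append(f"binPath launches interpreter {launcher}")
            if re.search(r"\.(vbs|js|ps1|bat|cmd|hta)\b", binpath, re.IGNORECASE):
                f["reasons"].append("binPath references a script file")
            if any(d in binpath.lower() for d in WRITABLE_DIRS):
                f["reasons"].append("binPath points under a user-writable directory")
            if f["reasons"] and _vendor_like(sc.service or ""):
                f["techniques"].append("T1036 Masquerading")
                f["reasons"].append("vendor-style service name on a suspicious binPath")
        elif sc.verb == "description":
            if key in self.created and _vendor_like(" ".join(sc.positional)):
                f["techniques"].append("T1036 Masquerading")
                f["reasons"].append(f"vendor-style description on a service created this session "
                                    f"(binPath {self.created[key]!r})")
        elif sc.verb == "start":
            if key in self.created:
                f["techniques"].append("T1035 Service Execution")
                f["reasons"].append("starting a service created earlier in this session")
        if sc.server and sc.verb in {"create", "description", "start", "config", "delete"}:
            f["reasons"].append(f"remote service modification on {sc.server}")
        return f


# Constructed sample session mirroring 16.H.1 to 16.L.1, plus a benign local query.
SAMPLE_SESSION = [
    r'sc \\CREEPER query',
    r'sc \\CREEPER create AdobeUpdater binPath= "cmd.exe /c cscript.exe C:\Windows\Temp\update.vbs" start= auto',
    r'sc \\CREEPER description AdobeUpdater "Adobe Acrobat Update Service"',
    r'sc \\CREEPER qc AdobeUpdater',
    r'sc \\CREEPER start AdobeUpdater',
    r'sc query wuauserv',
]


def run_demo() -> List[Dict]:
    tracker = ServiceSessionTracker()
    return [f for f in (tracker.assess(c) for c in SAMPLE_SESSION) if f is not None]


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The session state is what separates this from a per-event tag: on its own, 'sc \\CREEPER start AdobeUpdater' is indistinguishable from an administrator restarting a service, and the page's own 16.L.1 row shows it produced telemetry only. Tying it to the create a few seconds earlier, whose binPath is an interpreter running a script out of a temp directory, is what justifies treating the start as execution of an attacker-installed service.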
17.A.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
System Service Discovery
(T1007)
Telemetry
  
Telemetry within the process tree showed reg.exe executing with command-line arguments to check if terminal services were enabled.
Telemetry from process tree showing reg.exe with command-line arguments
Query Registry
(T1012)
Telemetry
  
Telemetry within the process tree showed reg.exe executing with command-line arguments.
Enrichment
  
The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry).
Telemetry from process tree showing reg.exe with command-line arguments
Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry)
17.B.1
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
File Permissions Modification
(T1222)
Telemetry
  
Telemetry within the process tree showed execution of takeown.exe with command-line arguments on magnify.exe.
Enrichment (Configuration Change)
  
 
The capability enriched the execution of takeown.exe with "Permission modifications". The enrichment was added as a configuration change during the action and was not part of the original set of detections when the evaluation started.
Telemetry from process tree showing takeown.exe with command-line arguments
Enrichment of takeown.exe execution with tag "Permission modifications"
17.B.2
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
File Permissions Modification
(T1222)
Telemetry
  
Telemetry within the process tree showed execution of icacls.exe with command-line arguments on magnify.exe.
Enrichment (Configuration Change)
  
 
The capability enriched the execution of icacls.exe with "Permission modifications". The enrichment was added as a configuration change during the action and was not part of the original set of detections when the evaluation started.
Telemetry from process tree showing icacls.exe with command-line arguments
Enrichment of icacls.exe execution with tag "Permission modifications"
17.C.1
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Accessibility Features
(T1015)
Telemetry
  
Telemetry showed filemod events overwriting magnify.exe in the system directory.
Specific Behavior
  
A Specific Behavior alert was generated for powershell.exe with a severity score of 51/100 when magnify.exe was replaced. The alert was also mapped to the correct ATT&CK Technique (T1015 - Accessibility Features).
Telemetry showing creation and file write replacing magnify.exe in the system directory
Specific Behavior alert on powershell.exe when it replaced magnify.exe (mapped to correct ATT&CK Technique, T1015 - Accessibility Features)
18.A.1
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
18.B.1
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Data Staged
(T1074)
Telemetry
  
Telemetry showed filemod events for the creation of and write to the .vsdx file in the Recycle Bin.
Specific Behavior
  
A Specific Behavior alert was generated with a severity score of 60/100 and was mapped to the correct ATT&CK Technique (T1074 - Data Staged).
Telemetry showing creation of the .vsdx file in the Recycle Bin
Specific Behavior alert on the file write of the .vsdx file in the Recycle Bin (showing red severity score, mapped to correct ATT&CK Technique, T1074 - Data Staged)
Data from Network Shared Drive
(T1039)
None
  
No detection capability demonstrated for this procedure. Telemetry was available for the file write of the .vsdx file into the Recycle Bin, but no data was available indicating that it came from a network shared drive.
19.A.1
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Masquerading
(T1036)
Telemetry
  
Telemetry showed the creation of recycler.exe. Binary metadata on recycler.exe indicated it was masquerading and had a digital signature and file metadata that matched the WinRAR utility.
Telemetry showing filemod creation of recycler.exe
Binary metadata showing recycler.exe is WinRAR.exe based on digital signature and file version information
Remote File Copy
(T1105)
Telemetry
  
Telemetry showed the creation of recycler.exe. 
Telemetry showing filemod (file modification) creation of recycler.exe
19.B.1
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Data Compressed
(T1002)
Telemetry
  
Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and that compression and encryption were used to create an encrypted archive. Telemetry also showed the creation of old.rar as the output of recycler.exe.
Enrichment
  
The capability enriched recycler.exe with the correct ATT&CK Technique (T1002 - Data Compressed).
Process tree with telemetry showing recycler.exe and command-line arguments
Telemetry showing filemod (file modification) creation of old.rar output of recycler.exe
Enrichment of recycler.exe with correct ATT&CK Technique (T1002 - Data Compressed)
Data Encrypted
(T1022)
Telemetry
  
Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and that compression and encryption were used to create an encrypted archive.
Enrichment
  
The capability enriched recycler.exe with the correct ATT&CK Technique (T1022 - Data Encrypted).
Telemetry showing recycler.exe and command-line arguments with encryption password
Enrichment of recycler.exe with correct ATT&CK Technique (T1022 - Data Encrypted)
Masquerading
(T1036)
Telemetry
  
Telemetry showed the execution of recycler.exe with command-line arguments indicating it was WinRAR and that compression and encryption were used to create an encrypted archive.
Specific Behavior
  
A Specific Behavior alert was generated on execution of recycler.exe indicating it was WinRAR and was masquerading as a renamed process.
Telemetry showing recycler.exe with command-line arguments indicating it is WinRAR
Specific Behavior alert for recycler.exe masquerading as a renamed WinRAR process
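Rows 19.A.1 and 19.B.1 rest on two checks: the process name (recycler.exe) disagrees with the binary's version information (WinRAR), and the command line uses WinRAR's -hp switch, which encrypts file names as well as file data. The Python below is an added example written for this page, not Carbon Black's or MITRE's logic. It applies the renamed-binary check to any process whose PE OriginalFilename the sensor has recorded and, when that binary is WinRAR, parses the command line to separate compression (T1002) from encryption (T1022) and to note that the archive is written to the Recycle Bin, the staging location from 18.B.1. The version-info strings, signer text, password and paths in the sample are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not Carbon Black's or MITRE's logic): renamed-binary check using PE
# version information (19.A.1) and a WinRAR command-line parser that tells
# compression from encryption and records the archive location (19.B.1). The
# version-info values, signer strings, paths and password below are constructed.

RAR_WRITE_COMMANDS = {"a", "u", "f", "m"}      # add, update, freshen, move: all write an archive
STAGING_DIRS = ("$recycle.bin", "\\temp\\", "\\appdata\\local\\temp\\", "\\programdata\\")


@dataclass
class ProcEvent:
    image: str
    cmdline: str
    original_filename: str    # PE version info; assumption that the sensor collects it
    signed_by: str            # constructed signer string


@dataclass
class RarCommand:
    command: str              # a = add, x/e = extract, t = test, ...
    archive: Optional[str]
    files: List[str]
    encrypted: bool           # -p<pw>: file data encrypted
    header_encrypted: bool    # -hp<pw>: file names encrypted as well
    password_supplied: bool   # password given inline rather than prompted for


def tokenize(cmdline: str) -> List[str]:
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_rar_cmdline(cmdline: str) -> Optional[RarCommand]:
    """Parse 'rar <command> [switches] <archive> [files...]' as WinRAR/Rar read it."""
    toks = tokenize(cmdline)
    if len(toks) < 2 or not re.fullmatch(r"[a-zA-Z]{1,2}", toks[1]):
        return None
    command = toks[1].lower()
    encrypted = header_encrypted = password_supplied = False
    positional: List[str] = []
    switches_done = False
    for tok in toks[2:]:
        low = tok.lower()
        if not switches_done and tok == "--":
            switches_done = True              # rar: end of switches
        elif not switches_done and tok.startswith("-"):
            if low == "-p-":
                continue                      # explicitly no password
            if low.startswith("-hp"):
                encrypted = header_encrypted = True
                password_supplied = len(tok) > 3
            elif low.startswith("-p"):
                encrypted = True
                password_supplied = len(tok) > 2
        else:
            positional.append(tok)
    archive = positional[0] if positional else None
    return RarCommand(command, archive, positional[1:], encrypted, header_encrypted, password_supplied)


def assess(ev: ProcEvent) -> Dict:
    name = ev.image.rsplit("\\", 1)[-1].lower()
    claimed = ev.original_filename.lower()
    f: Dict = {"image": name, "techniques": [], "reasons": []}
    # Generic renamed-binary check: on-disk name disagrees with the PE's own name.
    if claimed and claimed != name:
        f["techniques"].append("T1036 Masquerading")
        f["reasons"].append(f"{name} is a renamed {ev.original_filename} (signed by {ev.signed_by})")
    # Archiver-specific parsing applies whatever the process was renamed to.
    if claimed in {"winrar.exe", "rar.exe"}:
        rar = parse_rar_cmdline(ev.cmdline)
        if rar and rar.command in RAR_WRITE_COMMANDS:
            f["techniques"].append("T1002 Data Compressed")
            f["archive"], f["files"] = rar.archive, rar.files
            if rar.encrypted:
                f["techniques"].append("T1022 Data Encrypted")
                f["reasons"].append("file names and data encrypted (-hp)" if rar.header_encrypted
                                    else "file data encrypted (-p)")
            if rar.archive and any(d in rar.archive.lower() for d in STAGING_DIRS):
                f["techniques"].append("T1074 Data Staged")
                f["reasons"].append(f"archive written to staging location {rar.archive}")
    return f


# Constructed sample: the renamed WinRAR from 19.B.1, a normal WinRAR extraction,
# and a renamed cmd.exe that only trips the generic check.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\bob\AppData\Local\Temp\recycler.exe",
              r"recycler.exe a -hpP@ssw0rd -m5 -ep1 C:\$Recycle.Bin\old.rar C:\$Recycle.Bin\Shockwave_network.vsdx",
              original_filename="WinRAR.exe", signed_by="win.rar GmbH (constructed)"),
    ProcEvent(r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\Users\bob\Downloads\report.rar',
              original_filename="WinRAR.exe", signed_by="win.rar GmbH (constructed)"),
    ProcEvent(r"C:\Windows\Temp\update.exe", "update.exe /c whoami",
              original_filename="Cmd.Exe", signed_by="Microsoft Windows (constructed)"),
]


def run_demo() -> List[Dict]:
    return [assess(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The parser never records the password value itself, only that one was supplied inline; the page's own 19.B.1 screenshot caption notes the password was visible in the command line, and a detection that copies it into an alert would spread it further than the attacker did.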
19.C.1
Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfiltrate data over a network connection separate from the existing C2 channel
Exfiltration Over Alternative Protocol
(T1048)
Telemetry
  
Telemetry showed a process tree for ftp.exe being executed with command-line arguments including ftp.txt.
Enrichment
  
The capability enriched ftp.exe with the correct ATT&CK Technique (T1048 - Exfiltration Over Alternative Protocol).
Telemetry from process tree showing execution of ftp.exe with command-line arguments
Enrichment of ftp.exe with correct ATT&CK Technique (T1048 - Exfiltration Over Alternative Protocol)
19.D.1
Empire: 'del C:\"$"Recycle.bin\old.rar'
File Deletion
(T1107)
Telemetry
  
Telemetry showed the deletion of old.rar.
Telemetry showing filemod (file modification) deletion of old.rar
19.D.2
Empire: 'del recycler.exe'
File Deletion
(T1107)
Telemetry
  
Telemetry showed the deletion of recycler.exe.
Telemetry showing filemod (file modification) deletion of recycler.exe
20.A.1
magnify.exe, previously overwritten by cmd.exe, launched through an RDP connection made to Creeper (10.0.0.4)
Accessibility Features
(T1015)
Telemetry
  
Telemetry within the process tree showed magnify.exe executing from utilman.exe.
Specific Behavior
  
A Specific Behavior alert was generated on execution of magnify.exe named "Suspicious screen magnifier process" with a 76/100 severity score.
General Behavior
  
A General Behavior alert was generated named "Suspicious renamed cmd process" with a 72/100 severity score.
General Behavior
  
A General Behavior alert was generated named "Execution of cmd from non-standard path" with a 60/100 severity score.
Telemetry from process tree showing magnify.exe execution
Three alerts (one Specific Behavior and two General Behavior alerts) from execution of magnify.exe showing red severity scores
Remote Desktop Protocol
(T1076)
None
  
No detection capability demonstrated for this procedure.
20.B.1
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
System Owner / User Discovery
(T1033)
Telemetry
  
Telemetry within the process tree showed magnify.exe executing whoami.exe.
Enrichment
  
The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery).
Telemetry from process tree showing whoami.exe execution
Enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery)
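Rows 17.B.1 to 17.C.1 and 20.A.1 to 20.B.1 are the two halves of the same accessibility-feature hijack: first takeown and icacls loosen the DACL on magnify.exe so PowerShell can overwrite it with cmd.exe; later, at the RDP logon screen, utilman.exe launches 'magnify.exe', which is really cmd.exe, and whoami runs from it. The Python below is an added example written for this page, not Carbon Black's or MITRE's logic, with one rule per half: the first correlates takeown, icacls and file-write events against accessibility binaries under System32; the second flags an accessibility binary started by utilman.exe or winlogon.exe whose PE OriginalFilename names a different executable, and tags every process it then spawns. The event format, PIDs, timestamps and the assumption that the sensor records OriginalFilename are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Added example (not Carbon Black's or MITRE's logic): two correlated rules over
# constructed telemetry. Rule 1 ties the takeown / icacls / overwrite sequence of
# 17.B.1-17.C.1 to an accessibility binary in System32; rule 2 flags the execution
# in 20.A.1 (magnify.exe spawned by utilman.exe, PE version info says cmd.exe) and
# follows the child it spawns in 20.B.1. Event shape and PIDs are assumptions.

ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}
LOGON_SCREEN_PARENTS = {"utilman.exe", "winlogon.exe"}
TRUSTED_WRITERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Event:
    ts: datetime
    kind: str                     # "process" or "filemod"
    pid: int = 0
    ppid: int = 0
    image: str = ""               # process image (process) or writing process (filemod)
    parent_image: str = ""
    cmdline: str = ""
    original_filename: str = ""   # PE version info; assumption that the sensor collects it
    path: str = ""                # file written (filemod only)


def basename(p: str) -> str:
    return p.rsplit("\\", 1)[-1].lower()


def accessibility_target(path: str) -> Optional[str]:
    """Return the accessibility binary name if path is one of them under System32."""
    p = path.lower()
    name = basename(p)
    return name if p.startswith(SYSTEM32) and name in ACCESSIBILITY_BINARIES else None


def detect(events: List[Event], prep_window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    findings: List[Dict] = []
    prep: Dict[str, Dict[str, datetime]] = {}     # target binary -> {stage: time seen}
    backdoor_pids: Set[int] = set()

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "filemod":
            target = accessibility_target(ev.path)
            if target and basename(ev.image) not in TRUSTED_WRITERS:
                stages = {s: t for s, t in prep.get(target, {}).items() if ev.ts - t <= prep_window}
                findings.append({"rule": "T1015 accessibility binary replaced", "target": target,
                                 "writer": basename(ev.image), "prep_stages": sorted(stages)})
            continue

        name = basename(ev.image)
        # Rule 1 setup stages: ownership and DACL changes naming the target file.
        if name in {"takeown.exe", "icacls.exe"}:
            for tok in ev.cmdline.split():
                target = accessibility_target(tok.strip('"'))
                if target:
                    prep.setdefault(target, {})[name[:-4]] = ev.ts
        # Rule 2: accessibility binary started from the logon screen whose PE says otherwise.
        if name in ACCESSIBILITY_BINARIES and basename(ev.parent_image) in LOGON_SCREEN_PARENTS:
            claimed = ev.original_filename.lower()
            if claimed and claimed != name:
                backdoor_pids.add(ev.pid)
                findings.append({"rule": "T1015 accessibility binary is a renamed executable",
                                 "image": name, "parent": basename(ev.parent_image),
                                 "original_filename": ev.original_filename})
        # Anything spawned by a flagged process is a command run through the backdoor.
        if ev.ppid in backdoor_pids:
            backdoor_pids.add(ev.pid)
            findings.append({"rule": "command executed via accessibility backdoor",
                             "image": name, "cmdline": ev.cmdline})
    return findings


# Constructed sample on Creeper: the 17.B/17.C preparation, then the 20.A/20.B use
# two hours later, then a user opening Magnifier normally from the desktop.
T0 = datetime(2018, 11, 1, 16, 0, 0)
SYS = r"C:\Windows\System32"
PS = SYS + r"\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(T0, "process", pid=3100, ppid=2800, image=SYS + r"\takeown.exe", parent_image=PS,
          cmdline=r"takeown /f C:\Windows\System32\magnify.exe", original_filename="takeown.exe"),
    Event(T0 + timedelta(seconds=5), "process", pid=3104, ppid=2800, image=SYS + r"\icacls.exe", parent_image=PS,
          cmdline=r"icacls C:\Windows\System32\magnify.exe /grant Administrators:F", original_filename="iCACLS.EXE"),
    Event(T0 + timedelta(seconds=9), "filemod", pid=2800, image=PS, path=SYS + r"\magnify.exe"),
    Event(T0 + timedelta(hours=2), "process", pid=5010, ppid=600, image=SYS + r"\utilman.exe",
          parent_image=SYS + r"\winlogon.exe", cmdline="utilman.exe /debug", original_filename="utilman.exe"),
    Event(T0 + timedelta(hours=2, seconds=2), "process", pid=5020, ppid=5010, image=SYS + r"\magnify.exe",
          parent_image=SYS + r"\utilman.exe", cmdline="magnify.exe", original_filename="Cmd.Exe"),
    Event(T0 + timedelta(hours=2, seconds=10), "process", pid=5030, ppid=5020, image=SYS + r"\whoami.exe",
          parent_image=SYS + r"\magnify.exe", cmdline="whoami", original_filename="whoami.exe"),
    Event(T0 + timedelta(hours=3), "process", pid=6000, ppid=1200, image=SYS + r"\magnify.exe",
          parent_image=r"C:\Windows\explorer.exe", cmdline="magnify.exe", original_filename="MAGNIFY.EXE"),
]


def run_demo() -> List[Dict]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The two rules are deliberately independent: the preparation can happen hours before the logon-screen use, possibly on a different session, and the page's own results show they were alerted on separately (the 17.C.1 overwrite, then three alerts at execution in 20.A.1). The legitimate utilman.exe from winlogon.exe and the desktop launch of Magnifier both pass rule 2 because their on-disk name and OriginalFilename agree.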
Operational Flow

Step 1: Initial Compromise

1.A.1 Execution

User Execution, Rundll32, Scripting

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port, Data Encoding, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig /all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner / User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist /v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators /domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user /domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george /domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Defense Evasion, Privilege Escalation

Access Token Manipulation, Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Defense Evasion, Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.2 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in hash dump capability executed

5.B.1 Defense Evasion, Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port, Multiband Communication, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account, Graphical User Interface, Account Discovery

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.B.1 Command and Control, Lateral Movement

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection, Credential Access

Input Capture, Application Window Discovery

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.D.1 Collection

Screen Capture, Process Injection

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Collection

Data from Network Shared Drive, Exfiltration Over Command and Control Channel

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Lateral Movement

Remote Desktop Protocol, Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access

11.A.1 Defense Evasion, Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol

i. Empire: C2 channel established

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig /all' via PowerShell

12.B.1 Discovery

System Owner / User Discovery

i. Empire: 'whoami /all /fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Defense Evasion, Execution

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner / User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Collection

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" /domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" /domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Defense Evasion, Privilege Escalation

Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

i. Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)

Step 15: Credential Access

15.A.1 Discovery

Application Window Discovery, Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force, Windows Admin Shares

i. Empire: 'net use' via PowerShell to perform brute-force password-spraying authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting the credentials of users Kmitnick, Bob, and Frieda

16.B.1 Lateral Movement

Windows Admin Shares, Valid Accounts, Brute Force

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use /delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares, Valid Accounts

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.E.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Persistence, Privilege Escalation

New Service, Masquerading

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery, Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.B.1 Defense Evasion

File Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Defense Evasion

File Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence, Privilege Escalation

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged, Data from Network Shared Drive

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration

19.A.1 Defense Evasion

Masquerading, Remote File Copy

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.B.1 Exfiltration

Data Compressed, Data Encrypted, Masquerading

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.C.1 Exfiltration

Exfiltration Over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfiltrate data through a network connection separate from the existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence, Privilege Escalation

Accessibility Features, Remote Desktop Protocol

i. magnify.exe, previously overwritten with cmd.exe, launched through RDP connection made to Creeper (10.0.0.4)

20.B.1 Discovery

System Owner / User Discovery

i. Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)