GoSecure
CounterTack

CounterTack Overview Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation; these are not endorsed or validated by MITRE.

Legend
  Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment
  Detection Modifiers: Tainted, Delayed, Configuration Change
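As an added illustration (not part of MITRE's page or the vendor's product) of how the categories and modifiers in this legend combine, the Python below classifies constructed process-creation events into Telemetry or Enrichment, applies the Tainted modifier when an ancestor process carries an alert, and flags Configuration Change for conditions added after the evaluation started. The condition names are those quoted in the detection notes on this page; the matching patterns, the sample process tree and the list of post-start conditions are assumptions.

```python
"""Model of the detection taxonomy used on this results page (constructed example).

Classifies process-creation telemetry into the Main Detection Categories
Telemetry / Enrichment and applies the Detection Modifiers Tainted and
Configuration Change. Condition names come from the page's detection notes;
the regexes, sample events and post-start list are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProcessEvent:
    pid: int
    image: str
    cmdline: str
    ppid: Optional[int] = None
    alerts: List[str] = field(default_factory=list)  # alerts raised on this process itself


# Enrichment conditions named in the detection notes; the patterns are assumed.
CONDITIONS = {
    "Ipconfig All Reconnaissance Command": re.compile(r"^ipconfig(\.exe)?\s+/all\b", re.I),
    "SC Query Reconnaissance Command": re.compile(r"^sc(\.exe)?\s+query\b", re.I),
    # On the page 'net localgroup' raised both Net Group and Net LocalGroup, so
    # the Net Group pattern is assumed to accept the 'local' prefix as well.
    "Net Group Reconnaissance Command": re.compile(r"^net(\.exe)?\s+(local)?group\b", re.I),
    "Net LocalGroup Reconnaissance Command": re.compile(r"^net(\.exe)?\s+localgroup\b", re.I),
    "Net User Reconnaissance Command": re.compile(r"^net(\.exe)?\s+user\b", re.I),
    "Whoami Reconnaissance Command": re.compile(r"^whoami(\.exe)?\b", re.I),
}

# Conditions the notes describe as added after the evaluation started (assumed list).
ADDED_AFTER_START = {
    "Ipconfig All Reconnaissance Command",
    "SC Query Reconnaissance Command",
    "Net Group Reconnaissance Command",
    "Net LocalGroup Reconnaissance Command",
}


@dataclass
class Detection:
    category: str            # Telemetry or Enrichment
    conditions: List[str]    # matched enrichment conditions
    modifiers: List[str]     # Tainted and/or Configuration Change
    tainted_by: List[str]    # alerts found on ancestor processes


def ancestor_alerts(event: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> List[str]:
    """Collect alerts on every ancestor (parent, grandparent, ...) of event.

    Only ancestors count: an alert on the process itself does not taint it.
    """
    found: List[str] = []
    seen = set()
    cur = event.ppid
    while cur is not None and cur in by_pid and cur not in seen:
        seen.add(cur)
        parent = by_pid[cur]
        found.extend(parent.alerts)
        cur = parent.ppid
    return found


def classify(event: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> Detection:
    """Map one process event to a Detection Type as shown in the table."""
    conditions = [name for name, rx in CONDITIONS.items() if rx.search(event.cmdline)]
    category = "Enrichment" if conditions else "Telemetry"
    modifiers: List[str] = []
    tainted_by = ancestor_alerts(event, by_pid)
    if tainted_by:
        modifiers.append("Tainted")
    if any(c in ADDED_AFTER_START for c in conditions):
        modifiers.append("Configuration Change")
    return Detection(category, conditions, modifiers, tainted_by)


def format_detection(d: Detection) -> str:
    """Render like the Detection Type column, e.g. 'Enrichment (Configuration Change, Tainted)'."""
    return f"{d.category} ({', '.join(sorted(d.modifiers))})" if d.modifiers else d.category


# Constructed process tree loosely mirroring steps 1.A.1 and 2.A/2.D/2.F/2.G of this page.
SAMPLE_EVENTS = [
    ProcessEvent(100, "Resume Viewer.exe", '"Resume Viewer.exe"'),
    ProcessEvent(101, "cmd.exe", "cmd.exe /c pdfhelper.cmd", ppid=100, alerts=["Script File Created"]),
    ProcessEvent(102, "cmd.exe", "cmd.exe", ppid=101),
    ProcessEvent(103, "ipconfig.exe", "ipconfig /all", ppid=102),
    ProcessEvent(104, "arp.exe", "arp -a", ppid=102),
    ProcessEvent(105, "sc.exe", "sc query", ppid=102),
    ProcessEvent(106, "net.exe", "net localgroup administrators /domain", ppid=102),
    ProcessEvent(107, "net.exe", "net user /domain", ppid=102),
    ProcessEvent(200, "explorer.exe", "explorer.exe"),           # clean tree, no parent alert
    ProcessEvent(201, "cmd.exe", "cmd.exe", ppid=200),
    ProcessEvent(202, "whoami.exe", "whoami /all /fo list", ppid=201),
]


def classify_all(events: List[ProcessEvent] = SAMPLE_EVENTS) -> Dict[int, Detection]:
    by_pid = {e.pid: e for e in events}
    return {e.pid: classify(e, by_pid) for e in events}


if __name__ == "__main__":
    results = classify_all()
    for e in SAMPLE_EVENTS:
        print(f"{e.pid:>4}  {e.cmdline:<40} -> {format_detection(results[e.pid])}")
```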
Step | Procedures | Technique | Detection Type | Detection Notes | Screenshots

Step 1.A.1
  Procedure: Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
  Technique: User Execution (T1204)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed that Resume Viewer.exe was executed. The telemetry was tainted by the parent Script File Created alert.
    Screenshots: Telemetry showing Resume Viewer.exe running (tainted by the parent Script File Created alert)
  Technique: Rundll32 (T1085)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed that cmd.exe created the rundll32.exe process that started update.dat. The telemetry was tainted by the parent Script File Created alert.
    Screenshots: Telemetry showing cmd.exe launched rundll32.exe (tainted by the Script File Created alert)
  Technique: Scripting (T1064)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed that Resume Viewer.exe created cmd.exe, which ran the script pdfhelper.cmd. The telemetry was tainted by the parent Script File Created alert.
    Screenshots: Telemetry showing cmd.exe running pdfhelper.cmd (tainted by the Script File Created alert)

Step 1.B.1
  Procedure: Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
  Technique: Registry Run Keys / Startup Folder (T1060)
    Detection Type: Telemetry
    Detection Notes: Telemetry showed that autoupdate.bat was created in the Startup folder.
    Screenshots: Telemetry showing autoupdate.bat created in Startup folder

Step 1.C.1
  Procedure: Cobalt Strike: C2 channel established
  Technique: Commonly Used Port (T1043)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure, though DNS requests were observed (no detection showed port 53 specifically).
  Technique: Data Encoding (T1132)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure, though the capability identified DNS queries (no detection showed data encoding specifically).
  Technique: Standard Application Layer Protocol (T1071)
    Detection Type: Telemetry
    Detection Notes: Telemetry showed that DNS requests to freegoogleadsenseinfo.com (C2 domain) were being performed out of svchost.exe on Nimda.
    Screenshots: Telemetry showing DNS queries to freegoogleadsenseinfo.com (C2 domain) from svchost.exe
Step 2.A.1
  Procedure: Cobalt Strike: 'ipconfig /all' via cmd
  Technique: System Network Configuration Discovery (T1016)
    Detection Type: Enrichment (Configuration Change, Tainted)
    Detection Notes: The capability showed cmd.exe executing ipconfig.exe with command-line arguments and enriched the command with the condition Ipconfig All Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details.
    Screenshots: Enrichment of ipconfig.exe with condition Ipconfig All Reconnaissance Command (tainted by the parent Script File Created alert)

Step 2.A.2
  Procedure: Cobalt Strike: 'arp -a' via cmd
  Technique: System Network Configuration Discovery (T1016)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed cmd.exe executing arp.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
    Screenshots: Telemetry showing arp.exe with command-line arguments (tainted by the parent Script File Created alert)

Step 2.B.1
  Procedure: Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
  Technique: System Owner / User Discovery (T1033)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
    Screenshots: Telemetry showing echo with command-line arguments (tainted by the parent Script File Created alert)

Step 2.C.1
  Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
  Technique: Process Discovery (T1057)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure.

Step 2.C.2
  Procedure: Cobalt Strike: 'tasklist /v' via cmd
  Technique: Process Discovery (T1057)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
    Screenshots: Telemetry showing tasklist.exe with command-line arguments (tainted by the parent Script File Created alert)

Step 2.D.1
  Procedure: Cobalt Strike: 'sc query' via cmd
  Technique: System Service Discovery (T1007)
    Detection Type: Enrichment (Configuration Change, Tainted)
    Detection Notes: The capability showed cmd.exe executing sc.exe with command-line arguments and enriched the command with the condition SC Query Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details.
    Screenshots: Enrichment of sc.exe with condition SC Query Reconnaissance Command (tainted by the parent Script File Created alert)

Step 2.D.2
  Procedure: Cobalt Strike: 'net start' via cmd
  Technique: System Service Discovery (T1007)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
    Screenshots: Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert)

Step 2.E.1
  Procedure: Cobalt Strike: 'systeminfo' via cmd
  Technique: System Information Discovery (T1082)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed cmd.exe executing systeminfo.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
    Screenshots: Telemetry showing systeminfo.exe (tainted by the parent Script File Created alert)

Step 2.E.2
  Procedure: Cobalt Strike: 'net config workstation' via cmd
  Technique: System Information Discovery (T1082)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
    Screenshots: Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert)

Step 2.F.1
  Procedure: Cobalt Strike: 'net localgroup administrators' via cmd
  Technique: Permission Groups Discovery (T1069)
    Detection Type: Enrichment (Tainted, Configuration Change)
    Detection Notes: The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details.
    Screenshots: Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)

Step 2.F.2
  Procedure: Cobalt Strike: 'net localgroup administrators /domain' via cmd
  Technique: Permission Groups Discovery (T1069)
    Detection Type: Enrichment (Tainted, Configuration Change)
    Detection Notes: The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details.
    Screenshots: Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)

Step 2.F.3
  Procedure: Cobalt Strike: 'net group "Domain Admins" /domain' via cmd
  Technique: Permission Groups Discovery (T1069)
    Detection Type: Enrichment (Configuration Change, Tainted)
    Detection Notes: The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details.
    Screenshots: Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)

Step 2.G.1
  Procedure: Cobalt Strike: 'net user /domain' via cmd
  Technique: Account Discovery (T1087)
    Detection Type: Enrichment (Tainted)
    Detection Notes: The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert.
    Screenshots: Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert)

Step 2.G.2
  Procedure: Cobalt Strike: 'net user george /domain' via cmd
  Technique: Account Discovery (T1087)
    Detection Type: Enrichment (Configuration Change, Tainted)
    Detection Notes: The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Reconnaissance Tool and Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. One condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details.
    Screenshots: Enrichment of net.exe with conditions Reconnaissance Tool and Net User Reconnaissance Command (tainted by the parent Script File Created alert)

Step 2.H.1
  Procedure: Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
  Technique: Query Registry (T1012)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
    Screenshots: Telemetry showing reg.exe with command-line arguments (tainted by the parent Script File Created alert)
Step 3.A.1
  Procedure: Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
  Technique: Access Token Manipulation (T1134)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure, though an alert was triggered due to svchost.exe creating the process powershell.exe.
    Screenshots:
      - Alert for PowerShell process creation (does not count as a detection)
      - Relationships view of alert showing svchost.exe spawning powershell.exe tree (including encoded PowerShell). Red dots indicate malicious behavior and orange indicate suspicious behavior (based on impact value) (does not count as a detection)
  Technique: Bypass User Account Control (T1088)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure, though an alert was triggered due to svchost.exe creating the process powershell.exe.
    Screenshots:
      - Alert for PowerShell process creation (does not count as a detection)
      - Relationships view of alert showing svchost.exe spawning powershell.exe tree (including encoded PowerShell). Red dots indicate malicious behavior and orange indicate suspicious behavior (based on impact value) (does not count as a detection)

Step 3.B.1
  Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
  Technique: Process Discovery (T1057)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure.

Step 3.C.1
  Procedure: Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
  Technique: Process Injection (T1055)
    Detection Type: Specific Behavior (Tainted)
    Detection Notes: A Specific Behavior alert was generated based on DLL injection for powershell.exe injecting into cmd.exe. The detection was labeled with Process Hijacking and Privilege Escalation and tainted by the parent "Powershell process created" alert. The vendor noted that all DLL injection conditions are labeled with Privilege Escalation. The vendor also noted that Privilege Escalation is one of ten "Capabilities" that are part of the taxonomy.
    Screenshots: Specific Behavior alert for DLL injection detection labeled with Process Hijacking and Privilege Escalation (tainted by the parent "Powershell process created" alert)
Step 4.A.1
  Procedure: Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
  Technique: Remote System Discovery (T1018)
    Detection Type: Enrichment (Configuration Change, Tainted)
    Detection Notes: The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net Group Reconnaissance Command. The enrichment was tainted by the parent "Powershell Execution Policy ByPass command ran" alert. At least one condition was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change.
    Screenshots: Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)

Step 4.A.2
  Procedure: Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
  Technique: Remote System Discovery (T1018)
    Detection Type: Enrichment (Configuration Change, Tainted)
    Detection Notes: The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net Group Reconnaissance Command. The enrichment was tainted by the parent "Powershell Execution Policy ByPass command ran" alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details.
    Screenshots: Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)

Step 4.B.1
  Procedure: Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
  Technique: System Network Configuration Discovery (T1016)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed cmd.exe executing netsh.exe with command-line arguments. The telemetry was tainted by the parent "Powershell Execution Policy ByPass command ran" alert.
    Screenshots: Telemetry showing netsh.exe with command-line arguments (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)

Step 4.C.1
  Procedure: Cobalt Strike: 'netstat -ano' via cmd
  Technique: System Network Connections Discovery (T1049)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed cmd.exe executing netstat.exe with command-line arguments. The telemetry was tainted by the parent "Powershell Execution Policy ByPass command ran" alert.
    Screenshots: Telemetry showing netstat.exe with command-line arguments (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)
Step 5.A.1
  Procedure: Cobalt Strike: Built-in Mimikatz credential dump capability executed
  Technique: Credential Dumping (T1003)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure, though a DDNA Scan alerted for svchost.exe and displayed details related to Project Injection. According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does.
    Screenshots:
      - Alert showing DDNA Scan for svchost.exe (does not count as a detection)
      - Alert showing DDNA Scan details for svchost.exe, including that it appears to inject code into another process (does not count as a detection)
      - Alert showing additional DDNA Scan details for svchost.exe, including that it appears to inject code into another process (does not count as a detection)
  Technique: Process Injection (T1055)
    Detection Type: General Behavior
    Detection Notes: A General Behavior alert was generated when a DDNA Scan alerted for svchost.exe. DDNA scan results showed that svchost.exe "appeared to inject code into another process." According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does.
    Screenshots:
      - General Behavior alert showing DDNA Scan for svchost.exe
      - General Behavior alert details on DDNA Scan for svchost.exe, including that it appears to inject code into another process
      - General Behavior alert additional details on DDNA Scan for svchost.exe, including that it appears to inject code into another process

Step 5.A.2
  Procedure: Cobalt Strike: Built-in hash dump capability executed
  Technique: Credential Dumping (T1003)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed a thread create within lsass.exe from svchost.exe, which could be indicative of credential dumping. The telemetry was tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts.
    Screenshots: Telemetry showing thread create to lsass.exe (tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts)
  Technique: Process Injection (T1055)
    Detection Type: Specific Behavior (Tainted)
    Detection Notes: A Specific Behavior alert was generated for process hijacking based on a thread create within lsass.exe from svchost.exe (tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts). The vendor noted that Privilege Escalation is one of ten "Capabilities" that are part of the taxonomy.
    Detection Type: General Behavior
    Detection Notes: A General Behavior alert was generated when a DDNA Scan alerted for svchost.exe. The DDNA scan results showed that svchost.exe "appeared to inject code into another process." According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does.
    Screenshots:
      - Specific Behavior alert showing process hijacking detection for lsass.exe thread create (tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts)
      - General Behavior alert showing DDNA Scan for svchost.exe
      - General Behavior alert details on DDNA Scan for svchost.exe, including that it appears to inject code into another process

Step 5.B.1
  Procedure: Cobalt Strike: Built-in token theft capability executed to change user context to George
  Technique: Access Token Manipulation (T1134)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure.
Step 6.A.1
  Procedure: Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
  Technique: Query Registry (T1012)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed cmd.exe executing reg.exe with command-line arguments. Telemetry also showed that two PIPEs were created as a result of reg.exe execution. The telemetry was tainted by the parent "Powershell process created" alert.
    Screenshots:
      - Telemetry showing reg.exe with command-line arguments (tainted by the parent "Powershell process created" alert)
      - Telemetry showing PIPEs created (tainted by the parent "Powershell process created" alert)

Step 6.B.1
  Procedure: Cobalt Strike: C2 channel modified
  Technique: Commonly Used Port (T1043)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed an outbound network connection from rundll32.exe to 192.168.0.4 (C2 server) over TCP port 80. The telemetry was tainted by the parent "Sponsor Process Established Network Connection" alert.
    Screenshots: Telemetry showing outbound traffic to 192.168.0.4 (C2 server) over TCP port 80 (tainted by the parent "Sponsor Process Established Network Connection" alert)
  Technique: Multiband Communication (T1026)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed C2 traffic over TCP port 80 as well as earlier traffic over DNS, which could indicate multiband communication. The HTTP telemetry over TCP port 80 was tainted by the parent "Sponsor Process Established Network Connection" alert.
    Screenshots:
      - Telemetry showing outbound traffic to 192.168.0.4 (C2 server) over TCP port 80 (tainted by the parent "Sponsor Process Established Network Connection" alert)
      - Telemetry showing DNS queries to freegoogleadsenseinfo.com (C2 domain) from svchost.exe
  Technique: Standard Application Layer Protocol (T1071)
    Detection Type: Telemetry
    Detection Notes: Telemetry showed an outbound HTTP request to www.freegoogleadsenseinfo.com (C2 domain).
    Screenshots: Telemetry showing outbound C2 traffic over HTTP to www.freegoogleadsense.info (C2 domain)

Step 6.C.1
  Procedure: Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
  Technique: Remote Desktop Protocol (T1076)
    Detection Type: Enrichment (Configuration Change, Tainted)
    Detection Notes: The capability showed cmd.exe creating an outbound TCP port 3389 (RDP) connection from Nimda and enriched the connection with the conditions Lateral Movement and Remote Share Access. The enrichment was tainted by the parent "Windows command prompt invoked" alert. At least one condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details.
    Detection Type: Telemetry
    Detection Notes: Telemetry also identified an inbound connection to Conficker over TCP port 3389.
    Screenshots:
      - Enrichment of outbound TCP port 3389 (RDP) connection with Lateral Movement and Remote Share Access (tainted by the parent "Windows command prompt invoked" alert)
      - Telemetry showing inbound TCP port 3389 connection to 10.0.0.5 (Conficker)
Step 7.A.1
  Procedure: Added user Jesse to Conficker (10.0.0.5) through RDP connection
  Technique: Create Account (T1136)
    Detection Type: Specific Behavior (Configuration Change)
    Detection Notes: A Specific Behavior alert named "New user account created" was generated based on the Registry change identifying that the new user Jesse was created. A child event of the alert indicated that the account had been added to the local admins group (but did not identify the account creation specifically). This alert was added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See the Configuration page for details.
    Screenshots:
      - Specific Behavior alert for "New user account created" and event showing account name was Jesse
      - Child event of Specific Behavior alert showing new account added to local admins group
  Technique: Graphical User Interface (T1061)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in). The telemetry was tainted by the parent "LSA Registry Key modified" alert.
    Screenshots: Telemetry showing mmc.exe process executing lusrmgr.msc (tainted by the parent "LSA Registry Key modified" alert)
  Technique: Account Discovery (T1087)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning lusrmgr.msc (Local Users and Groups snap-in), which displays local account information. The telemetry was tainted by the parent "LSA Registry Key modified" alert.
    Screenshots: Telemetry showing mmc.exe running lusrmgr.msc (tainted by the parent "LSA Registry Key modified" alert)

Step 7.B.1
  Procedure: Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
  Technique: Remote File Copy (T1105)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed creation of updater.dll. The telemetry was tainted by the parent "Powershell process created" alert.
    Screenshots: Telemetry showing creation of updater.dll (tainted by the parent "Powershell process created" alert)

Step 7.C.1
  Procedure: Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
  Technique: Scheduled Task (T1053)
    Detection Type: Specific Behavior
    Detection Notes: A Specific Behavior alert called "Schtasks with create command" was generated due to a schtasks.exe process create from cmd.exe.
    Detection Type: Telemetry
    Detection Notes: Telemetry within the Schtasks alert showed a process creation of schtasks.exe from cmd.exe and would also be available in a separate view; for this alert, the underlying telemetry is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
    Screenshots: Specific Behavior alert on "Schtasks with create command" for schtasks.exe run from cmd.exe
Step 8.A.1
  Procedure: Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
  Technique: File and Directory Discovery (T1083)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed that svchost.exe created cmd.exe, which executed dir. The telemetry was tainted by the parent "Powershell process created" alert.
    Screenshots: Telemetry showing dir with command-line arguments (tainted by the parent "Powershell process created" alert)

Step 8.A.2
  Procedure: Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
  Technique: File and Directory Discovery (T1083)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed that svchost.exe created cmd.exe, which executed tree with command-line arguments. The telemetry was tainted by the parent "Powershell process created" alert.
    Screenshots: Telemetry showing tree with command-line arguments (tainted by the parent "Powershell process created" alert)

Step 8.B.1
  Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
  Technique: Process Discovery (T1057)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure.

Step 8.C.1
  Procedure: Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
  Technique: Input Capture (T1056)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure, though telemetry showed a remote thread being created from cmd.exe in explorer.exe. The vendor noted that if a user determined the process creation was suspicious, the user could manually kick off a DDNA scan from the Command-Line Interface (CLI) view by using the Process ID (PID).
    Screenshots:
      - Telemetry showing remote thread being created into explorer.exe (does not count as a detection)
      - Command-Line Interface view for host Nimda kicking off DDNA Scan for PID 11252 (does not count as a detection)
      - DDNA JSON output from PID 11252 showing process capabilities (does not count as a detection)
  Technique: Application Window Discovery (T1010)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure.

Step 8.D.1
  Procedure: Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
  Technique: Screen Capture (T1113)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure, though telemetry showed a remote thread being created from cmd.exe into explorer.exe. The vendor also noted that if a user determined the process creation was suspicious, the user could manually kick off a DDNA scan. DDNA results on this process reported "This module may capture screen shots," indicating the module has the capability to perform this.
    Screenshots:
      - Telemetry showing remote thread being created into explorer.exe (does not count as a detection)
      - DDNA JSON output showing the process had the capability to capture screen shots (does not count as a detection; DDNA scan was manually initiated)
  Technique: Process Injection (T1055)
    Detection Type: Telemetry
    Detection Notes: Telemetry showed a remote thread being created from cmd.exe into explorer.exe, which could be indicative of process injection.
    Screenshots: Telemetry showing remote thread being created into explorer.exe
Step 9.A.1
  Procedure: Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
  Technique: File and Directory Discovery (T1083)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure.

Step 9.B.1
  Procedure: Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
  Technique: Data from Network Shared Drive (T1039)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure.
  Technique: Exfiltration Over Command and Control Channel (T1041)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure.
Step 10.A.1
  Procedure: Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
  Technique: Registry Run Keys / Startup Folder (T1060)
    Detection Type: Telemetry
    Detection Notes: Telemetry showed cmd.exe starting rundll32.exe, which started update.dat, as well as cmd.exe executing autoupdate.bat from the Startup folder.
    Screenshots:
      - Telemetry showing cmd.exe starting rundll32.exe
      - Telemetry showing explorer.exe creating cmd.exe and executing the .bat file from the Startup folder

Step 10.A.2
  Procedure: Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
  Technique: Scheduled Task (T1053)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed svchost.exe executing rundll32.exe, which executed updater.dll. The telemetry was tainted by the parent "Sponsor process started V2" alert.
    Screenshots: Telemetry showing svchost.exe executing rundll32.exe (tainted by the parent "Sponsor process started V2" alert)

Step 10.B.1
  Procedure: RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
  Technique: Remote Desktop Protocol (T1076)
    Detection Type: Enrichment (Configuration Change, Tainted)
    Detection Notes: The capability enriched a TCP port 3389 (RDP) connection to 10.0.0.5 (Conficker) with the conditions Lateral Movement and Remote Share Access. One connection event was tainted by the parent "Windows command prompt invoked" alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details.
    Screenshots: Enrichment of TCP port 3389 (RDP) connection to 10.0.0.5 (Conficker) with conditions Lateral Movement and Remote Share Access (tainted by the parent "Windows command prompt invoked" alert)
  Technique: Valid Accounts (T1078)
    Detection Type: Telemetry
    Detection Notes: Telemetry showed that the explorer.exe process was running as the user Jesse, indicating the account exists.
    Screenshots: Telemetry showing explorer.exe running as Jesse
Step 11.A.1
  Procedure: Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
  Technique: Scripting (T1064)
    Detection Type: Telemetry (Tainted)
    Detection Notes: Telemetry showed wscript.exe executing autoupdate.vbs and that wscript.exe created a powershell.exe process, including the encoded command-line arguments (tainted by the parent Script File Created alert). The vendor modified configurations between scenarios one and two, but MITRE assesses the change did not significantly affect results for this detection. See the Configuration page for details.
    Screenshots:
      - Telemetry showing script execution (tainted by the parent Script File Created alert)
      - Telemetry showing powershell.exe creation from wscript.exe (tainted by the parent Script File Created alert)

Step 11.B.1
  Procedure: Empire: C2 channel established
  Technique: Commonly Used Port (T1043)
    Detection Type: Telemetry
    Detection Notes: Telemetry showed powershell.exe creating an outbound connection to 192.168.0.5 (C2 server) over TCP port 443. The vendor modified configurations between scenarios one and two, but MITRE assesses the change did not significantly affect results for this detection. See the Configuration page for details.
    Screenshots: Telemetry showing powershell.exe making a network connection over TCP port 443
  Technique: Standard Application Layer Protocol (T1071)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection over TCP port 443 (no protocol was identified for this traffic). The vendor modified configurations between scenarios one and two, but MITRE assesses the change did not significantly affect results for this detection. See the Configuration page for details.
    Screenshots: Telemetry showing powershell.exe making a network connection over TCP port 443 (does not count as a detection)
  Technique: Standard Cryptographic Protocol (T1032)
    Detection Type: None
    Detection Notes: No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection over TCP port 443 (no protocol was identified for this traffic). The vendor modified configurations between scenarios one and two, but MITRE assesses the change did not significantly affect results for this detection. See the Configuration page for details.
    Screenshots: Telemetry showing powershell.exe making a network connection over TCP port 443 (does not count as a detection)
12.A.1
Empire: 'route print' via PowerShell
System Network Configuration Discovery
(T1016)
Enrichment (Tainted)
  
 
The capability showed powershell.exe executing route.exe with command-line arguments and enriched the command with the conditions Reconnaissance Tool and Route Spawned with Reconnaissance. The enrichment was tainted by the parent Script File Created alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Enrichment of route.exe with conditions Reconnaissance Tool and Route Spawned with Reconnaissance (tainted by the parent Script File Created alert)
12.A.2
Empire: 'ipconfig /all' via PowerShell
System Network Configuration Discovery
(T1016)
Enrichment (Configuration Change, Tainted)
  
  
The capability showed powershell.exe executing ipconfig.exe with command-line arguments and enriched the command with the condition Ipconfig All Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
Enrichment of ipconfig.exe with condition Ipconfig All Reconnaissance Command (tainted by parent Script File Created alert)
12.B.1
Empire: 'whoami /all /fo list' via PowerShell
System Owner / User Discovery
(T1033)
Enrichment (Configuration Change, Tainted)
  
  
The capability showed powershell.exe executing whoami.exe with command-line arguments and enriched the command with the condition Whoami Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
Enrichment of whoami.exe with condition Whoami Reconnaissance Command (tainted by parent Script File Created alert)
12.C.1
Empire: 'qprocess *' via PowerShell
Process Discovery
(T1057)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing qprocess.exe with command-line arguments (tainted by parent Script File Created alert)
12.D.1
Empire: 'net start' via PowerShell
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing net.exe with command-line arguments (tainted by parent Script File Created alert)
12.E.1
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Scripting
(T1064)
Telemetry
  
Telemetry showed powershell.exe connecting to the domain controller 10.0.0.4 (Creeper), which coincided with the execution of WinEnum. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing powershell.exe execution and connection to the domain controller 10.0.0.4 (Creeper)
12.E.1.1
Empire: WinEnum module included enumeration of user information
System Owner / User Discovery
(T1033)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.E.1.2
Empire: WinEnum module included enumeration of AD group memberships
Permission Groups Discovery
(T1069)
None
  
No detection capability demonstrated for this procedure, though telemetry showed powershell.exe connecting to the domain controller. This could indicate AD group information was being obtained, but this was not directly detected. The vendor indicated the capability sees the start of a PowerShell connection, but would not see additional commands after that start. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing powershell.exe execution and connection to the domain controller 10.0.0.4 (Creeper) (does not count as a detection)
12.E.1.3
Empire: WinEnum module included enumeration of password policy information
Password Policy Discovery
(T1201)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.E.1.4.1
Empire: WinEnum module included enumeration of recently opened files
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.E.1.4.2
Empire: WinEnum module included enumeration of interesting files
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.E.1.5
Empire: WinEnum module included enumeration of clipboard contents
Clipboard Data
(T1115)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.E.1.6.1
Empire: WinEnum module included enumeration of system information
System Information Discovery
(T1082)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.E.1.6.2
Empire: WinEnum module included enumeration of Windows update information
System Information Discovery
(T1082)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.E.1.7
Empire: WinEnum module included enumeration of system information via a Registry query
Query Registry
(T1012)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.E.1.8
Empire: WinEnum module included enumeration of services
System Service Discovery
(T1007)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.E.1.9.1
Empire: WinEnum module included enumeration of available shares
Network Share Discovery
(T1135)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.E.1.9.2
Empire: WinEnum module included enumeration of mapped network drives
Network Share Discovery
(T1135)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.E.1.10.1
Empire: WinEnum module included enumeration of AV solutions
Security Software Discovery
(T1063)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.E.1.10.2
Empire: WinEnum module included enumeration of firewall rules
Security Software Discovery
(T1063)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.E.1.11
Empire: WinEnum module included enumeration of network adapters
System Network Configuration Discovery
(T1016)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.E.1.12
Empire: WinEnum module included enumeration of established network connections
System Network Connections Discovery
(T1049)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
12.F.1
Empire: 'net group "Domain Admins" /domain' via PowerShell
Permission Groups Discovery
(T1069)
Enrichment (Configuration Change, Tainted)
  
  
The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Domain Admins Reconnaissance Command and Net Group Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
Enrichment of net.exe with conditions Net Domain Admins Reconnaissance Command and Net Group Reconnaissance Command (tainted by the parent Script File Created alert)
12.F.2
Empire: 'net localgroup administrators' via PowerShell
Permission Groups Discovery
(T1069)
Enrichment (Configuration Change, Tainted)
  
  
The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)
12.G.1
Empire: 'net user' via PowerShell
Account Discovery
(T1087)
Enrichment (Tainted)
  
 
The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert)
12.G.2
Empire: 'net user /domain' via PowerShell
Account Discovery
(T1087)
Enrichment (Tainted)
  
 
The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert)
13.A.1
Empire: 'net group "Domain Computers" /domain' via PowerShell
Remote System Discovery
(T1018)
Enrichment (Configuration Change, Tainted)
  
  
The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent Script File Created alert)
13.B.1
Empire: 'net use' via PowerShell
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
  
 
Telemetry showed execution of net.exe with command-line arguments (tainted by the parent Script File Created alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert)
13.B.2
Empire: 'netstat -ano' via PowerShell
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
  
 
Telemetry showed execution of netstat.exe with command-line arguments (tainted by the parent Script File Created alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing netstat.exe with command-line arguments (tainted by the parent Script File Created alert)
13.C.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry (Tainted)
  
 
Telemetry showed execution of reg.exe with command-line arguments (tainted by the parent Script File Created alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing reg.exe with command-line arguments (tainted by the parent Script File Created alert)
14.A.1
Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)
Bypass User Account Control
(T1088)
None
  
No detection capability demonstrated for this procedure, though an alert called "PowerShell executed encoded commands" triggered due to svchost.exe creating powershell.exe with the -enc command-line argument. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Alert for encoded PowerShell (does not count as a detection)
Commonly Used Port
(T1043)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass (tainted by the parent "Powershell executed encoded commands" alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing port 8080 HTTP GET request to C2 domain for file wdbypass (tainted by the parent "Powershell executed encoded commands" alert)
Remote File Copy
(T1105)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass (tainted by the parent "Powershell executed encoded commands" alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing port 8080 HTTP GET request to C2 domain for file wdbypass (tainted by the parent "Powershell executed encoded commands" alert)
Standard Application Layer Protocol
(T1071)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass (tainted by the parent "Powershell executed encoded commands" alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing port 8080 HTTP GET request to C2 domain for file wdbypass (tainted by the parent "Powershell executed encoded commands" alert)
15.A.1
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Application Window Discovery
(T1010)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Input Capture
(T1056)
None
  
No detection capability demonstrated for this procedure. The vendor noted the capability can create a new condition that would track all actions on a certain file of interest. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
15.B.1
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Credentials in Files
(T1081)
None
  
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
16.A.1
Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
Brute Force
(T1110)
Enrichment (Tainted)
  
 
The capability enriched each individual net.exe logon attempt with the condition "Net User Reconnaissance Command". The enrichment was tainted by the parent "Powershell executed remote commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert)
Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert)
Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Bob (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert)
Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Frieda (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert)
Windows Admin Shares
(T1077)
Enrichment (Tainted)
  
 
The capability enriched individual net.exe logon attempts targeting ADMIN$ with the condition "Net User Reconnaissance Command". The enrichment was tainted by the parent "Powershell executed remote commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert)
Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert)
Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Bob (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert)
Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Frieda (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert)
16.B.1
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Windows Admin Shares
(T1077)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe with command-line arguments targeting ADMIN$ using valid credentials for user Kmitnick. Telemetry also showed explorer.exe (as the user Bob) writing a PIPE on Conficker, which could indicate to an analyst that the share had been successfully mounted (tainted by the parent "FileExts Registry Key modified" alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert)
Telemetry showing explorer.exe writing \\conficker\PIPE\srvsvc (tainted by the parent "FileExts Registry Key modified" alert)
Valid Accounts
(T1078)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick. The telemetry was tainted by the parent "Powershell executed remote commands" alert. Telemetry also showed explorer.exe (as the user Bob) writing a PIPE on Conficker, which could indicate to an analyst that the share had been successfully mounted. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert)
Telemetry showing explorer.exe writing \\conficker\PIPE\srvsvc (tainted by the parent "FileExts Registry Key modified" alert)
Brute Force
(T1110)
Enrichment (Tainted)
  
 
The capability enriched a net.exe logon attempt targeting ADMIN$ with the condition "Net User Reconnaissance Command". The enrichment was tainted by the parent "Powershell executed remote commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry (Tainted)
  
 
Telemetry also showed explorer.exe (as the user Bob) writing a PIPE on Conficker, which could indicate to an analyst that the share had been successfully mounted (tainted by the parent "FileExts Registry Key modified" alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with the account Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed remote commands" alert)
Telemetry showing explorer.exe writing \\conficker\PIPE\srvsvc (tainted by the parent "FileExts Registry Key modified" alert)
16.C.1
Empire: 'net use /delete' via PowerShell
Network Share Connection Removal
(T1126)
Telemetry (Tainted)
  
 
Telemetry showed net.exe executing with command-line arguments (tainted by the parent "Powershell executed remote commands" alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing net.exe and command-line arguments (tainted by the parent "Powershell executed remote commands" alert)
16.D.1
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert)
Valid Accounts
(T1078)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert)
16.E.1
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Remote File Copy
(T1105)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe creating autoupdate.vbs (tainted by the parent "Powershell executed remote commands" alerts). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing powershell.exe creating autoupdate.vbs (tainted by parent "Powershell executed remote commands" alerts)
16.F.1
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Command-Line Interface
(T1059)
Telemetry (Tainted)
  
 
Telemetry showed svchost.exe creating cmd.exe, which ran autoupdate.vbs as user Kmitnick (tainted by the parent "Powershell executed remote commands" alert). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing svchost.exe creating cmd.exe and executing autoupdate.vbs as user Kmitnick
Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick (tainted by the parent "Powershell executed remote commands" alert)
Telemetry showing wscript.exe executing autoupdate.vbs and the resulting powershell.exe (tainted by the parent "Powershell executed remote commands" alert)
16.G.1
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Remote File Copy
(T1105)
Enrichment (Configuration Change, Tainted)
  
  
The capability enriched the update.vbs creation event with the condition "File created on hidden share (C$)". The enrichment was tainted by parent "Powershell executed remote commands" alerts. The condition contributing to enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
Enrichment of powershell.exe creating update.vbs (tainted by parent "Powershell executed remote commands" alerts)
16.H.1
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Enrichment (Configuration Change, Tainted)
  
  
The capability showed powershell.exe executing sc.exe to remotely query services on Creeper and enriched sc.exe with the condition SC Query Reconnaissance Command. The enrichment was tainted by the parent "Powershell executed remote commands" alert. The capability was modified after the start of the evaluation to allow the condition contributing to Enrichment to appear, so the detection is identified as a configuration change. See Configuration page for details.
Enrichment showing powershell.exe executing sc.exe to query services on Creeper (enriched with condition SC Query Reconnaissance Command, tainted by the parent "Powershell executed remote commands" alert)
16.I.1
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
New Service
(T1050)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing sc.exe to create a new service named AdobeUpdater with a binPath pointing to cmd.exe with arguments to run update.vbs, and with a suspicious service description. The telemetry was tainted by the parent "Powershell executed remote commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Specific Behavior (Configuration Change)
  
 
An alert called "Windows Service Registry Key modified" and a Specific Behavior alert called "New Windows service created" were generated due to the AdobeUpdater service being created in the Registry. The capability may have been modified after the start of the evaluation to create these alerts, so the detection is identified as a configuration change. See Configuration page for details.
Telemetry showing powershell.exe executing sc.exe to create the AdobeUpdater service on Creeper and set its description (tainted by the parent "Powershell executed remote commands" alert)
Specific Behavior alert for "New Windows service created" and additional alert for "Windows Service Registry Key modified"
Masquerading
(T1036)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing sc.exe to create a new service named AdobeUpdater with a binPath pointing to cmd.exe with arguments to run update.vbs, and with a suspicious service description, which could assist an analyst in determining this was not a legitimate Adobe product. The telemetry was tainted by the parent "Powershell executed remote commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing powershell.exe executing sc.exe to create the AdobeUpdater service on Creeper and set its description (tainted by the parent "Powershell executed remote commands" alert)
16.J.1
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Enrichment (Configuration Change, Tainted)
  
  
The capability showed powershell.exe executing sc.exe to query the AdobeUpdater service on Creeper and enriched sc.exe with the condition SC QC Reconnaissance Command. The enrichment was tainted by the parent "Powershell executed remote commands" alert. The capability was modified after the start of the evaluation to allow the condition contributing to Enrichment to appear, so the detection is identified as a configuration change. See Configuration page for details.
Enrichment showing powershell.exe executing sc.exe query AdobeUpdater service on Creeper (enriched with condition SC QC Reconnaissance Command, tainted by the parent "Powershell executed remote commands" alert)
16.K.1
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
16.L.1
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Service Execution
(T1035)
Telemetry (Tainted)
Telemetry showed powershell.exe executing sc.exe to start the AdobeUpdater service on Creeper. The telemetry was tainted by the parent "Powershell executed remote commands" alert. Telemetry from Creeper also showed services.exe creating cmd.exe, which executed the update.vbs file (showing AdobeUpdater service starting). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing powershell.exe executing sc.exe start AdobeUpdater service on Creeper (tainted by the parent "Powershell executed remote commands" alert)
Telemetry showing AdobeUpdater service starting on Creeper (tainted by the parent "New Windows service created" alert)
17.A.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg.exe with command-line arguments indicating a check to see if terminal services was enabled. The telemetry was tainted by the parent "New Windows service created" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing powershell.exe executing reg.exe (tainted by the parent "New Windows service created" alert)
Query Registry
(T1012)
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg.exe with command-line arguments. The telemetry was tainted by the parent "New Windows service created" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing powershell.exe executing reg.exe (tainted by the parent "New Windows service created" alert)
17.B.1
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
File Permissions Modification
(T1222)
Telemetry (Tainted)
Telemetry showed powershell.exe executing takeown.exe to take ownership of magnify.exe. The telemetry was tainted by the parent "New Windows service created" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing powershell.exe executing takeown.exe (tainted by the parent "New Windows service created" alert)
17.B.2
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
File Permissions Modification
(T1222)
Telemetry (Tainted)
Telemetry showed powershell.exe running icacls.exe to modify magnify.exe access controls. The telemetry was tainted by the parent "New Windows service created" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing powershell.exe executing icacls.exe (tainted by the parent "New Windows service created" alert)
17.C.1
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Accessibility Features
(T1015)
Enrichment (Configuration Change, Tainted)
The capability enriched powershell.exe creating and writing magnify.exe to the system directory with the condition "Creation of Sticky Keys File." The enrichment was tainted by parent "New Windows service created" alerts. The condition contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
Telemetry (Tainted)
Telemetry also showed a different view of the event with powershell.exe copying cmd.exe as magnify.exe in the system directory. The telemetry was tainted by parent "New Windows service created" alerts. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Enrichment showing powershell.exe creating and writing magnify.exe (enriched with condition "Creation of Sticky Keys File", tainted by the parent "New Windows service created" alert)
Telemetry showing copy of cmd.exe to magnify.exe in the system directory (tainted by the parent "New Windows service created" alert)
18.A.1
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
18.B.1
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Data Staged
(T1074)
Telemetry (Tainted)
Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker to the Recycle Bin. The telemetry was tainted by the parent "Powershell executed encoded commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing PowerShell copying .vsdx file from network share to Recycle Bin (tainted by the parent "Powershell executed encoded commands" alert)
Data from Network Shared Drive
(T1039)
Telemetry (Tainted)
Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker to the Recycle Bin. The telemetry was tainted by the parent "Powershell executed encoded commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing PowerShell copying .vsdx file from network share to Recycle Bin (tainted by the parent "Powershell executed encoded commands" alert)
19.A.1
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Masquerading
(T1036)
None
No detection capability demonstrated for this procedure, though telemetry later identified recycler.exe as WinRAR during execution (no detections identified it as WinRAR upon file copy). Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Remote File Copy
(T1105)
General Behavior (Configuration Change)
A General Behavior alert called "Policy Dropper Behavior" was generated based on three events occurring in the same parent process within a set time frame: a network connection (TCP outbound to 192.168.0.5 over 443), followed by an executable file create (powershell.exe creating recycler.exe), followed by a process spawning from that executable (powershell.exe creating the recycler.exe process). The capability may have been modified after the start of the evaluation to create this alert, so the detection is identified as a configuration change. See Configuration page for details.
Telemetry (Tainted)
Telemetry showed powershell.exe creating recycler.exe. The telemetry was tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
General Behavior alert for "Policy Dropper Behavior" based on three correlated events
Telemetry showing creation of recycler.exe (tainted by "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts) and powershell.exe behavior contributing to "Policy Dropper Behavior" alert
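The "Policy Dropper Behavior" alert above is a three-event correlation: a network connection, then an executable written to disk, then a process spawned from that file, all attributed to one parent process inside a time window. The following is an added illustration of that kind of rule, written for this page and not CounterTack's own logic; the event schema, the field names, the 60-second window and the sample telemetry (modelled on the recycler.exe sequence the notes describe) are all constructed assumptions.

```python
"""Dropper-behaviour correlation: net_connect -> executable file_create ->
process_create of that file, same parent pid, inside a time window.
Added example; schema, field names and window are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(seconds=60)           # assumed; the page only says "a set time frame"
EXE_SUFFIXES = (".exe", ".dll", ".scr")  # assumed set of "executable" extensions


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str     # "net_connect" | "file_create" | "process_create"
    pid: int      # the process that performed the action (the parent in the chain)
    detail: str   # remote endpoint, created file path, or spawned image path


def detect_dropper(events) -> Optional[tuple]:
    """Return (pid, net_event, file_event, spawn_event) for the first chain
    found, or None. Events are grouped by pid and scanned in time order."""
    by_pid = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid.setdefault(ev.pid, []).append(ev)

    for pid, evs in by_pid.items():
        for i, net in enumerate(evs):
            if net.kind != "net_connect":
                continue
            # look for an executable create after the connection, inside the window
            for j in range(i + 1, len(evs)):
                fc = evs[j]
                if fc.ts - net.ts > WINDOW:
                    break
                if fc.kind != "file_create" or not fc.detail.lower().endswith(EXE_SUFFIXES):
                    continue
                # then a spawn of exactly that file, still inside the window
                for k in range(j + 1, len(evs)):
                    sp = evs[k]
                    if sp.ts - net.ts > WINDOW:
                        break
                    if sp.kind == "process_create" and sp.detail.lower() == fc.detail.lower():
                        return (pid, net, fc, sp)
    return None


T0 = datetime(2019, 1, 1, 12, 0, 0)

# Constructed sample telemetry mirroring the sequence in the notes above.
SAMPLE_EVENTS = [
    Event(T0, "net_connect", 4242, "tcp://192.168.0.5:443"),
    Event(T0 + timedelta(seconds=1), "net_connect", 5150, "tcp://10.0.0.4:445"),  # unrelated pid
    Event(T0 + timedelta(seconds=2), "file_create", 4242, r"C:\$Recycle.Bin\ftp.txt"),  # not executable
    Event(T0 + timedelta(seconds=5), "file_create", 4242, r"C:\$Recycle.Bin\recycler.exe"),
    Event(T0 + timedelta(seconds=9), "process_create", 4242, r"C:\$Recycle.Bin\recycler.exe"),
]

# Constructed negative case: same three kinds, but the spawn is outside the window.
NOISE_EVENTS = [
    Event(T0, "net_connect", 7, "tcp://192.168.0.5:443"),
    Event(T0 + timedelta(seconds=5), "file_create", 7, r"C:\tmp\a.exe"),
    Event(T0 + timedelta(minutes=5), "process_create", 7, r"C:\tmp\a.exe"),
]


def describe(hit) -> str:
    """Render a hit as a one-line alert string."""
    pid, net, fc, sp = hit
    return (f"Policy Dropper Behavior: pid {pid} connected to {net.detail}, "
            f"wrote {fc.detail}, then spawned it ({(sp.ts - net.ts).seconds}s span)")


if __name__ == "__main__":
    hit = detect_dropper(SAMPLE_EVENTS)
    print(describe(hit) if hit else "no dropper chain")
    print("noise:", detect_dropper(NOISE_EVENTS))
```

The chain is anchored on the parent pid rather than on the file name, which is what lets the rule fire on a dropper named recycler.exe or anything else; the price is that a benign updater doing download, write, spawn under one process looks the same, so the window and the executable-extension filter are the knobs that trade coverage against noise.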
19.B.1
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Data Compressed
(T1002)
Enrichment (Configuration Change, Tainted)
The capability showed recycler.exe creating old.rar in the Recycle Bin and enriched the data with "Data Exfiltration Archiving" due to the archive file being created. The enrichment was tainted by parent "Powershell executed encoded command" alerts. The conditions contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
Telemetry (Tainted)
Telemetry showed powershell.exe creating recycler.exe and executing the command-line arguments including the -hp flag indicating WinRAR utility execution with compression and encryption. The telemetry was tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Enrichment showing recycler.exe creating old.rar (enriched with "Data Exfiltration Archiving", tainted by parent "Powershell executed encoded command" alerts)
Telemetry showing recycler.exe with full command-line (tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts)
Data Encrypted
(T1022)
Enrichment (Configuration Change, Tainted)
The capability showed recycler.exe creating old.rar in the Recycle Bin and enriched the data with "Data Exfiltration Archiving" due to the archive file being created. The enrichment was tainted by parent "Powershell executed encoded command" alerts. The conditions contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
Telemetry (Tainted)
Telemetry showed powershell.exe creating recycler.exe and executing the command-line arguments including the -hp flag indicating WinRAR utility execution with compression and encryption. The telemetry was tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Enrichment showing recycler.exe creating old.rar (enriched with "Data Exfiltration Archiving", tainted by parent "Powershell executed encoded command" alerts)
Telemetry showing recycler.exe with full command-line (tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts)
Masquerading
(T1036)
Enrichment (Configuration Change, Tainted)
The capability showed recycler.exe creating old.rar in the Recycle Bin and enriched the data with "Data Exfiltration Archiving" due to the archive file being created. The enrichment was tainted by parent "Powershell executed encoded command" alerts. The conditions contributing to Enrichment may have been added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
Telemetry (Tainted)
Telemetry showed powershell.exe creating recycler.exe and executing the command-line arguments including the -hp flag indicating WinRAR utility execution with compression and encryption. The telemetry was tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Enrichment showing recycler.exe creating old.rar (enriched with "Data Exfiltration Archiving", tainted by parent "Powershell executed encoded command" alerts)
Telemetry showing recycler.exe with full command-line (tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts)
19.C.1
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel
Exfiltration Over Alternative Protocol
(T1048)
Telemetry (Tainted)
Telemetry showed powershell.exe executing ftp.exe with ftp.txt as an argument as well as an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21. The telemetry was tainted by the parent "Powershell executed encoded commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing powershell.exe executing ftp.exe (tainted by the parent "Powershell executed encoded commands" alert)
Telemetry showing outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21 (tainted by the parent "PowerShell executed encoded commands" alert)
19.D.1
Empire: 'del C:\"$"Recycle.bin\old.rar'
File Deletion
(T1107)
Telemetry (Tainted)
Telemetry showed powershell.exe deleting old.rar from the Recycle Bin. The telemetry was tainted by the parent "PowerShell executed encoded commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing powershell.exe deleting old.rar (tainted by the parent "PowerShell executed encoded commands" alert)
19.D.2
Empire: 'del recycler.exe'
File Deletion
(T1107)
Telemetry (Tainted)
Telemetry showed powershell.exe deleting recycler.exe. The telemetry was tainted by the parent "PowerShell executed encoded commands" alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing powershell.exe deleting recycler.exe (tainted by the parent "PowerShell executed encoded commands" alert)
20.A.1
magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
Accessibility Features
(T1015)
Telemetry (Tainted)
Telemetry showed magnify.exe executing from parent process utilman.exe (PID 3996). The telemetry was tainted by the parent POS Interactive Login Event alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing magnify.exe (tainted by the parent POS Interactive Login Event alert)
Remote Desktop Protocol
(T1076)
Telemetry
Telemetry showed an inbound connection to Creeper (10.0.0.4) on port 3389. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing connection to Creeper (10.0.0.4) on port 3389
20.B.1
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
System Owner / User Discovery
(T1033)
Telemetry (Tainted)
Telemetry showed magnify.exe executing whoami.exe. The telemetry was tainted by the parent POS Interactive Login Event alert. Vendor modified configurations between scenario one and two, but MITRE assesses the change did not significantly affect results for this detection. See Configuration page for details.
Telemetry showing magnify.exe executing whoami.exe (tainted by the parent POS Interactive Login Event alert)
Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

Step 1: Initial Compromise

1.A.1 Execution

User Execution, Rundll32, Scripting

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port, Data Encoding, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig /all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner / User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist /v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators /domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user /domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george /domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Defense Evasion, Privilege Escalation

Access Token Manipulation, Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Defense Evasion, Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.2 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in hash dump capability executed

5.B.1 Defense Evasion, Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port, Multiband Communication, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account, Graphical User Interface, Account Discovery

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.B.1 Command and Control, Lateral Movement

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection, Credential Access

Input Capture, Application Window Discovery

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.D.1 Collection

Screen Capture, Process Injection

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Collection

Data from Network Shared Drive, Exfiltration Over Command and Control Channel

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Lateral Movement

Remote Desktop Protocol, Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access

11.A.1 Defense Evasion, Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol

i. Empire: C2 channel established

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig /all' via PowerShell

12.B.1 Discovery

System Owner / User Discovery

i. Empire: 'whoami /all /fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Defense Evasion, Execution

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner / User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Collection

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" /domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" /domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Defense Evasion, Privilege Escalation

Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

i. Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)

Step 15: Credential Access

15.A.1 Discovery

Application Window Discovery, Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force, Windows Admin Shares

i. Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda

16.B.1 Lateral Movement

Windows Admin Shares, Valid Accounts, Brute Force

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use /delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares, Valid Accounts

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.E.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Persistence, Privilege Escalation

New Service, Masquerading

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery, Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.B.1 Defense Evasion

File Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Defense Evasion

File Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence, Privilege Escalation

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged, Data from Network Shared Drive

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration

19.A.1 Defense Evasion

Masquerading, Remote File Copy

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.B.1 Exfiltration

Data Compressed, Data Encrypted, Masquerading

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.C.1 Exfiltration

Exfiltration Over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence, Privilege Escalation

Accessibility Features, Remote Desktop Protocol

i. magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)

20.B.1 Discovery

System Owner / User Discovery

i. Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)