ATT&CK Evaluations: CrowdStrike Falcon (Endpoint Protection Standard Bundle: Prevent, Insight, OverWatch)
Tactic Results: Defense Evasion

Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.
Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment

Detection Modifiers: Tainted, Delayed, Configuration Change
Results are listed per technique: the procedure tested and its step in the operational flow, each detection type with its detection notes, and the supporting screenshots.
Scripting (T1064)

Procedure (Step 1.A.1): Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)
  General Behavior (Delayed): OverWatch generated a General Behavior alert indicating the execution of pdfhelper.cmd was suspicious. OverWatch is the managed threat hunting service.
  Telemetry: Telemetry showed pdfhelper.cmd being executed by cmd.exe.
  Screenshot: OverWatch General Behavior alert indicating pdfhelper.cmd execution was suspicious
  Screenshot: Telemetry showing pdfhelper.cmd execution

Procedure (Step 11.A.1): Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
  Specific Behavior: A Specific Behavior alert was generated indicating "A PowerShell script launched that shares characteristics with known PowerShell exploit kits."
  General Behavior (Delayed): A General Behavior alert was generated from OverWatch indicating wscript.exe executing launcher.vbs was suspicious. OverWatch is the managed threat hunting service.
  Telemetry: Telemetry within the OverWatch alert showed wscript.exe executing launcher.vbs, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
  Specific Behavior (Delayed): The OverWatch team also sent an email indicating a Specific Behavior was observed because a malicious script invoked by wscript was run by Bob on CodeRed and launched PowerShell. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Specific Behavior alert for PowerShell sharing characteristics with known exploit kits
  Screenshot: General Behavior alert from OverWatch indicating wscript.exe executing launcher.vbs was suspicious
  Screenshot: Email excerpt from the OverWatch team indicating a malicious script was run (Specific Behavior)

Procedure (Step 12.E.1): Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
  Telemetry: Telemetry showed the PowerShell script (.ps1) being written to the temp folder.
  Specific Behavior (Delayed): The OverWatch team generated a Specific Behavior alert indicating the PowerShell script was malicious. OverWatch is the managed threat hunting service.
  Specific Behavior (Delayed): The OverWatch team also sent an email indicating they identified a Specific Behavior for an unidentified PowerShell script running. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing the temp write of the ps1 script
  Screenshot: OverWatch Specific Behavior alert indicating the PowerShell script was malicious
  Screenshot: Email excerpt from the OverWatch team indicating they observed an unidentified PowerShell script running (Specific Behavior)
Rundll32 (T1085)

Procedure (Step 1.A.1): Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32
  Specific Behavior: A Specific Behavior alert was generated due to rundll32 launching a suspended process. The alert was mapped to the correct ATT&CK Technique (Rundll32) and Tactic (Defense Evasion).
  General Behavior (Delayed): OverWatch generated a General Behavior alert indicating rundll32 executing update.dat was suspicious. OverWatch is the managed threat hunting service.
  Telemetry: Telemetry within the OverWatch alert showed rundll32.exe executing, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
  Screenshot: Specific Behavior alert showing rundll32 execution (mapped to the correct ATT&CK Technique, Rundll32, and Tactic, Defense Evasion; the green arrow indicates injection)
  Screenshot: OverWatch General Behavior alert indicating rundll32 execution was suspicious
Access Token Manipulation (T1134)

Procedure (Step 3.A.1): Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
  None: No detection capability demonstrated for this procedure.

Procedure (Step 5.B.1): Cobalt Strike: Built-in token theft capability executed to change user context to George
  Telemetry: Telemetry showed the compromised process (21898821890) running as Debbie, then children from this process spawning first as Debbie and later as George. This could indicate theft of George's token within the context of the process.
  Screenshot: Telemetry showing children of the compromised process (PID 21898821890) first running as Debbie, then as George
Bypass User Account Control (T1088)

Procedure (Step 3.A.1): Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
  Telemetry: Telemetry showed an integrity level change for user Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High), which is indicative of bypassing UAC.
  Screenshot: Telemetry showing process integrity level change for Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High)

Procedure (Step 14.A.1): Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
  Telemetry: Telemetry showed an integrity level change through a query for powershell.exe processes of high integrity (12288/0x3000) that were created by medium integrity processes (8192/0x2000), which is indicative of bypassing UAC. Telemetry also showed the Invoke-BypassUACTokenManipulation function in the script.
  Specific Behavior (Delayed): The OverWatch team also sent an email indicating a Specific Behavior was observed because a base64 obfuscated PowerShell command was used to invoke UAC bypass. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing integrity level change through query for powershell.exe processes of high integrity (12288/0x3000) that were created by medium integrity processes (8192/0x2000)
  Screenshot: Telemetry showing the Invoke-BypassUACTokenManipulation function
  Screenshot: Email excerpt from the OverWatch team indicating obfuscated PowerShell invoked UAC bypass (Specific Behavior)
Process Injection (T1055)

Procedure (Step 3.C.1): Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
  Specific Behavior (Tainted): A Specific Behavior alert was generated showing that PowerShell created a thread into a remote process. The alert identified the correct ATT&CK Technique (Process Injection) and Tactic (Defense Evasion). The process tree view showed the alert as tainted by parent svchost.exe and powershell.exe detections.
  Telemetry: Telemetry associated with the alert would show thread creation in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
  General Behavior (Delayed, Tainted): OverWatch also generated a General Behavior alert identifying the injection as suspicious. The process tree view showed the alert as tainted by previous svchost.exe and powershell.exe detections. OverWatch is the managed threat hunting service.
  Screenshot: Specific Behavior Process Injection alert mapped to correct ATT&CK Technique (Process Injection) and Tactic (Defense Evasion) as well as OverWatch General Behavior alert identifying behavior as suspicious
  Screenshot: Telemetry showing process tree view of Process Injection Specific Behavior alert and OverWatch General Behavior alert tainted by parent detections (orange line indicates medium severity)

Procedure (Step 5.A.1): Cobalt Strike: Credential dump capability involved process injection into lsass
  Enrichment: The capability enriched several event types with descriptions, including for a remote process opening a handle to lsass and a DLL being reflectively loaded (ReflectiveDllOpenLsass), as well as an lsass process accessed (ProcessHollowingDetected).
  Screenshot: Enrichment showing ReflectiveDllOpenLsass and ProcessHollowingDetected events

Procedure (Step 5.A.2): Cobalt Strike: Hash dump capability involved process injection into lsass.exe
  Enrichment: The capability enriched several event types with descriptions, including for a remote process opening a handle to lsass and a DLL being reflectively loaded (ReflectiveDllOpenLsass), malicious process hollowing (ProcessHollowingDetected), and a remote process injecting code into lsass (LsassInjectedCode).
  Screenshot: Enrichment showing ReflectiveDllOpenLsass, ProcessHollowingDetected, and LsassInjectedCode events

Procedure (Step 8.D.1): Cobalt Strike: Screen capture capability involved process injection into explorer.exe
  Telemetry: Telemetry showed InjectedThread events for explorer.exe (pid=21776848613) injecting from cmd.exe (pid=21898821890), which is a known beacon.
  Screenshot: Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890)
Valid Accounts (T1078)

Procedure (Step 10.B.1): RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
  Telemetry: Telemetry showed a type 10 (interactive) UserLogon event for Jesse.
  Screenshot: Telemetry showing user logon by Jesse to Conficker

Procedure (Step 16.B.1): Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
  Telemetry (Tainted): Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick (following multiple failed net use attempts). The telemetry was tainted by a parent powershell.exe detection.
  General Behavior (Delayed, Tainted): OverWatch generated a General Behavior alert indicating the successful net use connection was suspicious. The alert was tainted by a parent powershell.exe detection. OverWatch is the managed threat hunting service.
  Screenshot: Telemetry from process tree showing successful net.exe connection using valid credentials of Kmitnick (tainted by previous powershell.exe detection, shown by a red line indicating high severity; the vendor noted the process tree view and severities change as detections occur)
  Screenshot: OverWatch General Behavior alert indicating successful net use connection by Kmitnick was suspicious (would be tainted by the previous powershell.exe detection, shown by an orange line indicating medium severity in the process tree view, which is not shown)

Procedure (Step 16.D.1): Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
  Telemetry (Tainted): Telemetry showed a logon attempt via net.exe with command-line arguments to the C$ share on Creeper as the user Kmitnick. The process tree view showed net.exe as tainted by a previous powershell.exe detection.
  Screenshot: Telemetry showing successful net use connection by Kmitnick in the process tree view (tainted by previous powershell.exe detection, shown by a red line indicating high severity)
Network Share Connection Removal (T1126)

Procedure (Step 16.C.1): Empire: 'net use /delete' via PowerShell
  Telemetry (Tainted): Telemetry showed net.exe executing with command-line arguments. The telemetry was tainted by a previous powershell.exe detection.
  General Behavior (Delayed): The OverWatch team sent an email indicating a General Behavior was observed because the user Bob removed an artifact for the ADMIN$ share. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry from process tree showing net.exe executing with command-line arguments (tainted by previous powershell.exe detection, shown by a red line indicating high severity)
  Screenshot: Excerpt from email sent by the OverWatch team indicating they observed the ADMIN$ artifact removed (General Behavior)
Masquerading (T1036)

Procedure (Step 16.I.1): Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)
  Telemetry (Tainted): Telemetry showed sc.exe executing with command-line arguments for a new service called AdobeUpdater with binPath pointed to cmd.exe with arguments to execute update.vbs and service description "Synchronize with Adobe for security updates." An analyst could use this information to determine it is not a legitimate service. The process tree view showed sc.exe as tainted by a previous powershell.exe detection.
  Screenshot: Telemetry from process tree showing sc.exe execution with the AdobeUpdater service description (tainted by previous powershell.exe detection, shown by a red line indicating high severity)
  Screenshot: Telemetry showing AdobeUpdater service details with binPath pointed to cmd.exe with arguments and service description

Procedure (Step 19.A.1): Empire: File dropped to disk is a renamed copy of the WinRAR binary
  Telemetry: Telemetry showed the SHA256 hash value of recycler.exe when it was written to disk, which an analyst could use to determine recycler.exe was actually WinRAR.
  Screenshot: Telemetry showing SHA256 hash of recycler.exe

Procedure (Step 19.B.1): Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
  Specific Behavior (Tainted): A Specific Behavior alert was created for a RAR archive "written by a process with suspicious command line arguments." Details showed that recycler.exe wrote a RAR archive and that recycler.exe was signed by win.rar GmbH. The process tree view showed the recycler.exe alert as tainted by a previous powershell.exe detection.
  Telemetry: Telemetry within the alert showed the command-line details for the execution of recycler.exe, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
  Specific Behavior (Delayed): The OverWatch team sent an email indicating a Specific Behavior was observed because a .vsdx file was archived for likely exfiltration using the renamed WinRAR binary, recycler.exe. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Specific Behavior alert showing recycler.exe was identified as WinRAR (tainted by previous powershell.exe detection, shown by a red line indicating high severity)
  Screenshot: Additional alert details showing recycler.exe was signed by win.rar GmbH
  Screenshot: Email excerpt sent by the OverWatch team indicating they observed a .vsdx file archived using the renamed RAR binary, recycler.exe (Specific Behavior)
File Permissions Modification (T1222)

Procedure (Step 17.B.1): Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
  Telemetry (Tainted): Telemetry showed takeown.exe executing with command-line arguments. The process tree view showed takeown.exe as tainted by a previous powershell.exe detection.
  General Behavior (Delayed): The OverWatch team sent an email indicating a General Behavior was observed because takeown.exe was executed to bypass Windows logon. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry from process tree view showing execution of takeown.exe (tainted by previous powershell.exe detection, shown by a red line indicating high severity)
  Screenshot: Email excerpt sent by the OverWatch team indicating they observed takeown.exe executed to bypass Windows logon (General Behavior)

Procedure (Step 17.B.2): Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
  Telemetry (Tainted): Telemetry showed execution of icacls.exe with command-line arguments. The process tree view showed icacls.exe as tainted by a previous powershell.exe detection.
  General Behavior (Delayed): The OverWatch team sent an email indicating a General Behavior was observed because icacls.exe was executed to bypass Windows logon. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry from process tree view showing execution of icacls.exe (tainted by previous powershell.exe detection, shown by a red line indicating high severity)
  Screenshot: Email excerpt sent by the OverWatch team indicating they observed icacls.exe executed to bypass Windows logon (General Behavior)
File Deletion (T1107)

Procedure (Step 19.D.1): Empire: 'del C:\"$"Recycle.bin\old.rar'
  Telemetry: Telemetry showed the deletion of old.rar with an event name of FileDeleted.
  Specific Behavior (Delayed): The OverWatch team sent an email indicating a Specific Behavior was observed because files (including old.rar) were deleted from the host CodeRed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing deletion of old.rar
  Screenshot: Email excerpt sent by the OverWatch team indicating they observed old.rar being deleted (Specific Behavior)

Procedure (Step 19.D.2): Empire: 'del recycler.exe'
  Telemetry: Telemetry showed the deletion of recycler.exe with an event name of ExecutableDeleted.
  Specific Behavior (Delayed): The OverWatch team sent an email indicating a Specific Behavior was observed because files (including recycler.exe) were deleted from the host CodeRed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Telemetry showing deletion of recycler.exe
  Screenshot: Email excerpt sent by the OverWatch team indicating they observed recycler.exe being deleted (Specific Behavior)
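Two of the telemetry-only detections above are really queries over process-creation events: high-integrity (12288/0x3000) powershell.exe processes created by medium-integrity (8192/0x2000) parents for the UAC bypass in steps 3.A.1 and 14.A.1, and children of one process switching from user Debbie to user George for the token theft in step 5.B.1. The following Python is an added example of those two queries, not part of the MITRE page or of CrowdStrike Falcon; the ProcessEvent schema, field names and PIDs are assumptions, and the events are constructed sample data.

```python
"""Detection logic over process-creation telemetry, modelled on two Defense
Evasion findings from the evaluation page.  All events are constructed sample
data with an assumed schema, not CrowdStrike Falcon telemetry."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Integrity levels as the page reports them: 8192 (0x2000/Medium) before the
# UAC bypass, 12288 (0x3000/High) after it.
MEDIUM_INTEGRITY = 0x2000
HIGH_INTEGRITY = 0x3000


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event (assumed schema)."""
    pid: int
    ppid: int
    image: str
    user: str
    integrity: int


def find_uac_bypass(events: List[ProcessEvent],
                    image: str = "powershell.exe") -> List[ProcessEvent]:
    """Steps 3.A.1 / 14.A.1: return processes with the given image running at
    high integrity whose parent ran at medium integrity.  A consented elevation
    is launched by the AppInfo service (svchost.exe), so a medium-integrity
    parent directly creating a high-integrity child is the signal the page
    describes."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    hits: List[ProcessEvent] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent outside the queried window; cannot compare
        if (e.image.lower() == image
                and e.integrity == HIGH_INTEGRITY
                and parent.integrity == MEDIUM_INTEGRITY):
            hits.append(e)
    return hits


def find_user_context_change(events: List[ProcessEvent],
                             parent_pid: int) -> List[Tuple[str, str, int]]:
    """Step 5.B.1: walk the children of one process in event order and report
    each point where a child is spawned as a different user than the parent
    (or the previous child) ran as.  Returns (previous_user, new_user, pid)."""
    by_pid = {e.pid: e for e in events}
    parent = by_pid.get(parent_pid)
    if parent is None:
        return []
    current_user = parent.user
    changes: List[Tuple[str, str, int]] = []
    for e in events:
        if e.ppid != parent_pid:
            continue
        if e.user != current_user:
            changes.append((current_user, e.user, e.pid))
            current_user = e.user
    return changes


# Constructed sample (invented PIDs): a medium-integrity powershell.exe spawns
# a high-integrity powershell.exe (the bypass), whose cmd.exe child later
# spawns processes as George after running as Debbie (the token theft).
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(1000, 1, "explorer.exe", "Debbie", MEDIUM_INTEGRITY),
    ProcessEvent(1100, 1000, "powershell.exe", "Debbie", MEDIUM_INTEGRITY),
    ProcessEvent(1200, 1100, "powershell.exe", "Debbie", HIGH_INTEGRITY),  # bypass
    ProcessEvent(1300, 1200, "cmd.exe", "Debbie", HIGH_INTEGRITY),
    ProcessEvent(1400, 1300, "whoami.exe", "Debbie", HIGH_INTEGRITY),
    ProcessEvent(1800, 1300, "powershell.exe", "Debbie", HIGH_INTEGRITY),  # high parent: no hit
    ProcessEvent(1500, 1300, "net.exe", "George", HIGH_INTEGRITY),          # token theft
    ProcessEvent(1600, 1300, "reg.exe", "George", HIGH_INTEGRITY),
]


def run_detections(events: List[ProcessEvent]) -> Dict[str, list]:
    """Run both checks over a batch; the user-context check is run for every
    parent that appears in the batch."""
    token_changes: List[Tuple[str, str, int]] = []
    for ppid in sorted({e.ppid for e in events}):
        token_changes.extend(find_user_context_change(events, ppid))
    return {
        "uac_bypass_pids": [e.pid for e in find_uac_bypass(events)],
        "user_context_changes": token_changes,
    }


if __name__ == "__main__":
    for name, findings in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {findings}")
```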


Operational Flow


Step 1: Initial Compromise

1.A.1 Execution

User Execution, Rundll32, Scripting

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port, Data Encoding, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig /all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner / User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist /v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators /domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user /domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george /domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Defense Evasion, Privilege Escalation

Access Token Manipulation, Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Defense Evasion, Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.2 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in hash dump capability executed

5.B.1 Defense Evasion, Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port, Multiband Communication, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account, Graphical User Interface, Account Discovery

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.B.1 Command and Control, Lateral Movement

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection, Credential Access

Input Capture, Application Window Discovery

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.D.1 Collection

Screen Capture, Process Injection

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Collection

Data from Network Shared Drive, Exfiltration Over Command and Control Channel

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Lateral Movement

Remote Desktop Protocol, Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access

11.A.1 Defense Evasion, Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol

i. Empire: C2 channel established

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig /all' via PowerShell

12.B.1 Discovery

System Owner/User Discovery

i. Empire: 'whoami /all /fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Defense Evasion, Execution

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner / User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Collection

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" /domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" /domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Defense Evasion, Privilege Escalation

Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

i. Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level

Step 15: Credential Access

15.A.1 Discovery

Application Window Discovery, Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force, Windows Admin Shares

i. Empire: 'net use' via PowerShell for brute-force (password spraying) authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting credentials of users Kmitnick, Bob, and Frieda

16.B.1 Lateral Movement

Windows Admin Shares, Valid Accounts, Brute Force

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use /delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares, Valid Accounts

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.E.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Persistence, Privilege Escalation

New Service, Masquerading

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery, Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.B.1 Defense Evasion

File Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Defense Evasion

File Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence, Privilege Escalation

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged, Data from Network Shared Drive

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration

19.A.1 Defense Evasion

Masquerading, Remote File Copy

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.B.1 Exfiltration

Data Compressed, Data Encrypted, Masquerading

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.C.1 Exfiltration

Exfiltration over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence, Privilege Escalation

Accessibility Features, Remote Desktop Protocol

i. magnify.exe, previously overwritten by cmd.exe, launched through RDP connection made to Creeper (10.0.0.4)

20.B.1 Discovery

System Owner / User Discovery

i. Executed 'whoami' via the cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)