Legend

Main Detection Categories:
None
Telemetry
Indicator of Compromise
General Behavior
Specific Behavior
Enrichment

Detection Modifiers:
Tainted
Delayed
Configuration Change

Cobalt Strike: 'ipconfig /all' via cmd
| Telemetry | Telemetry showed cmd.exe executing ipconfig with command-line arguments. The process tree showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran ipconfig) were considered tainted and suspicious. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because ipconfig was one of the reconnaissance commands performed. |

Cobalt Strike: 'arp -a' via cmd
| Telemetry | Telemetry showed cmd.exe executing arp with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran arp) were considered tainted. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because arp was one of the reconnaissance commands performed. |

Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
| General Behavior (Delayed) | OverWatch generated a General Behavior alert indicating the execution of netsh by cmd.exe was suspicious. |
| Telemetry | Telemetry within the OverWatch alert showed netsh executing with command-line arguments, and would be available in a separate view. |
| General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because netsh was one of the reconnaissance commands performed. |

Empire: 'route print' via PowerShell
| Telemetry | Telemetry showed powershell.exe executing route.exe with command-line arguments. The process tree view showed route.exe as tainted by a previous powershell.exe detection. |
| General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because route print was part of the basic reconnaissance activity performed. |

Empire: 'ipconfig /all' via PowerShell
| Telemetry | Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments. The process tree view showed ipconfig.exe as tainted by a previous powershell.exe detection. |
| General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because ipconfig was part of the basic reconnaissance activity performed. |

Empire: WinEnum module included enumeration of network adapters
| None | No detection capability demonstrated for this procedure. |

Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
| Telemetry | Telemetry showed cmd.exe executing echo with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran echo) were considered tainted. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because echo was one of the reconnaissance commands performed. |

Empire: 'whoami /all /fo list' via PowerShell
| General Behavior (Delayed, Tainted) | OverWatch generated a General Behavior alert indicating whoami.exe with command-line arguments was suspicious. The process tree view showed whoami.exe as tainted by a previous powershell.exe detection. |
| Telemetry | Telemetry within the OverWatch alert showed powershell.exe executing whoami.exe with command-line arguments, and would be available in a separate view. |
| General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because whoami was part of the basic reconnaissance activity performed. |

Empire: WinEnum module included enumeration of user information
| None | No detection capability demonstrated for this procedure. |

Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
| Telemetry | Telemetry showed execution of whoami.exe. The process tree view showed whoami.exe was tainted by a previous magnify.exe detection. |

Cobalt Strike: 'ps' (Process status) via Win32 APIs
| None | No detection capability demonstrated for this procedure. |

Cobalt Strike: 'tasklist /v' via cmd
| Telemetry | Telemetry showed cmd.exe executing tasklist with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran tasklist) were considered tainted. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because tasklist was one of the reconnaissance commands performed. |

Cobalt Strike: 'ps' (Process status) via Win32 APIs
| None | No detection capability demonstrated for this procedure. |

Cobalt Strike: 'ps' (Process status) via Win32 APIs
| None | No detection capability demonstrated for this procedure. |

Empire: 'qprocess *' via PowerShell
| General Behavior (Delayed, Tainted) | OverWatch generated a General Behavior alert indicating qprocess.exe with command-line arguments was suspicious. The process tree view showed qprocess.exe as tainted by a previous powershell.exe detection. |
| Telemetry | Telemetry within the OverWatch alert showed execution of qprocess.exe with command-line arguments, and would be available in a separate view. |
| General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because qprocess was part of the basic reconnaissance activity performed. |

Cobalt Strike: 'sc query' via cmd
| Telemetry | Telemetry showed cmd.exe executing sc with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran sc) were considered tainted. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because sc query was one of the reconnaissance commands performed. |

Cobalt Strike: 'net start' via cmd
| Telemetry | Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. |

Empire: 'net start' via PowerShell
| Telemetry | Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe and net1.exe as tainted by a previous powershell.exe detection. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net start was part of the basic reconnaissance activity performed. |

Empire: WinEnum module included enumeration of services
| None | No detection capability demonstrated for this procedure. |

Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
| Telemetry | Telemetry showed execution of sc.exe to query services on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. |
| Specific Behavior (Delayed) | The OverWatch team sent an email indicating a Specific Behavior was observed because the user Bob was querying for a particular service on Creeper. |

Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
| Telemetry | Telemetry showed sc.exe executing with command-line arguments to query the AdobeUpdater service on Creeper. The process tree view showed sc.exe as tainted by a previous powershell.exe detection. |
| Specific Behavior (Delayed) | The OverWatch team sent an email indicating they observed a Specific Behavior because the user Bob queried for a particular service on Creeper. |

Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
| Telemetry | Telemetry showed reg.exe executing with command-line arguments to check if terminal services are enabled. The process tree view showed reg.exe as tainted by a previous powershell.exe detection. |

Cobalt Strike: 'systeminfo' via cmd
| Telemetry | Telemetry showed cmd.exe executing systeminfo. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran systeminfo) were considered tainted. |
| General Behavior (Delayed) | OverWatch also generated a General Behavior alert indicating systeminfo execution was suspicious. |
| General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because systeminfo was one of the reconnaissance commands performed. |

Cobalt Strike: 'net config workstation' via cmd
| Telemetry | Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. |
| General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because net config was one of the reconnaissance commands performed. |

Empire: WinEnum module included enumeration of system information
| Telemetry | Telemetry from decoded PowerShell (within the capability) showed the Get-Sysinfo function. |

Empire: WinEnum module included enumeration of Windows update information
| None | No detection capability demonstrated for this procedure. |

Cobalt Strike: 'net localgroup administrators' via cmd
| Telemetry | Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. |
| General Behavior (Delayed) | OverWatch also generated a General Behavior alert indicating net localgroup execution was suspicious. |
| General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed. |

Cobalt Strike: 'net localgroup administrators /domain' via cmd
| Telemetry | Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed. |

Cobalt Strike: 'net group "Domain Admins" /domain' via cmd
| Enrichment (Tainted) | The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The enrichment was tainted by a previous detection. |
| Telemetry | Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. |

Empire: WinEnum module included enumeration of AD group memberships
| None | No detection capability demonstrated for this procedure. |

Empire: 'net group "Domain Admins" /domain' via PowerShell
| Telemetry | Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. |
| Enrichment | The capability enriched net.exe with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The process tree view showed net.exe as tainted by a previous powershell.exe detection. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net group was part of additional malicious discovery performed. |

Empire: 'net localgroup administrators' via PowerShell
| Telemetry | Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net localgroup was part of additional malicious discovery performed. |

Cobalt Strike: 'net user /domain' via cmd
| Telemetry | Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net.exe) were considered tainted. |

Cobalt Strike: 'net user george /domain' via cmd
| Telemetry | Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net user was one of the reconnaissance commands performed. |

Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information
| Telemetry | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. |

Empire: 'net user' via PowerShell
| Telemetry | Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net user was part of additional malicious discovery performed. |

Empire: 'net user /domain' via PowerShell
| Telemetry | Telemetry showed powershell.exe executing net.exe with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net user was part of additional malicious discovery performed. |

Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
| Telemetry | Telemetry showed cmd.exe executing reg with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran reg) were considered tainted. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because reg query was one of the reconnaissance commands performed. |

Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
| Telemetry (Tainted) | Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by the parent cmd.exe process. |
| General Behavior (Delayed, Tainted) | OverWatch generated a General Behavior alert indicating the reg query command was suspicious. The alert was tainted by the parent cmd.exe process. |

Empire: WinEnum module included enumeration of system information via a Registry query
| Telemetry | Telemetry from decoded PowerShell (within the capability) showed the Get-Sysinfo function. |

Empire: 'reg query' via PowerShell to enumerate a specific Registry key
| Telemetry | Telemetry showed reg.exe executing with command-line arguments. The process tree view showed reg.exe as tainted by a previous powershell.exe detection. |
| General Behavior (Delayed, Tainted) | OverWatch generated a General Behavior alert identifying reg.exe execution as suspicious. The alert was tainted by a parent powershell.exe detection. |
| General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because reg query was part of additional malicious discovery performed. |

Empire: 'reg query' via PowerShell to enumerate a specific Registry key
| Telemetry | Telemetry showed reg.exe executing with command-line arguments. The process tree view showed reg.exe as tainted by a previous powershell.exe detection. |

Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
| Enrichment | The capability showed net.exe executing with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). |
| Telemetry | Telemetry within the enrichment showed net.exe executing with command-line arguments, and would be available in a separate view. |
| General Behavior (Delayed) | OverWatch also generated a General Behavior alert identifying cmd.exe executing net as suspicious. |
| General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. |

Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
| Enrichment | The capability showed net.exe executing with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). |
| Telemetry | Telemetry within the enrichment showed net.exe with command-line arguments, and would be available in a separate view. |
| General Behavior (Delayed) | The OverWatch team identified net group as suspicious with a General Behavior alert. |
| General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. |

Empire: 'net group "Domain Computers" /domain' via PowerShell
| Telemetry | Telemetry showed net.exe executing with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. |
| Enrichment (Tainted) | The capability enriched net.exe with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The process tree view showed the enrichment was tainted by a previous powershell.exe detection. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net group was part of additional malicious discovery performed. |

Cobalt Strike: 'netstat -ano' via cmd
| General Behavior (Delayed) | OverWatch generated a General Behavior alert indicating cmd.exe executing netstat with command-line arguments was suspicious. |
| Telemetry | Telemetry within the OverWatch alert showed cmd.exe executing netstat with command-line arguments, and would be available in a separate view. |
| General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was observed because netstat was one of the reconnaissance commands performed. |

Empire: WinEnum module included enumeration of established network connections
| Telemetry | Telemetry showed powershell.exe executing netstat.exe with command-line arguments. The process tree view showed netstat.exe as tainted by a previous powershell.exe detection. |

Empire: 'net use' via PowerShell
| Telemetry | Telemetry showed net.exe executing with command-line arguments. The process tree view showed net.exe as tainted by a previous powershell.exe detection. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because net use was part of additional malicious discovery performed. |

Empire: 'netstat -ano' via PowerShell
| Telemetry | Telemetry showed netstat.exe executing with command-line arguments. The process tree view showed netstat.exe as tainted by a previous powershell.exe detection. |
| General Behavior (Delayed) | The OverWatch team sent an email indicating a General Behavior was observed because netstat was part of additional malicious discovery performed. |

Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
| Telemetry | Telemetry showed cmd.exe running dir. The process tree view showed the cmd.exe process that ran dir as tainted by a prior detection. |

Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
| Telemetry | Telemetry showed cmd.exe running tree with command-line arguments. The process tree view also showed the cmd.exe that was the parent for tree.com as tainted by a prior detection. |
| General Behavior (Delayed, Tainted) | OverWatch generated a General Behavior alert indicating tree.com was suspicious. The process tree view showed the alert as tainted by a previous cmd.exe detection. |
| General Behavior (Delayed) | The OverWatch team also sent an email indicating a General Behavior was identified because tree was one of the reconnaissance commands performed. |

Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
| None | No detection capability demonstrated for this procedure. |

Empire: WinEnum module included enumeration of recently opened files
| None | No detection capability demonstrated for this procedure. |

Empire: WinEnum module included enumeration of interesting files
| None | No detection capability demonstrated for this procedure. |

Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
| None | No detection capability demonstrated for this procedure. |

Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
| None | No detection capability demonstrated for this procedure. |

Cobalt Strike: Keylogging capability included residual enumeration of application windows
| None | No detection capability demonstrated for this procedure. |

Empire: Built-in keylogging module included residual enumeration of application windows
| Telemetry | Telemetry showed the decoded PowerShell script, which displayed the API call GetForegroundWindow to enumerate the active window. |

Empire: WinEnum module included enumeration of password policy information
| None | No detection capability demonstrated for this procedure. |

Empire: WinEnum module included enumeration of available shares
| None | No detection capability demonstrated for this procedure. |

Empire: WinEnum module included enumeration of mapped network drives
| None | No detection capability demonstrated for this procedure. |

Empire: WinEnum module included enumeration of AV solutions
| None | No detection capability demonstrated for this procedure. |

Empire: WinEnum module included enumeration of firewall rules
| None | No detection capability demonstrated for this procedure. |
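The tainting behaviour that runs through the results above (a seed detection on rundll32.exe or powershell.exe marks every descendant process, and a delayed General Behavior follows once several reconnaissance commands have run under it) can be modelled as a small detection routine. The following is an added example, not code from the evaluation or from the vendor; its process events are constructed samples, and the three-command threshold for the delayed alert is an assumption, since the results state no threshold.

```python
"""Process-tree taint propagation over constructed process-start events.

Added example, not the evaluation's or the vendor's code. The events and
seed detections below are constructed; the recon threshold is an assumption."""
from collections import defaultdict
from dataclasses import dataclass

# Discovery binaries that appear in the results above.
RECON_IMAGES = {
    "ipconfig.exe", "arp.exe", "netsh.exe", "route.exe", "whoami.exe",
    "tasklist.exe", "qprocess.exe", "sc.exe", "net.exe", "net1.exe",
    "systeminfo.exe", "reg.exe", "netstat.exe", "tree.com",
}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str       # executable name as it appears in process telemetry
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    category: str    # "Telemetry" or "General Behavior"
    modifiers: tuple  # e.g. ("Tainted",) or ("Delayed",)
    tainted_by: int  # pid of the seed detection whose taint reached this process


def propagate_taint(events, seed_pids):
    """Map every descendant of a seed detection to that seed's pid.

    Mirrors the notes above: once rundll32.exe or powershell.exe is flagged,
    each cmd.exe it spawns, and whatever that cmd.exe runs, is tainted."""
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev.pid)
    tainted = {}
    stack = [(pid, pid) for pid in seed_pids]
    while stack:
        pid, seed = stack.pop()
        if pid in tainted:
            continue  # already reached; also guards against malformed cycles
        tainted[pid] = seed
        stack.extend((child, seed) for child in children.get(pid, ()))
    return tainted


def classify(events, seed_pids, recon_threshold=3):
    """One tainted Telemetry finding per recon command under a seed, plus one
    delayed General Behavior per seed once the count reaches the (assumed)
    threshold. The same commands under a clean parent produce nothing."""
    by_pid = {ev.pid: ev for ev in events}
    tainted = propagate_taint(events, seed_pids)
    findings = []
    recon_per_seed = defaultdict(int)
    for ev in sorted(events, key=lambda e: e.pid):
        if ev.pid in seed_pids or ev.pid not in tainted:
            continue
        if ev.image.lower() in RECON_IMAGES:
            seed = tainted[ev.pid]
            findings.append(Finding(ev.pid, ev.image, "Telemetry", ("Tainted",), seed))
            recon_per_seed[seed] += 1
    for seed, count in recon_per_seed.items():
        if count >= recon_threshold:
            image = by_pid[seed].image if seed in by_pid else "<unknown>"
            findings.append(Finding(seed, image, "General Behavior", ("Delayed",), seed))
    return findings


# Constructed sample process-start events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcessEvent(200, 100, "rundll32.exe",   "rundll32.exe updater.dll"),  # seed detection
    ProcessEvent(300, 200, "cmd.exe",        "cmd.exe /c ipconfig /all"),
    ProcessEvent(301, 300, "ipconfig.exe",   "ipconfig /all"),
    ProcessEvent(310, 200, "cmd.exe",        "cmd.exe /c arp -a"),
    ProcessEvent(311, 310, "arp.exe",        "arp -a"),
    ProcessEvent(320, 200, "cmd.exe",        "cmd.exe /c tasklist /v"),
    ProcessEvent(321, 320, "tasklist.exe",   "tasklist /v"),
    ProcessEvent(500, 100, "powershell.exe", "powershell.exe -NoProfile"),  # seed detection
    ProcessEvent(501, 500, "whoami.exe",     "whoami /all /fo list"),
    # Same command run by an administrator under a clean parent: no taint.
    ProcessEvent(400, 100, "cmd.exe",        "cmd.exe"),
    ProcessEvent(401, 400, "ipconfig.exe",   "ipconfig /all"),
]
SEED_DETECTIONS = {200, 500}

if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS, SEED_DETECTIONS):
        print(f"{f.category} {f.modifiers}: pid {f.pid} {f.image} "
              f"(tainted by pid {f.tainted_by})")
```

With the sample data, the three commands under rundll32.exe produce tainted Telemetry findings and one delayed General Behavior, the single whoami under powershell.exe produces Telemetry only, and the administrator's ipconfig under a clean cmd.exe produces nothing.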
Operational Flow

Step 1: Initial Compromise
1.A.1 Execution: User Execution, Rundll32, Scripting
i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
1.B.1 Persistence: Registry Run Keys / Startup Folder
i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
1.C.1 Command and Control: Commonly Used Port, Data Encoding, Standard Application Layer Protocol
i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery
2.C.1 Discovery: Process Discovery
i. Cobalt Strike: 'ps' (Process status) via Win32 APIs
2.G.2 Discovery: Account Discovery
i. Cobalt Strike: 'net user george /domain' via cmd
2.H.1 Discovery: Query Registry
i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation
3.A.1 Defense Evasion, Privilege Escalation: Access Token Manipulation, Bypass User Account Control
i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
3.B.1 Discovery: Process Discovery
i. Cobalt Strike: 'ps' (Process status) via Win32 APIs
3.C.1 Defense Evasion, Privilege Escalation: Process Injection
i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

Step 5: Credential Access
5.A.1 Credential Access: Credential Dumping, Process Injection
i. Cobalt Strike: Built-in Mimikatz credential dump capability executed
5.A.2 Credential Access: Credential Dumping, Process Injection
i. Cobalt Strike: Built-in hash dump capability executed
5.B.1 Defense Evasion, Privilege Escalation: Access Token Manipulation
i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement
6.A.1 Discovery: Query Registry
i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
6.B.1 Command and Control: Commonly Used Port, Multiband Communication, Standard Application Layer Protocol
i. Cobalt Strike: C2 channel modified
6.C.1 Lateral Movement: Remote Desktop Protocol
i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence
7.B.1 Command and Control, Lateral Movement: Remote File Copy
i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
7.C.1 Execution, Persistence, Privilege Escalation: Scheduled Task
i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection
8.B.1 Discovery: Process Discovery
i. Cobalt Strike: 'ps' (Process status) via Win32 APIs
8.D.1 Collection: Screen Capture, Process Injection
i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration
9.A.1 Discovery: File and Directory Discovery
i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
9.B.1 Collection: Data from Network Shared Drive, Exfiltration Over Command and Control Channel
i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence
10.A.1 Persistence: Registry Run Keys / Startup Folder
i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
10.A.2 Execution, Persistence, Privilege Escalation: Scheduled Task
i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
10.B.1 Lateral Movement: Remote Desktop Protocol, Valid Accounts
i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access
11.A.1 Defense Evasion, Execution: Scripting
i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
11.B.1 Command and Control: Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol
i. Empire: C2 channel established

Step 12: Initial Discovery
12.E.1 Defense Evasion, Execution: Scripting
i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
12.E.1.5 Collection: Clipboard Data
i. Empire: WinEnum module included enumeration of clipboard contents
12.E.1.7 Discovery: Query Registry
i. Empire: WinEnum module included enumeration of system information via a Registry query
12.E.1.9.2 Discovery: Network Share Discovery
i. Empire: WinEnum module included enumeration of mapped network drives

Step 13: Discovery for Lateral Movement
13.C.1 Discovery: Querying the Registry
i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation
14.A.1 Defense Evasion, Privilege Escalation: Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol
i. Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level

Step 15: Credential Access
15.B.1 Credential Access: Credentials in Files
i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement
16.A.1 Credential Access: Brute Force, Windows Admin Shares
i. Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
16.B.1 Lateral Movement: Windows Admin Shares, Valid Accounts, Brute Force
i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
16.C.1 Defense Evasion: Network Share Connection Removal
i. Empire: 'net use /delete' via PowerShell
16.D.1 Lateral Movement: Windows Admin Shares, Valid Accounts
i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
16.E.1 Command and Control, Lateral Movement: Remote File Copy
i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
16.F.1 Execution: Command-Line Interface
i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
16.G.1 Command and Control, Lateral Movement: Remote File Copy
i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
16.H.1 Discovery: System Service Discovery
i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
16.I.1 Persistence, Privilege Escalation: New Service, Masquerading
i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
16.J.1 Discovery: System Service Discovery
i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
16.K.1 Discovery: File and Directory Discovery
i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
16.L.1 Execution: Service Execution
i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence
17.B.1 Defense Evasion: File Permissions Modification
i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
17.B.2 Defense Evasion: File Permissions Modification
i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
17.C.1 Persistence, Privilege Escalation: Accessibility Features
i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection
18.A.1 Discovery: File and Directory Discovery
i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
18.B.1 Collection: Data Staged, Data from Network Shared Drive
i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration
19.A.1 Defense Evasion: Masquerading, Remote File Copy
i. Empire: File dropped to disk is a renamed copy of the WinRAR binary
19.B.1 Exfiltration: Data Compressed, Data Encrypted, Masquerading
i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
19.C.1 Exfiltration: Exfiltration over Alternative Protocol
i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel
19.D.1 Defense Evasion: File Deletion
i. Empire: 'del C:\"$"Recycle.bin\old.rar'
19.D.2 Defense Evasion: File Deletion
i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence