Endgame

Tactic Results: Defense Evasion

Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.
Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment
Detection Modifiers: Tainted, Delayed, Configuration Change
Columns: Technique | Procedure | Step | Detection Type | Detection Notes | Screenshots

Scripting (T1064)

  Procedure: Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)
  Step: 1.A.1
  Detection: Telemetry (Tainted)
    Telemetry showed cmd.exe executing pdfhelper.cmd as well as pdfhelper.cmd spawning as a child process of Resume Viewer.exe. The telemetry was tainted by a parent Malicious File Detection alert.
  Screenshots:
    - Telemetry showing pdfhelper.cmd spawned as a child process of Resume Viewer.exe (tainted by parent Malicious File Detection alert)
    - Telemetry showing cmd.exe process creation and execution of pdfhelper.cmd (tainted by parent Malicious File Detection alert)

  Procedure: Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
  Step: 11.A.1
  Detection: Specific Behavior
    A Specific Behavior alert was generated indicating that powershell.exe ran with unusual arguments due to the -enc and -noP command-line arguments. The alert was mapped to a related ATT&CK Technique (T1086 - PowerShell) and the correct Tactic (Execution).
  Detection: Telemetry (Tainted)
    Telemetry showed the process events associated with wscript.exe executing the autoupdate.vbs script (tainted by parent alert).
  Detection: Specific Behavior
    A Specific Behavior alert was generated for "Windows Script Executing PowerShell" due to wscript.exe launching powershell.exe. The alert was mapped to the correct ATT&CK Technique (T1064 - Scripting) and Tactic (Execution).
  Screenshots:
    - Specific Behavior alert for powershell.exe also showing telemetry for script execution (mapped to related ATT&CK Technique, T1086 - PowerShell, and correct Tactic, Execution)
    - Specific Behavior alert for wscript.exe launching powershell.exe (mapped to the correct ATT&CK Technique, T1064 - Scripting, and Tactic, Execution)

  Procedure: Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
  Step: 12.E.1
  Detection: Specific Behavior (Tainted)
    A Specific Behavior alert was generated for "PowerShell with Unusual Arguments" that coincided with the execution of WinEnum (tainted by parent PowerShell alerts). The alert also identified a related ATT&CK Technique (T1086 - PowerShell) and Tactic (Execution). From the alert, the Interactive Shell was used to analyze the PowerShell script, and the function Invoke-WinEnum was observed. Interactive Shell was not by itself considered telemetry, but the analyst can use it to retrieve additional Windows logs to enhance baseline Endgame functionality.
  Detection: Telemetry (Tainted)
    Telemetry showed the creation of the PowerShell process (tainted by parent PowerShell alerts).
  Screenshots:
    - Specific Behavior alert for "PowerShell with Unusual Arguments" (tagged with correct ATT&CK Technique, T1086 - PowerShell, and Tactic, Execution; tainted by parent PowerShell alerts)
    - Telemetry pulled by Interactive Shell showing the contents of the WinEnum script (does not count as a detection)
    - Telemetry showing powershell.exe execution (ID 2397532) (tainted by parent PowerShell alerts)

Rundll32 (T1085)

  Procedure: Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32
  Step: 1.A.1
  Detection: Telemetry (Tainted)
    Telemetry showed rundll32.exe running update.dat. The telemetry was tainted by a parent Malicious File Detection alert.
  Detection: Specific Behavior (Tainted)
    A Specific Behavior alert called "RunDLL32 with Suspicious DLL Location" was generated due to rundll32.exe running update.dat. The alert was also tagged with the correct ATT&CK Technique (T1085 - Rundll32) and Tactics (Defense Evasion, Execution) and was tainted by a parent Malicious File Detection alert.
  Screenshots:
    - Telemetry showing rundll32.exe running update.dat execution event
    - Event tree view showing the Malicious File Detection alert tainting rundll32.exe telemetry
    - Specific Behavior alert for RunDLL32 with Suspicious DLL Location and surrounding telemetry (tagged with correct ATT&CK Technique, T1085 - Rundll32, and Tactics, Defense Evasion, Execution; tainted by parent Malicious File Detection alert)

Access Token Manipulation (T1134)

  Procedure: Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
  Step: 3.A.1
  Detection: Telemetry
    Telemetry showed a svchost.exe seclogon event for a token logon id (authentication id) that was later used by a new powershell.exe process, highlighting token manipulation via a mismatch in ids between the parent and child process tokens. During the evaluation, Windows Defender was unknowingly re-enabled. As a result, Bypass UAC was tested in a slightly modified method. The detection method Endgame exhibited would have been valid regardless.
  Screenshots:
    - Telemetry showing svchost.exe seclogon event for token logon id 0x5f997f7 (100243447)
    - Telemetry showing powershell.exe spawned with token authentication id 100243447

  Procedure: Cobalt Strike: Built-in token theft capability executed to change user context to George
  Step: 5.B.1
  Detection: Specific Behavior
    A Specific Behavior alert was generated for Privilege Escalation based on rundll32.exe, running as Debbie, spawning the process cmd.exe as George, which indicated a possible stolen token. The alert was mapped to the correct ATT&CK Technique (T1134 - Access Token Manipulation) and Tactics (Privilege Escalation, Defense Evasion).
  Detection: Telemetry (Tainted)
    Telemetry showed the user change in the parent-child processes rundll32.exe and cmd.exe (tainted by the Privilege Escalation alert).
  Screenshots:
    - Specific Behavior alert on Privilege Escalation showing a process spawning (cmd.exe) with a different token than the parent (rundll32.exe) (mapped to the correct ATT&CK Technique, T1134 - Access Token Manipulation, and Tactics, Privilege Escalation and Defense Evasion)
    - Telemetry showing the cmd.exe that spawned as user George from rundll32.exe running as user Debbie (tainted by parent Privilege Escalation alert)

Bypass User Account Control (T1088)

  Procedure: Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
  Step: 3.A.1
  Detection: Telemetry
    Telemetry showed a mismatch between the logon id (authentication id) of the parent and child processes, indicating that a different token was used. Though no screenshot for this data is available, this information can be used to trace back to the logon event for that logon id, which displays the process integrity level indicative of the elevated token used to bypass UAC. During the evaluation, Windows Defender was unknowingly re-enabled. As a result, Bypass UAC was tested in a slightly modified method. The detection method Endgame exhibited would have been valid regardless.
  Screenshots:
    - Telemetry showing authentication (logon) ID mismatch between parent and child processes

  Procedure: Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
  Step: 14.A.1
  Detection: Telemetry
    Telemetry showed a mismatch between the logon id (authentication id) of the parent (powershell.exe - 312288) and child (powershell.exe - 10184789) processes, indicating that a different token was used. Though no screenshot for this data is available, this information can be used to trace back to the logon event for that logon id, which displays the process integrity level indicative of the elevated token used to bypass UAC.
  Screenshots:
    - Telemetry showing authentication (logon) ID mismatch between parent and child processes
    - Telemetry showing svchost.exe seclogon event for token logon id 0x9b6855 (10184789), used by the spawned powershell.exe
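The logon-id mismatch described in the 3.A.1 and 14.A.1 Bypass UAC notes, and the user-context change in the 5.B.1 Access Token Manipulation note, reduce to one correlation over process-creation and logon telemetry: compare each child's token logon id and user with its parent's, then look up the logon event behind any new logon id. The Python below is an added example and is not Endgame's or MITRE's code. The event records and their field names are constructed; `integrity_level` on the logon event is an assumed field standing in for the process integrity level the note says an analyst would trace back to; the pids are made up; only the two logon ids quoted in the screenshots (0x5f997f7 and 0x9b6855) come from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """Process-creation telemetry record (constructed; field names assumed)."""
    pid: int
    ppid: int
    image: str
    user: str
    logon_id: int  # token authentication id (logon id), as quoted in the notes


@dataclass(frozen=True)
class LogonEvent:
    """Logon telemetry record, e.g. the svchost.exe seclogon event in the notes."""
    logon_id: int
    source: str           # component that created the logon session
    integrity_level: str  # assumed field: integrity level of the new token


# Constructed sample telemetry. The logon ids reuse the values quoted on the
# page (0x5f997f7 == 100243447, 0x9b6855 == 10184789); pids are made up.
PROCESS_EVENTS: List[ProcessEvent] = [
    ProcessEvent(4000, 800, "explorer.exe", "debbie", 312288),
    ProcessEvent(4100, 4000, "rundll32.exe", "debbie", 312288),       # implant host
    ProcessEvent(4200, 4100, "powershell.exe", "debbie", 100243447),  # new logon id (3.A.1)
    ProcessEvent(4300, 4100, "cmd.exe", "george", 777001),            # new user (5.B.1)
    ProcessEvent(4400, 4000, "notepad.exe", "debbie", 312288),        # benign: same token
    ProcessEvent(4500, 4200, "powershell.exe", "debbie", 10184789),   # new logon id (14.A.1)
]
LOGON_EVENTS: List[LogonEvent] = [
    LogonEvent(100243447, "seclogon", "High"),
    LogonEvent(10184789, "seclogon", "High"),
]


def classify(parent: ProcessEvent, child: ProcessEvent,
             logon: Optional[LogonEvent]) -> str:
    """Turn a token difference into the pattern the Endgame notes describe."""
    if child.user != parent.user:
        return "user context change (token theft pattern)"
    if logon is not None and logon.source == "seclogon" and logon.integrity_level == "High":
        return "elevated token via seclogon (Bypass UAC pattern)"
    return "logon id mismatch (unexplained; check logon event)"


def find_token_mismatches(procs: List[ProcessEvent],
                          logons: List[LogonEvent]) -> List[Dict[str, str]]:
    """Return one finding per child whose token differs from its parent's."""
    by_pid = {p.pid: p for p in procs}
    logon_by_id = {lg.logon_id: lg for lg in logons}
    findings: List[Dict[str, str]] = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue  # parent outside the telemetry window; nothing to compare
        if child.logon_id == parent.logon_id and child.user == parent.user:
            continue  # same token: the normal case
        logon = logon_by_id.get(child.logon_id)
        findings.append({
            "pid": str(child.pid),
            "image": child.image,
            "parent": parent.image,
            "parent_logon_id": f"{parent.logon_id:#x}",
            "child_logon_id": f"{child.logon_id:#x}",
            "classification": classify(parent, child, logon),
        })
    return findings


if __name__ == "__main__":
    for finding in find_token_mismatches(PROCESS_EVENTS, LOGON_EVENTS):
        print(finding)
```

A mismatch on its own is a lead, not a verdict: runas, scheduled tasks and services routinely start children under a different logon session, which is why the classification leans on the correlated seclogon event and the user change rather than on the id difference alone, as the notes above did.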
Process Injection (T1055)

  Procedure: Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
  Step: 3.C.1
  Detection: Specific Behavior
    A Specific Behavior alert was generated for process injection into cmd.exe.
  Screenshots:
    - Specific Behavior alert for process injection into cmd.exe

  Procedure: Cobalt Strike: Credential dump capability involved process injection into lsass
  Step: 5.A.1
  Detection: Telemetry
    Telemetry showed privileged accesses (PROCESS_VM_READ and PROCESS_QUERY_LIMITED_INFORMATION) into lsass.exe.
  Screenshots:
    - Telemetry showing process accesses into lsass.exe

  Procedure: Cobalt Strike: Hash dump capability involved process injection into lsass.exe
  Step: 5.A.2
  Detection: Telemetry (Tainted)
    Telemetry showed multiple privileged accesses (including PROCESS_CREATE_THREAD) into lsass, indicative of Process Injection (tainted by the Process Injection alert).
  Detection: Specific Behavior
    A Specific Behavior alert was generated for the correct ATT&CK Technique (Process Injection).
  Screenshots:
    - Telemetry showing process injection into lsass.exe (tainted by parent Process Injection alert)
    - Specific Behavior alert mapped to the correct ATT&CK Technique (Process Injection)

  Procedure: Cobalt Strike: Screen capture capability involved process injection into explorer.exe
  Step: 8.D.1
  Detection: Specific Behavior (Tainted)
    A Specific Behavior alert for process injection was generated with cmd.exe as the source. The alert was tainted by parent Malicious File Detection and process injection alerts, and was also labeled with the correct ATT&CK Technique (T1055 - Process Injection) and Tactics (Defense Evasion and Execution).
  Screenshots:
    - Event tree showing process injection Specific Behavior alert (last alert in the view, ID 2561310) (tainted by parent Malicious File Detection and process injection alerts and labeled with the correct ATT&CK Technique, Process Injection, and Tactics, Defense Evasion and Execution)
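The 5.A.1 and 5.A.2 notes hinge on one field: the access mask granted on a handle to lsass.exe. PROCESS_VM_READ together with a query right is the credential-read shape, while PROCESS_CREATE_THREAD (or the write rights) marks the injection shape. The Python below is an added example, not Endgame's or MITRE's code, that decodes such masks and tiers the verdict; the access-right values are the standard Win32 constants, while the event records (a Sysmon-style source image, target image and granted mask) are constructed and their field names assumed.

```python
from typing import Dict, List, NamedTuple, Optional

# Standard Windows process access rights (values from the Win32 headers).
PROCESS_ACCESS_RIGHTS: Dict[int, str] = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

READ_RIGHTS = 0x0010                       # PROCESS_VM_READ: enough to read credential material
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0020   # CREATE_THREAD | VM_OPERATION | VM_WRITE


class AccessEvent(NamedTuple):
    """Process-access telemetry record (constructed; field names assumed)."""
    source_image: str
    target_image: str
    granted_access: int


def decode_access(mask: int) -> List[str]:
    """Name the known rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]


def classify_lsass_access(ev: AccessEvent) -> Optional[str]:
    """Tier a handle to lsass.exe by the most dangerous right it carries."""
    if ev.target_image.lower() != "lsass.exe":
        return None
    if ev.granted_access & INJECT_RIGHTS:
        return "process injection into lsass (thread creation / memory write)"
    if ev.granted_access & READ_RIGHTS:
        return "memory read from lsass (credential dumping pattern)"
    return None  # query-only handles are routine (task managers, monitoring agents)


# Constructed sample events: the first two mirror the 5.A.1 and 5.A.2 notes,
# the last two are benign controls.
ACCESS_EVENTS: List[AccessEvent] = [
    AccessEvent("rundll32.exe", "lsass.exe", 0x1010),
    AccessEvent("rundll32.exe", "lsass.exe", 0x1FFFFF),   # PROCESS_ALL_ACCESS
    AccessEvent("taskmgr.exe", "lsass.exe", 0x1000),
    AccessEvent("rundll32.exe", "notepad.exe", 0x1FFFFF),
]


def find_lsass_access(events: List[AccessEvent]) -> List[Dict[str, object]]:
    """Return one finding per event that reads from or injects into lsass."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        verdict = classify_lsass_access(ev)
        if verdict is None:
            continue
        findings.append({
            "source": ev.source_image,
            "rights": decode_access(ev.granted_access),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in find_lsass_access(ACCESS_EVENTS):
        print(finding)
```

Security products and some system components legitimately open lsass with PROCESS_VM_READ, so in production this logic sits behind an allowlist keyed on the source image path and signer; the access mask, which the Endgame telemetry above exposes, remains the field that separates a read from an injection.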
Valid Accounts (T1078)

  Procedure: RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
  Step: 10.B.1
  Detection: Telemetry (Tainted)
    Telemetry showed that the userinit.exe process was running as the user Jesse, indicating Jesse logged in. The telemetry was tainted by the parent "Start Folder Persistence" alert.
  Screenshots:
    - Telemetry showing userinit.exe running as Jesse (tainted by parent "Start Folder Persistence" alert)

  Procedure: Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
  Step: 16.B.1
  Detection: Enrichment (Tainted)
    The capability enriched the net.exe connection using valid credentials for Kmitnick with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert).
  Detection: Telemetry (Tainted)
    Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials for user Kmitnick (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and can then be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
  Detection: Enrichment (Delayed, Tainted)
    The capability enriched net.exe connection events with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and can then be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
  Screenshots:
    - Enrichment of successful net.exe connection (tainted by parent PowerShell alert)
    - Enriched event tree showing enrichment of net.exe with related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert; the tree is initially available unenriched to show the base telemetry)

  Procedure: Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
  Step: 16.D.1
  Detection: Enrichment (Tainted)
    The capability enriched the net.exe connection (using valid credentials for Kmitnick) with a tag titled Lateral Movement via "Mounting Hidden Shares" (tainted by parent PowerShell alert).
  Detection: Telemetry (Tainted)
    Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials for user Kmitnick (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and can then be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
  Detection: Enrichment (Delayed, Tainted)
    The capability enriched net.exe connection events with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert). Telemetry is immediately available within the event tree and can then be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
  Screenshots:
    - Enrichment of successful net.exe connection (tainted by parent PowerShell alert)
    - Enriched event tree showing enrichment of net.exe with related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert; the tree is initially available unenriched to show the base telemetry)

Network Share Connection Removal (T1126)

  Procedure: Empire: 'net use /delete' via PowerShell
  Step: 16.C.1
  Detection: Telemetry (Tainted)
    Telemetry showed an event tree containing net.exe and its command-line arguments (tainted by parent PowerShell alert).
  Screenshots:
    - Telemetry showing event tree containing net.exe and command-line argument (tainted by parent PowerShell alert)

Masquerading (T1036)

  Procedure: Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)
  Step: 16.I.1
  Detection: Telemetry (Tainted)
    Telemetry showed sc.exe executions to create the AdobeUpdater service, set its binPath to run cmd.exe with an argument to execute update.vbs, and set the description of the service. An analyst could use this information to determine that masquerading occurred. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts.
  Screenshots:
    - Telemetry of sc.exe executions to create and set the description of a new service on Creeper (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts)

  Procedure: Empire: File dropped to disk is a renamed copy of the WinRAR binary
  Step: 19.A.1
  Detection: None
    No detection capability demonstrated for this procedure. Telemetry later identified recycler.exe as WinRAR during execution, but no detection identified it as WinRAR upon file copy.

  Procedure: Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
  Step: 19.B.1
  Detection: Specific Behavior (Tainted)
    A Specific Behavior alert named "Exfiltration-Encrypting Files with WinRar" was generated on execution of recycler.exe. The alert was tainted by the parent Windows Script Executing PowerShell alert.
  Detection: Telemetry (Tainted)
    Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by the parent Windows Script Executing PowerShell alert.
  Screenshots:
    - Specific Behavior alert for the execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar" (tainted by Windows Script Executing PowerShell alert)
    - Telemetry showing execution of recycler.exe with command-line arguments and creation of old.rar output (tainted by Windows Script Executing PowerShell alert)

File Permissions Modification (T1222)

  Procedure: Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
  Step: 17.B.1
  Detection: Telemetry (Tainted)
    Telemetry showed powershell.exe executing takeown.exe with command-line arguments. Telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts.
  Screenshots:
    - Telemetry from event tree showing takeown.exe (tainted by parent alerts on powershell.exe)

  Procedure: Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
  Step: 17.B.2
  Detection: Telemetry (Tainted)
    Telemetry showed powershell.exe executing icacls.exe with command-line arguments. Telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts.
  Screenshots:
    - Telemetry from event tree showing icacls.exe (tainted by parent alerts on powershell.exe)

File Deletion (T1107)

  Procedure: Empire: 'del C:\"$"Recycle.bin\old.rar'
  Step: 19.D.1
  Detection: None
    No detection capability demonstrated for this procedure, though there was telemetry showing the creation of old.rar. A host query for the file showed that old.rar no longer existed, but no deletion event was seen.

  Procedure: Empire: 'del recycler.exe'
  Step: 19.D.2
  Detection: Telemetry
    Telemetry showed a deletion event for recycler.exe caused by powershell.exe.
  Screenshots:
    - Telemetry showing file deletion of recycler.exe


Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

Step 1: Initial Compromise

1.A.1 Execution

User Execution, Rundll32, Scripting

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port, Data Encoding, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig /all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner / User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist /v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators /domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user /domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george /domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Defense Evasion, Privilege Escalation

Access Token Manipulation, Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Defense Evasion, Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.2 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in hash dump capability executed

5.B.1 Defense Evasion, Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port, Multiband Communication, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account, Graphical User Interface, Account Discovery

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.B.1 Command and Control, Lateral Movement

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection, Credential Access

Input Capture, Application Window Discovery

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.D.1 Collection

Screen Capture, Process Injection

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Collection

Data from Network Shared Drive, Exfiltration Over Command and Control Channel

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Lateral Movement

Remote Desktop Protocol, Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access

11.A.1 Defense Evasion, Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol

i. Empire: C2 channel established

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig /all' via PowerShell

12.B.1 Discovery

System Owner/User Discovery

i. Empire: 'whoami /all /fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Defense Evasion, Execution

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner / User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Collection

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" /domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" /domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Defense Evasion, Privilege Escalation

Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

i. Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level

Step 15: Credential Access

15.A.1 Discovery

Application Window Discovery, Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force, Windows Admin Shares

i. Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda

16.B.1 Lateral Movement

Windows Admin Shares, Valid Accounts, Brute Force

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use /delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares, Valid Accounts

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.E.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Persistence, Privilege Escalation

New Service, Masquerading

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery, Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.B.1 Defense Evasion

File Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Defense Evasion

File Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence, Privilege Escalation

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged, Data from Network Shared Drive

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration

19.A.1 Defense Evasion

Masquerading, Remote File Copy

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.B.1 Exfiltration

Data Compressed, Data Encrypted, Masquerading

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.C.1 Exfiltration

Exfiltration over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfiltrate data through a network connection separate from the existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence, Privilege Escalation

Accessibility Features, Remote Desktop Protocol

i. magnify.exe, previously overwritten by cmd.exe, launched through RDP connection made to Creeper (10.0.0.4)

20.B.1 Discovery

System Owner / User Discovery

i. Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)