Endgame
Tactic Results: Discovery

Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column records where in the operational flow the procedure occurred; click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.
Legend

Main Detection Categories:
  None
  Telemetry
  Indicator of Compromise
  General Behavior
  Specific Behavior
  Enrichment

Detection Modifiers:
  Tainted
  Delayed
  Configuration Change
Columns: Technique | Procedure | Step | Detection Type | Detection Notes | Screenshots

System Network Configuration Discovery (T1016)

Procedure: Cobalt Strike: 'ipconfig /all' via cmd
Step: 2.A.1
Detection Type: General Behavior (Tainted)
Detection Notes: A General Behavior alert called Unusual Child Process of RunDLL32 was generated for cmd.exe executing ipconfig.exe with command-line arguments. The alert was tainted as part of the event tree under a parent Malicious File Detection.
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry within the event tree showed cmd.exe executing ipconfig.exe with command-line arguments (tainted by a parent Malicious File Detection).
Detection Type: General Behavior (Configuration Change, Delayed, Tainted)
Detection Notes: A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Screenshot: Unusual Child Process of RunDLL32 General Behavior alert caused by ipconfig.exe (tainted by parent Malicious File Detection)
Screenshot: Telemetry showing ipconfig.exe with command-line arguments (tainted by parent Malicious File Detection)
Screenshot: General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
Screenshot: Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
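The three detection rows above (a child-process rule, raw process telemetry, and a delayed sequence rule that fires on a burst of discovery commands, all "tainted" by a detection higher in the event tree) are reproduced here as an added example in Python. This is not Endgame's code or the evaluation's own tooling: the process tree, the alert on pid 100, the rule thresholds and the list of discovery images are constructed assumptions modelled on Step 2 of this table.

```python
"""Added example (not Endgame's code): toy versions of three things the
results table reports, run over a constructed process tree:
  - process telemetry with parent/child relationships,
  - an 'Enumeration Command Sequence' rule (N distinct discovery commands
    under one root process within a time window),
  - 'taint': a detection on an ancestor marks every descendant."""
from dataclasses import dataclass

# Images this page shows being used for Discovery (children of cmd/PowerShell).
DISCOVERY_IMAGES = {
    "ipconfig.exe", "arp.exe", "netsh.exe", "route.exe", "whoami.exe",
    "tasklist.exe", "qprocess.exe", "sc.exe", "net.exe", "systeminfo.exe",
    "reg.exe",
}
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    ts: float      # seconds from the start of the constructed step
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample modelled on Step 2: a process already carrying a
# Malicious File Detection spawns cmd.exe, which runs a burst of discovery
# commands; an unrelated explorer.exe child runs a single ipconfig.
EVENTS = [
    ProcessEvent(0.0, 100, 1,   "rundll32.exe", "rundll32.exe update.dll,Start"),
    ProcessEvent(1.0, 200, 100, "cmd.exe",      "cmd.exe"),
    ProcessEvent(2.0, 201, 200, "ipconfig.exe", "ipconfig /all"),
    ProcessEvent(3.5, 202, 200, "arp.exe",      "arp -a"),
    ProcessEvent(5.0, 203, 200, "tasklist.exe", "tasklist /v"),
    ProcessEvent(6.0, 204, 200, "sc.exe",       "sc query"),
    ProcessEvent(7.0, 205, 200, "net.exe",      "net localgroup administrators"),
    ProcessEvent(9.0, 300, 1,   "explorer.exe", "explorer.exe"),
    ProcessEvent(10.0, 301, 300, "ipconfig.exe", "ipconfig"),
]
# Detections already raised on a process, keyed by pid (constructed).
ALERTS = {100: "Malicious File Detection"}


def parent_map(events):
    return {e.pid: e.ppid for e in events}


def ancestor_alerts(pid, parents, alerts):
    """Alerts on any ancestor of pid: the page's 'tainted by a parent ...'."""
    found, seen = [], set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
        if pid in alerts:
            found.append(alerts[pid])
    return found


def root_of(pid, parents):
    """Topmost process in the tree for which telemetry exists."""
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def unusual_children_of_rundll32(events, alerts):
    """General Behavior rule: a shell spawned by rundll32.exe (cf. 2.A.1)."""
    images = {e.pid: e.image.lower() for e in events}
    parents = parent_map(events)
    return [
        {"pid": e.pid, "image": e.image,
         "tainted_by": ancestor_alerts(e.pid, parents, alerts)}
        for e in events
        if e.image.lower() in SHELLS and images.get(e.ppid) == "rundll32.exe"
    ]


def enumeration_command_sequences(events, alerts, threshold=4, window=60.0):
    """Delayed General Behavior rule: at least `threshold` distinct discovery
    images under one root process within `window` seconds. One alert per
    root, carrying the first window that crossed the threshold."""
    parents = parent_map(events)
    by_root = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.image.lower() in DISCOVERY_IMAGES:
            by_root.setdefault(root_of(e.pid, parents), []).append(e)
    found = []
    for root, evs in by_root.items():
        for i, first in enumerate(evs):
            win = [x for x in evs[i:] if x.ts - first.ts <= window]
            if len({x.image.lower() for x in win}) >= threshold:
                found.append({
                    "root_pid": root,
                    "commands": [x.cmdline for x in win],
                    "tainted_by": ancestor_alerts(first.pid, parents, alerts),
                })
                break
    return found


if __name__ == "__main__":
    for a in unusual_children_of_rundll32(EVENTS, ALERTS):
        print("Unusual child of rundll32:", a)
    for a in enumeration_command_sequences(EVENTS, ALERTS):
        print("Enumeration Command Sequence:", a)
```

The sequence rule is keyed on the root of the process tree rather than on the immediate parent, so discovery commands launched through several intermediate shells still accumulate in one window; the lone ipconfig under explorer.exe never reaches the threshold. The taint walk stops at the first process for which no telemetry exists, which is why one detection on the implant process marks every descendant in the tree, exactly as the "(Tainted)" modifiers in this table record.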

Procedure: Cobalt Strike: 'arp -a' via cmd
Step: 2.A.2
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry within the event tree showed cmd.exe executing arp.exe with command-line arguments (tainted by a parent Malicious File Detection).
Detection Type: General Behavior (Configuration Change, Delayed, Tainted)
Detection Notes: A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Screenshot: Telemetry showing arp.exe with command-line arguments (tainted by parent Malicious File Detection)
Screenshot: General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
Screenshot: Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Procedure: Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
Step: 4.B.1
Detection Type: Telemetry
Detection Notes: Telemetry showed the process creation of netsh.exe with command-line arguments.
Screenshot: Telemetry from event tree showing netsh.exe with command-line arguments

Procedure: Empire: 'route print' via PowerShell
Step: 12.A.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed powershell.exe executing route.exe with command-line arguments (tainted by parent PowerShell alerts).
Screenshot: Event tree view of telemetry showing route.exe with command-line arguments (tainted by parent PowerShell alerts)
Screenshot: Telemetry showing route.exe with command-line arguments

Procedure: Empire: 'ipconfig /all' via PowerShell
Step: 12.A.2
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments (tainted by parent PowerShell alerts).
Screenshot: Event tree view of telemetry showing ipconfig.exe with command-line arguments (tainted by parent PowerShell alerts)
Screenshot: Telemetry showing ipconfig.exe with command-line arguments

Procedure: Empire: WinEnum module included enumeration of network adapters
Step: 12.E.1.11
Detection Type: None
Detection Notes: No detection capability was demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and the WinEnum Get-NetInfo (Network Adapters) function was observed. The Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows logs to enhance baseline Endgame functionality.
Screenshot: Interactive Shell events showing the WinEnum script and the Network Adapters function (does not count as a detection due to the manual process of pulling events)

System Owner/User Discovery (T1033)

Procedure: Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
Step: 2.B.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry within the event tree showed cmd.exe executing echo with command-line arguments (tainted by a parent Malicious File Detection).
Detection Type: General Behavior (Configuration Change, Delayed, Tainted)
Detection Notes: A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Screenshot: Telemetry showing echo with command-line arguments (tainted by parent Malicious File Detection)
Screenshot: General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
Screenshot: Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Procedure: Empire: 'whoami /all /fo list' via PowerShell
Step: 12.B.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed powershell.exe executing whoami.exe with command-line arguments (tainted by parent PowerShell alerts). Telemetry is immediately available within the event tree and is then enriched with ATT&CK Techniques and Tactics, so this procedure is counted as two detections (Telemetry and Enrichment).
Detection Type: Enrichment (Delayed, Tainted)
Detection Notes: The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts.
Screenshot: Telemetry showing whoami.exe with command-line arguments
Screenshot: Enriched event tree showing enrichment of whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts; the tree is initially available unenriched, showing the base telemetry)
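The Enrichment rows on this page attach an ATT&CK technique and tactic to a process event some time after the telemetry itself appears. The added Python example below (not Endgame's code) shows that mapping step for the Discovery procedures in this table. The rule patterns, the treatment of 'echo' as a cmd.exe /c command line, and the sample events are assumptions built from the procedure descriptions; the technique numbers are the ones the page cites.

```python
"""Added example (not Endgame's code): mapping process telemetry to ATT&CK
Discovery techniques from the image and command line, as the 'Enrichment'
rows on this page describe. Rules are built from the procedures in the
table; net.exe is the interesting case because its sub-command, not the
image, decides the technique."""
import re

TACTIC = "Discovery"

# (pattern over "image args", technique id, technique name); first match wins.
RULES = [
    (r"^(ipconfig|arp|route)\.exe\b", "T1016", "System Network Configuration Discovery"),
    (r"^netsh\.exe\s+advfirewall\b", "T1016", "System Network Configuration Discovery"),
    (r"^whoami\.exe\b", "T1033", "System Owner/User Discovery"),
    # echo is a cmd builtin; assumed here to surface as a 'cmd.exe /c' command line
    (r"^cmd\.exe\s+/c\s+echo\s+%(username|userdomain)%", "T1033", "System Owner/User Discovery"),
    (r"^(tasklist|qprocess)\.exe\b", "T1057", "Process Discovery"),
    (r"^sc\.exe\s+(\\\\\S+\s+)?(query|qc)\b", "T1007", "System Service Discovery"),
    (r"^net1?\.exe\s+start\b", "T1007", "System Service Discovery"),
    (r"^systeminfo\.exe\b", "T1082", "System Information Discovery"),
    (r"^net1?\.exe\s+config\s+workstation\b", "T1082", "System Information Discovery"),
    (r"^net1?\.exe\s+(localgroup|group)\b", "T1069", "Permission Groups Discovery"),
    (r"^net1?\.exe\s+user\b", "T1087", "Account Discovery"),
    (r"^reg\.exe\s+query\b", "T1012", "Query Registry"),
]
COMPILED = [(re.compile(p, re.I), tid, name) for p, tid, name in RULES]


def normalize(image, cmdline):
    # C:\Windows\System32\net.exe + "net user /domain" -> "net.exe user /domain"
    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = cmdline.strip().split(None, 1)
    args = parts[1] if len(parts) > 1 else ""
    return f"{base} {args}".strip()


def enrich(image, cmdline):
    """Technique/tactic for one process event, or None when no rule applies.
    A UNC-style \\host argument marks the remote variants (the page's sc and
    reg procedures run against Creeper and Conficker)."""
    key = normalize(image, cmdline)
    for rx, tid, name in COMPILED:
        if rx.search(key):
            remote = re.search(r"\\\\([\w.-]+)", cmdline)
            return {"technique": tid, "name": name, "tactic": TACTIC,
                    "remote_target": remote.group(1) if remote else None}
    return None


# Constructed events mirroring procedures on this page: (image, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    (r"C:\Windows\System32\netsh.exe", "netsh advfirewall show allprofiles"),
    (r"C:\Windows\System32\whoami.exe", "whoami /all /fo list"),
    (r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    (r"C:\Windows\System32\net.exe", "net user george /domain"),
    (r"C:\Windows\System32\net.exe", "net start"),
    (r"C:\Windows\System32\sc.exe", r"sc \\Creeper qc AdobeUpdater"),
    (r"C:\Windows\System32\reg.exe", r"reg query \\10.0.0.5\HKLM\SOFTWARE"),
    (r"C:\Windows\System32\rundll32.exe", "rundll32.exe update.dll,Start"),
]


def enrich_all(events):
    """Enrich every (image, cmdline) pair; unmatched events come back as None."""
    return [(cmdline, enrich(image, cmdline)) for image, cmdline in events]


if __name__ == "__main__":
    for cmdline, result in enrich_all(SAMPLE_EVENTS):
        print(f"{cmdline!r:45} -> {result}")
```

Two things the results on this page make visible are built in: net.exe is enriched by sub-command (net start, net config, net localgroup/group and net user map to four different techniques, which is why an image-only rule cannot do this), and a \\host argument marks the remote discovery run against Creeper and Conficker. In-process discovery such as Beacon's 'ps' over Win32 APIs never produces a process event, so it never reaches this function; that is consistent with the None results recorded for it in the Process Discovery section of this table.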

Procedure: Empire: WinEnum module included enumeration of user information
Step: 12.E.1.1
Detection Type: None
Detection Notes: No detection capability was demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and the WinEnum Get-UserInfo function was observed. The Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows logs to enhance baseline Endgame functionality.
Screenshot: Interactive Shell events showing the WinEnum script and the Get-UserInfo function (does not count as a detection due to the manual process of pulling events)

Procedure: Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
Step: 20.B.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed whoami.exe was executed from magnify.exe. The telemetry was tainted by an alert on Windows File Name Mismatch - Accessibility Features. Telemetry is immediately available within the event tree and is then enriched with ATT&CK Techniques and Tactics, so this procedure is counted as two detections (Telemetry and Enrichment).
Detection Type: Enrichment (Delayed, Tainted)
Detection Notes: The capability enriched whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery). The enrichment was tainted by the Windows File Name Mismatch - Accessibility Features alert.
Screenshot: Telemetry from event tree showing execution of whoami.exe (tainted by parent alert on magnify.exe)
Screenshot: Enrichment of whoami.exe with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery) (tainted by the Windows File Name Mismatch alert; the tree is initially available unenriched, showing the base telemetry)

Process Discovery (T1057)

Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Step: 2.C.1
Detection Type: None
Detection Notes: No detection capability was demonstrated for this procedure. Beacon's 'ps' enumerates processes through Win32 APIs from within its own process, so no child process is created for process-creation telemetry to record.

Procedure: Cobalt Strike: 'tasklist /v' via cmd
Step: 2.C.2
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry within the event tree showed cmd.exe executing tasklist.exe with command-line arguments (tainted by a parent Malicious File Detection).
Detection Type: General Behavior (Configuration Change, Delayed, Tainted)
Detection Notes: A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Screenshot: Telemetry showing tasklist.exe with command-line arguments (tainted by parent Malicious File Detection)
Screenshot: General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
Screenshot: Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Step: 3.B.1
Detection Type: None
Detection Notes: No detection capability was demonstrated for this procedure.

Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Step: 8.B.1
Detection Type: None
Detection Notes: No detection capability was demonstrated for this procedure.

Procedure: Empire: 'qprocess *' via PowerShell
Step: 12.C.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed powershell.exe executing qprocess.exe with command-line arguments (tainted by parent PowerShell alerts).
Screenshot: Event tree view of telemetry showing qprocess.exe with command-line arguments (tainted by parent PowerShell alerts)

System Service Discovery (T1007)

Procedure: Cobalt Strike: 'sc query' via cmd
Step: 2.D.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry within the event tree showed cmd.exe executing sc.exe with command-line arguments (tainted by a parent Malicious File Detection).
Detection Type: General Behavior (Configuration Change, Delayed, Tainted)
Detection Notes: A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Screenshot: Telemetry showing sc.exe with command-line arguments (tainted by parent Malicious File Detection)
Screenshot: General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
Screenshot: Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Procedure: Cobalt Strike: 'net start' via cmd
Step: 2.D.2
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
Detection Type: General Behavior (Configuration Change, Delayed, Tainted)
Detection Notes: A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)
Screenshot: General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
Screenshot: Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Procedure: Empire: 'net start' via PowerShell
Step: 12.D.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed powershell.exe executing net.exe with command-line arguments (tainted by parent PowerShell alerts). Telemetry is immediately available within the event tree and is then enriched with ATT&CK Techniques and Tactics, so this procedure is counted as two detections (Telemetry and Enrichment).
Detection Type: Enrichment (Delayed, Tainted)
Detection Notes: The capability enriched net.exe with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts.
Screenshot: Telemetry showing net.exe with command-line arguments
Screenshot: Enriched event tree showing enrichment of net.exe with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts; the tree is initially available unenriched, showing the base telemetry)

Procedure: Empire: WinEnum module included enumeration of services
Step: 12.E.1.8
Detection Type: None
Detection Notes: No detection capability was demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and the WinEnum Services function was observed. The Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows logs to enhance baseline Endgame functionality.
Screenshot: Interactive Shell events showing the WinEnum script and the Services function (does not count as a detection due to the manual process of pulling events)

Procedure: Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
Step: 16.H.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed sc.exe execution to query services on Creeper. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. Telemetry is immediately available within the event tree and is then enriched with ATT&CK Techniques and Tactics, so this procedure is counted as two detections (Telemetry and Enrichment).
Detection Type: Enrichment (Delayed, Tainted)
Detection Notes: The capability enriched sc.exe with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts.
Screenshot: Telemetry showing sc.exe execution to query services on Creeper
Screenshot: Enrichment of sc.exe execution to query services on Creeper with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts; the tree is initially available unenriched, showing the base telemetry)

Procedure: Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
Step: 16.J.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed sc.exe execution to query the AdobeUpdater service on Creeper. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. Telemetry is immediately available within the event tree and is then enriched with ATT&CK Techniques and Tactics, so this procedure is counted as two detections (Telemetry and Enrichment).
Detection Type: Enrichment (Delayed, Tainted)
Detection Notes: The capability enriched sc.exe with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts.
Screenshot: Enriched event tree showing enrichment of sc.exe execution with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts; the tree is initially available unenriched, showing the base telemetry)

Procedure: Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
Step: 17.A.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed powershell.exe executing reg.exe with command-line arguments indicating a check of whether terminal services was enabled. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts.
Screenshot: Telemetry from event tree showing reg.exe
Screenshot: Event tree view showing tainted powershell.exe with reg.exe child process

System Information Discovery (T1082)

Procedure: Cobalt Strike: 'systeminfo' via cmd
Step: 2.E.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry within the event tree showed cmd.exe executing systeminfo.exe (tainted by a parent Malicious File Detection).
Detection Type: General Behavior (Configuration Change, Delayed, Tainted)
Detection Notes: A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Screenshot: Telemetry showing systeminfo.exe (tainted by parent Malicious File Detection)
Screenshot: General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
Screenshot: Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Procedure: Cobalt Strike: 'net config workstation' via cmd
Step: 2.E.2
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
Detection Type: General Behavior (Configuration Change, Delayed, Tainted)
Detection Notes: A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)
Screenshot: General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
Screenshot: Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Procedure: Empire: WinEnum module included enumeration of system information
Step: 12.E.1.6.1
Detection Type: None
Detection Notes: No detection capability was demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and the WinEnum Get-SysInfo function was observed. The Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows logs to enhance baseline Endgame functionality.
Screenshot: Interactive Shell events showing the WinEnum script and the Get-SysInfo function (does not count as a detection due to the manual process of pulling events)

Procedure: Empire: WinEnum module included enumeration of Windows update information
Step: 12.E.1.6.2
Detection Type: None
Detection Notes: No detection capability was demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and the WinEnum Windows Last Updated output was observed. The Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows logs to enhance baseline Endgame functionality.

Permission Groups Discovery (T1069)

Procedure: Cobalt Strike: 'net localgroup administrators' via cmd
Step: 2.F.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
Detection Type: Enrichment (Tainted)
Detection Notes: The capability enriched net.exe with an alert for Enumeration of Administrator Accounts (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Detection Type: General Behavior (Configuration Change, Delayed, Tainted)
Detection Notes: A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)
Screenshot: Enrichment of net.exe execution with command-line arguments with the Enumeration of Administrator Accounts alert (tagged with the correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery; tainted by parent Malicious File Detection)
Screenshot: General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
Screenshot: Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Procedure: Cobalt Strike: 'net localgroup administrators /domain' via cmd
Step: 2.F.2
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
Detection Type: Enrichment (Tainted)
Detection Notes: The capability enriched net.exe with an alert for Enumeration of Administrator Accounts (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Detection Type: General Behavior (Configuration Change, Delayed, Tainted)
Detection Notes: A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)
Screenshot: Enrichment of net.exe execution with command-line arguments with the Enumeration of Administrator Accounts alert (tagged with the correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery; tainted by parent Malicious File Detection)
Screenshot: General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
Screenshot: Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Procedure: Cobalt Strike: 'net group "Domain Admins" /domain' via cmd
Step: 2.F.3
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
Detection Type: Enrichment (Tainted)
Detection Notes: The capability enriched net.exe with an alert for Enumeration of Administrator Accounts (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Detection Type: General Behavior (Configuration Change, Delayed, Tainted)
Detection Notes: A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)
Screenshot: Enrichment of net.exe execution with command-line arguments with the Enumeration of Administrator Accounts alert (tagged with the correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery; tainted by parent Malicious File Detection)
Screenshot: General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
Screenshot: Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Procedure: Empire: WinEnum module included enumeration of AD group memberships
Step: 12.E.1.2
Detection Type: None
Detection Notes: No detection capability was demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and the WinEnum AD Group Memberships function was observed. The Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows logs to enhance baseline Endgame functionality.
Screenshot: Interactive Shell events showing the WinEnum script and the AD Group Memberships function (does not count as a detection due to the manual process of pulling events)

Procedure: Empire: 'net group "Domain Admins" /domain' via PowerShell
Step: 12.F.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). Telemetry is immediately available within the event tree and is then enriched with ATT&CK Techniques and Tactics, so this procedure is counted as two detections (Telemetry and Enrichment), in addition to the alert-based enrichment below.
Detection Type: Enrichment (Delayed, Tainted)
Detection Notes: The capability enriched net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts.
Detection Type: Enrichment (Tainted)
Detection Notes: An alert for Enumeration of Administrator Accounts provided enrichment to the net group command (tainted by parent PowerShell alerts). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Screenshot: Enriched event tree showing enrichment of net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts; the tree is initially available unenriched, showing the base telemetry)
Screenshot: Enrichment of net group by the Enumeration of Administrator Accounts alert (mapped to the correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)

Procedure: Empire: 'net localgroup administrators' via PowerShell
Step: 12.F.2
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). Telemetry is immediately available within the event tree and is then enriched with ATT&CK Techniques and Tactics, so this procedure is counted as two detections (Telemetry and Enrichment), in addition to the alert-based enrichment below.
Detection Type: Enrichment (Delayed, Tainted)
Detection Notes: The capability enriched net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts.
Detection Type: Enrichment (Tainted)
Detection Notes: An alert for Enumeration of Administrator Accounts provided enrichment to the net localgroup command (tainted by parent PowerShell alerts).
Screenshot: Enriched event tree showing enrichment of net.exe with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts; the tree is initially available unenriched, showing the base telemetry). The tree also shows the Enumeration of Administrator Accounts alert.

Account Discovery (T1087)

Procedure: Cobalt Strike: 'net user /domain' via cmd
Step: 2.G.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
Detection Type: General Behavior (Configuration Change, Delayed, Tainted)
Detection Notes: A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)
Screenshot: General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
Screenshot: Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Procedure: Cobalt Strike: 'net user george /domain' via cmd
Step: 2.G.2
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
Detection Type: General Behavior (Configuration Change, Delayed, Tainted)
Detection Notes: A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)
Screenshot: General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
Screenshot: Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Procedure: Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information
Step: 7.A.1
Detection Type: Telemetry
Detection Notes: Telemetry showed execution of mmc.exe, the Microsoft Management Console, loading lusrmgr.msc (the Local Users and Groups snap-in), which displays local account information.
Screenshot: Telemetry showing mmc.exe running lusrmgr.msc

Procedure: Empire: 'net user' via PowerShell
Step: 12.G.1
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). Telemetry is immediately available within the event tree and is then enriched with ATT&CK Techniques and Tactics, so this procedure is counted as two detections (Telemetry and Enrichment).
Detection Type: Enrichment (Delayed, Tainted)
Detection Notes: The capability enriched the event with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts.
Screenshot: Telemetry from event tree showing net.exe with command-line arguments (tainted by parent PowerShell alert)
Screenshot: Enriched event tree showing enrichment of net.exe with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts)

Procedure: Empire: 'net user /domain' via PowerShell
Step: 12.G.2
Detection Type: Telemetry (Tainted)
Detection Notes: Telemetry showed net.exe executing with command-line arguments (tainted by parent PowerShell alerts). Telemetry is immediately available within the event tree and is then enriched with ATT&CK Techniques and Tactics, so this procedure is counted as two detections (Telemetry and Enrichment).
Detection Type: Enrichment (Delayed, Tainted)
Detection Notes: The capability enriched the event with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts.
Screenshot: Enriched event tree showing enrichment of net.exe with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts; the tree is initially available unenriched, showing the base telemetry)
Query Registry
(T1012)
Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
2.H.1
Telemetry (Tainted)
  
 
Telemetry within the event tree showed cmd.exe executing reg.exe with command-line arguments (tainted by a parent Malicious File Detection).
General Behavior (Delayed, Tainted, Configuration Change)
  
   
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation so is identified as a configuration change.
Telemetry showing reg.exe with command-line arguments (tainted by parent Malicious File Detection)
General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
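The Enrichment detections above (mapping net.exe, reg.exe and similar process-creation events to an ATT&CK Technique and Tactic) and the delayed Enumeration Command Sequence alert (a specified number of discovery techniques within a specified time period) describe two pieces of detection logic. The following is an added example, not Endgame's code, that implements both over constructed process telemetry modelled on Step 2; the command-to-technique table, the threshold of 3 distinct techniques in a 60-second window, and the sample events are all assumptions.

```python
"""Added example: ATT&CK enrichment of process-creation telemetry plus a
windowed 'Enumeration Command Sequence' alert. Not Endgame code; the
mapping table, thresholds and sample events are constructed here."""
import shlex
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# Assumed mapping of (image, first argument) to an ATT&CK technique. A None
# argument is the fallback used when the first argument is not listed.
# Only commands that appear in Step 2 of the evaluation flow are covered.
TECHNIQUE_MAP: Dict[Tuple[str, Optional[str]], Tuple[str, str]] = {
    ("ipconfig.exe", None): ("T1016", "System Network Configuration Discovery"),
    ("arp.exe", "-a"): ("T1016", "System Network Configuration Discovery"),
    ("tasklist.exe", None): ("T1057", "Process Discovery"),
    ("sc.exe", "query"): ("T1007", "System Service Discovery"),
    ("net.exe", "start"): ("T1007", "System Service Discovery"),
    ("systeminfo.exe", None): ("T1082", "System Information Discovery"),
    ("net.exe", "config"): ("T1082", "System Information Discovery"),
    ("net.exe", "localgroup"): ("T1069", "Permission Groups Discovery"),
    ("net.exe", "group"): ("T1069", "Permission Groups Discovery"),
    ("net.exe", "user"): ("T1087", "Account Discovery"),
    ("reg.exe", "query"): ("T1012", "Query Registry"),
    ("netstat.exe", None): ("T1049", "System Network Connections Discovery"),
}


@dataclass
class ProcessEvent:
    ts: float          # seconds since start of capture (constructed)
    parent_pid: int    # pid of the spawning shell, e.g. the tainted cmd.exe
    image: str         # executable name as recorded by the sensor
    cmdline: str       # full command line as recorded by the sensor


def enrich(event: ProcessEvent) -> Optional[Tuple[str, str]]:
    """Map one process-creation event to (technique_id, technique_name).
    Returns None for commands outside the assumed discovery table."""
    try:
        tokens = shlex.split(event.cmdline, posix=False)  # keep Windows quoting
    except ValueError:
        tokens = event.cmdline.split()
    image = event.image.lower()
    first_arg = tokens[1].lower() if len(tokens) > 1 else None
    return TECHNIQUE_MAP.get((image, first_arg)) or TECHNIQUE_MAP.get((image, None))


class EnumerationSequenceDetector:
    """Raise an alert when at least `threshold` distinct discovery techniques
    are seen under one parent process within `window` seconds.
    Threshold and window are assumptions, not Endgame's configured values."""

    def __init__(self, threshold: int = 3, window: float = 60.0) -> None:
        self.threshold = threshold
        self.window = window
        self._seen: Dict[int, Deque[Tuple[float, str]]] = {}

    def observe(self, event: ProcessEvent) -> Optional[dict]:
        hit = enrich(event)
        if hit is None:
            return None                      # unenriched telemetry is not counted
        technique_id, _ = hit
        q = self._seen.setdefault(event.parent_pid, deque())
        q.append((event.ts, technique_id))
        while q and q[0][0] < event.ts - self.window:
            q.popleft()                      # drop entries outside the window
        distinct = sorted({tid for _, tid in q})
        if len(distinct) < self.threshold:
            return None
        alert = {"name": "Enumeration Command Sequence",
                 "parent_pid": event.parent_pid,
                 "window_start": q[0][0], "window_end": event.ts,
                 "techniques": distinct}
        q.clear()                            # one burst yields one alert
        return alert


# Constructed telemetry modelled on Step 2: a cmd.exe (pid 4242) under the
# injected rundll32 runs a series of discovery commands.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(0, 4242, "ipconfig.exe", "ipconfig /all"),
    ProcessEvent(5, 4242, "arp.exe", "arp -a"),
    ProcessEvent(12, 4242, "tasklist.exe", "tasklist /v"),
    ProcessEvent(20, 4242, "sc.exe", "sc query"),
    ProcessEvent(30, 4242, "net.exe", "net start"),
    ProcessEvent(45, 4242, "systeminfo.exe", "systeminfo"),
    ProcessEvent(60, 4242, "net.exe", "net config workstation"),
    ProcessEvent(75, 4242, "net.exe", "net localgroup administrators"),
    ProcessEvent(90, 4242, "net.exe", 'net group "Domain Admins" /domain'),
    ProcessEvent(95, 4242, "whoami.exe", "whoami"),  # not in the table: ignored
    ProcessEvent(200, 4242, "reg.exe",
                 r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]


def run_step2(events: List[ProcessEvent] = SAMPLE_EVENTS) -> List[dict]:
    """Feed the sample events through the detector and return the alerts."""
    detector = EnumerationSequenceDetector(threshold=3, window=60.0)
    return [a for a in (detector.observe(e) for e in events) if a is not None]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e.ts:>5}s {e.cmdline!r:55} -> {enrich(e)}")
    for alert in run_step2():
        print(alert)
```

The reg query at 200 s does not alert because the earlier entries have aged out of the window, which is the behaviour that makes such a rule fire on bursts of enumeration rather than on routine one-off administration.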
Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
6.A.1
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent Process Injection alert.
Telemetry showing reg with command-line arguments
Event tree view of telemetry showing reg with command-line arguments (tainted by parent Process Injection alert)
Empire: WinEnum module included enumeration of system information via a Registry query
12.E.1.7
None
  
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Get-SysInfo was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
Interactive Shell events showing the WinEnum script and the Get-SysInfo function (does not count as a detection due to manual process of pulling events)
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
13.C.1
Telemetry (Tainted)
  
 
Telemetry showed execution of reg.exe with command-line arguments (tainted by parent alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed, Tainted)
  
  
The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery) (tainted by parent alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enriched event tree showing enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery) (tainted by parent alert, tree is initially available unenriched to show the base telemetry)
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
17.A.1
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing reg.exe with command-line arguments. The telemetry was tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed, Tainted)
  
  
The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enriched event tree showing enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts, tree is initially available unenriched to show the base telemetry)
Event tree view showing tainted powershell.exe with reg.exe child process
Remote System Discovery
(T1018)
Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
4.A.1
Telemetry
  
Telemetry showed the process creation of net group with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed)
  
 
The capability enriched the net command with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Telemetry from event tree showing net with command-line arguments
Enriched event tree showing enrichment of net with related ATT&CK Technique (T1069 - Permission Groups Discovery) and correct Tactic (Discovery)
Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
4.A.2
Telemetry
  
Telemetry showed the process creation of net group with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed)
  
 
The capability enriched the net command with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Telemetry from event tree showing net with command-line arguments
Enriched event tree showing enrichment of net group command mapped to related ATT&CK Technique (T1069 - Permission Groups Discovery) and correct Tactic (Discovery)
Empire: 'net group "Domain Computers" /domain' via PowerShell
13.A.1
Telemetry (Tainted)
  
 
Telemetry showed net.exe executing with command-line arguments (tainted by parent alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed, Tainted)
  
  
The capability enriched net.exe with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery). The enrichment was tainted by a parent alert. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Telemetry from event tree showing net.exe with command-line arguments (tainted by parent alert)
Enriched event tree showing enrichment of net.exe with related ATT&CK Technique (T1069 - Permission Groups Discovery) and correct Tactic (Discovery) (tainted by parent alert)
System Network Connections Discovery
(T1049)
Cobalt Strike: 'netstat -ano' via cmd
4.C.1
Telemetry
  
Telemetry showed the process creation of netstat with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed)
  
 
The capability enriched the netstat command with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Telemetry from event tree showing netstat with command-line arguments
Additional UI view of telemetry (showing the netstat command in this instance)
Enriched event tree showing enrichment of netstat with correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery)
Empire: WinEnum module included enumeration of established network connections
12.E.1.12
Telemetry (Tainted)
  
 
An event tree from the suspicious PowerShell process showed a netstat subprocess that was created by WinEnum (tainted by parent PowerShell alerts). Though it does not count as part of the detection, the Interactive Shell could also be used to analyze the PowerShell execution and WinEnum Get-NetInfo-Network Adapters was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed, Tainted)
  
  
The capability enriched netstat.exe with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery). The enrichment was tainted by parent PowerShell alerts. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Event tree showing telemetry of netstat subprocess associated with WinEnum (tainted by parent PowerShell alerts)
Interactive Shell events showing the WinEnum script and the Netstat Established Connections and Processes function (does not count as a detection due to manual process of pulling events)
Enriched event tree showing enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry)
Empire: 'net use' via PowerShell
13.B.1
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was triggered for enumerating Windows network admin shares as part of Discovery (tainted by parent alert).
Telemetry (Tainted)
  
 
Telemetry showed execution of net.exe with command-line arguments (tainted by parent alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed, Tainted)
  
  
The capability enriched net.exe with the correct ATT&CK Technique (T1049 - System Network Connections Discovery), a related ATT&CK Technique (Remote System Discovery), and the correct Tactic (Discovery). The enrichment was tainted by a parent alert. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Specific Behavior alert for Discovery via network file share enumeration (tainted by parent alert)
Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery), related ATT&CK Technique (Remote System Discovery), and correct Tactic (Discovery) (tainted by parent alert, tree is initially available unenriched to show the base telemetry)
Empire: 'netstat -ano' via PowerShell
13.B.2
Telemetry (Tainted)
  
 
Telemetry showed execution of netstat.exe with command-line arguments (tainted by parent alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed, Tainted)
  
  
The capability enriched netstat.exe data with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery) (tainted by parent alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enriched event tree showing enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery) (tainted by parent alert, tree is initially available unenriched to show the base telemetry)
File and Directory Discovery
(T1083)
Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
8.A.1
Telemetry (Tainted)
  
 
Telemetry within an event tree (tainted by a parent Malicious File Detection) showed cmd.exe executing dir with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed, Tainted)
  
  
The capability enriched dir with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery). The enrichment was also tainted by a parent Malicious File Detection. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enriched event tree showing enrichment of dir with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery) (tainted by parent Malicious File Detection, tree is initially available unenriched to show the base telemetry)
Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
8.A.2
Telemetry (Tainted)
  
 
Telemetry within an event tree (tainted by a parent Malicious File Detection) showed cmd.exe executing tree with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed, Tainted)
  
  
The capability enriched tree with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery). The enrichment was also tainted by a parent Malicious File Detection. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enriched event tree showing enrichment of tree with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery) (tainted by parent Malicious File Detection, tree is initially available unenriched to show the base telemetry)
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
9.A.1
None
  
No detection capability demonstrated for this procedure.
Empire: WinEnum module included enumeration of recently opened files
12.E.1.4.1
None
  
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Last 5 files opened was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
Interactive Shell events showing the WinEnum script and the Last 5 files opened function (does not count as a detection due to manual process of pulling events)
Empire: WinEnum module included enumeration of interesting files
12.E.1.4.2
None
  
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Interesting Files was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
Interactive Shell events showing the WinEnum script and the Interesting Files function (does not count as a detection due to manual process of pulling events)
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
16.K.1
None
  
No detection capability demonstrated for this procedure.
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
18.A.1
None
  
No detection capability demonstrated for this procedure.
Application Window Discovery
(T1010)
Cobalt Strike: Keylogging capability included residual enumeration of application windows
8.C.1
None
  
No detection capability demonstrated for this procedure.
Empire: Built-in keylogging module included residual enumeration of application windows
15.A.1
None
  
No detection capability demonstrated for this procedure.
Password Policy Discovery
(T1201)
Empire: WinEnum module included enumeration of password policy information
12.E.1.3
None
  
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Password Last changed was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
Interactive Shell events showing the WinEnum script and the Password Last Changed function (does not count as a detection due to manual process of pulling events)
Network Share Discovery
(T1135)
Empire: WinEnum module included enumeration of available shares
12.E.1.9.1
None
  
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Available Shares was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
Interactive Shell events showing the WinEnum script and the Available Shares function (does not count as a detection due to manual process of pulling events)
Empire: WinEnum module included enumeration of mapped network drives
12.E.1.9.2
None
  
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Mapped Network Drives was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
Interactive Shell events showing the WinEnum script and the Mapped Network Drives function (does not count as a detection due to manual process of pulling events)
Security Software Discovery
(T1063)
Empire: WinEnum module included enumeration of AV solutions
12.E.1.10.1
None
  
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum AV Solution was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
Interactive Shell events showing the WinEnum script and the AV Solution function (does not count as a detection due to manual process of pulling events)
Empire: WinEnum module included enumeration of firewall rules
12.E.1.10.2
None
  
No detection capability demonstrated for this procedure, though the Interactive Shell was used to analyze the PowerShell execution and WinEnum Firewall Rules was observed. Interactive Shell was not by itself considered telemetry, but the analyst can retrieve additional Windows Logs to enhance baseline Endgame functionality.
Interactive Shell events showing the WinEnum script and the Firewall Rules function (does not count as a detection due to manual process of pulling events)


Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

Step 1: Initial Compromise

1.A.1 Execution

User Execution, Rundll32, Scripting

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port, Data Encoding, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig /all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner / User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist /v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators /domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user /domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george /domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Defense Evasion, Privilege Escalation

Access Token Manipulation, Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Defense Evasion, Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.2 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in hash dump capability executed

5.B.1 Defense Evasion, Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port, Multiband Communication, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account, Graphical User Interface, Account Discovery

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.B.1 Command and Control, Lateral Movement

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection, Credential Access

Input Capture, Application Window Discovery

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.D.1 Collection

Screen Capture, Process Injection

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Collection

Data from Network Shared Drive, Exfiltration Over Command and Control Channel

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Lateral Movement

Remote Desktop Protocol, Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access

11.A.1 Defense Evasion, Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol

i. Empire: C2 channel established

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig /all' via PowerShell

12.B.1 Discovery

System Owner/User Discovery

i. Empire: 'whoami /all /fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Defense Evasion, Execution

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner / User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Collection

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" /domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" /domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Defense Evasion, Privilege Escalation

Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

i. Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level

Step 15: Credential Access

15.A.1 Discovery

Application Window Discovery, Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force, Windows Admin Shares

i. Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda

16.B.1 Lateral Movement

Windows Admin Shares, Valid Accounts, Brute Force

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use /delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares, Valid Accounts

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.E.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Persistence, Privilege Escalation

New Service, Masquerading

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery, Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.B.1 Defense Evasion

File Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Defense Evasion

File Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence, Privilege Escalation

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged, Data from Network Shared Drive

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration

19.A.1 Defense Evasion

Masquerading, Remote File Copy

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.B.1 Exfiltration

Data Compressed, Data Encrypted, Masquerading

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.C.1 Exfiltration

Exfiltration over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfiltrate data through a network connection separate from the existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence, Privilege Escalation

Accessibility Features, Remote Desktop Protocol

i. magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)

20.B.1 Discovery

System Owner / User Discovery

i. Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)