Countercept
F-Secure
F-Secure Overview Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment

Detection Modifiers: Tainted, Delayed, Configuration Change
Columns: Step, Procedures, Technique, Detection Type, Detection Notes, Screenshots
1.A.1
Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
User Execution
(T1204)
General Behavior
  
A General Behavior alert was generated for the execution of a rare file (Resume Viewer.exe). The vendor reported that this behavior would have been prevented from executing. Screenshot is unavailable due to sensitivity of alert logic.
Telemetry
  
Telemetry showed the execution of Resume Viewer.exe as a process. 
Telemetry showing the execution of Resume Viewer.exe
Rundll32
(T1085)
General Behavior
  
A General Behavior alert was generated for an unusual call to rundll32.exe. Screenshot is unavailable due to sensitivity of alert logic.
Specific Behavior
  
A Specific Behavior alert was generated for rundll32.exe executing in a way typical for rundll32 injections. Screenshot is unavailable due to sensitivity of alert logic.
Telemetry
  
Telemetry showed rundll32.exe executing update.dat. 
Telemetry showing rundll32.exe executing update.dat
Scripting
(T1064)
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running pdfhelper.cmd) has been tagged for monitoring because its parent process has a detection (Resume Viewer.exe). Screenshot is unavailable due to sensitivity of alert logic.
Telemetry
  
Telemetry showed pdfhelper.cmd was executed by cmd.exe. 
Telemetry showing the execution of pdfhelper.cmd
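The "tagged for monitoring because its parent process has a detection" alerts in this step and throughout the Discovery steps describe a taint that flows down the process tree from the first detection. The following is an added example of that propagation, written for this page and not F-Secure Countercept's own logic. It assumes process-creation telemetry carrying pid, ppid, image and command line (the fields Sysmon Event ID 1 provides); the sample events and their parent/child relationships are constructed for the illustration.

```python
"""Added example: propagate a detection to descendant processes.

Illustrative code, not F-Secure Countercept's logic. Assumes process-creation
telemetry with pid, ppid, image and command line (Sysmon Event ID 1 fields).
The events below are constructed; the parent/child links are assumed.
"""
from collections import defaultdict

# Constructed process-creation events mirroring the 1.A.1 chain.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",      "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "Resume Viewer.exe", "cmd": '"Resume Viewer.exe"'},
    {"pid": 210, "ppid": 200, "image": "cmd.exe",           "cmd": "cmd.exe /c pdfhelper.cmd"},
    {"pid": 220, "ppid": 200, "image": "rundll32.exe",      "cmd": "rundll32.exe update.dat"},
    {"pid": 230, "ppid": 220, "image": "cmd.exe",           "cmd": "cmd.exe /c ipconfig /all"},
    {"pid": 231, "ppid": 230, "image": "ipconfig.exe",      "cmd": "ipconfig /all"},
    {"pid": 300, "ppid": 100, "image": "notepad.exe",       "cmd": "notepad.exe"},
]


def taint_descendants(events, seed_pids):
    """Return {pid: reason} for every seed process and everything it spawned,
    directly or indirectly. A descendant inherits the taint with a reason
    naming the parent that carried the detection."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])

    tainted = {}
    stack = [(pid, None) for pid in seed_pids]
    while stack:
        pid, parent = stack.pop()
        if pid in tainted:
            continue  # already visited; also guards against loops from pid reuse
        if parent is None:
            tainted[pid] = "seed detection"
        else:
            p = by_pid[parent]
            tainted[pid] = f"parent {p['image']} (pid {parent}) has a detection"
        stack.extend((child, pid) for child in children[pid])
    return tainted


def should_tag(event, tainted):
    """Streaming form: as each new process-creation event arrives, tag it when
    its parent is already tainted."""
    return event["ppid"] in tainted


if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in EVENTS}
    for pid, why in sorted(taint_descendants(EVENTS, {200}).items()):
        print(f"{pid:>4}  {by_pid[pid]['cmd']:<28} {why}")
```

The batch form answers "what did this detection touch?" after the fact; the streaming form is what an agent does as events arrive, and it is why every cmd.exe, net.exe and reg.exe under rundll32.exe in the Discovery steps carries a General Behavior alert without any rule specific to that command.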
1.B.1
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Registry Run Keys / Startup Folder
(T1060)
Telemetry
  
Telemetry showed cmd.exe executing autoupdate.bat from within the Startup folder.
Telemetry showing the autoupdate.bat within the Startup folder
1.C.1
Cobalt Strike: C2 channel established
Commonly Used Port
(T1043)
None
  
No detection capability demonstrated for this procedure.
Data Encoding
(T1132)
Telemetry
  
Telemetry showed a trace of encoded DNS queries being made by rundll32.exe to freegoogleadsenseinfo.com (C2 domain).
Telemetry showing rundll32 making encoded DNS queries
Standard Application Layer Protocol
(T1071)
Telemetry
  
Telemetry showed a trace of DNS queries being made by rundll32.exe to freegoogleadsenseinfo.com (C2 domain).
Telemetry showing rundll32 making DNS queries
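Step 1.C.1's telemetry shows encoded DNS queries from rundll32.exe to the C2 domain. The following added example (not the vendor's detection logic) scores DNS query names by subdomain label length and character entropy, then counts, per process and apex domain, how many such queries were sent. The queries, thresholds and two-label apex rule are assumptions, and the hex labels are made up.

```python
"""Added example: flag a process sending encoded-looking DNS queries to one apex.

Illustrative, not F-Secure's logic. Sample queries are constructed; the hex
labels are random-looking strings made up for the example, and the thresholds
are assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed (process, queried name) pairs.
SAMPLE_QUERIES = [
    ("rundll32.exe", "a1f9c3e7b2d4f6a8c0e1b3d5f7a9c2e4.freegoogleadsenseinfo.com"),
    ("rundll32.exe", "9b2e4d6f8a0c1e3b5d7f9a1c3e5b7d9f.freegoogleadsenseinfo.com"),
    ("rundll32.exe", "c4e6a8b0d2f4a6c8e0b2d4f6a8c0e2b4.freegoogleadsenseinfo.com"),
    ("chrome.exe",   "www.example.com"),
    ("chrome.exe",   "mail.example.com"),
    ("svchost.exe",  "ctldl.windowsupdate.com"),
]


def shannon_entropy(s):
    """Bits per character: at most 4.0 for a hex alphabet, 5.0 for base32."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(name, apex_labels=2):
    """Return (subdomain labels, apex). A two-label apex is a simplification;
    real code needs a public-suffix list for names like example.co.uk."""
    parts = name.rstrip(".").lower().split(".")
    return parts[:-apex_labels], ".".join(parts[-apex_labels:])


def query_reasons(name, long_label=24, entropy_floor=3.5):
    """Per-query indicators that the subdomain carries encoded data."""
    sub, _ = split_name(name)
    reasons = []
    longest = max((len(label) for label in sub), default=0)
    if longest >= long_label:
        reasons.append(f"label length {longest}")
    ent = shannon_entropy("".join(sub))
    if ent >= entropy_floor:
        reasons.append(f"subdomain entropy {ent:.2f}")
    return reasons


def flag_processes(queries, min_hits=3):
    """Aggregate per (process, apex). One odd-looking name is weak evidence;
    a process repeatedly sending such names to the same apex is the signal."""
    hits = defaultdict(int)
    for process, name in queries:
        if query_reasons(name):
            _, apex = split_name(name)
            hits[(process, apex)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for (process, apex), n in flag_processes(SAMPLE_QUERIES).items():
        print(f"{process} sent {n} encoded-looking queries to {apex}")
```

Aggregating by process is what makes the rundll32.exe attribution in the telemetry useful: the same three names seen only at a resolver would be much harder to act on.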
2.A.1
Cobalt Strike: 'ipconfig /all' via cmd
System Network Configuration Discovery
(T1016)
General Behavior
  
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing ipconfig) which was identified as extremely rare and suspicious.
Enrichment
  
The capability enriched ipconfig.exe with a tag identifying the command as enumeration.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running ipconfig) has been tagged for monitoring because its parent process has a detection (rundll32.exe).
General Behavior alert for rundll32.exe launching cmd.exe (executing ipconfig)
Enrichment of ipconfig.exe with a tag identifying the command as enumeration
General Behavior alert showing that a spawned process (cmd.exe running ipconfig) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
2.A.2
Cobalt Strike: 'arp -a' via cmd
System Network Configuration Discovery
(T1016)
Enrichment
  
The capability enriched arp.exe indicating its usage can be a sign of reconnaissance.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running arp) has been tagged for monitoring because its parent process has a detection (cmd.exe).
Enrichment of arp.exe indicating its usage can be a sign of reconnaissance
General Behavior alert showing that a spawned process (cmd.exe running arp) has been tagged for monitoring because its parent process has a detection (cmd.exe)
2.B.1
Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
System Owner / User Discovery
(T1033)
General Behavior
  
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing the echo command) which was identified as extremely rare and suspicious.
Telemetry
  
Telemetry showed cmd.exe executing the echo command.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running echo) has been tagged for monitoring because its parent process has a detection (rundll32.exe).
General Behavior alert for rundll32.exe launching cmd.exe (executing the echo command)
Telemetry showing cmd.exe executing the echo command
A General Behavior alert showing that a spawned process (cmd.exe running echo) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
2.C.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
  
No detection capability demonstrated for this procedure.
2.C.2
Cobalt Strike: 'tasklist /v' via cmd
Process Discovery
(T1057)
General Behavior
  
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing tasklist) which was identified as extremely rare and suspicious.
Telemetry
  
Telemetry showed cmd.exe executing tasklist.exe along with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running tasklist) has been tagged for monitoring because its parent process has a detection (cmd.exe).
General Behavior alert for rundll32.exe launching cmd.exe (executing tasklist)
Telemetry showing tasklist.exe with command-line arguments
General Behavior alert showing that a spawned process (cmd.exe running tasklist) has been tagged for monitoring because its parent process has a detection (cmd.exe)
2.D.1
Cobalt Strike: 'sc query' via cmd
System Service Discovery
(T1007)
Telemetry
  
Telemetry showed cmd.exe executing sc with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running sc) has been tagged for monitoring because its parent process has a detection (rundll32.exe).
General Behavior alert showing that a spawned process (cmd.exe running sc) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
2.D.2
Cobalt Strike: 'net start' via cmd
System Service Discovery
(T1007)
General Behavior
  
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net) which was identified as extremely rare and suspicious.
Telemetry
  
Telemetry showed cmd.exe executing net.exe with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe).
General Behavior alert for rundll32.exe launching cmd.exe (executing net)
Telemetry showing net.exe with command-line arguments
General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
2.E.1
Cobalt Strike: 'systeminfo' via cmd
System Information Discovery
(T1082)
Enrichment
  
The capability enriched systeminfo.exe indicating it could be used for reconnaissance.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running systeminfo) has been tagged for monitoring because its parent process has a detection (rundll32.exe).
Enrichment of systeminfo.exe indicating it could be used for reconnaissance.
General Behavior alert showing that a spawned process (cmd.exe running systeminfo) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
2.E.2
Cobalt Strike: 'net config workstation' via cmd
System Information Discovery
(T1082)
General Behavior
  
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net) which was identified as extremely rare and suspicious.
Enrichment
  
The capability enriched net.exe indicating it is commonly used for reconnaissance.
Telemetry
  
Telemetry showed cmd.exe executing net.exe with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe).
General Behavior alert for rundll32.exe launching cmd.exe (executing net)
Enrichment of net.exe indicating it is commonly used for reconnaissance
Telemetry showing net.exe with command-line arguments
General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
2.F.1
Cobalt Strike: 'net localgroup administrators' via cmd
Permission Groups Discovery
(T1069)
General Behavior
  
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net) which was identified as extremely rare and suspicious.
Enrichment
  
The capability enriched net.exe indicating it is commonly used for reconnaissance.
Telemetry
  
Telemetry showed cmd.exe executing net with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe).
General Behavior alert for rundll32.exe launching cmd.exe (executing net)
Enrichment of net.exe indicating it is commonly used for reconnaissance
Telemetry showing net.exe with command-line arguments
General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
2.F.2
Cobalt Strike: 'net localgroup administrators /domain' via cmd
Permission Groups Discovery
(T1069)
General Behavior
  
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net) which was identified as extremely rare and suspicious.
Enrichment
  
The capability enriched net.exe indicating it is commonly used for reconnaissance.
Telemetry
  
Telemetry showed cmd.exe executing net with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (cmd.exe).
General Behavior alert for rundll32.exe launching cmd.exe (executing net)
Enrichment of net.exe indicating it is commonly used for reconnaissance
Telemetry showing net.exe with command-line arguments
General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (cmd.exe)
2.F.3
Cobalt Strike: 'net group "Domain Admins" /domain' via cmd
Permission Groups Discovery
(T1069)
Enrichment
  
The capability enriched net.exe indicating it is commonly used for reconnaissance.
Telemetry
  
Telemetry showed cmd.exe executing net with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe).
Enrichment of net.exe indicating it is commonly used for reconnaissance
Telemetry showing net.exe with command-line arguments
General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
2.G.1
Cobalt Strike: 'net user /domain' via cmd
Account Discovery
(T1087)
General Behavior
  
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net) which was identified as extremely rare and suspicious.
Enrichment
  
The capability enriched net.exe with a tag identifying the command as enumeration.
General Behavior alert for rundll32.exe launching cmd.exe (executing net)
Enrichment of net.exe with a tag identifying the command as enumeration
2.G.2
Cobalt Strike: 'net user george /domain' via cmd
Account Discovery
(T1087)
Enrichment
  
The capability enriched net.exe with a tag identifying the command as enumeration.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (cmd.exe).
Enrichment of net.exe with a tag identifying the command as enumeration
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (cmd.exe)
2.H.1
Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
Query Registry
(T1012)
Enrichment
  
The capability enriched reg.exe indicating that a sensitive registry key was accessed, possibly as part of reconnaissance.
General Behavior
  
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing reg) which was identified as extremely rare and suspicious.
Telemetry
  
Telemetry showed cmd.exe executing reg with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running reg) has been tagged for monitoring because its parent process has a detection (rundll32.exe).
Enrichment of reg.exe indicating that a sensitive registry key was accessed, possibly as part of reconnaissance
General Behavior alert for rundll32.exe launching cmd.exe (executing reg)
Telemetry showing reg.exe with command-line arguments
General Behavior alert showing that a spawned process (cmd.exe running reg) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
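Two patterns recur through step 2: a parent/child pair (rundll32.exe launching cmd.exe) judged extremely rare, and Enrichment tags on discovery commands such as ipconfig, arp, net, systeminfo, tasklist and reg query. The following added example (not F-Secure's logic; the baseline counts, the rarity threshold and the tag names are assumptions) scores a pair against a constructed baseline of process-creation pairs and attaches a tag derived from the command line. It generalizes the net and sc handling to their subcommands, which the rows above only show one at a time.

```python
"""Added example: rate a parent/child pair against a baseline and tag discovery commands.

Illustrative, not F-Secure's logic. The baseline, threshold and tag vocabulary
are assumptions made for this example.
"""
from collections import Counter
import ntpath

# Constructed baseline: (parent image, child image) pairs over a quiet period.
BASELINE = (
    [("explorer.exe", "cmd.exe")] * 40
    + [("cmd.exe", "ipconfig.exe")] * 12
    + [("cmd.exe", "net.exe")] * 5
    + [("services.exe", "svchost.exe")] * 300
    + [("svchost.exe", "rundll32.exe")] * 60
    + [("explorer.exe", "rundll32.exe")] * 25
)

# Tag vocabulary for common discovery commands (my labels, not the vendor's).
IMAGE_TAGS = {
    "ipconfig": "network-config enumeration",
    "arp": "network-config enumeration",
    "route": "network-config enumeration",
    "netsh": "network-config enumeration",
    "netstat": "network-connection enumeration",
    "systeminfo": "host enumeration",
    "tasklist": "process enumeration",
    "qprocess": "process enumeration",
    "whoami": "user enumeration",
    "sc": "service enumeration",
}
NET_SUBCOMMAND_TAGS = {
    "user": "account enumeration",
    "group": "group enumeration",
    "localgroup": "group enumeration",
    "start": "service enumeration",
    "config": "host enumeration",
}


def build_pair_counts(baseline):
    return Counter(baseline)


def is_rare_pair(parent, child, pair_counts, min_count=3):
    """A pair seen fewer than min_count times in the baseline (never included)."""
    return pair_counts[(parent.lower(), child.lower())] < min_count


def image_name(token):
    """Normalize 'C:\\Windows\\System32\\net.exe', '"net.exe"' or 'net' to 'net.exe'."""
    name = ntpath.basename(token.strip('"')).lower()
    return name if "." in name else name + ".exe"


def enrich(cmdline):
    """Return a discovery tag for the command line, or None."""
    tokens = cmdline.split()
    if not tokens:
        return None
    stem = image_name(tokens[0]).rsplit(".", 1)[0]
    sub = tokens[1].lower() if len(tokens) > 1 else ""
    if stem == "net":
        return NET_SUBCOMMAND_TAGS.get(sub)        # net user / group / localgroup / start / config
    if stem == "reg":
        return "registry query (possible recon)" if sub == "query" else None
    if stem == "sc":
        return IMAGE_TAGS["sc"] if sub == "query" else None   # 'sc start' is not discovery
    return IMAGE_TAGS.get(stem)


def triage(parent_image, cmdline, pair_counts):
    """Combine both signals for one process-creation event."""
    child_image = image_name(cmdline.split()[0])
    return {
        "child": child_image,
        "rare_pair": is_rare_pair(parent_image, child_image, pair_counts),
        "tag": enrich(cmdline),
    }


if __name__ == "__main__":
    counts = build_pair_counts(BASELINE)
    print(triage("rundll32.exe", "cmd.exe /c ipconfig /all", counts))   # rare pair, no tag
    print(triage("cmd.exe", "ipconfig /all", counts))                   # common pair, tagged
```

Neither signal alone is an alert: cmd.exe running ipconfig is routine, and a never-seen parent/child pair can be a freshly installed tool. The two land on consecutive events in the same tree, which is how the page's General Behavior and Enrichment entries line up for each procedure.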
3.A.1
Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Access Token Manipulation
(T1134)
Telemetry
  
Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent logon event for user Debbie with an elevated token, indicating token manipulation.
Telemetry showing svchost.exe executed with the seclogon command-line argument
Telemetry showing logon event for user Debbie with an elevated token
Bypass User Account Control
(T1088)
Enrichment
  
The capability enriched an unelevated svchost.exe spawning an elevated powershell.exe process with a tag indicating a possible UAC Bypass.
Enrichment of an unelevated svchost.exe spawning an elevated powershell.exe process with a tag indicating a possible UAC Bypass.
3.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
  
No detection capability demonstrated for this procedure.
3.C.1
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Process Injection
(T1055)
Specific Behavior
  
A Specific Behavior alert was generated for PowerShell opening a handle to a system process with access rights typical for a known PowerShell injection pattern, identified as a sign of code injection.
Specific Behavior alert for PowerShell opening a handle to a system process with access rights typical for a known PowerShell injection pattern, identified as a sign of code injection
4.A.1
Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
Remote System Discovery
(T1018)
Enrichment
  
The capability enriched net.exe indicating that it was run with commands commonly used for reconnaissance.
Telemetry
  
Telemetry showed cmd.exe executing net with command-line arguments.
Enrichment of net.exe indicating that it was run with commands commonly used for reconnaissance
Telemetry showing net.exe with command-line arguments
4.A.2
Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
Remote System Discovery
(T1018)
Enrichment
  
The capability enriched net.exe indicating that it was run with commands commonly used for reconnaissance.
Telemetry
  
Telemetry showed cmd.exe executing net with command-line arguments.
Enrichment of net.exe indicating that it was run with commands commonly used for reconnaissance
Telemetry showing net.exe with command-line arguments
4.B.1
Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
System Network Configuration Discovery
(T1016)
Telemetry
  
Telemetry showed cmd.exe executing netsh.exe with command-line arguments.
Telemetry showing netsh.exe with command-line arguments
4.C.1
Cobalt Strike: 'netstat -ano' via cmd
System Network Connections Discovery
(T1049)
Enrichment
  
The capability enriched netstat.exe with a tag identifying the command as enumeration.
Enrichment of netstat.exe with a tag identifying the command as enumeration
5.A.1
Cobalt Strike: Built-in Mimikatz credential dump capability executed
Credential Dumping
(T1003)
None
  
No detection capability demonstrated for this procedure.
Process Injection
(T1055)
None
  
No detection capability demonstrated for this procedure.
5.A.2
Cobalt Strike: Built-in hash dump capability executed
Credential Dumping
(T1003)
Enrichment
  
The capability enriched svchost.exe injecting a thread into lsass.exe with a tag identifying credential dumping.
Enrichment of svchost.exe injecting a thread into lsass.exe with a tag identifying credential dumping
Process Injection
(T1055)
Enrichment
  
The capability enriched svchost.exe injecting a thread into lsass.exe with a tag identifying thread injection.
Enrichment of svchost.exe injecting a thread into lsass.exe with a tag identifying thread injection
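Steps 3.C.1 and 5.A.2 are both detected from the access rights requested on a process handle: PowerShell opening a system process with injection-typical rights, and svchost.exe opening lsass.exe to inject a thread. The following added example (not the vendor's logic) decodes the GrantedAccess mask of events shaped like Sysmon Event ID 10 and classifies them. The constants are the Windows process access rights from winnt.h; the events and the same-image exclusion are assumptions.

```python
"""Added example: classify process-handle telemetry by requested access rights.

Illustrative, not F-Secure's logic. Assumes events shaped like Sysmon Event
ID 10 (source image, target image, GrantedAccess); the events are constructed.
"""

# Process access rights from winnt.h.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0020   # create thread + reserve/commit + write
LSASS_READ = 0x0010                         # enough to read credential material

# Constructed events.
SAMPLE_EVENTS = [
    {"source": "powershell.exe",  "target": "cmd.exe",    "access": 0x1F0FFF},  # PROCESS_ALL_ACCESS
    {"source": "svchost.exe",     "target": "lsass.exe",  "access": 0x1FFFFF},
    {"source": "backupagent.exe", "target": "lsass.exe",  "access": 0x1010},
    {"source": "taskmgr.exe",     "target": "lsass.exe",  "access": 0x1400},    # query only
    {"source": "chrome.exe",      "target": "chrome.exe", "access": 0x1FFFFF},  # same image
]


def decode_mask(mask):
    return [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]


def classify(event):
    """Findings for one handle-open event (empty list means nothing to say)."""
    mask, target = event["access"], event["target"].lower()
    findings = []
    if event["source"].lower() == target:
        return findings   # same-image opens (browser/child sandboxes) are noise here
    can_inject = (mask & INJECT_RIGHTS) == INJECT_RIGHTS   # parenthesize: == binds before &
    if can_inject:
        findings.append("injection-capable handle")
    if target == "lsass.exe" and mask & LSASS_READ:
        findings.append("lsass memory read")
    if target == "lsass.exe" and can_inject:
        findings.append("thread injection into lsass")
    return findings


def triage(events):
    return [(e["source"], e["target"], hex(e["access"]), classify(e))
            for e in events if classify(e)]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The third sample (a read-only handle to lsass.exe from an unfamiliar image) is the case that distinguishes 5.A.1 from 5.A.2 on this page: Mimikatz-style dumping needs only PROCESS_VM_READ, so a rule keyed on thread creation sees the hash-dump injection but not the read. Any real deployment also needs an allowlist for backup and AV agents that legitimately read lsass.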
5.B.1
Cobalt Strike: Built-in token theft capability executed to change user context to George
Access Token Manipulation
(T1134)
Telemetry
  
Telemetry showed a cmd.exe associated with user Debbie spawn a cmd.exe associated with user George, indicating user context change via token manipulation.
Telemetry showing a cmd.exe associated with user Debbie spawn a cmd.exe associated with user George, indicating user context change via token manipulation
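Steps 3.A.1 and 5.B.1 are both cases where a child process's security context differs from its parent's: an elevated powershell.exe under an unelevated svchost.exe, and a cmd.exe running as George under a cmd.exe running as Debbie. The following added example (not F-Secure's logic) joins each process-creation record to its parent by pid and flags a higher integrity level or a different user. The events, their integrity values and the allowlist of brokers that legitimately change user are assumptions.

```python
"""Added example: flag a child whose integrity level or user differs from its parent's.

Illustrative, not F-Secure's logic. Assumes process-creation records carrying
user and integrity level (Sysmon Event ID 1 fields); the parent's values are
joined in by parent pid. Events are constructed to mirror 3.A.1 and 5.B.1 as
the page describes them.
"""

LEVEL = {"low": 0, "medium": 1, "high": 2, "system": 3}

# Parents that legitimately start processes as another user. Illustrative
# allowlist; tune to the environment.
BROKER_IMAGES = {"services.exe", "winlogon.exe", "wininit.exe", "consent.exe"}

EVENTS = [
    {"pid": 10, "ppid": 1,  "image": "services.exe",   "user": "NT AUTHORITY\\SYSTEM", "integrity": "System"},
    {"pid": 11, "ppid": 10, "image": "svchost.exe",    "user": "NT AUTHORITY\\SYSTEM", "integrity": "System"},
    # seclogon host, unelevated, as the 3.A.1 enrichment describes it
    {"pid": 20, "ppid": 10, "image": "svchost.exe",    "user": "CORP\\Debbie",         "integrity": "Medium"},
    {"pid": 30, "ppid": 20, "image": "powershell.exe", "user": "CORP\\Debbie",         "integrity": "High"},
    {"pid": 40, "ppid": 30, "image": "cmd.exe",        "user": "CORP\\Debbie",         "integrity": "High"},
    {"pid": 41, "ppid": 40, "image": "cmd.exe",        "user": "CORP\\George",         "integrity": "High"},
    {"pid": 50, "ppid": 10, "image": "spoolsv.exe",    "user": "NT AUTHORITY\\SYSTEM", "integrity": "System"},
]


def findings(events):
    """Return [(pid, reason)] for every child that gained integrity over its
    parent, or runs as a different user under a parent that is not a broker."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue   # parent started before collection began; nothing to compare
        if LEVEL[e["integrity"].lower()] > LEVEL[parent["integrity"].lower()]:
            out.append((e["pid"], f"integrity {e['integrity']} above parent "
                                  f"{parent['image']} ({parent['integrity']})"))
        if (e["user"].lower() != parent["user"].lower()
                and parent["image"].lower() not in BROKER_IMAGES):
            out.append((e["pid"], f"user {e['user']} differs from parent "
                                  f"{parent['image']} user {parent['user']}"))
    return out


if __name__ == "__main__":
    for pid, why in findings(EVENTS):
        print(pid, why)
```

The integrity comparison needs the parent's own creation record, which is why the join by pid matters: the child's event alone says only that powershell.exe is High, which is ordinary for an administrator's console.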
6.A.1
Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
Query Registry
(T1012)
Enrichment
  
The capability enriched reg.exe identifying that a sensitive Registry key was accessed which could be used for recon.
Telemetry
  
Telemetry showed cmd.exe executing reg with command-line arguments.
Enrichment of reg.exe identifying that a sensitive Registry key was accessed which could be used for recon
Telemetry showing reg.exe with command-line arguments
6.B.1
Cobalt Strike: C2 channel modified
Commonly Used Port
(T1043)
Telemetry
  
Telemetry showed network connections over port 80 to 192.168.0.4 (C2 server) initiated from rundll32.exe.
Telemetry showing network connections over port 80 to 192.168.0.4 (C2 server)
Multiband Communication
(T1026)
Telemetry
  
Telemetry showed rundll32.exe making network connections over port 80 to 192.168.0.4 (C2 server) as well as earlier identified DNS queries, which could indicate multiband communication.
Telemetry showing rundll32.exe making network connections over port 80 to 192.168.0.4 (C2 server)
Telemetry showing rundll32.exe making DNS queries
Standard Application Layer Protocol
(T1071)
Telemetry
  
Telemetry showed a trace of HTTP connections being made by rundll32.exe to freegoogleadsenseinfo.com (C2 domain).
Telemetry showing rundll32 making HTTP connections
6.C.1
Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
Remote Desktop Protocol
(T1076)
Telemetry
  
Telemetry showed rundll32.exe making network connections to 10.0.0.5 (Conficker) over port 3389.
Telemetry showing rundll32.exe making network connections to 10.0.0.5 (Conficker) over port 3389
7.A.1
Added user Jesse to Conficker (10.0.0.5) through RDP connection
Create Account
(T1136)
Telemetry
  
Telemetry showed the creation of the new user Jesse.
Telemetry showing the creation of the new user Jesse
Graphical User Interface
(T1061)
Telemetry
  
Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
Telemetry showing mmc.exe running lusrmgr.msc
Account Discovery
(T1087)
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information.
Telemetry showing mmc.exe running lusrmgr.msc
7.B.1
Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
Remote File Copy
(T1105)
Enrichment
  
The capability enriched the creation of updater.dll identifying that a command prompt modified an unknown DLL.
Enrichment of the creation of updater.dll identifying that a command prompt modified an unknown DLL
7.C.1
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Scheduled Task
(T1053)
Telemetry
  
Telemetry showed cmd.exe registering the "Resume Viewer Update Checker" scheduled task.
Telemetry showing schtasks.exe with command-line arguments scheduling a task for persistence
8.A.1
Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
File and Directory Discovery
(T1083)
General Behavior
  
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing dir) which was identified as extremely rare and suspicious.
Enrichment
  
The capability enriched cmd.exe executing the dir command, indicating that its argument was a network share and that listing a network drive is associated with potential reconnaissance.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running dir) has been tagged for monitoring because its parent process has a detection (rundll32.exe).
General Behavior alert for rundll32.exe launching cmd.exe (executing dir)
Enrichment of cmd.exe executing the dir command, indicating that its argument was a network share and that listing a network drive is associated with potential reconnaissance
General Behavior alert showing that a spawned process (cmd.exe running dir) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
8.A.2
Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
File and Directory Discovery
(T1083)
General Behavior
  
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing tree) which was identified as extremely rare and suspicious.
Enrichment
  
The capability enriched cmd.exe executing the tree command with a tag identifying the command as enumeration.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe running tree) has been tagged for monitoring because its parent process has a detection (rundll32.exe).
General Behavior alert for rundll32.exe launching cmd.exe (executing tree)
Enrichment of tree.exe with a tag identifying the command as enumeration
General Behavior alert showing that a spawned process (cmd.exe running tree) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
8.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
  
No detection capability demonstrated for this procedure.
8.C.1
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Input Capture
(T1056)
None
  
No detection capability demonstrated for this procedure.
Application Window Discovery
(T1010)
None
  
No detection capability demonstrated for this procedure.
8.D.1
Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Screen Capture
(T1113)
None
  
No detection capability demonstrated for this procedure.
Process Injection
(T1055)
None
  
No detection capability demonstrated for this procedure.
9.A.1
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
9.B.1
Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Data from Network Shared Drive
(T1039)
None
  
No detection capability demonstrated for this procedure.
Exfiltration Over Command and Control Channel
(T1041)
None
  
No detection capability demonstrated for this procedure.
10.A.1
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Registry Run Keys / Startup Folder
(T1060)
Specific Behavior
  
A Specific Behavior alert was generated for a batch file automatically being started from the Startup folder.
Telemetry
  
Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder.
Specific Behavior alert for a batch file automatically being started from the Startup folder.
Telemetry showing cmd.exe executing autoupdate.bat from the Startup folder
10.A.2
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Scheduled Task
(T1053)
Telemetry
  
Telemetry showed rundll32.exe executing updater.dll.
Telemetry showing rundll32 starting updater.dll, tainted by an "abnormal rundll32 launch" alert
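Steps 1.B.1, 7.C.1, 10.A.1 and 10.A.2 cover two persistence mechanisms and their execution through rundll32: a batch file moved to the Startup folder, a scheduled task registered with schtasks, and rundll32 loading update.dat and updater.dll. The following added example (not the vendor's logic) checks file paths against the per-user and all-users Startup folders, parses a schtasks /create command line for task name, action and trigger, and flags a rundll32 module argument without a .dll extension. The events, paths and the scheduled task's full command line are constructed; the page gives only the task name and the file names.

```python
"""Added example: triage Startup-folder writes, schtasks registrations and
rundll32 module arguments from process/file telemetry.

Illustrative, not F-Secure's logic. Events are constructed; the schtasks
command line and file paths are assumptions.
"""
import re

# Matches both %APPDATA%\...\Startup and %ProgramData%\...\StartUp.
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\", re.IGNORECASE)
ARG_RE = re.compile(r'"[^"]*"|\S+')   # Windows-style split: quoted strings stay whole

EVENTS = [
    {"type": "file", "image": "cmd.exe",
     "path": r"C:\Users\debbie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoupdate.bat"},
    {"type": "file", "image": "cmd.exe",
     "path": r"C:\Users\debbie\AppData\Local\Temp\pdfhelper.cmd"},
    {"type": "process", "image": "schtasks.exe",
     "cmd": 'schtasks /create /tn "Resume Viewer Update Checker" /tr "rundll32.exe updater.dll" /sc onlogon'},
    {"type": "process", "image": "rundll32.exe", "cmd": "rundll32.exe update.dat"},
    {"type": "process", "image": "rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def win_split(cmdline):
    return [t.strip('"') for t in ARG_RE.findall(cmdline)]


def is_startup_path(path):
    return STARTUP_RE.search(path) is not None


def parse_schtasks(cmdline):
    """Return {'tn': ..., 'tr': ..., 'sc': ...} for a 'schtasks /create' line, else None."""
    tokens = win_split(cmdline)
    if len(tokens) < 2 or not tokens[0].lower().endswith(("schtasks", "schtasks.exe")):
        return None
    if tokens[1].lower() != "/create":
        return None
    out = {}
    for i, tok in enumerate(tokens[2:-1], start=2):
        key = tok[1:].lower() if tok.startswith("/") else None
        if key in ("tn", "tr", "sc"):
            out[key] = tokens[i + 1].lower() if key == "sc" else tokens[i + 1]
    return out


def rundll32_module(cmdline):
    """Module rundll32 is asked to load (text before the comma of its first
    argument), or None if this is not a rundll32 command line."""
    tokens = win_split(cmdline)
    if len(tokens) < 2 or not tokens[0].lower().endswith(("rundll32", "rundll32.exe")):
        return None
    return tokens[1].split(",", 1)[0]


def triage(events):
    out = []
    for e in events:
        if e["type"] == "file" and is_startup_path(e["path"]):
            out.append(f"{e['image']} wrote {e['path']} into a Startup folder")
        if e["type"] == "process":
            task = parse_schtasks(e["cmd"])
            if task:
                action = task.get("tr", "")
                note = f"scheduled task {task.get('tn')!r} ({task.get('sc')}) runs {action}"
                if rundll32_module(action):
                    note += " via rundll32"
                out.append(note)
            module = rundll32_module(e["cmd"])
            if module and not module.lower().endswith(".dll"):
                out.append(f"rundll32 loading non-DLL extension: {module}")
    return out


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The extension check is the cheap part of "abnormal rundll32 launch": rundll32 will happily load update.dat, but almost nothing legitimate names its module that way. The updater.dll task passes that check and is caught instead by its registration line and, at logon, by the taint it inherits from the earlier detections.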
10.B.1
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Remote Desktop Protocol
(T1076)
Telemetry
  
Telemetry showed a remote interactive logon event for the account Jesse logging on to Conficker (10.0.0.5) over port 3389.
Telemetry showing a RemoteInteractive connection over port 3389 to Conficker (10.0.0.5)
Valid Accounts
(T1078)
Telemetry
  
Telemetry showed a remote interactive logon event for the account Jesse logging on to Conficker (10.0.0.5) over port 3389.
Telemetry showing a RemoteInteractive connection as Jesse over port 3389 to Conficker (10.0.0.5)
11.A.1
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Scripting
(T1064)
Telemetry
  
Telemetry showed wscript.exe executing autoupdate.vbs and subsequently powershell.exe.
Enrichment
  
The capability enriched wscript.exe executing powershell.exe with a tag indicating that wscript executed code.
Specific Behavior
  
A Specific Behavior alert was generated for PowerShell executing a long, encoded command.
Telemetry showing wscript.exe executing autoupdate.vbs and subsequently powershell.exe
Enrichment of wscript.exe executing powershell.exe with a tag indicating that wscript executed code
Specific Behavior alert for PowerShell executing a long, encoded command
11.B.1
Empire: C2 channel established
Commonly Used Port
(T1043)
Telemetry
  
Telemetry showed a network connection over port 443 to www.freegoogleadsenseinfo.com (C2 domain).
Telemetry showing a network connection over TCP port 443 to www.freegoogleadsenseinfo.com (C2 domain)
Standard Application Layer Protocol
(T1071)
Telemetry
  
Telemetry showed powershell.exe making a connection over port 443 to freegoogleadsenseinfo.com (C2 domain). There was an alert for PowerShell downloading a significant amount of data using HTTP(S), though this alert was based only on the port (443).
Telemetry showing a network connection over TCP port 443 to www.freegoogleadsenseinfo.com (C2 domain)
An alert for PowerShell downloading a significant amount of data using HTTP(S) (does not count as a detection since it was based on port)
Standard Cryptographic Protocol
(T1032)
Specific Behavior
  
A Specific Behavior alert was generated for PowerShell downloading a significant amount of data using HTTP(S).
Specific Behavior alert for PowerShell downloading a significant amount of data using HTTP(S)
12.A.1
Empire: 'route print' via PowerShell
System Network Configuration Discovery
(T1016)
Enrichment
  
The capability enriched route.exe indicating that it could be used to print the routing table as part of reconnaissance.
Telemetry
  
Telemetry showed powershell.exe executing route.exe with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (route) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Enrichment of route.exe indicating that it could be used to print the routing table as part of reconnaissance
Telemetry showing route.exe with command-line arguments
General Behavior alert showing that a spawned process (route) has been tagged for monitoring because its parent process has a detection (powershell.exe)
12.A.2
Empire: 'ipconfig /all' via PowerShell
System Network Configuration Discovery
(T1016)
Enrichment
  
The capability enriched powershell.exe executing ipconfig.exe with a tag identifying the command as enumeration.
Telemetry
  
Telemetry showed ipconfig.exe with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (ipconfig) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Enrichment of powershell.exe executing ipconfig.exe with a tag identifying the command as enumeration
Telemetry showing ipconfig.exe with command line arguments
General Behavior alert showing that a spawned process (ipconfig) has been tagged for monitoring because its parent process has a detection (powershell.exe)
12.B.1
Empire: 'whoami /all /fo list' via PowerShell
System Owner / User Discovery
(T1033)
Enrichment
  
The capability enriched powershell.exe executing whoami.exe indicating a sign of reconnaissance before privilege escalation.
Telemetry
  
Telemetry showed powershell.exe executing whoami.exe with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (whoami) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Enrichment of powershell.exe executing whoami.exe indicating a sign of reconnaissance before privilege escalation
Telemetry showing powershell.exe executing whoami.exe with command-line arguments
General Behavior alert showing that a spawned process (whoami) has been tagged for monitoring because its parent process has a detection (powershell.exe)
12.C.1
Empire: 'qprocess *' via PowerShell
Process Discovery
(T1057)
Enrichment
  
The capability enriched qprocess.exe as listing running processes and possibly a sign of reconnaissance.
Telemetry
  
Telemetry showed powershell.exe executing qprocess.exe with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (qprocess) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Enrichment of qprocess.exe as listing running processes and possibly a sign of reconnaissance
Telemetry showing powershell.exe executing qprocess.exe with command-line arguments
General Behavior alert showing that a spawned process (qprocess) has been tagged for monitoring because its parent process has a detection (powershell.exe)
12.D.1
Empire: 'net start' via PowerShell
System Service Discovery
(T1007)
Telemetry
  
Telemetry showed powershell.exe executing net.exe with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing powershell.exe executing net.exe with command-line arguments
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
12.E.1
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Scripting
(T1064)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.E.1.1
Empire: WinEnum module included enumeration of user information
System Owner / User Discovery
(T1033)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of user information.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.E.1.2
Empire: WinEnum module included enumeration of AD group memberships
Permission Groups Discovery
(T1069)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of AD group memberships.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.E.1.3
Empire: WinEnum module included enumeration of password policy information
Password Policy Discovery
(T1201)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of password policy information.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.E.1.4.1
Empire: WinEnum module included enumeration of recently opened files
File and Directory Discovery
(T1083)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of recently opened files.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.E.1.4.2
Empire: WinEnum module included enumeration of interesting files
File and Directory Discovery
(T1083)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of interesting files.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.E.1.5
Empire: WinEnum module included enumeration of clipboard contents
Clipboard Data
(T1115)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of clipboard contents.
Indicator of Compromise
  
An Indicator of Compromise alert was generated for PowerShell Empire accessing the clipboard.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
Indicator of Compromise alert for PowerShell Empire accessing the clipboard
12.E.1.6.1
Empire: WinEnum module included enumeration of system information
System Information Discovery
(T1082)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of system information.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.E.1.6.2
Empire: WinEnum module included enumeration of Windows update information
System Information Discovery
(T1082)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of Windows update information.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.E.1.7
Empire: WinEnum module included enumeration of system information via a Registry query
Query Registry
(T1012)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of system information via a Registry query.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.E.1.8
Empire: WinEnum module included enumeration of services
System Service Discovery
(T1007)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of services.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.E.1.9.1
Empire: WinEnum module included enumeration of available shares
Network Share Discovery
(T1135)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of available shares.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.E.1.9.2
Empire: WinEnum module included enumeration of mapped network drives
Network Share Discovery
(T1135)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of mapped network drives.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.E.1.10.1
Empire: WinEnum module included enumeration of AV solutions
Security Software Discovery
(T1063)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of AV solutions.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.E.1.10.2
Empire: WinEnum module included enumeration of firewall rules
Security Software Discovery
(T1063)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of firewall rules.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.E.1.11
Empire: WinEnum module included enumeration of network adapters
System Network Configuration Discovery
(T1016)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of network adapters.
Enrichment
  
The capability enriched powershell.exe making a WMI query with a tag identifying the command as WMI enumerating adapters.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
Enrichment of powershell.exe making a WMI query with a tag identifying the command as WMI enumerating adapters
12.E.1.12
Empire: WinEnum module included enumeration of established network connections
System Network Connections Discovery
(T1049)
Telemetry
  
Telemetry showed the full contents of the executed Invoke-WinEnum PowerShell function, which includes enumeration of established network connections.
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
12.F.1
Empire: 'net group "Domain Admins" /domain' via PowerShell
Permission Groups Discovery
(T1069)
General Behavior
  
A General Behavior alert was generated showing that a spawned process (net.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry
  
Telemetry showed powershell.exe executing net.exe with command-line arguments.
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
Telemetry showing powershell.exe executing net.exe with command-line arguments
12.F.2
Empire: 'net localgroup administrators' via PowerShell
Permission Groups Discovery
(T1069)
General Behavior
  
A General Behavior alert was generated showing that a spawned process (net1.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry
  
Telemetry showed powershell.exe executing net.exe with command-line arguments.
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
Telemetry showing powershell.exe executing net.exe with command-line arguments
12.G.1
Empire: 'net user' via PowerShell
Account Discovery
(T1087)
General Behavior
  
A General Behavior alert was generated showing that a spawned process (net.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry
  
Telemetry showed powershell.exe executing net.exe with command-line arguments.
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
Telemetry showing powershell.exe executing net.exe with command-line arguments
12.G.2
Empire: 'net user /domain' via PowerShell
Account Discovery
(T1087)
General Behavior
  
A General Behavior alert was generated showing that a spawned process (net.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry
  
Telemetry showed powershell.exe executing net.exe with command-line arguments.
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
Telemetry showing powershell.exe executing net.exe with command-line arguments
13.A.1
Empire: 'net group "Domain Computers" /domain' via PowerShell
Remote System Discovery
(T1018)
Telemetry
  
Telemetry showed powershell.exe executing net.exe with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing powershell.exe executing net.exe with command-line arguments
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
13.B.1
Empire: 'net use' via PowerShell
System Network Connections Discovery
(T1049)
Telemetry
  
Telemetry showed powershell.exe executing net.exe with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing powershell.exe executing net.exe with command-line arguments
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
13.B.2
Empire: 'netstat -ano' via PowerShell
System Network Connections Discovery
(T1049)
Telemetry
  
Telemetry showed powershell.exe executing netstat.exe with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (netstat) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing powershell.exe executing netstat.exe with command-line arguments
General Behavior alert showing that a spawned process (netstat) has been tagged for monitoring because its parent process has a detection (powershell.exe)
13.C.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry
  
Telemetry showed powershell.exe executing reg.exe with command-line arguments.
Enrichment
  
The capability enriched reg.exe indicating that a sensitive registry key was accessed for potential reconnaissance.
Telemetry showing powershell.exe executing reg.exe with command-line arguments
Enrichment of reg.exe indicating that a sensitive registry key was accessed for potential reconnaissance
14.A.1
Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)
Bypass User Account Control
(T1088)
General Behavior
  
A General Behavior alert was generated for a possible PowerShell privilege escalation based on the elevation of a child process from a non-elevated parent.
Telemetry
  
Telemetry showed an elevated PowerShell spawned under the context of user Bob from an unelevated parent process.
General Behavior alert for a possible PowerShell privilege escalation based on the elevation of a child process from a non-elevated parent
Telemetry showing an elevated PowerShell being spawned under the context of user Bob from an unelevated parent process
Commonly Used Port
(T1043)
Telemetry
  
Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass.
Telemetry showing powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass
Remote File Copy
(T1105)
Telemetry
  
Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass.
Specific Behavior
  
A Specific Behavior alert was generated for PowerShell downloading a significant amount of data using HTTP(S).
Telemetry showing powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass
Specific Behavior alert for PowerShell downloading a significant amount of data using HTTP(S)
Standard Application Layer Protocol
(T1071)
Telemetry
  
Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass.
Telemetry showing powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass
15.A.1
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Application Window Discovery
(T1010)
Telemetry
  
Telemetry showed powershell.exe executing the GetForegroundWindow method.
Telemetry showing powershell.exe executing the GetForegroundWindow method
Input Capture
(T1056)
Telemetry
  
Telemetry showed powershell.exe executing the GetAsyncKeyState method, indicating keylogging.
Enrichment
  
The capability enriched powershell.exe with a tag indicating .NET keylogging.
Telemetry showing powershell.exe executing the GetAsyncKeyState method
Enrichment of powershell.exe with a tag indicating .NET keylogging
15.B.1
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Credentials in Files
(T1081)
Telemetry
  
Telemetry showed powershell.exe executing the Get-Content cmdlet on IT_tasks.txt.
Telemetry showing powershell.exe executing the Get-Content cmdlet on IT_tasks.txt
16.A.1
Empire: 'net use' via PowerShell to brute force authentication with password-spraying attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting credentials of users Kmitnick, Bob, and Frieda
Brute Force
(T1110)
Telemetry
  
Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying.
Enrichment
  
The capability enriched multiple occurrences of net.exe usage as indicative of brute forcing a remote system as well as the correct ATT&CK Technique ID (Brute Force). Screenshot is not available due to sensitivity of rule logic.
Telemetry showing net.exe logon attempts
Windows Admin Shares
(T1077)
Telemetry
  
Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments.
Specific Behavior
  
Specific Behavior alerts were generated for net.exe connecting to a remote administrative share.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing net use logon attempts to ADMIN$ shares
Specific Behavior alerts for net.exe connecting to a remote administrative share
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
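The telemetry note for 16.A.1 describes repeated net.exe logon attempts whose command lines were "indicative of password spraying". The Python below is an added example of how such a rule can be built from process-creation telemetry alone; it is not F-Secure's rule (the page says that logic is withheld). It parses `net use \\host\share /user:name` command lines and raises one alert per source host when three or more distinct accounts are tried within a five-minute window. The source host (CodeRed), the `corp\` domain prefix, the timestamps, the thresholds and the `<pw>` placeholder are all constructed assumptions; the target hosts and user names come from the procedure text.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches "net use \\host\share ... /user:name ..." (net1.exe is the helper net.exe hands off to).
NET_USE_RE = re.compile(
    r"\bnet1?\s+use\s+\\\\(?P<host>[^\\\s]+)\\(?P<share>\S+)\s+.*?/user:(?P<user>\S+)",
    re.IGNORECASE,
)

def parse_net_use(cmdline):
    """Return (host, share, user) for a mapping attempt, or None for other net.exe usage."""
    m = NET_USE_RE.search(cmdline)
    if m is None:
        return None
    return m.group("host"), m.group("share"), m.group("user")

def detect_password_spray(events, window_seconds=300, min_distinct_users=3):
    """Alert when one source tries >= min_distinct_users accounts within the window.

    events: (iso_timestamp, source_host, cmdline) tuples from process-creation telemetry.
    Returns one alert dict per offending source host.
    """
    per_source = defaultdict(list)
    for ts, source, cmdline in events:
        parsed = parse_net_use(cmdline)
        if parsed is None:
            continue
        host, _share, user = parsed
        per_source[source].append((datetime.fromisoformat(ts), host.lower(), user.lower()))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for source, rows in per_source.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            users = {u for _, _, u in in_window}
            if len(users) >= min_distinct_users:
                alerts.append({
                    "source": source,
                    "window_start": start.isoformat(),
                    "attempts": len(in_window),
                    "distinct_users": sorted(users),
                    "targets": sorted({h for _, h, _ in in_window}),
                })
                break  # one alert per source is enough; later windows overlap this one
    return alerts

# Constructed sample modelled on step 16.A.1: one host cycles three accounts against two
# targets in under a minute, while an admin elsewhere maps a single share once.
# "<pw>" stands in for the password argument and is not a real value.
SAMPLE_EVENTS = [
    ("2019-06-01T10:00:01", "CodeRed", r"net use \\10.0.1.4\ADMIN$ /user:corp\Kmitnick <pw>"),
    ("2019-06-01T10:00:04", "CodeRed", r"net use \\10.0.1.4\ADMIN$ /user:corp\Bob <pw>"),
    ("2019-06-01T10:00:08", "CodeRed", r"net use \\10.0.1.4\ADMIN$ /user:corp\Frieda <pw>"),
    ("2019-06-01T10:00:12", "CodeRed", r"net use \\10.0.1.6\ADMIN$ /user:corp\Kmitnick <pw>"),
    ("2019-06-01T10:00:15", "CodeRed", r"net use \\10.0.1.6\ADMIN$ /user:corp\Bob <pw>"),
    ("2019-06-01T10:00:19", "CodeRed", r"net use \\10.0.1.6\ADMIN$ /user:corp\Frieda <pw>"),
    ("2019-06-01T10:03:00", "CodeRed", "net use"),  # plain listing: no target, ignored
    ("2019-06-01T10:05:00", "Morris", r"net use \\fileserver\share /user:corp\admin <pw>"),
]

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

Process telemetry is only one side of this: the same spray also produces failed-logon events on Morris and Nimda, and correlating the two sources (source host from process telemetry, account and outcome from the logon events) gives a far better signal-to-noise ratio than either alone. Note that the password itself is visible in command-line telemetry here, which is a data-handling concern for whoever stores these events.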
16.B.1
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Windows Admin Shares
(T1077)
Telemetry
  
Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments.
Specific Behavior
  
Specific Behavior alerts were generated for net.exe connecting to a remote administrative share.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing a net use logon attempt to ADMIN$ shares
Specific Behavior alerts for net.exe connecting to a remote administrative share
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
Valid Accounts
(T1078)
Telemetry
  
Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick. Telemetry also showed a logon event for user Kmitnick on Conficker (10.0.0.5).
Telemetry showing net.exe logon attempt
Telemetry showing a logon event for user Kmitnick on Conficker (10.0.0.5)
Brute Force
(T1110)
Telemetry
  
Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick.
Enrichment
  
The capability enriched multiple occurrences of net.exe usage as indicative of brute forcing a remote system as well as the correct ATT&CK Technique ID (Brute Force). Screenshot is not available due to sensitivity of rule logic.
Telemetry showing net.exe logon attempt
16.C.1
Empire: 'net use /delete' via PowerShell
Network Share Connection Removal
(T1126)
Telemetry
  
Telemetry showed powershell.exe executing net.exe with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing powershell.exe executing net.exe with command-line arguments
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
16.D.1
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
Telemetry
  
Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing net.exe with command-line arguments
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
Valid Accounts
(T1078)
Enrichment
  
The capability enriched the net.exe connection using valid credentials of Kmitnick with an alert for possible lateral movement.
Telemetry
  
Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. Telemetry also showed a logon event for user Kmitnick on Creeper (10.0.0.4).
Telemetry showing net.exe with command-line arguments
Telemetry showing a logon event for user Kmitnick on Creeper (10.0.0.4)
The capability enriching the net.exe connection using valid credentials of Kmitnick with an alert for possible lateral movement
16.E.1
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Remote File Copy
(T1105)
Telemetry
  
Telemetry showed the file creation of autoupdate.vbs.
Telemetry showing the creation of autoupdate.vbs
16.F.1
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Command-Line Interface
(T1059)
Telemetry
  
Telemetry showed cmd.exe executing autoupdate.vbs through wscript.exe, and the associated user context change between user Bob and user Kmitnick.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (cmd.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing cmd.exe executing autoupdate.vbs through wscript.exe, and the associated user context change between user Bob and user Kmitnick
General Behavior alert showing that a spawned process (cmd.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe)
16.G.1
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Remote File Copy
(T1105)
Telemetry
  
Telemetry showed the file creation of update.vbs.
Telemetry showing the creation of update.vbs
16.H.1
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry
  
Telemetry showed powershell.exe executing sc.exe with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing powershell.exe executing sc.exe with command-line arguments
General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe)
16.I.1
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
New Service
(T1050)
Telemetry
  
Telemetry showed sc.exe execution with command-line arguments.
Specific Behavior
  
A Specific Behavior alert was generated for sc.exe used with parameters typical for lateral movement.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing sc.exe with command-line arguments
Specific Behavior alert for sc.exe used with parameters typical for lateral movement
General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe)
Masquerading
(T1036)
Telemetry
  
Telemetry within the process trees showed execution of sc.exe with command-line arguments to create the AdobeUpdater service with binPath pointed to cmd.exe with arguments to execute update.vbs and a suspicious service description, which could indicate masquerading.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing sc.exe with command-line arguments
General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe)
16.J.1
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry
  
Telemetry showed sc.exe execution with command-line arguments.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing sc.exe with command-line arguments
General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe)
16.K.1
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
File and Directory Discovery
(T1083)
Telemetry
  
Telemetry showed powershell.exe executing the type command with command-line arguments.
Telemetry showing powershell.exe executing the type command with command-line arguments
16.L.1
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Service Execution
(T1035)
Telemetry
  
Telemetry showed sc.exe execution with command-line arguments.
Specific Behavior
  
A Specific Behavior alert was generated for sc.exe used with parameters typical for lateral movement.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing sc.exe with command-line arguments
Specific Behavior alert for sc.exe used with parameters typical for lateral movement
General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe)
17.A.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
System Service Discovery
(T1007)
Telemetry
  
Telemetry showed reg.exe with command-line arguments to check if terminal services were enabled.
Telemetry showing reg.exe with command-line arguments
Query Registry
(T1012)
Telemetry
  
Telemetry showed reg.exe with command-line arguments.
Enrichment
  
The capability enriched reg.exe indicating that a sensitive registry key was accessed for potential reconnaissance.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (reg) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing reg.exe with command-line arguments
Enrichment of reg.exe indicating that a sensitive registry key was accessed for potential reconnaissance
General Behavior alert showing that a spawned process (reg) has been tagged for monitoring because its parent process has a detection (powershell.exe)
17.B.1
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
File Permissions Modification
(T1222)
Telemetry
  
Telemetry showed takeown.exe executing with command-line arguments.
Specific Behavior
  
A Specific Behavior alert was generated for takeown.exe changing the ownership of an accessibility feature executable.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (takeown) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing takeown.exe with command-line arguments
Specific Behavior alert for takeown.exe changing the ownership of an accessibility feature executable
General Behavior alert showing that a spawned process (takeown) has been tagged for monitoring because its parent process has a detection (powershell.exe)
17.B.2
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
File Permissions Modification
(T1222)
Telemetry
  
Telemetry showed icacls.exe executing with command-line arguments.
Specific Behavior
  
A Specific Behavior alert was generated for icacls.exe changing the permissions of an accessibility feature executable.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (icacls) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing icacls.exe with command-line arguments
Specific Behavior alert for icacls.exe changing the permissions of an accessibility feature executable
General Behavior alert showing that a spawned process (icacls) has been tagged for monitoring because its parent process has a detection (powershell.exe)
17.C.1
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Accessibility Features
(T1015)
Specific Behavior
  
A Specific Behavior alert was generated for the modification of an accessibility features binary known to be used for privilege escalation.
Telemetry
  
Telemetry showed powershell.exe overwriting magnify.exe with cmd.exe via the copy command.
Enrichment
  
The capability enriched cmd.exe as being renamed to another process and with a relevant ATT&CK Technique (Masquerading). Screenshot is not available due to sensitivity of rule logic.
Specific Behavior alert for the modification of an accessibility features binary known to be used for privilege escalation
Telemetry showing powershell.exe overwriting magnify.exe with cmd.exe via the copy command
18.A.1
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
Telemetry
  
Telemetry showed powershell.exe executing the Get-ChildItem command.
Telemetry showing powershell.exe executing the Get-ChildItem command
18.B.1
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Data Staged
(T1074)
Telemetry
  
Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker (10.0.0.5) to the Recycle Bin as well as a file create event.
Telemetry showing the copy of the .vsdx file from the network drive to the Recycle Bin
Telemetry showing a file create event for the .vsdx file in the Recycle Bin
Data from Network Shared Drive
(T1039)
Telemetry
  
Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker (10.0.0.5) to the Recycle Bin.
Telemetry showing the copy of the .vsdx file from the network drive to the Recycle Bin
19.A.1
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Masquerading
(T1036)
None
  
No detection capability demonstrated for this procedure.
Remote File Copy
(T1105)
Telemetry
  
Telemetry showed powershell.exe creating recycler.exe.
Telemetry showing the creation of recycler.exe
19.B.1
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Data Compressed
(T1002)
Telemetry
  
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. Additionally, recycler.exe was identified as WinRAR via file metadata, including executable product and description. Telemetry also showed the creation of old.rar as the output of recycler.exe running.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (recycler) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing recycler.exe execution
Telemetry showing the creation of old.rar as the output of recycler.exe running
General Behavior alert showing that a spawned process (recycler) has been tagged for monitoring because its parent process has a detection (powershell.exe)
Data Encrypted
(T1022)
Telemetry
  
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use.
General Behavior
  
A General Behavior alert was generated showing that a spawned process (recycler) has been tagged for monitoring because its parent process has a detection (powershell.exe).
Telemetry showing recycler.exe execution
General Behavior alert showing that a spawned process (recycler) has been tagged for monitoring because its parent process has a detection (powershell.exe)
Masquerading
(T1036)
Telemetry
  
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. Additionally, recycler.exe was identified as WinRAR via file metadata, including executable product and description.
Telemetry showing recycler.exe metadata, which identified it as WinRAR
19.C.1
Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel
Exfiltration Over Alternative Protocol
(T1048)
Specific Behavior
A Specific Behavior alert was generated for the execution of ftp.exe with a command file option by an unusual parent process, which could be used for exfiltration.
Telemetry
Telemetry showed ftp.exe with ftp.txt as an argument as well as an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21.
A Specific Behavior alert for the execution of ftp.exe with a command file option by an unusual parent process, which could be used for exfiltration
Telemetry showing ftp.exe with ftp.txt as an argument as well as an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21
19.D.1
Empire: 'del C:\"$"Recycle.bin\old.rar'
File Deletion
(T1107)
Telemetry
Telemetry showed powershell.exe executing the command to delete old.rar.
Telemetry showing the deletion of old.rar
19.D.2
Empire: 'del recycler.exe'
File Deletion
(T1107)
Telemetry
Telemetry showed powershell.exe executing the command to delete recycler.exe.
Telemetry showing the deletion of recycler.exe
20.A.1
magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
Accessibility Features
(T1015)
Telemetry
Telemetry showed magnify.exe executing from utilman.exe with the original file name of cmd.exe.
General Behavior
A General Behavior alert was generated for magnify.exe executing as a process with a renamed executable.
Enrichment
The capability enriched utilman.exe executing magnify.exe with a tag indicating that magnify was a persistent backdoor.
Telemetry showing magnify.exe executing from utilman.exe
General Behavior alert for magnify.exe executing as a process with a renamed executable
Enrichment of utilman.exe executing magnify.exe with a tag indicating that magnify was a persistent backdoor
Remote Desktop Protocol
(T1076)
Enrichment
The capability enriched a Remote Desktop connection indicating a successful login to Remote Desktop Services.
Enrichment of a Remote Desktop connection indicating a successful login to Remote Desktop Services.
20.B.1
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
System Owner / User Discovery
(T1033)
Telemetry
Telemetry showed whoami.exe was executed from magnify.exe.
Enrichment
The capability enriched whoami.exe with a tag identifying the command as enumeration.
General Behavior
A General Behavior alert was generated showing that a spawned process (whoami) has been tagged for monitoring because its parent process has a detection (magnify.exe).
Telemetry showing the execution of whoami
Enrichment of whoami.exe with a tag identifying the command as enumeration
General Behavior alert showing that a spawned process (whoami) has been tagged for monitoring because its parent process has a detection (magnify.exe)
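The detection notes above record a handful of telemetry observations: an image whose on-disk name differs from its original file name, utilman.exe launching such a binary, WinRAR identified by version metadata while running as recycler.exe with -hp, ftp.exe run with a command file by an unusual parent, and child processes tagged for monitoring because their parent already has a detection. As an added example, not code from MITRE or from the vendor, the following Python runs rules for each of those observations over a constructed set of process-creation events; the event schema, the check on ftp.exe's -s: script-file switch, and the list of "unusual" parents are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation event; the field set is an assumed EDR-style schema."""
    pid: int
    ppid: int
    image: str          # file name on disk
    original_name: str  # OriginalFilename from the PE version resource
    product: str        # ProductName from the PE version resource
    cmdline: str
    parent_image: str

# Parents from which a scripted ftp.exe is treated as unusual (assumed list).
UNUSUAL_FTP_PARENTS = {"powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

def renamed_executable(ev: ProcEvent) -> bool:
    """Name on disk differs from the compiled-in OriginalFilename (cmd.exe saved as magnify.exe)."""
    return bool(ev.original_name) and ev.original_name.lower() != ev.image.lower()

def accessibility_hijack(ev: ProcEvent) -> bool:
    """utilman.exe launching an accessibility tool that is really another binary (T1015)."""
    return ev.parent_image.lower() == "utilman.exe" and renamed_executable(ev)

def masqueraded_winrar(ev: ProcEvent) -> bool:
    """WinRAR by version metadata, running under another name, with -hp (encrypted archive)."""
    return ("winrar" in ev.product.lower()
            and ev.image.lower() not in {"winrar.exe", "rar.exe"}
            and " -hp" in ev.cmdline.lower())

def ftp_with_command_file(ev: ProcEvent) -> bool:
    """ftp.exe driven by a script file (-s:<file>) from a scripting host, not an interactive shell (T1048)."""
    return (ev.image.lower() == "ftp.exe" and "-s:" in ev.cmdline.lower()
            and ev.parent_image.lower() in UNUSUAL_FTP_PARENTS)

RULES = [
    ("renamed executable", renamed_executable),
    ("accessibility feature hijack", accessibility_hijack),
    ("masqueraded WinRAR with -hp", masqueraded_winrar),
    ("ftp.exe with command file from unusual parent", ftp_with_command_file),
]

def evaluate(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Apply every rule in creation order; children of a flagged parent are tagged for monitoring."""
    tags: dict[int, list[str]] = {}
    for ev in events:
        hits = [name for name, rule in RULES if rule(ev)]
        if tags.get(ev.ppid):
            hits.append(f"monitored: parent {ev.parent_image} has a detection")
        tags[ev.pid] = hits
    return tags

SAMPLE_EVENTS = [  # constructed, modelled on steps 19.B, 19.C, 20.A and 20.B above
    ProcEvent(100, 1, "utilman.exe", "utilman.exe", "Microsoft Windows", "utilman.exe", "winlogon.exe"),
    ProcEvent(101, 100, "magnify.exe", "Cmd.Exe", "Microsoft Windows", "magnify.exe", "utilman.exe"),
    ProcEvent(102, 101, "whoami.exe", "whoami.exe", "Microsoft Windows", "whoami", "magnify.exe"),
    ProcEvent(200, 1, "powershell.exe", "PowerShell.EXE", "Microsoft Windows", "powershell.exe", "explorer.exe"),
    ProcEvent(201, 200, "recycler.exe", "WinRAR.exe", "WinRAR", "recycler.exe a -hpPLACEHOLDER old.rar Shockwave_network.vsdx", "powershell.exe"),
    ProcEvent(202, 200, "ftp.exe", "ftp.exe", "Microsoft Windows", "ftp.exe -s:ftp.txt", "powershell.exe"),
]
```

evaluate(SAMPLE_EVENTS) returns a pid-to-tags map in which magnify.exe carries both the renamed-executable and accessibility-hijack tags, whoami.exe is tagged only because its parent was flagged, and recycler.exe is flagged on metadata rather than on its name.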

Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

Step 1: Initial Compromise

1.A.1 Execution

User Execution, Rundll32, Scripting

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port, Data Encoding, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig /all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner / User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist /v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators /domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user /domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george /domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Defense Evasion, Privilege Escalation

Access Token Manipulation, Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Defense Evasion, Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.2 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in hash dump capability executed

5.B.1 Defense Evasion, Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port, Multiband Communication, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account, Graphical User Interface, Account Discovery

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.B.1 Command and Control, Lateral Movement

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection, Credential Access

Input Capture, Application Window Discovery

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.D.1 Collection

Screen Capture, Process Injection

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Collection

Data from Network Shared Drive, Exfiltration Over Command and Control Channel

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Lateral Movement

Remote Desktop Protocol, Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access

11.A.1 Defense Evasion, Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol

i. Empire: C2 channel established

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig /all' via PowerShell

12.B.1 Discovery

System Owner / User Discovery

i. Empire: 'whoami /all /fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Defense Evasion, Execution

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner / User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Collection

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" /domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" /domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Defense Evasion, Privilege Escalation

Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

i. Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)

Step 15: Credential Access

15.A.1 Discovery

Application Window Discovery, Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force, Windows Admin Shares

i. Empire: 'net use' via PowerShell to perform brute-force password-spraying authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting credentials of users Kmitnick, Bob, and Frieda

16.B.1 Lateral Movement

Windows Admin Shares, Valid Accounts, Brute Force

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use /delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares, Valid Accounts

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.E.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Persistence, Privilege Escalation

New Service, Masquerading

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery, Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.B.1 Defense Evasion

File Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Defense Evasion

File Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence, Privilege Escalation

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged, Data from Network Shared Drive

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration

19.A.1 Defense Evasion

Masquerading, Remote File Copy

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.B.1 Exfiltration

Data Compressed, Data Encrypted, Masquerading

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.C.1 Exfiltration

Exfiltration Over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence, Privilege Escalation

Accessibility Features, Remote Desktop Protocol

i. magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)

20.B.1 Discovery

System Owner / User Discovery

i. Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)