FireEye (FireEye Managed Defense, FireEye Endpoint Security)

Tactic Results: Discovery

Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment
Detection Modifiers: Tainted, Delayed, Configuration Change

Each entry below gives the Technique, the Procedure, the Step, the Detection Type(s) with their Detection Notes, and the Screenshots that support them.
System Network Configuration Discovery (T1016)

Procedure: Cobalt Strike: 'ipconfig /all' via cmd
Step: 2.A.1
Detection: Enrichment
The capability enriched ipconfig.exe with an alert for Ipconfig Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery).
Detection: Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that ipconfig.exe was one of the reconnaissance commands performed to enumerate the network configuration of Nimda. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Screenshots:
- Enrichment of ipconfig.exe with Ipconfig Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating ipconfig.exe was used to enumerate the network configuration of Nimda (Specific Behavior)
- Excerpt from the Managed Defense Report with additional details about ipconfig.exe execution

Procedure: Cobalt Strike: 'arp -a' via cmd
Step: 2.A.2
Detection: Enrichment
The capability enriched arp.exe with an alert for Arp Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery).
Detection: Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that arp.exe was one of the reconnaissance commands performed to enumerate the network configuration of Nimda.
Screenshots:
- Enrichment of arp.exe with Arp Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating arp.exe was used to enumerate the network configuration of Nimda (Specific Behavior)
- Excerpt from the Managed Defense Report with additional details about arp.exe execution

Procedure: Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
Step: 4.B.1
Detection: Enrichment
The capability enriched netsh.exe with an alert for Netsh Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1063 - Security Software Discovery) and the correct Tactic (Discovery).
Detection: Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that netsh was a reconnaissance command used to obtain network configuration and the configuration profile of the Windows Firewall.
Screenshots:
- Enrichment of netsh.exe with Netsh Execution alert (tagged with related ATT&CK Technique, T1063 - Security Software Discovery, and correct Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating netsh was used to obtain network configuration and the configuration profile of the Windows Firewall (Specific Behavior)
- Excerpt from the Managed Defense Report with additional details about netsh

Procedure: Empire: 'route print' via PowerShell
Step: 12.A.1
Detection: Enrichment
The capability enriched route.exe with an alert for Route Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery).
Detection: General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified route.exe as a reconnaissance command used.
Screenshots:
- Enrichment of route.exe with Route Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating route.exe was a reconnaissance command used (General Behavior)

Procedure: Empire: 'ipconfig /all' via PowerShell
Step: 12.A.2
Detection: Enrichment
The capability enriched ipconfig.exe with an alert for Ipconfig Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery).
Detection: General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified ipconfig.exe as a reconnaissance command used.
Screenshots:
- Enrichment of ipconfig.exe with Ipconfig Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating ipconfig.exe was a reconnaissance command used (General Behavior)

Procedure: Empire: WinEnum module included enumeration of network adapters
Step: 12.E.1.11
Detection: None
No detection capability demonstrated for this procedure.
System Owner/User Discovery (T1033)

Procedure: Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
Step: 2.B.1
Detection: Telemetry
Telemetry showed the use of echo with command-line arguments.
Detection: Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that echo was one of the commands used to enumerate the current username.
Screenshots:
- Telemetry showing echo with command-line arguments
- Excerpt from the Managed Defense Report indicating echo was used to enumerate the current username (Specific Behavior)
- Excerpt from the Managed Defense Report with additional details about echo

Procedure: Empire: 'whoami /all /fo list' via PowerShell
Step: 12.B.1
Detection: Enrichment
The capability enriched whoami.exe with an alert for Whoami Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery).
Detection: General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified whoami.exe as a reconnaissance command used.
Screenshots:
- Enrichment of whoami.exe with Whoami Execution (tagged with correct ATT&CK Technique, T1033 - System Owner/User Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating whoami.exe was a reconnaissance command used (General Behavior)

Procedure: Empire: WinEnum module included enumeration of user information
Step: 12.E.1.1
Detection: None
No detection capability demonstrated for this procedure.

Procedure: Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
Step: 20.B.1
Detection: Telemetry (Tainted)
Telemetry showed whoami.exe executing from magnify.exe within an alert for Accessibility Features Child Process. The telemetry was tainted by the Accessibility Features Child Process (METHODOLOGY) alert.
Detection: Enrichment
The capability enriched whoami.exe with an alert for Whoami Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery).
Screenshots:
- Telemetry showing whoami.exe executing as a child process of magnify.exe (tainted by parent Accessibility Features Child Process alert)
- Enrichment of whoami.exe with Whoami Execution alert (tagged with correct ATT&CK Technique, T1033 - System Owner/User Discovery, and Tactic, Discovery)
Process Discovery (T1057)

Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Step: 2.C.1
Detection: None
No detection capability demonstrated for this procedure.

Procedure: Cobalt Strike: 'tasklist /v' via cmd
Step: 2.C.2
Detection: Enrichment
The capability enriched tasklist.exe with an alert for Tasklist Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1057 - Process Discovery) and Tactic (Discovery).
Detection: Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that tasklist was one of the commands used to enumerate current running processes.
Screenshots:
- Enrichment of tasklist.exe with Tasklist Execution alert (tagged with correct ATT&CK Technique, T1057 - Process Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating tasklist was used to enumerate current running processes (Specific Behavior)
- Excerpt from the Managed Defense Report with additional details about tasklist

Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Step: 3.B.1
Detection: None
No detection capability demonstrated for this procedure.

Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Step: 8.B.1
Detection: None
No detection capability demonstrated for this procedure.

Procedure: Empire: 'qprocess *' via PowerShell
Step: 12.C.1
Detection: Enrichment
The capability enriched qprocess.exe with an alert for Qprocess Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1057 - Process Discovery) and Tactic (Discovery).
Detection: General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified qprocess.exe as a reconnaissance command used.
Screenshots:
- Enrichment of qprocess.exe with Qprocess Execution alert (tagged with correct ATT&CK Technique, T1057 - Process Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating qprocess.exe was a reconnaissance command used (General Behavior)
System Service Discovery (T1007)

Procedure: Cobalt Strike: 'sc query' via cmd
Step: 2.D.1
Detection: Enrichment
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery).
Detection: Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that sc was one of the commands used to enumerate current running services.
Screenshots:
- Enrichment of sc.exe with SC Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
- Additional details from enrichment of sc.exe
- Excerpt from the Managed Defense Report indicating sc was used to enumerate current running services (Specific Behavior)
- Excerpt from the Managed Defense Report with additional details about sc

Procedure: Cobalt Strike: 'net start' via cmd
Step: 2.D.2
Detection: Enrichment
The capability enriched net.exe with an alert for Net Start Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery).
Detection: Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that net was one of the commands used to enumerate current running services.
Screenshots:
- Enrichment of net.exe with Net Start Command Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating net was used to enumerate current running services (Specific Behavior)
- Excerpt from the Managed Defense Report with additional details about net

Procedure: Empire: 'net start' via PowerShell
Step: 12.D.1
Detection: Enrichment
The capability enriched net.exe with an alert for Net Start Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery).
Detection: General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used.
Screenshots:
- Enrichment of net.exe with Net Start Command Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)

Procedure: Empire: WinEnum module included enumeration of services
Step: 12.E.1.8
Detection: None
No detection capability demonstrated for this procedure.

Procedure: Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
Step: 16.H.1
Detection: Enrichment
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). All five of the sc.exe events are rolled under the same SC Execution alert.
Screenshots:
- Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with the correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
- Additional details on enrichment of sc.exe with SC Execution alert

Procedure: Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
Step: 16.J.1
Detection: Enrichment
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). All five of the sc.exe events are rolled under the same SC Execution alert.
Screenshots:
- Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with the correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
- Additional details on enrichment of sc.exe with SC Execution alert

Procedure: Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
Step: 17.A.1
Detection: Telemetry (Tainted)
Telemetry showed reg.exe executing with command-line arguments to check if terminal services are enabled. The telemetry was tainted by the parent Reg Execution (Weak Signal) alert.
Screenshots:
- Telemetry showing reg.exe executing with command-line arguments (tainted by parent Reg Execution alert)
System Information Discovery (T1082)

Procedure: Cobalt Strike: 'systeminfo' via cmd
Step: 2.E.1
Detection: Enrichment
The capability enriched systeminfo.exe with an alert for Systeminfo Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1082 - System Information Discovery) and Tactic (Discovery).
Detection: Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified systeminfo as a reconnaissance command used to obtain details from the system.
Screenshots:
- Enrichment of systeminfo.exe with Systeminfo Execution alert (tagged with correct ATT&CK Technique, T1082 - System Information Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating systeminfo was a reconnaissance command used to obtain system details (Specific Behavior)
- Excerpt from the Managed Defense Report with additional details about systeminfo

Procedure: Cobalt Strike: 'net config workstation' via cmd
Step: 2.E.2
Detection: Enrichment
The capability enriched net.exe with an alert for Net Config Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1082 - System Information Discovery) and Tactic (Discovery).
Detection: General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net config as a reconnaissance command performed.
Screenshots:
- Enrichment of net.exe with Net Config Command Execution alert (tagged with correct ATT&CK Technique, T1082 - System Information Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating net config was a reconnaissance command (General Behavior)
- Excerpt from the Managed Defense Report with additional details about net

Procedure: Empire: WinEnum module included enumeration of system information
Step: 12.E.1.6.1
Detection: None
No detection capability demonstrated for this procedure.

Procedure: Empire: WinEnum module included enumeration of Windows update information
Step: 12.E.1.6.2
Detection: None
No detection capability demonstrated for this procedure.
Permission Groups Discovery (T1069)

Procedure: Cobalt Strike: 'net localgroup administrators' via cmd
Step: 2.F.1
Detection: Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Detection: Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated members of the local administrators group.
Screenshots:
- Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating the attacker enumerated members of the local administrators group (Specific Behavior)
- Excerpt from the Managed Defense Report with additional details about net

Procedure: Cobalt Strike: 'net localgroup administrators /domain' via cmd
Step: 2.F.2
Detection: Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Detection: Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated members of the local administrators group.
Screenshots:
- Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating the attacker enumerated members of the local administrators group (Specific Behavior)
- Excerpt from the Managed Defense Report with additional details about net

Procedure: Cobalt Strike: 'net group "Domain Admins" /domain' via cmd
Step: 2.F.3
Detection: Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Detection: Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated the Shockwave domain's Domain Administrators group.
Screenshots:
- Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating the attacker enumerated the Domain Administrators group (Specific Behavior)
- Excerpt from the Managed Defense Report with additional details about net

Procedure: Empire: WinEnum module included enumeration of AD group memberships
Step: 12.E.1.2
Detection: None
No detection capability demonstrated for this procedure, though telemetry showed loading of an assembly associated with accessing Active Directory security principals.
Screenshots:
- Telemetry showing loading of System.DirectoryServices.AccountManagement assembly (does not count as a detection)

Procedure: Empire: 'net group "Domain Admins" /domain' via PowerShell
Step: 12.F.1
Detection: Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Detection: General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used.
Screenshots:
- Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)

Procedure: Empire: 'net localgroup administrators' via PowerShell
Step: 12.F.2
Detection: Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Detection: General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used.
Screenshots:
- Enrichment of net.exe with command-line arguments (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
Account Discovery (T1087)

Procedure: Cobalt Strike: 'net user /domain' via cmd
Step: 2.G.1
Detection: Enrichment
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery).
Detection: General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net user as a reconnaissance command performed.
Screenshots:
- Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating net user was a reconnaissance command (General Behavior)
- Excerpt from the Managed Defense Report with additional details about net

Procedure: Cobalt Strike: 'net user George /domain' via cmd
Step: 2.G.2
Detection: Enrichment
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery).
Detection: General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net user as a reconnaissance command performed.
Screenshots:
- Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating net user was a reconnaissance command (General Behavior)
- Excerpt from the Managed Defense Report with additional details about net

Procedure: Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information
Step: 7.A.1
Detection: Telemetry
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information.
Screenshots:
- Telemetry showing mmc.exe running lusrmgr.msc

Procedure: Empire: 'net user' via PowerShell
Step: 12.G.1
Detection: Enrichment
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery).
Detection: General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used to capture information about local users.
Screenshots:
- Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used to capture information about local users (General Behavior)

Procedure: Empire: 'net user /domain' via PowerShell
Step: 12.G.2
Detection: Enrichment
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery).
Detection: General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used.
Screenshots:
- Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
Query Registry
(T1012)
Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
2.H.1
Enrichment
  
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because the attacker queried a registry key that contains system policy configurations. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating the attacker queried a registry key that contains system policy configurations (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about reg
Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
6.A.1
Enrichment
  
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery). An alert was also generated for a File Write To Named Pipe (Weak Signal) for reg.exe.
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified reg.exe as a reconnaissance command to enumerate a Registry key on the host Conficker to determine the configuration of its Windows Terminal Server service. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.  
Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery)
File Write To Named Pipe alert for write to remote named pipe from reg.exe
Additional details on named pipe alert
Excerpt from Managed Defense Report of the reg command executing a remote registry query (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about reg query
Empire: WinEnum module included enumeration of system information via a Registry query
12.E.1.7
None
  
No detection capability demonstrated for this procedure.
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
13.C.1
Enrichment
  
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified reg.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of reg.exe with Reg Execution alert (tagged with ATT&CK Technique T1018 - Query Registry, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating reg.exe was a reconnaissance command used (General Behavior)
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
17.A.1
Enrichment
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery).
Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery)
Remote System Discovery
(T1018)
Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
4.A.1
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net group as one of the reconnaissance commands performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Group Command Execution alert (tagged with related ATT&CK Technique, T1069 - Permission Groups Discovery, and correct Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net group was a reconnaissance command (General Behavior)
Excerpt from the Managed Defense Report with additional details about net group
Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
4.A.2
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net group as one of the reconnaissance commands performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Group Command Execution alert (tagged with related ATT&CK Technique, T1069 - Permission Groups Discovery, and correct Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net group was a reconnaissance command (General Behavior)
Excerpt from the Managed Defense Report with additional details about net group
Empire: 'net group "Domain Computers" /domain' via PowerShell
13.A.1
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1018 - Remote System Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1018 - Remote System Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
System Network Connections Discovery
(T1049)
Cobalt Strike: 'netstat -ano' via cmd
4.C.1
Enrichment
The capability enriched netstat.exe with an alert for Netstat Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that netstat was a reconnaissance command used to enumerate active and listening network ports. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of netstat.exe with Netstat Execution alert (tagged with the correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating netstat was used to enumerate active and listening network ports (Specific Behavior)
Excerpt from the Managed Defense Report with additional details about netstat
Empire: WinEnum module included enumeration of established network connections
12.E.1.12
Enrichment
The capability enriched netstat.exe with an alert for Netstat Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified netstat.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of netstat.exe with Netstat Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating netstat.exe was a reconnaissance command used (General Behavior)
Empire: 'net use' via PowerShell
13.B.1
Enrichment
The capability enriched net.exe with an alert for Net Use Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
Empire: 'netstat -ano' via PowerShell
13.B.2
Enrichment
The capability enriched netstat.exe with an alert for Netstat Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified netstat.exe as a reconnaissance command used. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of netstat.exe with Netstat Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating netstat.exe was a reconnaissance command used (General Behavior)
File and Directory Discovery
(T1083)
Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
8.A.1
Enrichment
The capability enriched cmd.exe executing dir with an alert for Dir Command (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery).
Enrichment of cmd.exe executing dir with Dir Command alert (tagged with correct ATT&CK Technique, T1083 - File and Directory Discovery, and Tactic, Discovery)
Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
8.A.2
Enrichment
The capability enriched cmd.exe executing tree with an alert for Tree Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker performed a directory listing of the contents of Debbie's user profile directory. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment of cmd.exe executing tree with Tree Command Execution alert (tagged with correct ATT&CK Technique, T1083 - File and Directory Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report identifying a directory listing of Debbie's profile directory (Specific Behavior)
Excerpt from Managed Defense Report showing additional details about tree
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
9.A.1
None
No detection capability demonstrated for this procedure.
Empire: WinEnum module included enumeration of recently opened files
12.E.1.4.1
None
No detection capability demonstrated for this procedure.
Empire: WinEnum module included enumeration of interesting files
12.E.1.4.2
None
No detection capability demonstrated for this procedure.
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
16.K.1
None
No detection capability identified for this procedure.
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
18.A.1
None
No detection capability demonstrated for this procedure.
Application Window Discovery
(T1010)
Cobalt Strike: Keylogging capability included residual enumeration of application windows
8.C.1
None
No detection capability demonstrated for this procedure.
Empire: Built-in keylogging module included residual enumeration of application windows
15.A.1
None
No detection capability demonstrated for this procedure.
Security Software Discovery
(T1063)
Empire: WinEnum module included enumeration of AV solutions
12.E.1.10.1
None
No detection capability demonstrated for this procedure.
Empire: WinEnum module included enumeration of firewall rules
12.E.1.10.2
None
No detection capability demonstrated for this procedure.
Password Policy Discovery
(T1201)
Empire: WinEnum module included enumeration of password policy information
12.E.1.3
None
No detection capability demonstrated for this procedure.
Network Share Discovery
(T1135)
Empire: WinEnum module included enumeration of available shares
12.E.1.9.1
None
No detection capability demonstrated for this procedure.
Empire: WinEnum module included enumeration of mapped network drives
12.E.1.9.2
None
No detection capability demonstrated for this procedure.

Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

Step 1: Initial Compromise

1.A.1 Execution

User Execution, Rundll32, Scripting

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port, Data Encoding, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig /all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner / User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist /v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators /domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user /domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george /domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Defense Evasion, Privilege Escalation

Access Token Manipulation, Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Defense Evasion, Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.2 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in hash dump capability executed

5.B.1 Defense Evasion, Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port, Multiband Communication, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account, Graphical User Interface, Account Discovery

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.B.1 Command and Control, Lateral Movement

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection, Credential Access

Input Capture, Application Window Discovery

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.D.1 Collection

Screen Capture, Process Injection

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Collection

Data from Network Shared Drive, Exfiltration Over Command and Control Channel

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Lateral Movement

Remote Desktop Protocol, Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access

11.A.1 Defense Evasion, Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol

i. Empire: C2 channel established

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig /all' via PowerShell

12.B.1 Discovery

System Owner / User Discovery

i. Empire: 'whoami /all /fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Defense Evasion, Execution

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner / User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Collection

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" /domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" /domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Defense Evasion, Privilege Escalation

Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

i. Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)

Step 15: Credential Access

15.A.1 Discovery

Application Window Discovery, Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force, Windows Admin Shares

i. Empire: 'net use' via PowerShell to perform brute-force password spraying authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting credentials of users Kmitnick, Bob, and Frieda

16.B.1 Lateral Movement

Windows Admin Shares, Valid Accounts, Brute Force

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use /delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares, Valid Accounts

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.E.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Persistence, Privilege Escalation

New Service, Masquerading

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery, Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.B.1 Defense Evasion

File Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Defense Evasion

File Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence, Privilege Escalation

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged, Data from Network Shared Drive

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration

19.A.1 Defense Evasion

Masquerading, Remote File Copy

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.B.1 Exfiltration

Data Compressed, Data Encrypted, Masquerading

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.C.1 Exfiltration

Exfiltration Over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfiltrate data through a network connection separate from the existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence, Privilege Escalation

Accessibility Features, Remote Desktop Protocol

i. magnify.exe, previously overwritten by cmd.exe, launched through RDP connection made to Creeper (10.0.0.4)

20.B.1 Discovery

System Owner / User Discovery

i. Executed 'whoami' via the cmd.exe persistence mechanism through RDP connection made to Creeper (10.0.0.4)