McAfee MVISION

McAfee Overview Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
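Most rows in the table below report "Telemetry (Tainted)": the product recorded the process, and an analyst could reach that record through the process tree of an earlier alert on an ancestor (Resume Viewer.exe, cmd.exe, wscript.exe). The Python below is an added illustration, not code from the MITRE page and not McAfee MVISION's detection logic. It runs four behavioural rules modelled on the notes for 1.A.1 (rundll32 loading a non-DLL file), 7.C.1 (schtasks creating a SYSTEM task that runs rundll32), 11.A.1 (a script host spawning encoded or very long PowerShell) and the user-execution step, over constructed process-creation events, then propagates "taint" from any alerted ancestor down the tree and maps each event to the legend's vocabulary. The event values, the 200-character command-line threshold, the T-numbers used in rule names and the explorer.exe-from-Downloads rule standing in for the page's unspecified "trace detection" are all assumptions.

```python
"""Behavioural rules plus taint propagation over constructed process events.

Added illustration for this results page; not MITRE's evaluation tooling and
not McAfee MVISION's detection logic. Events, thresholds and rule-to-technique
labels are assumptions modelled on the detection notes in the table.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str
    user: str


# Constructed events (assumption) loosely following the operational flow:
# user-launched dropper, its cmd/rundll32 children, the schtasks persistence
# step, the task firing later under the Schedule service, and a script host
# spawning PowerShell on a second host.
EVENTS = [
    Proc(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", "debbie"),
    Proc(200, 100, r"C:\Users\debbie\Downloads\Resume Viewer.exe", '"Resume Viewer.exe"', "debbie"),
    Proc(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c pdfhelper.cmd", "debbie"),
    Proc(400, 300, r"C:\Windows\System32\rundll32.exe", "rundll32.exe update.dat,StartW", "debbie"),
    Proc(500, 300, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all", "debbie"),
    Proc(350, 300, r"C:\Windows\System32\schtasks.exe",
         r'schtasks /create /tn "Resume Viewer Update Checker" /tr "rundll32.exe C:\Windows\System32\updater.dll,StartW" /sc onlogon /ru system',
         "debbie"),
    Proc(600, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule", "SYSTEM"),
    Proc(700, 600, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\updater.dll,StartW", "SYSTEM"),
    Proc(800, 1, r"C:\Windows\System32\wscript.exe", "wscript.exe autoupdate.vbs", "bob"),
    Proc(900, 800, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -nop -w hidden -enc " + "A" * 400, "bob"),
]


def base(path):
    return ntpath.basename(path).lower()


def rule_rundll32_non_dll(p, parent):
    """1.A.1: rundll32 asked to load a file whose extension is not .dll/.cpl."""
    if base(p.image) != "rundll32.exe":
        return None
    parts = p.cmdline.split(None, 1)
    target = parts[1].split(",")[0].strip('" ') if len(parts) > 1 else ""
    if target and ntpath.splitext(target)[1].lower() not in (".dll", ".cpl"):
        return "Rundll32 (T1085): loaded non-DLL/non-CPL file"
    return None


def rule_schtasks_system_rundll32(p, parent):
    """7.C.1: a task created to run rundll32 as SYSTEM."""
    c = p.cmdline.lower()
    if base(p.image) == "schtasks.exe" and "/create" in c and "/ru system" in c and "rundll32" in c:
        return "Scheduled Task (T1053): task runs rundll32 as SYSTEM"
    return None


def rule_script_host_spawns_powershell(p, parent):
    """11.A.1: wscript/cscript launching encoded or unusually long PowerShell."""
    if parent is None or base(parent.image) not in ("wscript.exe", "cscript.exe"):
        return None
    if base(p.image) != "powershell.exe":
        return None
    if " -enc" in p.cmdline.lower() or len(p.cmdline) > 200:   # threshold is an assumption
        return "PowerShell (T1086): script host launched encoded or long PowerShell"
    return None


def rule_explorer_launches_download(p, parent):
    """Assumed stand-in for the page's unspecified 'trace detection' on Resume Viewer.exe."""
    if parent is None or base(parent.image) != "explorer.exe":
        return None
    if "\\downloads\\" in p.image.lower() and p.image.lower().endswith(".exe"):
        return "User Execution (T1204): executable launched from Downloads via explorer.exe"
    return None


RULES = [rule_rundll32_non_dll, rule_schtasks_system_rundll32,
         rule_script_host_spawns_powershell, rule_explorer_launches_download]


def classify(events):
    """Run the rules, then taint each process with its nearest alerted ancestor."""
    by_pid = {e.pid: e for e in events}
    out = {}
    for e in events:
        hits = [r(e, by_pid.get(e.ppid)) for r in RULES]
        out[e.pid] = {"image": base(e.image), "alerts": [h for h in hits if h], "tainted_by": None}
    for e in events:
        anc, seen = by_pid.get(e.ppid), set()
        while anc is not None and anc.pid not in seen:   # guard against pid reuse loops
            seen.add(anc.pid)
            if out[anc.pid]["alerts"]:
                out[e.pid]["tainted_by"] = base(anc.image)
                break
            anc = by_pid.get(anc.ppid)
    return out


def label(entry):
    """Map a result to the legend's detection-type vocabulary."""
    if entry["alerts"]:
        return "Specific Behavior"
    return "Telemetry (Tainted)" if entry["tainted_by"] else "Telemetry"


if __name__ == "__main__":
    for pid, entry in classify(EVENTS).items():
        print(pid, entry["image"], label(entry), entry["alerts"], entry["tainted_by"])
```

Two results are worth noticing. The ipconfig.exe event (pid 500) raises no alert of its own but is reachable from the Resume Viewer.exe alert, which is exactly the "Telemetry (Tainted)" outcome reported for 2.A.1. The rundll32.exe launched later by the Schedule service (pid 700) is neither alerted nor tainted, because its parent is svchost.exe rather than the implant; that mirrors 10.A.2, where the product shows plain Telemetry, and it is the practical caveat: once execution re-enters through a service host, the analyst loses the parent-alert breadcrumb and must pivot on the task name or the DLL path instead.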

Legend
Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment
Detection Modifiers: Tainted, Delayed, Configuration Change
Step | Procedure | Technique | Detection Type | Detection Notes | Screenshots
1.A.1
Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
User Execution
(T1204)
Telemetry
  
Telemetry showed that Resume Viewer.exe was executed by Explorer.exe by user Debbie.
Telemetry showing that Resume Viewer.exe was executed by Explorer.exe by user Debbie
Rundll32
(T1085)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing update.dat via rundll32.exe. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Specific Behavior
  
Specific Behavior alerts were generated based on the suspicious indicator "Loaded non-DLL and non-CPL file with specified parameters via rundll32." The alerts were tagged with the correct ATT&CK Tactics (Defense Evasion, Execution) and Technique (Rundll32).
Telemetry showing cmd.exe executing update.dat via rundll32.exe
Process tree within trace detection showing rundll32.exe executing (tainted by a parent alert on Resume Viewer.exe)
Specific Behavior alerts based on the suspicious indicator "Loaded non-DLL and non-CPL file with specified parameters via rundll32," tagged with the correct ATT&CK Tactics (Defense Evasion, Execution) and Technique (Rundll32)
Scripting
(T1064)
Telemetry (Tainted)
  
 
Telemetry showed pdfhelper.cmd being executed by cmd.exe. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Telemetry showing pdfhelper.cmd execution
Process tree within trace detection containing cmd.exe executing pdfhelper.cmd (tainted by a parent alert on Resume Viewer.exe)
1.B.1
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Registry Run Keys / Startup Folder
(T1060)
Specific Behavior
  
A Specific Behavior alert was generated for "An exe/bat/lnk/dll file has been copied or renamed in the Windows Startup Folder" for persistence based on pdfhelper.cmd. The alert was tagged with the correct ATT&CK Tactic (Persistence) and Technique (Registry Run Keys / Startup Folder).
Specific Behavior alert for "An exe/bat/lnk/dll file has been copied or renamed in the Windows Startup Folder" for persistence based on pdfhelper.cmd, tagged with the correct ATT&CK Tactic (Persistence) and Technique (Registry Run Keys / Startup Folder)
1.C.1
Cobalt Strike: C2 channel established
Commonly Used Port
(T1043)
None
  
No detection capability demonstrated for this procedure.
Data Encoding
(T1132)
None
  
No detection capability demonstrated for this procedure.
Standard Application Layer Protocol
(T1071)
None
  
No detection capability demonstrated for this procedure.
2.A.1
Cobalt Strike: 'ipconfig /all' via cmd
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Enrichment
  
The capability enriched ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the ipconfig utility displayed configuration information.
Telemetry showing cmd.exe executing ipconfig.exe (tainted by a trace detection on Resume Viewer.exe)
Enrichment of ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the ipconfig utility displayed configuration information
2.A.2
Cobalt Strike: 'arp -a' via cmd
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing arp.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Enrichment
  
The capability enriched arp.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the contents of the local ARP cache table were viewed.
Telemetry showing cmd.exe executing arp.exe (tainted by a trace detection on Resume Viewer.exe)
Enrichment of arp.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the contents of the local ARP cache table were viewed
2.B.1
Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
System Owner / User Discovery
(T1033)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing the echo command. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree.
Enrichment
  
The capability enriched the cmd.exe echo command with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) and a suspicious indicator that the command tried to identify the user on the system.
Telemetry showing cmd.exe executing the echo command
Process tree within trace detection containing cmd.exe executing the echo command (tainted by a parent alert on Resume Viewer.exe)
Enrichment of the echo command with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) and a suspicious indicator that the command tried to identify the user on the system
2.C.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
  
No detection capability demonstrated for this procedure.
2.C.2
Cobalt Strike: 'tasklist /v' via cmd
Process Discovery
(T1057)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree.
Enrichment
  
The capability enriched tasklist.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Service Discovery) and a suspicious indicator that the process discovered running Windows services and/or processes.
Process tree within trace detection containing cmd.exe executing tasklist.exe (tainted by a parent alert on Resume Viewer.exe)
Enrichment of tasklist.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Service Discovery) and a suspicious indicator that the process discovered running Windows services and/or processes
2.D.1
Cobalt Strike: 'sc query' via cmd
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing sc.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree.
Enrichment
  
The capability enriched sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe or net.exe tool.
Process tree within trace detection containing cmd.exe executing sc.exe (tainted by a parent alert on Resume Viewer.exe)
Enrichment of sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe or net.exe tool
2.D.2
Cobalt Strike: 'net start' via cmd
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe or net.exe tool.
Process tree within trace detection containing cmd.exe executing net.exe (tainted by a parent alert on Resume Viewer.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe or net.exe tool
2.E.1
Cobalt Strike: 'systeminfo' via cmd
System Information Discovery
(T1082)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing systeminfo.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree.
Enrichment
  
The capability enriched systeminfo.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) and a suspicious indicator that system configuration info was queried.
Process tree within trace detection containing cmd.exe executing systeminfo.exe (tainted by a parent alert on Resume Viewer.exe)
Enrichment of systeminfo.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) and a suspicious indicator that system configuration info was queried
2.E.2
Cobalt Strike: 'net config workstation' via cmd
System Information Discovery
(T1082)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) and a suspicious indicator that system configuration info was queried.
Process tree within trace detection containing cmd.exe executing net.exe (tainted by a parent alert on Resume Viewer.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) and a suspicious indicator that system configuration info was queried
2.F.1
Cobalt Strike: 'net localgroup administrators' via cmd
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that information on users and groups was obtained.
Process tree within trace detection containing cmd.exe executing net.exe (tainted by a parent alert on Resume Viewer.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that information on users and groups was obtained
2.F.2
Cobalt Strike: 'net localgroup administrators /domain' via cmd
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that information on users and groups was obtained.
Process tree within trace detection containing cmd.exe executing net.exe (tainted by a parent alert on Resume Viewer.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that information on users and groups was obtained
2.F.3
Cobalt Strike: 'net group "Domain Admins" /domain' via cmd
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that information on users and groups was obtained.
Process tree within trace detection containing cmd.exe executing net.exe (tainted by a parent alert on Resume Viewer.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to gather information on user groups
2.G.1
Cobalt Strike: 'net user /domain' via cmd
Account Discovery
(T1087)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that information on users and groups was obtained.
Process tree within trace detection containing cmd.exe executing net.exe (tainted by a parent alert on Resume Viewer.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that information on users and groups was obtained
2.G.2
Cobalt Strike: 'net user george /domain' via cmd
Account Discovery
(T1087)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that information on users and groups was obtained.
Process tree within trace detection containing cmd.exe executing net.exe (tainted by a parent alert on Resume Viewer.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that information on users and groups was obtained
2.H.1
Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree.
Enrichment
  
The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the Registry was queried via execution of the reg.exe utility.
Enrichment
  
The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery).
Process tree within trace detection containing cmd.exe executing reg.exe (tainted by a parent alert on Resume Viewer.exe)
Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the Registry was queried via execution of the reg.exe utility
Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery).
3.A.1
Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Access Token Manipulation
(T1134)
Telemetry (Delayed)
  
 
Telemetry showed svchost.exe started with the seclogon (Secondary Logon service) command-line argument, as well as a New Credentials (logon type 9) logon event for user Debbie, indicating token manipulation.
Telemetry showing svchost.exe, with the seclogon command-line argument
Telemetry showing a New Credentials logon event for user Debbie
Bypass User Account Control
(T1088)
Specific Behavior
  
A Specific Behavior alert was generated for a possible UAC bypass. The alert was tagged with the correct ATT&CK Technique (Bypass User Account Control) and Tactics (Defense Evasion, Privilege Escalation).
Specific Behavior alert for a possible UAC bypass, tagged with the correct ATT&CK Technique (Bypass User Account Control) and Tactics (Defense Evasion, Privilege Escalation)
3.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
  
No detection capability demonstrated for this procedure.
3.C.1
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Process Injection
(T1055)
Specific Behavior
  
A Specific Behavior alert was generated for process injection from PowerShell into cmd.exe, based on both processes connecting to a named pipe. The alert was tagged with the correct ATT&CK Technique (Process Injection) and Tactics (Defense Evasion, Privilege Escalation).
Specific Behavior alert for process injection from PowerShell into cmd.exe, based on both processes connecting to a named pipe, tagged with the correct ATT&CK Technique (Process Injection) and Tactics (Defense Evasion, Privilege Escalation)
4.A.1
Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
Remote System Discovery
(T1018)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched net.exe with the correct Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information about domain computers and controllers.
Process tree within trace detection showing cmd.exe executing net.exe (tainted by a parent alert on cmd.exe)
Enrichment of net.exe with the correct Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information about domain computers and controllers
4.A.2
Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
Remote System Discovery
(T1018)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched net.exe with the correct Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information about domain computers and controllers.
Process tree within trace detection showing cmd.exe executing net.exe (tainted by a parent alert on cmd.exe)
Enrichment of net.exe with the correct Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information about domain computers and controllers
4.B.1
Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing netsh.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched netsh.exe with the correct Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the netsh utility manipulated firewall rules.
Process tree within trace detection showing cmd.exe executing netsh.exe (tainted by a parent alert on cmd.exe)
Enrichment of netsh.exe with the correct Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the netsh utility manipulated firewall rules
4.C.1
Cobalt Strike: 'netstat -ano' via cmd
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing netstat.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched netstat.exe with the correct Tactic (Discovery) and Technique (System Network Connections Discovery) and a suspicious indicator that network statistics and TCP/IP connections were gathered.
Process tree within trace detection showing cmd.exe executing netstat.exe (tainted by a parent alert on cmd.exe)
Enrichment of netstat.exe with the correct Tactic (Discovery) and Technique (System Network Connections Discovery) and a suspicious indicator that network statistics and TCP/IP connections were gathered
5.A.1
Cobalt Strike: Built-in Mimikatz credential dump capability executed
Credential Dumping
(T1003)
None
  
No detection capability demonstrated for this procedure.
Process Injection
(T1055)
None
  
No detection capability demonstrated for this procedure.
5.A.2
Cobalt Strike: Built-in hash dump capability executed
Credential Dumping
(T1003)
None
  
No detection capability demonstrated for this procedure.
Process Injection
(T1055)
None
  
No detection capability demonstrated for this procedure.
5.B.1
Cobalt Strike: Built-in token theft capability executed to change user context to George
Access Token Manipulation
(T1134)
Telemetry
  
Telemetry showed a change in user execution context from Debbie to George between processes, which is indicative of token manipulation.
Telemetry showing a change in user execution context from Debbie to George between processes
6.A.1
Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
Query Registry
(T1012)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the Registry was queried via execution of the reg.exe utility.
General Behavior (Delayed)
  
 
A General Behavior alert was generated indicating that the reg.exe command-line arguments contain signs of malicious usage, such as encoded content or interaction with Registry keys.
Telemetry showing cmd.exe executing reg.exe with command-line arguments (tainted by a trace detection on cmd.exe)
Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the Registry was queried via execution of the reg.exe utility
General Behavior alert indicating that the reg.exe command-line arguments contain signs of malicious usage
6.B.1
Cobalt Strike: C2 channel modified
Commonly Used Port
(T1043)
Telemetry
  
Telemetry showed connections over TCP port 80 to freegoogleadsenseinfo.com (C2 domain).
Enrichment
  
The capability enriched rundll32.exe (the process that made the network connection) with the correct ATT&CK Tactic (Command and Control) and the Technique (Commonly Used Port).
Telemetry showing TCP port 80 connections to freegoogleadsenseinfo.com (C2 domain)
Enrichment of rundll32.exe (the process that made the network connection) with the correct ATT&CK Tactic (Command and Control) and the Technique (Commonly Used Port)
Multiband Communication
(T1026)
None
  
No detection capability demonstrated for this procedure.
Standard Application Layer Protocol
(T1071)
Telemetry
  
Telemetry showed network connections over TCP port 80 and that winhttp.dll module was loaded into the same process (PID 6276) that made the network connection, which an analyst could use to determine HTTP was used.
Telemetry showing that the winhttp.dll module was loaded into the process (PID 6276) that made the network connection
Telemetry showing TCP port 80 connections to freegoogleadsenseinfo.com (C2 domain)
6.C.1
Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
Remote Desktop Protocol
(T1076)
Telemetry
  
Telemetry showed a connection to 10.0.0.5 (Conficker) over TCP port 3389.
Enrichment
  
The capability enriched rundll32.exe (the process that made the network connection) with the correct ATT&CK Tactic (Lateral Movement) and the Technique (Remote Desktop Protocol).
Telemetry showing a connection to 10.0.0.5 (Conficker) over TCP port 3389
Enrichment of rundll32.exe (the process that made the network connection) with the correct ATT&CK Tactic (Lateral Movement) and the Technique (Remote Desktop Protocol)
7.A.1
Added user Jesse to Conficker (10.0.0.5) through RDP connection
Create Account
(T1136)
Telemetry
  
Telemetry showed the creation of the user Jesse.
Telemetry showing creation of user account Jesse
Graphical User Interface
(T1061)
Telemetry
  
Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
Telemetry showing mmc.exe running lusrmgr.msc
Account Discovery
(T1087)
Telemetry
  
Telemetry showed mmc.exe, the Microsoft Management Console, executing the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information.
Telemetry showing lusrmgr.msc running from mmc.exe
7.B.1
Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
Remote File Copy
(T1105)
Specific Behavior
  
A Specific Behavior alert was generated for a new PE file created in the Windows system (System32) folder.
Specific Behavior
  
A Specific Behavior alert was generated for a new dynamic library created in the Windows system (System32) folder.
Specific Behavior alert for a new PE file created in the Windows system (System32) folder
Specific Behavior alert for a new dynamic library file created in the Windows system (System32) folder
7.C.1
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Scheduled Task
(T1053)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe creating the "Resume Viewer Update Checker" scheduled task via schtasks.exe. The telemetry was tainted by a trace detection on cmd.exe.
Specific Behavior
  
A Specific Behavior alert was generated for a task being created that runs an executable (via rundll32) under system rights at Windows logon. The alert was tagged with the correct ATT&CK Tactics (Execution, Persistence, Privilege Escalation) and Technique (Scheduled Task).
Telemetry showing cmd.exe creating the "Resume Viewer Update Checker" scheduled task via schtasks.exe (tainted by a trace detection on cmd.exe)
Specific Behavior alert for a task being created that runs an executable (via rundll32) under system rights at Windows logon, tagged with the correct ATT&CK Tactics (Execution, Persistence, Privilege Escalation) and Technique (Scheduled Task)
8.A.1
Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
File and Directory Discovery
(T1083)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing the dir command. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched cmd.exe executing the dir command with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery).
Telemetry showing cmd.exe executing the dir command (tainted by a trace detection on cmd.exe)
Enrichment of cmd.exe executing the dir command with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery)
8.A.2
Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
File and Directory Discovery
(T1083)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing tree.exe. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched cmd.exe executing tree.exe with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery).
Telemetry showing cmd.exe executing tree.exe (tainted by a trace detection on cmd.exe)
Enrichment of tree.exe with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery)
8.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
  
No detection capability demonstrated for this procedure.
8.C.1
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Input Capture
(T1056)
None
  
No detection capability demonstrated for this procedure, though an alert indicated cmd.exe obtained a handle to the memory thread and injected code into explorer.exe.
Alert that cmd.exe obtained a handle to the memory thread and injected code into explorer.exe (does not count as detection)
Application Window Discovery
(T1010)
None
  
No detection capability demonstrated for this procedure.
8.D.1
Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Screen Capture
(T1113)
None
  
No detection capability demonstrated for this procedure.
Process Injection
(T1055)
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for code injection into explorer.exe. The alert was tagged with the correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection) and was tainted by a trace detection on cmd.exe.
Specific Behavior alert for code injection into explorer.exe, tagged with the correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection)
Specific Behavior alert for code injection into explorer.exe (tainted by a trace detection on cmd.exe)
9.A.1
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
9.B.1
Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Data from Network Shared Drive
(T1039)
None
  
No detection capability demonstrated for this procedure.
Exfiltration Over Command and Control Channel
(T1041)
None
  
No detection capability demonstrated for this procedure.
10.A.1
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Registry Run Keys / Startup Folder
(T1060)
Telemetry
  
Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder, then update.dat via rundll32.exe.
Telemetry showing cmd.exe executing autoupdate.bat then update.dat via rundll32.exe
10.A.2
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Scheduled Task
(T1053)
Telemetry
  
Telemetry showed rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule".
Telemetry showing rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule"
10.B.1
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Remote Desktop Protocol
(T1076)
Telemetry (Tainted)
  
 
Telemetry showed a remote interactive logon for Jesse to Conficker (10.0.0.5), as well as a connection to 10.0.0.5 (Conficker) over TCP port 3389 from rundll32.exe. The telemetry was tainted by a trace detection on rundll32.exe.
Enrichment
  
The capability enriched the rundll32.exe that made the network connection with the correct ATT&CK Tactic (Lateral Movement) and Technique (Remote Desktop Protocol).
Telemetry showing a remote interactive logon for Jesse to Conficker (10.0.0.5)
Telemetry showing a connection over port 3389 to Conficker (10.0.0.5) (tainted by parent alert on rundll32.exe)
Enrichment of the rundll32.exe that made the network connection with the correct ATT&CK Tactic (Lateral Movement) and Technique (Remote Desktop Protocol)
Valid Accounts
(T1078)
Telemetry
  
Telemetry showed a remote interactive logon for Jesse to Conficker (10.0.0.5).
Telemetry showing a remote interactive logon for Jesse to Conficker (10.0.0.5)
11.A.1
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Scripting
(T1064)
Telemetry (Tainted)
  
 
Telemetry showed wscript.exe (executing autoupdate.vbs) then spawning powershell.exe. The telemetry was tainted by a trace detection on wscript.exe.
Specific Behavior
  
A Specific Behavior alert was generated for the VBScript interpreter launching a suspicious PowerShell process. The alert was tagged with the correct ATT&CK Tactics (Defense Evasion, Execution) and Techniques (Scripting, PowerShell).
Specific Behavior
  
A Specific Behavior alert was generated for PowerShell execution with a very long command line. The alert was tagged with correct ATT&CK Tactics (Defense Evasion, Execution) and Techniques (Scripting, PowerShell).
Enrichment
  
The capability enriched wscript.exe with the correct ATT&CK Tactics (Defense Evasion, Execution) and Techniques (Scripting, PowerShell) and a suspicious indicator that the VBScript interpreter was executed.
Enrichment
  
The capability enriched powershell.exe with the correct ATT&CK Tactic (Execution) and Techniques (PowerShell) and a suspicious indicator that a PowerShell command was executed.
Specific Behavior
  
A Specific Behavior alert was generated for PowerShell commands being executed from another process (wscript.exe). The alert was tagged with correct ATT&CK Tactic (Execution) and Techniques (PowerShell).
Specific Behavior
  
A Specific Behavior alert was generated for decoding and running encoded scripting sources from another process (wscript.exe). The alert was tagged with correct ATT&CK Tactic (Defense Evasion, Execution) and Techniques (PowerShell).
Telemetry showing wscript.exe (executing autoupdate.vbs) then spawning powershell.exe (tainted by a parent alert on wscript.exe)
Specific Behavior alerts and enrichments for wscript.exe and powershell.exe
11.B.1
Empire: C2 channel established
Commonly Used Port
(T1043)
Telemetry (Tainted)
  
 
Telemetry showed port 443 network connections to www.freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a trace detection on wscript.exe.
Specific Behavior
  
A Specific Behavior alert was generated for PowerShell sending and receiving information through port 443. The alert was tagged with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port).
Enrichment
  
The capability enriched powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port) and a suspicious indicator that powershell.exe accessed a known TCP port.
Telemetry showing port 443 network connections to www.freegoogleadsenseinfo.com (C2 domain) (tainted by a parent alert on wscript.exe)
Enrichment of powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port) and a suspicious indicator that powershell.exe accessed a known TCP port
Standard Application Layer Protocol
(T1071)
None
  
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic) and an alert that indicated that powershell.exe queried registered cryptographic provider libraries.
Telemetry showing powershell.exe making a network connection over port 443 (does not count as a detection)
Alert indicating that powershell.exe queried registered cryptographic provider libraries (does not count as a detection)
Standard Cryptographic Protocol
(T1032)
None
  
No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over port 443 (no protocol was identified for this traffic) and an alert that indicated that powershell.exe queried registered cryptographic provider libraries.
Telemetry showing powershell.exe making a network connection over port 443 (does not count as a detection)
Alert indicating that powershell.exe queried registered cryptographic provider libraries (does not count as a detection)
12.A.1
Empire: 'route print' via PowerShell
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing route.exe. The telemetry was tainted by a trace detection on wscript.exe.
Enrichment
  
The capability enriched route.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that routing tables were viewed or manipulated.
Telemetry showing route.exe with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of route.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that routing tables were viewed or manipulated
12.A.2
Empire: 'ipconfig /all' via PowerShell
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing ipconfig.exe. The telemetry was tainted by a trace detection on wscript.exe.
Enrichment
  
The capability enriched ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery).
Telemetry showing ipconfig.exe with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery)
12.B.1
Empire: 'whoami /all /fo list' via PowerShell
System Owner / User Discovery
(T1033)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing whoami.exe. The telemetry was tainted by a trace detection on wscript.exe.
Enrichment
  
The capability enriched whoami.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Owner / User Discovery) and a suspicious indicator that the name of the logged user was discovered.
Telemetry showing whoami.exe with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of whoami.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Owner / User Discovery) and a suspicious indicator that the name of the logged user was discovered
12.C.1
Empire: 'qprocess *' via PowerShell
Process Discovery
(T1057)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing qprocess.exe. The telemetry was tainted by a trace detection on wscript.exe.
Enrichment
  
The capability enriched qprocess.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (Process Discovery) and a suspicious indicator that QPROCESS was used to check active processes.
Enrichment
  
The capability enriched qprocess.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that software running on a system was queried.
Telemetry showing qprocess.exe with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of qprocess.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (Process Discovery) and a suspicious indicator that QPROCESS was used to check active processes
Enrichment of qprocess.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that software running on a system was queried
12.D.1
Empire: 'net start' via PowerShell
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Windows services were manipulated via sc.exe/net.exe.
General Behavior
  
A General Behavior alert was generated for a net or sc command executed through PowerShell. The alert was tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery).
Telemetry showing qprocess.exe with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Windows services were manipulated via sc.exe/net.exe
General Behavior alert generated for a net or sc command executed through PowerShell, tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery)
12.E.1
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Scripting
(T1064)
Telemetry
  
Telemetry showed the PowerShell script (.ps1) being written to the temp folder, indicating the execution of a PowerShell script.
Telemetry showing the PowerShell script (.ps1) being written to the temp folder
12.E.1.1
Empire: WinEnum module included enumeration of user information
System Owner / User Discovery
(T1033)
None
  
No detection capability demonstrated for this procedure.
12.E.1.2
Empire: WinEnum module included enumeration of AD group memberships
Permission Groups Discovery
(T1069)
None
  
No detection capability demonstrated for this procedure.
12.E.1.3
Empire: WinEnum module included enumeration of password policy information
Password Policy Discovery
(T1201)
None
  
No detection capability demonstrated for this procedure.
12.E.1.4.1
Empire: WinEnum module included enumeration of recently opened files
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
12.E.1.4.2
Empire: WinEnum module included enumeration of interesting files
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
12.E.1.5
Empire: WinEnum module included enumeration of clipboard contents
Clipboard Data
(T1115)
None
  
No detection capability demonstrated for this procedure, though telemetry showed execution of an encoded PowerShell command. The PowerShell decoded to Windows.Clipboard(...) outside of the capability, which indicated clipboard interaction, but this was not counted as a detection because it was external to the capability.
Telemetry showing execution of an encoded PowerShell command (does not count as a detection)
12.E.1.6.1
Empire: WinEnum module included enumeration of system information
System Information Discovery
(T1082)
None
  
No detection capability demonstrated for this procedure.
12.E.1.6.2
Empire: WinEnum module included enumeration of Windows update information
System Information Discovery
(T1082)
None
  
No detection capability demonstrated for this procedure.
12.E.1.7
Empire: WinEnum module included enumeration of system information via a Registry query
Query Registry
(T1012)
None
  
No detection capability demonstrated for this procedure.
12.E.1.8
Empire: WinEnum module included enumeration of services
System Service Discovery
(T1007)
None
  
No detection capability demonstrated for this procedure.
12.E.1.9.1
Empire: WinEnum module included enumeration of available shares
Network Share Discovery
(T1135)
None
  
No detection capability demonstrated for this procedure.
12.E.1.9.2
Empire: WinEnum module included enumeration of mapped network drives
Network Share Discovery
(T1135)
None
  
No detection capability demonstrated for this procedure.
12.E.1.10.1
Empire: WinEnum module included enumeration of AV solutions
Security Software Discovery
(T1063)
None
  
No detection capability demonstrated for this procedure.
12.E.1.10.2
Empire: WinEnum module included enumeration of firewall rules
Security Software Discovery
(T1063)
None
  
No detection capability demonstrated for this procedure.
12.E.1.11
Empire: WinEnum module included enumeration of network adapters
System Network Configuration Discovery
(T1016)
None
  
No detection capability demonstrated for this procedure.
12.E.1.12
Empire: WinEnum module included enumeration of established network connections
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing netstat.exe. The telemetry was tainted by a trace detection on wscript.exe.
Telemetry showing powershell.exe executing netstat.exe (tainted by a parent alert on wscript.exe)
12.F.1
Empire: 'net group "Domain Admins" /domain' via PowerShell
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information of domain admins.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information of user groups.
Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on wscript.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information of domain admins
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information of user groups
12.F.2
Empire: 'net localgroup administrators' via PowerShell
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information of user groups.
Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on wscript.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information of user groups
12.G.1
Empire: 'net user' via PowerShell
Account Discovery
(T1087)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that the net utility was used to obtain information of user groups.
Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on wscript.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that the net utility was used to obtain information of user groups
12.G.2
Empire: 'net user /domain' via PowerShell
Account Discovery
(T1087)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery).
Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on wscript.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery).
13.A.1
Empire: 'net group "Domain Computers" /domain' via PowerShell
Remote System Discovery
(T1018)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information of domain computers and controllers.
Telemetry showed powershell.exe executing net.exe (tainted by parent alert on wscript.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information of domain computers and controllers
13.B.1
Empire: 'net use' via PowerShell
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on wscript.exe.
Telemetry showed powershell.exe executing net.exe (tainted by parent alert on wscript.exe)
13.B.2
Empire: 'netstat -ano' via PowerShell
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing netstat.exe. The telemetry was tainted by a trace detection on wscript.exe.
Enrichment
  
The capability enriched netstat.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Connections Discovery) and a suspicious indicator that the network protocol statistics were gathered.
Telemetry showed powershell.exe executing netstat.exe (tainted by parent alert on wscript.exe)
Enrichment of netstat.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Connections Discovery) and a suspicious indicator that the network protocol statistics were gathered
13.C.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing reg.exe. The telemetry was tainted by a trace detection on wscript.exe.
Enrichment
  
The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that reg.exe utility queried the Registry.
Telemetry showed powershell.exe executing reg.exe (tainted by parent alert on wscript.exe)
Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that reg.exe utility queried the Registry
14.A.1
Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)
Bypass User Account Control
(T1088)
Telemetry
  
Telemetry showed an integrity level change from medium (2) to high (3) for powershell.exe, which is indicative of a UAC bypass.
Specific Behavior
  
A Specific Behavior alert was generated for a possible UAC bypass. The alert was tagged with the correct ATT&CK Technique (Bypass User Account Control) and Tactics (Defense Evasion, Privilege Escalation).
Telemetry showing an integrity level change for powershell.exe
Specific Behavior alert for a possible UAC bypass.
Commonly Used Port
(T1043)
Telemetry
  
Telemetry showed a network connection to 192.168.0.5 (C2 server) over TCP port 8080.
Telemetry showing a network connection to 192.168.0.5 (C2 server) over TCP port 8080
Remote File Copy
(T1105)
None
  
No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080.
Telemetry showing encoded PowerShell command that could be decoded outside the capability (does not count as a detection)
Standard Application Layer Protocol
(T1071)
None
  
No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080.
Telemetry showing encoded PowerShell command that could be decoded outside the capability (does not count as a detection)
15.A.1
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Application Window Discovery
(T1010)
None
  
No detection capability demonstrated for this procedure.
Input Capture
(T1056)
None
  
No detection capability demonstrated for this procedure.
15.B.1
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Credentials in Files
(T1081)
None
  
No detection capability demonstrated for this procedure.
16.A.1
Empire: 'net use' via PowerShell to make brute-force password-spraying authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting the credentials of users Kmitnick, Bob, and Frieda
Brute Force
(T1110)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing repeated logon attempts via net.exe. The telemetry was tainted by a trace detection on powershell.exe.
Specific Behavior
  
A Specific Behavior alert was generated for powershell.exe performing a potential brute force password hack via the net utility.
Telemetry showing powershell.exe executing repeated logon attempts via net.exe (tainted by a parent alert on powershell.exe)
Specific Behavior alert for powershell.exe performing a potential brute force password hack via the net utility
Windows Admin Shares
(T1077)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing repeated logon attempts targeting ADMIN$ via net.exe. The telemetry was tainted by a trace detection on powershell.exe.
Telemetry showing powershell.exe executing repeated logon attempts targeting ADMIN$ via net.exe (tainted by a parent alert on powershell.exe)
16.B.1
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Windows Admin Shares
(T1077)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe to ADMIN$ with command-line arguments to login using the valid credentials of user Kmitnick. The telemetry was tainted by a trace detection on powershell.exe.
Specific Behavior
  
A Specific Behavior alert was generated for the net utility executed to authenticate to a remote admin share with valid accounts. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares).
Telemetry showing a logon attempt via net.exe (tainted by a parent alert on powershell.exe)
Specific Behavior alert for the net utility executed to authenticate to a remote admin share with valid accounts, tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares)
Valid Accounts
(T1078)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe with command-line arguments to login using the valid credentials of user Kmitnick. The telemetry was tainted by a trace detection on powershell.exe. Telemetry also showed a login event on Conficker (10.0.0.5) for user Kmitnick.
Telemetry showing a logon attempt via net.exe (tainted by a parent alert on powershell.exe)
Telemetry showing a login event on Conficker (10.0.0.5) for user Kmitnick
Brute Force
(T1110)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe with command-line arguments to login using the valid credentials of user Kmitnick. The telemetry was tainted by a trace detection on powershell.exe.
Specific Behavior
  
A Specific Behavior alert was generated for powershell.exe performing a potential brute force password hack via the net utility.
Telemetry showing a logon attempt via net.exe (tainted by a parent alert on powershell.exe)
Specific Behavior alert for powershell.exe performing a potential brute force password hack via the net utility
16.C.1
Empire: 'net use /delete' via PowerShell
Network Share Connection Removal
(T1126)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on powershell.exe.
Specific Behavior
  
A Specific Behavior alert was generated for the net utility removing a shared connection via PowerShell. The alert was tagged with the correct ATT&CK Tactic (Defense Evasion) and Technique (Network Share Connection Removal).
Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on powershell.exe)
Specific Behavior alert for the net utility removing a shared connection via PowerShell, tagged to the correct ATT&CK Tactic (Defense Evasion) and Technique (Network Share Connection Removal)
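Two things recur in the rows above that a detection engineer has to reproduce in their own pipeline: mapping a process event to an ATT&CK technique from parent/child and command-line signals (rundll32.exe under the Schedule svchost, wscript.exe spawning powershell.exe, repeated credentialed 'net use' attempts against ADMIN$, 'net use /delete', 'sc create'), and marking telemetry as "tainted" when an ancestor process already carries an alert. The Python below is an added illustration of both, written for this page; it is not McAfee's or MITRE's code. The event schema, the three-attempt brute-force threshold, the rule set and the sample events are constructed assumptions that follow the page's lab naming.

```python
"""Added example: process-tree taint propagation and ATT&CK technique tagging
over constructed endpoint telemetry. Not McAfee's or MITRE's code; the event
schema, threshold, rules and sample events are assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

BRUTE_FORCE_THRESHOLD = 3  # assumed: N credentialed 'net use' attempts from one parent


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed schema)."""
    pid: int
    ppid: int
    image: str      # base name of the executable
    cmdline: str
    user: str = ""


def nearest_alerted_ancestor(pid: int, index: Dict[int, ProcEvent],
                             alerted: Set[int]) -> Optional[ProcEvent]:
    """Walk up the parent chain and return the closest ancestor that carries
    an alert, or None. Stops at an unknown parent or a pid cycle."""
    seen: Set[int] = set()
    cur = index.get(pid)
    while cur is not None and cur.ppid in index and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = index[cur.ppid]
        if cur.pid in alerted:
            return cur
    return None


def _is_cred_attempt(e: ProcEvent) -> bool:
    """'net use' with explicit credentials counts as one authentication attempt."""
    toks = e.cmdline.lower().split()
    return e.image == "net.exe" and "use" in toks and any(t.startswith("/user:") for t in toks)


def technique_tags(e: ProcEvent, parent: Optional[ProcEvent],
                   attempts_by_parent: Counter) -> List[str]:
    """Map one event to ATT&CK technique ids from parent/child and command-line signals."""
    tags: List[str] = []
    toks = e.cmdline.lower().split()
    if (e.image == "rundll32.exe" and parent is not None and parent.image == "svchost.exe"
            and "-s schedule" in parent.cmdline.lower()):
        tags.append("T1053")      # Scheduled Task: rundll32 under the Schedule svchost
    if e.image == "cmd.exe" and "\\startup\\" in e.cmdline.lower() and any(t.endswith(".bat") for t in toks):
        tags.append("T1060")      # Registry Run Keys / Startup Folder: batch file from Startup
    if e.image == "powershell.exe" and parent is not None and parent.image == "wscript.exe":
        tags.append("T1064")      # Scripting: script host spawning PowerShell
    if e.image == "net.exe" and "use" in toks:
        if any("admin$" in t for t in toks):
            tags.append("T1077")  # Windows Admin Shares
        if "/delete" in toks:
            tags.append("T1126")  # Network Share Connection Removal
        elif _is_cred_attempt(e) and attempts_by_parent[e.ppid] >= BRUTE_FORCE_THRESHOLD:
            tags.append("T1110")  # Brute Force: repeated credentialed attempts from one parent
    if e.image == "sc.exe":
        if "create" in toks:
            tags.append("T1050")  # New Service
        if "start" in toks:
            tags.append("T1035")  # Service Execution
        if "query" in toks or "qc" in toks:
            tags.append("T1007")  # System Service Discovery
    if e.image == "netstat.exe":
        tags.append("T1049")      # System Network Connections Discovery
    if e.image == "whoami.exe":
        tags.append("T1033")      # System Owner / User Discovery
    if e.image in ("route.exe", "ipconfig.exe"):
        tags.append("T1016")      # System Network Configuration Discovery
    if e.image == "reg.exe" and "query" in toks:
        tags.append("T1012")      # Query Registry
    return tags


def classify(events: List[ProcEvent], alerted_pids: Set[int]) -> List[dict]:
    """One row per event: technique tags, a detection label ('Alert' for the
    alerted process itself, 'Telemetry (Tainted)' below an alerted ancestor,
    otherwise 'Telemetry') and the image of the process that tainted it."""
    index = {e.pid: e for e in events}
    attempts = Counter(e.ppid for e in events if _is_cred_attempt(e))
    rows = []
    for e in events:
        taint = nearest_alerted_ancestor(e.pid, index, alerted_pids)
        if e.pid in alerted_pids:
            label = "Alert"
        else:
            label = "Telemetry (Tainted)" if taint else "Telemetry"
        rows.append({"pid": e.pid, "image": e.image,
                     "techniques": technique_tags(e, index.get(e.ppid), attempts),
                     "detection": label,
                     "tainted_by": taint.image if taint else None})
    return rows


SAMPLE_EVENTS = [  # constructed; hosts and users follow the page's lab naming
    ProcEvent(100, 1, "explorer.exe", "explorer.exe", "Bob"),
    ProcEvent(200, 100, "wscript.exe", "wscript.exe autoupdate.vbs", "Bob"),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -enc <base64-placeholder>", "Bob"),
    ProcEvent(301, 300, "netstat.exe", "netstat -ano", "Bob"),
    ProcEvent(302, 300, "whoami.exe", "whoami /all /fo list", "Bob"),
    ProcEvent(303, 300, "net.exe", r"net use \\10.0.1.4\ADMIN$ /user:Kmitnick <pw-placeholder>", "Bob"),
    ProcEvent(304, 300, "net.exe", r"net use \\10.0.1.4\ADMIN$ /user:Bob <pw-placeholder>", "Bob"),
    ProcEvent(305, 300, "net.exe", r"net use \\10.0.1.6\ADMIN$ /user:Frieda <pw-placeholder>", "Bob"),
    ProcEvent(306, 300, "net.exe", r"net use \\10.0.0.5\ADMIN$ /delete", "Bob"),
    ProcEvent(307, 300, "sc.exe", r"sc \\10.0.0.4 create AdobeUpdater binPath= <path-placeholder>", "Bob"),
    ProcEvent(400, 1, "svchost.exe", "svchost.exe -k netsvcs -p -s Schedule", "SYSTEM"),
    ProcEvent(401, 400, "rundll32.exe", "rundll32.exe updater.dll", "Debbie"),
]
ALERTED = {200}  # the script host carries a Specific Behavior alert

if __name__ == "__main__":
    for row in classify(SAMPLE_EVENTS, ALERTED):
        print(row)
```

Everything under powershell.exe comes out as "Telemetry (Tainted)" with `tainted_by` set to wscript.exe, which is the page's notion of taint: the raw event is still recorded, but the reason an analyst would look at it is the alert on an ancestor. The scheduled-task rundll32.exe under svchost.exe has no alerted ancestor and stays plain "Telemetry", matching row 10.A.2.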
16.D.1
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on powershell.exe.
Specific Behavior
  
A Specific Behavior alert was generated for the net utility executed to authenticate to a remote admin share with valid accounts. The alert was tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares).
Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on powershell.exe)
Specific Behavior alert for the net utility removing a shared connection via PowerShell, mapped to the correct ATT&CK Tactic (Defense Evasion) and Technique (Network Share Connection Removal)
Valid Accounts
(T1078)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing net.exe. The telemetry was tainted by a trace detection on powershell.exe.
Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on powershell.exe)
16.E.1
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Remote File Copy
(T1105)
Telemetry
  
Telemetry showed the creation of autoupdate.vbs on CodeRed (10.0.1.5).
Enrichment
  
The capability enriched powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Remote File Copy) and a suspicious indicator that a file was copied to a remote computer via PowerShell.
Telemetry showing the creation of autoupdate.vbs
Enrichment of powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Remote File Copy) and a suspicious indicator that a file was copied to a remote computer via PowerShell
16.F.1
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Command-Line Interface
(T1059)
Telemetry
  
Telemetry showed cmd.exe executing autoupdate.vbs as user Kmitnick.
Enrichment
  
The capability enriched wscript.exe executing autoupdate.vbs with the correct ATT&CK Tactic (Execution) and Technique (Command Line Interface).
Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick
Enrichment of wscript.exe executing autoupdate.vbs with the correct ATT&CK Tactic (Execution) and Technique (Command Line Interface)
16.G.1
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Remote File Copy
(T1105)
Telemetry
  
Telemetry showed the creation of update.vbs on Creeper (10.0.0.4).
Enrichment
  
The capability enriched powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Remote File Copy) and a suspicious indicator that a file was copied to a remote computer via PowerShell.
Telemetry showing the creation of update.vbs
Enrichment of powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Remote File Copy) and a suspicious indicator that a file was copied to a remote computer via PowerShell
16.H.1
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing sc.exe. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe/net.exe tool.
Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe/net.exe tool
16.I.1
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
New Service
(T1050)
Telemetry (Tainted)
  
 
Telemetry showed that a new service was added. Telemetry also showed powershell.exe executing sc.exe. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched sc.exe with a relevant ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe/net.exe tool.
Telemetry showing that a new service was added
Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe)
Enrichment of net.exe with a relevant ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe/net.exe tool
Masquerading
(T1036)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing sc.exe with command-line arguments to create and configure the AdobeUpdater service, which an analyst could use to determine that the service is masquerading. The telemetry was tainted by a trace detection on cmd.exe.
Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe)
16.J.1
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing sc.exe. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that the configuration of a system service was queried.
Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that the configuration of a system service was queried.
16.K.1
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
16.L.1
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Service Execution
(T1035)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing sc.exe. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched sc.exe with a relevant ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe/net.exe tool.
Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe)
Enrichment of net.exe with a relevant ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe/net.exe tool
17.A.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed reg.exe executing with command-line arguments. The telemetry was tainted by a parent cmd.exe alert.
Enrichment
  
The capability enriched the powershell.exe that executed reg.exe with the ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that PowerShell queried terminal services Registry.
Enrichment
  
The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that the Registry was queried for remote services (RDP).
Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert)
Enrichment of powershell.exe that executed reg.exe with the ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that PowerShell queried terminal services Registry
Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that the Registry was queried for remote services (RDP)
Query Registry
(T1012)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing reg.exe. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the reg.exe utility queried the Registry.
Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert)
Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the reg.exe utility queried the Registry
17.B.1
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
File Permissions Modification
(T1222)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing takeown.exe. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched takeown.exe with a suspicious indicator that the takeown command was executed to obtain ownership of a file or directory.
Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert)
Enrichment of takeown.exe with a suspicious indicator that the takeown command was executed to obtain ownership of a file or directory
17.B.2
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
File Permissions Modification
(T1222)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing icacls.exe. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched icacls.exe with a suspicious indicator that full access permissions were given to certain users.
Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert)
Enrichment of icacls.exe with a suspicious indicator that full access permissions were given to certain users
17.C.1
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Accessibility Features
(T1015)
Telemetry
  
Telemetry showed a file modification event for Magnifier.exe.
General Behavior
  
A General Behavior alert was generated for powershell.exe altering the attributes of an executable file under the Windows system folder.
Telemetry showing a file modification event for Magnifier.exe
A General Behavior alert for powershell.exe altering the attributes of an executable file under the Windows system folder
18.A.1
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
18.B.1
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Data Staged
(T1074)
Telemetry (Tainted)
  
 
Telemetry showed creation of the .vsdx file in the Recycle Bin. The telemetry was tainted by a trace detection on cmd.exe.
Specific Behavior
  
A Specific Behavior alert was generated for PowerShell creating a file in the Recycle Bin. The alert was tagged with the correct ATT&CK Tactic (Collection) and Technique (Data Staged).
Telemetry showing file creation in the Recycle Bin (tainted by parent alert on cmd.exe)
Specific Behavior alert for PowerShell creating a file in the Recycle Bin, tagged with the correct ATT&CK Tactic (Collection) and Technique (Data Staged).
Data from Network Shared Drive
(T1039)
None
  
No detection capability demonstrated for this procedure.
19.A.1
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Masquerading
(T1036)
Telemetry
  
Telemetry showed the MD5/SHA256 hash value of recycler.exe when it was written to disk, which an analyst could use to determine recycler.exe was actually WinRAR.
Telemetry showing the MD5/SHA256 hash value of recycler.exe
Remote File Copy
(T1105)
Telemetry
  
Telemetry showed a file creation event for recycler.exe.
Telemetry showing a file creation event for recycler.exe
19.B.1
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Data Compressed
(T1002)
Telemetry (Tainted)
  
 
Telemetry showed the execution of recycler.exe with command-line arguments indicating that it was WinRAR and that file compression and encryption were used to create an encrypted archive. Telemetry also showed the creation of old.rar as the output of recycler.exe running. The telemetry was tainted by a trace detection on cmd.exe.
Telemetry showing the execution of recycler.exe with command-line arguments (tainted by a parent alert on cmd.exe)
Telemetry showing the creation of old.rar (tainted by a parent alert on cmd.exe)
Data Encrypted
(T1022)
Telemetry (Tainted)
  
 
Telemetry showed the execution of recycler.exe with command-line arguments indicating that it was WinRAR and that file compression and encryption were used to create an encrypted archive. Telemetry also showed the creation of old.rar as the output of recycler.exe running. The telemetry was tainted by a trace detection on cmd.exe.
Telemetry showing the execution of recycler.exe with command-line arguments (tainted by a parent alert on cmd.exe)
Telemetry showing the creation of old.rar (tainted by a parent alert on cmd.exe)
Masquerading
(T1036)
Telemetry (Tainted)
  
 
Telemetry showed the execution of recycler.exe with command-line arguments indicating that it was WinRAR and that file compression and encryption were used to create an encrypted archive. Telemetry also showed the creation of old.rar as the output of recycler.exe running. The telemetry was tainted by a trace detection on cmd.exe.
Telemetry showing the execution of recycler.exe with command-line arguments (tainted by a parent alert on cmd.exe)
Telemetry showing the creation of old.rar (tainted by a parent alert on cmd.exe)
19.C.1
Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfiltrate data over a network connection separate from the existing C2 channel
Exfiltration Over Alternative Protocol
(T1048)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing ftp.exe, which made an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched powershell.exe executing ftp.exe with the correct ATT&CK Tactic (Exfiltration) and Technique (Exfiltration Over Alternative Protocol) and a suspicious indicator that a connection was made to a remote server via the FTP protocol.
Telemetry showing cmd.exe executing ftp.exe, which made an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21 (tainted by a trace detection on cmd.exe)
Enrichment of powershell.exe executing ftp.exe with the correct ATT&CK Tactic (Exfiltration) and Technique (Exfiltration Over Alternative Protocol) and a suspicious indicator that a connection was made to a remote server via the FTP protocol
19.D.1
Empire: 'del C:\"$"Recycle.bin\old.rar'
File Deletion
(T1107)
None
  
No detection capability demonstrated for this procedure.
19.D.2
Empire: 'del recycler.exe'
File Deletion
(T1107)
Telemetry (Tainted)
  
 
Telemetry showed file deletion event for recycler.exe. The telemetry was tainted by a trace detection on cmd.exe.
Enrichment
  
The capability enriched PowerShell deleting recycler.exe with the correct ATT&CK Tactic (Defense Evasion) and Technique (File Deletion) and a suspicious indicator that an executable file was deleted from the system root folder.
Telemetry showing file deletion event for recycler.exe (tainted by a parent alert on cmd.exe)
Enrichment of PowerShell deleting recycler.exe with the correct ATT&CK Tactic (Defense Evasion) and Technique (File Deletion) and a suspicious indicator that an executable file was deleted from the system root folder
20.A.1
magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
Accessibility Features
(T1015)
Telemetry (Tainted)
  
 
Telemetry showed magnify.exe (original name identified as cmd.exe) executing from utilman.exe. The telemetry was tainted by a trace detection on magnify.exe.
Specific Behavior
  
A Specific Behavior alert was generated for the command prompt tool executed by masquerading as an accessibility tool. The alert was tagged with the correct ATT&CK Tactics (Persistence, Privilege Escalation) and Technique (Accessibility Features).
Telemetry showing magnify.exe (original name identified as cmd.exe) executing from utilman.exe (tainted by a trace detection on magnify.exe)
Specific Behavior alert for the command prompt tool executed by masquerading as an accessibility tool. The alert was tagged with the correct ATT&CK Tactics (Persistence, Privilege Escalation) and Technique (Accessibility Features)
Remote Desktop Protocol
(T1076)
None
  
No detection capability demonstrated for this procedure.
20.B.1
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
System Owner / User Discovery
(T1033)
Telemetry (Tainted)
  
 
Telemetry showed magnify.exe (original name identified as cmd.exe) executing whoami.exe. The telemetry was tainted by a trace detection on magnify.exe.
Specific Behavior
  
A Specific Behavior alert was generated because the whoami command was executed through a masqueraded tool (magnify.exe).
Telemetry showing magnify.exe (original name identified as cmd.exe) executing whoami.exe (tainted by a trace detection on magnify.exe)
Specific Behavior alert for the whoami command executed through a masqueraded tool (magnify.exe)

Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

Step 1: Initial Compromise

1.A.1 Execution

User Execution, Rundll32, Scripting

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port, Data Encoding, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig /all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner / User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist /v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators /domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user /domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george /domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Defense Evasion, Privilege Escalation

Access Token Manipulation, Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Defense Evasion, Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.2 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in hash dump capability executed

5.B.1 Defense Evasion, Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port, Multiband Communication, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account, Graphical User Interface, Account Discovery

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.B.1 Command and Control, Lateral Movement

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection, Credential Access

Input Capture, Application Window Discovery

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.D.1 Collection

Screen Capture, Process Injection

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Collection

Data from Network Shared Drive, Exfiltration Over Command and Control Channel

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logged on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Scheduled task executed when user Debbie logged on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Lateral Movement

Remote Desktop Protocol, Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access

11.A.1 Defense Evasion, Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol

i. Empire: C2 channel established

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig /all' via PowerShell

12.B.1 Discovery

System Owner / User Discovery

i. Empire: 'whoami /all /fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Defense Evasion, Execution

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner / User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Collection

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" /domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" /domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Defense Evasion, Privilege Escalation

Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

i. Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)

Step 15: Credential Access

15.A.1 Discovery

Application Window Discovery, Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force, Windows Admin Shares

i. Empire: 'net use' via PowerShell to perform brute-force (password spraying) authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting credentials of users Kmitnick, Bob, and Frieda

16.B.1 Lateral Movement

Windows Admin Shares, Valid Accounts, Brute Force

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use /delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares, Valid Accounts

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.E.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Persistence, Privilege Escalation

New Service, Masquerading

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery, Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.B.1 Defense Evasion

File Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Defense Evasion

File Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence, Privilege Escalation

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged, Data from Network Shared Drive

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration

19.A.1 Defense Evasion

Masquerading, Remote File Copy

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.B.1 Exfiltration

Data Compressed, Data Encrypted, Masquerading

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.C.1 Exfiltration

Exfiltration Over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfiltrate data over a network connection separate from the existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence, Privilege Escalation

Accessibility Features, Remote Desktop Protocol

i. magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)

20.B.1 Discovery

System Owner / User Discovery

i. Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)