MITRE ATT&CK™ EVALUATIONS

Home > Evaluations > Microsoft

Windows Defender ATP

Defender

Microsoft

Tags:

Microsoft Summary Matrix Page Information

The ATT&CK matrix is a summary of the evaluation. The cells with dark text are the techniques in scope for the evaluation. Roll over a technique for a summary of how it was tested, including the procedure name, the step of the operational flow, and the detection types associated each procedure’s detection(s).

Detection types are defined in the legend. Within the rollover, adjoining detection types are a single detection, and whitespace separates different detections.

Example: The detection below, for the procedure WinRAR has two detections. The first detection is telemetry which was tainted. The second is a specific behavior.

Vendor Configuration

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE

Legend

Main Detection Categories:

None

Telemetry

Indicator of Compromise

General Behavior

Specific Behavior

Enrichment

Detection Modifiers:

Tainted

Delayed

Configuration Change

Matrix Summary

Greyed out tactics are out of scope for this evaluation.

Blue linked tactics are in scope for this evaluation.

All Results JSON Legend

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control

Drive-by Compromise

AppleScript

.bash_profile and .bashrc

Access Token Manipulation

Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token

Cobalt Strike: Built-in token theft capability executed to change user context to George

Access Token Manipulation

Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token

Cobalt Strike: Built-in token theft capability executed to change user context to George

Account Manipulation

Account Discovery

Cobalt Strike: 'net user /domain' via cmd

Cobalt Strike: 'net user george /domain' via cmd

Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information

Empire: 'net user' via PowerShell

Empire: 'net user /domain' via PowerShell

AppleScript

Audio Capture

Automated Exfiltration

Commonly Used Port

Cobalt Strike: C2 channel established using port 53

Cobalt Strike: C2 channel modified to use port 80

Empire: C2 channel established using port 443

Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080

Exploit Public-Facing Application

CMSTP

Accessibility Features

Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

magnifer.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)

Accessibility Features

Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

magnifer.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)

BITS Jobs

Bash History

Application Window Discovery

Cobalt Strike: Keylogging capability included residual enumeration of application windows

Empire: Built-in keylogging module included residual enumeration of application windows

Application Deployment Software

Automated Collection

Data Compressed

Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

Communication Through Removable Media

External Remote Services

Command-Line Interface

Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

Account Manipulation

AppCert DLLs

Binary Padding

Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda

Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying

Browser Bookmark Discovery

Distributed Component Object Model

Empire: WinEnum module included enumeration of clipboard contents

Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file

Connection Proxy

Hardware Additions

Compiled HTML File

AppCert DLLs

AppInit DLLs

Bypass User Account Control

Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level

Credential Dumping

Cobalt Strike: Built-in Mimikatz credential dump capability executed

Cobalt Strike: Built-in hash dump capability executed

Domain Trust Discovery

Exploitation of Remote Services

Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Data Transfer Size Limits

Custom Command and Control Protocol

Replication Through Removable Media

Control Panel Items

AppInit DLLs

Application Shimming

CMSTP

Credentials in Files

Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

File and Directory Discovery

Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

Empire: WinEnum module included enumeration of recently opened files

Empire: WinEnum module included enumeration of interesting files

Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

Logon Scripts

Data from Information Repositories

Exfiltration Over Alternative Protocol

Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel

Custom Cryptographic Protocol

Spearphishing Attachment

Dynamic Data Exchange

Application Shimming

Bypass User Account Control

Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level

Clear Command History

Credentials in Registry

Network Service Scanning

Pass the Hash

Data from Local System

Exfiltration Over Command and Control Channel

Cobalt Strike: Download capability exfiltrated data through existing C2 channel

Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding

Spearphishing Link

Execution through APIEnabling Technique: Not directly tested

Authentication Package

DLL Search Order Hijacking

Code Signing

Exploitation for Credential Access

Network Share Discovery

Empire: WinEnum module included enumeration of available shares

Empire: WinEnum module included enumeration of mapped network drives

Pass the Ticket

Data from Network Shared Drive

Cobalt Strike: Built-in download capability executed to a collect file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Exfiltration Over Other Network Medium

Data Obfuscation

Spearphishing via Service

Execution through Module Load

BITS Jobs

Dylib Hijacking

Compile After Delivery

Forced Authentication

Network Sniffing

Remote Desktop Protocol

Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism

RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism

Data from Removable Media

Exfiltration Over Physical Medium

Domain Fronting

Supply Chain Compromise

Exploitation for Client Execution

Bootkit

Exploitation for Privilege Escalation

Compiled HTML File

Hooking

Password Policy Discovery

Empire: WinEnum module included enumeration of password policy information

Remote File Copy

Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)

Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)

Email Collection

Scheduled Transfer

Domain Generation Algorithms

Trusted Relationship

Graphical User Interface

Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection

Browser Extensions

Extra Window Memory Injection

Component Firmware

Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

Empire: Built-in keylogging module executed to capture keystrokes of user Bob

Peripheral Device Discovery

Remote Services

Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

Empire: Built-in keylogging module executed to capture keystrokes of user Bob

Fallback Channels

Valid Accounts

InstallUtil

Change Default File Association

File System Permissions Weakness

Component Object Model Hijacking

Input Prompt

Permission Groups Discovery

Cobalt Strike: 'net localgroup administrators' via cmd

Cobalt Strike: 'net localgroup administrators /domain' via cmd

Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

Empire: WinEnum module included enumeration of AD group memberships

Empire: 'net group "Domain Admins" /domain' via PowerShell

Empire: 'net localgroup administrators' via PowerShell

Replication Through Removable Media

Man in the Browser

Multi-Stage Channels

LSASS Driver

Component Firmware

Hooking

Control Panel Items

Kerberoasting

Process Discovery

Cobalt Strike: 'ps' (Process status) via Win32 APIs

Cobalt Strike: 'tasklist /v' via cmd

Cobalt Strike: 'ps' (Process status) via Win32 APIs

Cobalt Strike: 'ps' (Process status) via Win32 APIs

Empire: 'qprocess *' via PowerShell

SSH Hijacking

Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Multi-hop Proxy

Launchctl

Component Object Model Hijacking

Image File Execution Options Injection

DCShadow

Keychain

Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

Empire: WinEnum module included enumeration of system information via a Registry query

Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

Shared Webroot

Video Capture

Multiband Communication

Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS

Local Job Scheduling

Added user Jesse to Conficker (10.0.0.5) through RDP connection

Launch Daemon

DLL Search Order Hijacking

LLMNR/NBT-NS Poisoning and Relay

Remote System Discovery

Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

Empire: 'net group "Domain Computers" /domain' via PowerShell

Taint Shared Content

Multilayer Encryption

Mshta

DLL Search Order Hijacking

Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

DLL Side-Loading

Network Sniffing

Security Software Discovery

Empire: WinEnum module included enumeration of AV solutions

Empire: WinEnum module included enumeration of firewall rules

Third-party Software

Port Knocking

PowerShellEnabling Technique: Not directly tested

Dylib Hijacking

Path Interception

Deobfuscate/Decode Files or Information

Password Filter DLL

System Information Discovery

Cobalt Strike: 'systeminfo' via cmd

Cobalt Strike: 'net config workstation' via cmd

Empire: WinEnum module included enumeration of system information

Empire: WinEnum module included enumeration of Windows update information

Windows Admin Shares

Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)

Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)

Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

Remote Access Tools

Regsvcs/Regasm

External Remote Services

Plist Modification

Disabling Security Tools

Private Keys

System Network Configuration Discovery

Cobalt Strike: 'ipconfig /all' via cmd

Cobalt Strike: 'arp -a' via cmd

Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

Empire: 'route print' via PowerShell

Empire: 'ipconfig /all' via PowerShell

Empire: WinEnum module included enumeration of network adapters

Windows Remote Management

Remote File Copy

Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)

Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)

Regsvr32

File System Permissions Weakness

Port Monitors

Execution Guardrails

Securityd Memory

System Network Connections Discovery

Cobalt Strike: 'netstat -ano' via cmd

Empire: WinEnum module included enumeration of established network connections

Empire: 'net use' via PowerShell

Empire: 'netstat -ano' via PowerShell

Standard Application Layer Protocol

Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com

Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com

Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com

Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP

Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32

Hidden Files and Directories

Process Injection

Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Cobalt Strike: Credential dump capability involved process injection into lsass

Cobalt Strike: Hash dump capability involved process injection into lsass.exe

Cobalt Strike: Screen capture capability involved process injection into explorer.exe

Exploitation for Defense Evasion

Two-Factor Authentication Interception

System Owner/User Discovery

Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

Empire: 'whoami /all /fo list' via PowerShell

Empire: WinEnum module included enumeration of user information

Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)

Standard Cryptographic Protocol

Empire: Encrypted C2 channel established using HTTPS

Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

Hooking

SID-History Injection

Extra Window Memory Injection

System Service Discovery

Cobalt Strike: 'sc query' via cmd

Cobalt Strike: 'net start' via cmd

Empire: 'net start' via PowerShell

Empire: WinEnum module included enumeration of services

Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Standard Non-Application Layer Protocol

Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)

Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

Hypervisor

Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

Empire: 'del C:\"$"Recycle.bin\old.rar'

Empire: 'del recycler.exe'

System Time Discovery

Uncommonly Used Port

Service Execution

Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Image File Execution Options Injection

Service Registry Permissions Weakness

File Permissions Modification

Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

Virtualization/Sandbox Evasion

Web Service

Signed Binary Proxy Execution

Kernel Modules and Extensions

Setuid and Setgid

File System Logical Offsets

Signed Script Proxy Execution

LC_LOAD_DYLIB Addition

Startup Items

Gatekeeper Bypass

Source

LSASS Driver

Sudo Caching

Group Policy Modification

Space after Filename

Launch Agent

Sudo

HISTCONTROL

Third-party Software

Launch Daemon

RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick

Hidden Files and Directories

Trap

Launchctl

Web Shell

Hidden Users

Trusted Developer Utilities

Local Job Scheduling

Hidden Window

Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

Login Item

Image File Execution Options Injection

Windows Management Instrumentation

Logon Scripts

Indicator Blocking

Windows Remote Management

Modify Existing Service

Indicator Removal from Tools

XSL Script Processing

Netsh Helper DLL

Indicator Removal on Host

Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

Indirect Command Execution

Office Application Startup

Install Root Certificate

Path Interception

InstallUtil

Plist Modification

LC_MAIN Hijacking

Port Knocking

Launchctl

Port Monitors

Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)

Empire: File dropped to disk is a renamed copy of the WinRAR binary

Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary

Rc.common

Modify Registry

Re-opened Applications

Mshta

Redundant Access

NTFS File Attributes

Registry Run Keys / Startup Folder

Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

Network Share Connection Removal

Empire: 'net use /delete' via PowerShell

SIP and Trust Provider Hijacking

Obfuscated Files or Information

Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

Plist Modification

Screensaver

Port Knocking

Security Support Provider

Process Doppelgänging

Service Registry Permissions Weakness

Process Hollowing

Setuid and Setgid

Process Injection

Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Cobalt Strike: Credential dump capability involved process injection into lsass

Cobalt Strike: Hash dump capability involved process injection into lsass.exe

Cobalt Strike: Screen capture capability involved process injection into explorer.exe

Shortcut Modification

Redundant Access

Startup Items

Regsvcs/Regasm

System Firmware

Regsvr32

Systemd Service

Rootkit

Time Providers

Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32

Trap

SIP and Trust Provider Hijacking

RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick

Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)

Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

Web Shell

Signed Binary Proxy Execution

Windows Management Instrumentation Event Subscription

Signed Script Proxy Execution

Winlogon Helper DLL

Software Packing

Space after Filename

Template Injection

Timestomp

Trusted Developer Utilities

RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick

Virtualization/Sandbox Evasion

Web Service

XSL Script Processing