Windows Defender ATP (Microsoft)
Operational Flow
The Operational Flow panel gives the context in which each procedure was executed by listing every step of the evaluation together with the tactics, techniques and procedures of the executed sub-steps. Each sub-step below shows its ID, its tactic(s), the technique(s) recorded for it in parentheses where any were listed, and then the procedure that was executed.

Step 1: Initial Compromise
1.A.1 Execution (User Execution, Rundll32, Scripting)
    i. Legitimate user Debbie clicked and executed a malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
1.B.1 Persistence (Registry Run Keys / Startup Folder)
    i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
1.C.1 Command and Control (Commonly Used Port, Data Encoding, Standard Application Layer Protocol)
    i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery
2.A.1 Discovery (System Network Configuration Discovery)
    i. Cobalt Strike: 'ipconfig /all' via cmd
2.A.2 Discovery (System Network Configuration Discovery)
    i. Cobalt Strike: 'arp -a' via cmd
2.B.1 Discovery
    i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
2.C.1 Discovery
    i. Cobalt Strike: 'ps' (Process status) via Win32 APIs
2.C.2 Discovery
    i. Cobalt Strike: 'tasklist /v' via cmd
2.D.1 Discovery
    i. Cobalt Strike: 'sc query' via cmd
2.D.2 Discovery
    i. Cobalt Strike: 'net start' via cmd
2.E.1 Discovery
    i. Cobalt Strike: 'systeminfo' via cmd
2.E.2 Discovery
    i. Cobalt Strike: 'net config workstation' via cmd
2.F.1 Discovery
    i. Cobalt Strike: 'net localgroup administrators' via cmd
2.F.2 Discovery
    i. Cobalt Strike: 'net localgroup administrators /domain' via cmd
2.F.3 Discovery
    i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd
2.G.1 Discovery
    i. Cobalt Strike: 'net user /domain' via cmd
2.G.2 Discovery
    i. Cobalt Strike: 'net user george /domain' via cmd
2.H.1 Discovery
    i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation
3.A.1 Defense Evasion, Privilege Escalation (Access Token Manipulation, Bypass User Account Control)
    i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
3.B.1 Discovery
    i. Cobalt Strike: 'ps' (Process status) via Win32 APIs
3.C.1 Defense Evasion, Privilege Escalation
    i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement
4.A.1 Discovery
    i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
4.A.2 Discovery
    i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
4.B.1 Discovery (System Network Configuration Discovery)
    i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
4.C.1 Discovery (System Network Connections Discovery)
    i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access
5.A.1 Credential Access (Credential Dumping, Process Injection)
    i. Cobalt Strike: Built-in Mimikatz credential dump capability executed
5.A.2 Credential Access (Credential Dumping, Process Injection)
    i. Cobalt Strike: Built-in hash dump capability executed
5.B.1 Defense Evasion, Privilege Escalation
    i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement
6.A.1 Discovery
    i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
6.B.1 Command and Control (Commonly Used Port, Multiband Communication, Standard Application Layer Protocol)
    i. Cobalt Strike: C2 channel modified
6.C.1 Lateral Movement
    i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence
7.A.1 Persistence (Create Account, Graphical User Interface, Account Discovery)
    i. Added user Jesse to Conficker (10.0.0.5) through RDP connection
7.B.1 Command and Control, Lateral Movement
    i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
7.C.1 Execution, Persistence, Privilege Escalation
    i. Cobalt Strike: 'schtasks' via cmd to create a scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection
8.A.1 Discovery
    i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
8.A.2 Discovery
    i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
8.B.1 Discovery
    i. Cobalt Strike: 'ps' (Process status) via Win32 APIs
8.C.1 Collection, Credential Access (Input Capture, Application Window Discovery)
    i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
8.D.1 Collection (Screen Capture, Process Injection)
    i. Cobalt Strike: Built-in screen capture capability executed to capture a screenshot of the current window of user Debbie

Step 9: Exfiltration
9.A.1 Discovery
    i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
9.B.1 Collection (Data from Network Shared Drive, Exfiltration Over Command and Control Channel)
    i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence
10.A.1 Persistence (Registry Run Keys / Startup Folder)
    i. Batch file (autoupdate.bat) previously written to the Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
10.A.2 Execution, Persistence, Privilege Escalation
    i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
10.B.1 Lateral Movement (Remote Desktop Protocol, Valid Accounts)
    i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access
11.A.1 Defense Evasion, Execution
    i. Legitimate user Bob clicked and executed a malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
11.B.1 Command and Control (Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol)
    i. Empire: C2 channel established

Step 12: Initial Discovery
12.A.1 Discovery (System Network Configuration Discovery)
    i. Empire: 'route print' via PowerShell
12.A.2 Discovery (System Network Configuration Discovery)
    i. Empire: 'ipconfig /all' via PowerShell
12.B.1 Discovery
    i. Empire: 'whoami /all /fo list' via PowerShell
12.C.1 Discovery
    i. Empire: 'qprocess *' via PowerShell
12.D.1 Discovery
    i. Empire: 'net start' via PowerShell
12.E.1 Defense Evasion, Execution
    i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
12.E.1.1 Discovery
    i. Empire: WinEnum module included enumeration of user information
12.E.1.2 Discovery
    i. Empire: WinEnum module included enumeration of AD group memberships
12.E.1.3 Discovery
    i. Empire: WinEnum module included enumeration of password policy information
12.E.1.4.1 Discovery
    i. Empire: WinEnum module included enumeration of recently opened files
12.E.1.4.2 Discovery
    i. Empire: WinEnum module included enumeration of interesting files
12.E.1.5 Collection
    i. Empire: WinEnum module included enumeration of clipboard contents
12.E.1.6.1 Discovery
    i. Empire: WinEnum module included enumeration of system information
12.E.1.6.2 Discovery
    i. Empire: WinEnum module included enumeration of Windows update information
12.E.1.7 Discovery
    i. Empire: WinEnum module included enumeration of system information via a Registry query
12.E.1.8 Discovery
    i. Empire: WinEnum module included enumeration of services
12.E.1.9.1 Discovery
    i. Empire: WinEnum module included enumeration of available shares
12.E.1.9.2 Discovery
    i. Empire: WinEnum module included enumeration of mapped network drives
12.E.1.10.1 Discovery
    i. Empire: WinEnum module included enumeration of AV solutions
12.E.1.10.2 Discovery
    i. Empire: WinEnum module included enumeration of firewall rules
12.E.1.11 Discovery (System Network Configuration Discovery)
    i. Empire: WinEnum module included enumeration of network adapters
12.E.1.12 Discovery (System Network Connections Discovery)
    i. Empire: WinEnum module included enumeration of established network connections
12.F.1 Discovery
    i. Empire: 'net group "Domain Admins" /domain' via PowerShell
12.F.2 Discovery
    i. Empire: 'net localgroup administrators' via PowerShell
12.G.1 Discovery
    i. Empire: 'net user' via PowerShell
12.G.2 Discovery
    i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement
13.A.1 Discovery
    i. Empire: 'net group "Domain Computers" /domain' via PowerShell
13.B.1 Discovery (System Network Connections Discovery)
    i. Empire: 'net use' via PowerShell
13.B.2 Discovery (System Network Connections Discovery)
    i. Empire: 'netstat -ano' via PowerShell
13.C.1 Discovery
    i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation
14.A.1 Defense Evasion, Privilege Escalation (Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol)
    i. Empire: Built-in UAC bypass token duplication module executed to launch a new callback with elevated process integrity level

Step 15: Credential Access
15.A.1 Discovery (Application Window Discovery, Input Capture)
    i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob
15.B.1 Credential Access
    i. Empire: 'get-content' via PowerShell to collect a sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement
16.A.1 Credential Access (Brute Force, Windows Admin Shares)
    i. Empire: 'net use' via PowerShell to brute force password spraying authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting the credentials of users Kmitnick, Bob, and Frieda
16.B.1 Lateral Movement (Windows Admin Shares, Valid Accounts, Brute Force)
    i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using the credentials of user Kmitnick
16.C.1 Defense Evasion (Network Share Connection Removal)
    i. Empire: 'net use /delete' via PowerShell
16.D.1 Lateral Movement (Windows Admin Shares, Valid Accounts)
    i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
16.E.1 Command and Control, Lateral Movement
    i. Empire: Built-in upload module executed to write a malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
16.F.1 Execution
    i. Empire: Built-in runas module executed to launch the malicious VBScript (autoupdate.vbs) as user Kmitnick
16.G.1 Command and Control, Lateral Movement
    i. Empire: Built-in move capability executed to write a malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
16.H.1 Discovery
    i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
16.I.1 Persistence, Privilege Escalation
    i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
16.J.1 Discovery
    i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
16.K.1 Discovery
    i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
16.L.1 Execution
    i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence
17.A.1 Discovery (System Service Discovery, Query Registry)
    i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
17.B.1 Defense Evasion
    i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
17.B.2 Defense Evasion
    i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
17.C.1 Persistence, Privilege Escalation
    i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection
18.A.1 Discovery
    i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
18.B.1 Collection (Data Staged, Data from Network Shared Drive)
    i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration
19.A.1 Defense Evasion (Masquerading, Remote File Copy)
    i. Empire: File dropped to disk is a renamed copy of the WinRAR binary
19.B.1 Exfiltration (Data Compressed, Data Encrypted, Masquerading)
    i. Empire: Executed binary (recycler.exe) created a compressed archive (old.rar) of the previously collected file
19.C.1 Exfiltration (Exfiltration Over Alternative Protocol)
    i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfiltrate data over a network connection separate from the existing C2 channel
19.D.1 Defense Evasion
    i. Empire: 'del C:\"$"Recycle.bin\old.rar'
19.D.2 Defense Evasion
    i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence
20.A.1 Persistence, Privilege Escalation (Accessibility Features, Remote Desktop Protocol)
    i. magnify.exe, previously overwritten by cmd.exe, launched through an RDP connection made to Creeper (10.0.0.4)
20.B.1 Discovery
    i. Executed 'whoami' via the cmd persistence mechanism through an RDP connection made to Creeper (10.0.0.4)
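As an added example that is not part of the evaluation page or of the product being evaluated, the following Python detection logic runs over constructed process-creation events and flags two patterns from the flow above from a defender's side: the burst of distinct discovery command families that one parent process issues in Steps 2 and 12, and the takeown/icacls/copy sequence aimed at magnify.exe in Step 17. Hostnames, timestamps, parent images and command lines in EVENTS are constructed sample data, not telemetry from the evaluation.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (timestamp, host, parent image, command line)
# modelled on Steps 2, 12 and 17 of the flow above; not telemetry from the evaluation.
EVENTS = [
    ("2018-04-01T10:00:01", "Nimda", "rundll32.exe", "cmd.exe /c ipconfig /all"),
    ("2018-04-01T10:00:09", "Nimda", "rundll32.exe", "cmd.exe /c arp -a"),
    ("2018-04-01T10:00:20", "Nimda", "rundll32.exe", "cmd.exe /c tasklist /v"),
    ("2018-04-01T10:00:31", "Nimda", "rundll32.exe", "cmd.exe /c net localgroup administrators /domain"),
    ("2018-04-01T10:00:45", "Nimda", "rundll32.exe", "cmd.exe /c systeminfo"),
    ("2018-04-01T11:15:00", "Morris", "explorer.exe", "cmd.exe /c ipconfig /all"),  # benign one-off
    ("2018-04-01T12:30:02", "CodeRed", "powershell.exe", "takeown /f C:\\Windows\\System32\\magnify.exe"),
    ("2018-04-01T12:30:07", "CodeRed", "powershell.exe", "icacls C:\\Windows\\System32\\magnify.exe /grant Everyone:F"),
    ("2018-04-01T12:30:15", "CodeRed", "powershell.exe", "copy /y C:\\Windows\\System32\\cmd.exe C:\\Windows\\System32\\magnify.exe"),
]

# Discovery command families seen in Steps 2 and 12, grouped by what they enumerate.
DISCOVERY = {
    r"\bipconfig\b|\barp -a\b|\broute print\b|\bnetsh advfirewall\b": "network config",
    r"\btasklist\b|\bqprocess\b": "processes",
    r"\bsc query\b|\bnet start\b": "services",
    r"\bsysteminfo\b|\bnet config workstation\b": "system info",
    r"\bnet (local)?group\b|\bnet user\b|\bwhoami\b": "accounts and groups",
    r"\bnetstat\b|\bnet use\b": "network connections",
    r"\breg query\b": "registry",
}
# Step 17: ownership/ACL change and overwrite of the accessibility binary magnify.exe.
ACCESSIBILITY = re.compile(r"\b(takeown|icacls|copy)\b.*\bmagnify\.exe", re.I)

def discovery_bursts(events, window=timedelta(minutes=5), min_families=4):
    """Flag a (host, parent) that runs >= min_families distinct discovery families
    inside one window; one 'ipconfig' from an admin does not trigger, the burst does."""
    hits, history = [], {}
    for ts, host, parent, cmd in events:
        families = {f for pat, f in DISCOVERY.items() if re.search(pat, cmd, re.I)}
        if not families:
            continue
        now = datetime.fromisoformat(ts)
        seen = history.setdefault((host, parent), [])
        seen.append((now, families))
        recent = {f for t0, fs in seen if now - t0 <= window for f in fs}
        if len(recent) >= min_families:
            hits.append((host, parent, frozenset(recent)))
    return hits

def accessibility_tampering(events):
    """Return every command that takes ownership of, re-ACLs or overwrites magnify.exe."""
    return [(host, parent, cmd) for _, host, parent, cmd in events if ACCESSIBILITY.search(cmd)]
```

The family threshold and window are tuning knobs; in real telemetry the parent image and user context (an unprivileged user's explorer.exe versus the rundll32.exe tree from Step 10) are what separate the emulated burst from an administrator's troubleshooting.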