Legend

Main Detection Categories:
None
Telemetry
Indicator of Compromise
General Behavior
Specific Behavior
Enrichment

Detection Modifiers:
Tainted
Delayed
Configuration Change

Cobalt Strike: 'ipconfig /all' via cmd
Telemetry (Tainted) | Telemetry showed cmd.exe executing ipconfig with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment | The capability enriched ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).
Enrichment (Tainted) | The capability enriched the execution of ipconfig.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
General Behavior (Tainted) | A General Behavior alert was generated for a commonly abused process (cmd.exe) spawning out of rundll32.exe. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.

Cobalt Strike: 'arp -a' via cmd
Telemetry (Tainted) | Telemetry showed cmd.exe executing arp with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment | The capability enriched arp.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).
Enrichment (Tainted) | The capability enriched the execution of arp.exe as possible reconnaissance as well as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.

Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
Telemetry | Telemetry showed cmd.exe executing netsh with command-line arguments.
Enrichment | The capability enriched netsh.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).

Empire: 'route print' via PowerShell
Telemetry (Tainted) | Telemetry showed powershell.exe executing route.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment | The capability enriched route.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).

Empire: 'ipconfig /all' via PowerShell
Telemetry (Tainted) | Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment | The capability enriched ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).

Empire: WinEnum module included enumeration of network adapters
Indicator of Compromise | An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire NetInfo.

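To make the legend concrete, the following is an added example (not code from the evaluation or from the evaluated vendor) that models how entries like the ones above are produced from process-creation records: the raw record is Telemetry, a known enumeration utility is enriched with an ATT&CK technique name, a commonly abused process spawned by an unusual parent raises a General Behavior alert, and every detection on a process whose ancestor already carries an alert is marked Tainted. The process tree, the alert text, the technique table and the helper names are constructed assumptions for illustration.

```python
# Added example: a small model of the detection vocabulary used in these notes.
# The process tree, alert text and technique table are constructed, not taken
# from any product.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # executable name, e.g. "cmd.exe"
    cmdline: str    # command line as recorded by the sensor


# Enrichment table: utility name -> technique name as written in the notes above.
TECHNIQUE_BY_UTILITY: Dict[str, str] = {
    "ipconfig": "System Network Configuration Discovery",
    "arp": "System Network Configuration Discovery",
    "route": "System Network Configuration Discovery",
    "netsh": "System Network Configuration Discovery",
    "whoami": "System Owner / User Discovery",
    "tasklist": "Process Discovery",
    "systeminfo": "System Information Discovery",
    "netstat": "System Network Connections Discovery",
    "tree": "File and Directory Discovery",
}
# net.exe / net1.exe are enriched by sub-command rather than by image name.
TECHNIQUE_BY_NET_SUBCOMMAND: Dict[str, str] = {
    "user": "Account Discovery",
    "localgroup": "Permission Groups Discovery",
    "group": "Permission Groups Discovery",
    "start": "System Service Discovery",
    "config": "System Information Discovery",
}
COMMONLY_ABUSED = {"cmd.exe", "powershell.exe"}
UNUSUAL_PARENTS = {"rundll32.exe", "wscript.exe"}


def technique_for(cmdline: str) -> Optional[str]:
    """Map a command line to an ATT&CK technique name, or None if unknown."""
    tokens = cmdline.strip().split()
    if not tokens:
        return None
    utility = tokens[0].lower()
    if utility.endswith(".exe"):
        utility = utility[:-4]
    if utility in ("net", "net1"):
        return TECHNIQUE_BY_NET_SUBCOMMAND.get(tokens[1].lower()) if len(tokens) > 1 else None
    return TECHNIQUE_BY_UTILITY.get(utility)


class Detector:
    def __init__(self, events: List[ProcessEvent], alerts: Dict[int, str]):
        self.by_pid = {e.pid: e for e in events}
        self.alerts = alerts   # pid -> text of an alert already raised on it

    def tainting_alert(self, pid: int) -> Optional[str]:
        """Return the alert on the nearest alerted ancestor, or None."""
        seen = set()
        cur = self.by_pid.get(pid)
        while cur is not None and cur.ppid not in seen:
            seen.add(cur.ppid)
            if cur.ppid in self.alerts:
                return self.alerts[cur.ppid]
            cur = self.by_pid.get(cur.ppid)
        return None

    def detections_for(self, pid: int) -> List[dict]:
        """Produce the (category, tainted, note) records for one process."""
        ev = self.by_pid[pid]
        parent = self.by_pid.get(ev.ppid)
        taint = self.tainting_alert(pid)
        parent_image = parent.image if parent else "<unknown>"
        out: List[dict] = []

        def emit(category: str, note: str) -> None:
            out.append({"category": category, "tainted": taint is not None,
                        "tainted_by": taint, "note": note})

        # Telemetry: the raw process-creation record with its command line.
        emit("Telemetry", f"{parent_image} executing {ev.cmdline}")
        # Enrichment: label the command with a technique when it is a known utility.
        technique = technique_for(ev.cmdline)
        if technique is not None:
            emit("Enrichment", f"{ev.image} enriched with ATT&CK Technique ({technique})")
        # General Behavior: commonly abused process spawned by an unusual parent.
        if parent and ev.image.lower() in COMMONLY_ABUSED and parent.image.lower() in UNUSUAL_PARENTS:
            emit("General Behavior", f"{ev.image} spawning out of {parent.image}")
        return out


def build_example_detector() -> Detector:
    """Constructed process tree mirroring the first entry above, plus a benign twin."""
    events = [
        ProcessEvent(100, 1, "Resume Viewer.exe", "Resume Viewer.exe"),
        ProcessEvent(200, 100, "wscript.exe", "wscript.exe stage.vbs"),   # constructed script name
        ProcessEvent(300, 200, "rundll32.exe", "rundll32.exe"),
        ProcessEvent(400, 300, "cmd.exe", "cmd.exe /c ipconfig /all"),
        ProcessEvent(500, 400, "ipconfig.exe", "ipconfig /all"),
        # Same command typed by a user in an ordinary console: no alerted ancestor.
        ProcessEvent(700, 1, "cmd.exe", "cmd.exe"),
        ProcessEvent(800, 700, "ipconfig.exe", "ipconfig /all"),
    ]
    alerts = {100: "Suspicious execution of the Windows Scripting Engine by Resume Viewer.exe"}
    return Detector(events, alerts)


if __name__ == "__main__":
    det = build_example_detector()
    for pid in (400, 500, 800):
        for d in det.detections_for(pid):
            tag = f"{d['category']} (Tainted)" if d["tainted"] else d["category"]
            print(f"{tag:28} | {d['note']}")
```

Running the module prints one row per detection in the same "Category (Modifier) | note" shape as the entries on this page; the benign ipconfig run under pid 800 produces the same Telemetry and Enrichment rows but without the Tainted modifier, which is the distinction the modifier exists to convey.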
Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
Telemetry (Tainted) | Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment | The capability enriched cmd.exe executing echo with the correct ATT&CK Technique (System Owner / User Discovery).

Empire: 'whoami /all /fo list' via PowerShell
Telemetry (Tainted) | Telemetry showed powershell.exe executing whoami.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.

Empire: WinEnum module included enumeration of user information
Indicator of Compromise | An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire UserInfo.

Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
Telemetry | Telemetry showed magnify.exe executing whoami.exe.
Enrichment | The capability enriched whoami.exe executing as an enumeration command.

Cobalt Strike: 'ps' (Process status) via Win32 APIs
Enrichment (Tainted) | The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.

Cobalt Strike: 'tasklist /v' via cmd
Telemetry (Tainted) | Telemetry showed cmd.exe executing tasklist with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment | The capability enriched tasklist.exe executing with a related ATT&CK Technique (System Information Discovery).
Enrichment (Tainted) | The capability enriched the execution of tasklist.exe as the enumeration of running processes via the command line. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.

Cobalt Strike: 'ps' (Process status) via Win32 APIs
Enrichment (Tainted) | The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.

Cobalt Strike: 'ps' (Process status) via Win32 APIs
Enrichment (Tainted) | The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.

Empire: 'qprocess *' via PowerShell
Telemetry (Tainted) | Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment (Tainted) | The capability enriched the execution of qprocess.exe as the enumeration of running processes via the command line. The data was tainted by a parent alert on wscript.exe.
Enrichment | The capability enriched qprocess.exe executing with a related ATT&CK Technique (System Service Discovery).

Cobalt Strike: 'sc query' via cmd
Telemetry (Tainted) | Telemetry showed cmd.exe executing sc with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.

Cobalt Strike: 'net start' via cmd
Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment (Tainted) | The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.

Empire: 'net start' via PowerShell
Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment (Tainted) | The capability enriched net.exe executing as the execution of an enumeration command. The data was tainted by a parent alert on wscript.exe.
General Behavior (Tainted) | A General Behavior alert was generated for net.exe executing as an enumeration command called by a commonly abused causality group owner (CGO, wscript.exe). The data was tainted by a parent alert on wscript.exe.

Empire: WinEnum module included enumeration of services
Enrichment | The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery).

Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
Telemetry (Tainted) | Telemetry showed powershell.exe executing sc with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
General Behavior (Tainted) | A General Behavior alert was generated for the sc utility being used to perform actions on remote services. The alert was tainted by a parent alert on wscript.exe.
Enrichment | The capability enriched sc.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery).

Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
Telemetry (Tainted) | Telemetry showed powershell.exe executing sc.exe with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment (Tainted) | The capability enriched powershell.exe executing sc.exe as enumeration of services via the command line. The data was tainted by a parent alert on wscript.exe.

Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
Telemetry (Tainted) | Telemetry showed powershell.exe executing reg with command-line arguments. The telemetry was tainted by a parent alert on cmd.exe.
Enrichment (Tainted) | The capability enriched reg.exe executing with command-line arguments as the terminal server key queried by the reg utility. The data was tainted by a parent alert on cmd.exe.
Enrichment | The capability enriched reg.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery).

Cobalt Strike: 'systeminfo' via cmd
Telemetry (Tainted) | Telemetry showed cmd.exe executing systeminfo with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment | The capability enriched cmd.exe executing systeminfo with the correct ATT&CK Technique (System Information Discovery).
Enrichment (Tainted) | The capability enriched the execution of systeminfo.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.

Cobalt Strike: 'net config workstation' via cmd
Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment | The capability enriched cmd.exe executing net with the correct ATT&CK Technique (System Information Discovery).
Enrichment (Tainted) | The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.

Empire: WinEnum module included enumeration of system information
Indicator of Compromise | An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire SysImfo.

Empire: WinEnum module included enumeration of Windows update information
None | No detection capability demonstrated for this procedure.

Cobalt Strike: 'net localgroup administrators' via cmd
Enrichment | The capability enriched net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery).

Cobalt Strike: 'net localgroup administrators /domain' via cmd
Enrichment | The capability enriched net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery).

Cobalt Strike: 'net group "Domain Admins" /domain' via cmd
Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment (Tainted) | The capability enriched the execution of net.exe and net1.exe as the possible enumeration of administrator groups. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment (Tainted) | The capability enriched the execution of net.exe as the execution of an enumeration command, as well as the execution of net1.exe as the execution of an enumeration command using net or net1. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.

Empire: WinEnum module included enumeration of AD group memberships
None | No detection capability demonstrated for this procedure.

Empire: 'net group "Domain Admins" /domain' via PowerShell
Telemetry (Tainted) | Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment (Tainted) | The capability enriched the execution of net.exe and net1.exe as the possible enumeration of administrator groups. The data was tainted by a parent alert on wscript.exe.
Enrichment (Tainted) | The capability enriched the execution of net.exe and net1.exe as an enumeration command. The data was tainted by a parent alert on wscript.exe.
Enrichment | The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery).

Empire: 'net localgroup administrators' via PowerShell
Telemetry (Tainted) | Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment (Tainted) | The capability enriched the execution of net.exe and net1.exe as the possible enumeration of administrator groups. The data was tainted by a parent alert on wscript.exe.
Enrichment | The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery).

Cobalt Strike: 'net user /domain' via cmd
Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment (Tainted) | The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.

Cobalt Strike: 'net user George /domain' via cmd
Telemetry (Tainted) | Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment | The capability enriched net1.exe executing with the correct ATT&CK Technique (Account Discovery).
Enrichment (Tainted) | The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.

Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information
Telemetry | Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
Enrichment | The capability enriched mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in) as reconnaissance via the MMC utility with the local users and groups view.

Empire: 'net user' via PowerShell
Telemetry (Tainted) | Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment | The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery).

Empire: 'net user /domain' via PowerShell
Telemetry (Tainted) | Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment | The capability enriched net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery).

Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
Telemetry (Tainted) | Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment | The capability enriched reg.exe executing with the correct ATT&CK Technique (Query Registry).

Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
Telemetry (Tainted) | Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent process injection alert on cmd.exe.
Enrichment (Tainted) | The capability enriched the execution of reg.exe as querying a remote key. The data was tainted by a parent process injection alert on cmd.exe.
Enrichment | The capability enriched reg.exe executing with the correct ATT&CK Technique (Query Registry).

Empire: WinEnum module included enumeration of system information via a Registry query
Enrichment (Tainted) | The capability enriched the enumeration of system information via a Registry query as suspicious. The data was tainted by a parent alert on wscript.exe.
Indicator of Compromise | An Indicator of Compromise alert was generated identifying suspicious PowerShell strings as Empire SysImfo.

Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Telemetry (Tainted) | Telemetry showed powershell.exe executing reg with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment | The capability enriched reg.exe executing with command-line arguments with the correct ATT&CK Technique (Query Registry).

Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Telemetry (Tainted) | Telemetry showed powershell.exe executing reg with command-line arguments to check if terminal services were enabled. The telemetry was tainted by a parent alert on cmd.exe.
Enrichment (Tainted) | The capability enriched reg.exe executing with command-line arguments as the terminal server key queried by the reg utility. The data was tainted by a parent alert on cmd.exe.
Enrichment | The capability enriched reg.exe executing with command-line arguments with a related ATT&CK Technique (System Service Discovery).

Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
Telemetry | Telemetry showed cmd.exe executing net with command-line arguments.
Enrichment | The capability enriched the execution of net.exe as the execution of an enumeration command using net or net1.
Enrichment | The capability enriched the execution of net.exe as the execution of an enumeration command.
Enrichment | The capability enriched cmd.exe executing net with a related ATT&CK Technique (System Network Connections Discovery).

Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
Telemetry | Telemetry showed cmd.exe executing net with command-line arguments.
Enrichment | The capability enriched the execution of net.exe as the execution of an enumeration command using net or net1.

Empire: 'net group "Domain Computers" /domain' via PowerShell
Telemetry (Tainted) | Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.
Enrichment (Tainted) | The capability enriched the execution of net.exe and net1.exe as an enumeration command. The data was tainted by a parent alert on wscript.exe.

Cobalt Strike: 'netstat -ano' via cmd
Telemetry | Telemetry showed cmd.exe executing netsh with command-line arguments.
Enrichment | The capability enriched netstat.exe executing with the correct ATT&CK Technique (System Network Connections Discovery).

Empire: WinEnum module included enumeration of established network connections
Enrichment | The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Network Connections Discovery).

Empire: 'net use' via PowerShell
Telemetry (Tainted) | Telemetry showed powershell.exe executing net with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.

Empire: 'netstat -ano' via PowerShell
Telemetry (Tainted) | Telemetry showed powershell.exe executing netstat with command-line arguments. The telemetry was tainted by a parent alert on wscript.exe.

Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
Telemetry (Tainted) | Telemetry showed cmd.exe executing dir with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment (Tainted) | The capability enriched cmd.exe executing dir with command-line arguments as the execution of the dir command on a network location. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
General Behavior (Tainted) | A General Behavior alert was generated for a commonly abused process (cmd.exe) spawning out of rundll32.exe. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.

Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
Telemetry (Tainted) | Telemetry showed cmd.exe executing tree with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment | The capability enriched cmd.exe executing tree with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery).

Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
None | No detection capability demonstrated for this procedure.

Empire: WinEnum module included enumeration of recently opened files
Enrichment | The capability enriched powershell.exe executing with command-line arguments as suspicious and with the correct ATT&CK Technique (File and Directory Discovery).

Empire: WinEnum module included enumeration of interesting files
Enrichment | The capability enriched powershell.exe executing with command-line arguments as suspicious and with the correct ATT&CK Technique (File and Directory Discovery).

Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
Telemetry (Tainted) | Telemetry showed a file read event for update.vbs. The telemetry was tainted by a parent alert on wscript.exe.

Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Telemetry (Tainted) | Telemetry showed an event with the execution of the Get-ChildItem command. The telemetry was tainted by a parent alert on wscript.exe.

Cobalt Strike: Keylogging capability included residual enumeration of application windows
None | No detection capability demonstrated for this procedure.

Empire: Built-in keylogging module included residual enumeration of application windows
Telemetry | Telemetry showed the decoded PowerShell script, which includes the API call GetForegroundWindow to enumerate the active window.
Indicator of Compromise | An Indicator of Compromise alert was generated identifying a PowerShell Empire script logging keys pressed, time, and the active window.

Empire: WinEnum module included enumeration of password policy information
None | No detection capability demonstrated for this procedure.

Empire: WinEnum module included enumeration of available shares
Enrichment | The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery).

Empire: WinEnum module included enumeration of mapped network drives
Enrichment | The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery).

Empire: WinEnum module included enumeration of AV solutions
Telemetry | Telemetry showed an event log for the WMI query of the system AV products.

Empire: WinEnum module included enumeration of firewall rules
Enrichment | The capability enriched powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Security Software Discovery).

Operational Flow

ID | Tactic | Technique | Procedure

Step 1: Initial Compromise
1.A.1 | Execution | User Execution, Rundll32, Scripting | Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
1.B.1 | Persistence | Registry Run Keys / Startup Folder | Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
1.C.1 | Command and Control | Commonly Used Port, Data Encoding, Standard Application Layer Protocol | Cobalt Strike: C2 channel established

Step 2: Initial Discovery
2.C.1 | Discovery | Process Discovery | Cobalt Strike: 'ps' (Process status) via Win32 APIs
2.G.2 | Discovery | Account Discovery | Cobalt Strike: 'net user george /domain' via cmd
2.H.1 | Discovery | Query Registry | Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation
3.A.1 | Defense Evasion, Privilege Escalation | Access Token Manipulation, Bypass User Account Control | Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
3.B.1 | Discovery | Process Discovery | Cobalt Strike: 'ps' (Process status) via Win32 APIs
3.C.1 | Defense Evasion, Privilege Escalation | Process Injection | Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

Step 5: Credential Access
5.A.1 | Credential Access | Credential Dumping, Process Injection | Cobalt Strike: Built-in Mimikatz credential dump capability executed
5.A.2 | Credential Access | Credential Dumping, Process Injection | Cobalt Strike: Built-in hash dump capability executed
5.B.1 | Defense Evasion, Privilege Escalation | Access Token Manipulation | Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement
6.A.1 | Discovery | Query Registry | Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
6.B.1 | Command and Control | Commonly Used Port, Multiband Communication, Standard Application Layer Protocol | Cobalt Strike: C2 channel modified
6.C.1 | Lateral Movement | Remote Desktop Protocol | Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence
7.B.1 | Command and Control, Lateral Movement | Remote File Copy | Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
7.C.1 | Execution, Persistence, Privilege Escalation | Scheduled Task | Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection
8.B.1 | Discovery | Process Discovery | Cobalt Strike: 'ps' (Process status) via Win32 APIs
8.D.1 | Collection | Screen Capture, Process Injection | Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration
9.A.1 | Discovery | File and Directory Discovery | Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
9.B.1 | Collection | Data from Network Shared Drive, Exfiltration Over Command and Control Channel | Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence
10.A.1 | Persistence | Registry Run Keys / Startup Folder | Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
10.A.2 | Execution, Persistence, Privilege Escalation | Scheduled Task | Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
10.B.1 | Lateral Movement | Remote Desktop Protocol, Valid Accounts | RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access
11.A.1 | Defense Evasion, Execution | Scripting | Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
11.B.1 | Command and Control | Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol | Empire: C2 channel established

Step 12: Initial Discovery
12.E.1 | Defense Evasion, Execution | Scripting | Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
12.E.1.5 | Collection | Clipboard Data | Empire: WinEnum module included enumeration of clipboard contents
12.E.1.7 | Discovery | Query Registry | Empire: WinEnum module included enumeration of system information via a Registry query
12.E.1.9.2 | Discovery | Network Share Discovery | Empire: WinEnum module included enumeration of mapped network drives

Step 13: Discovery for Lateral Movement
13.C.1 | Discovery | Query Registry | Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation
14.A.1 | Defense Evasion, Privilege Escalation | Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol | Empire: UAC bypass module downloaded and executed a new Empire stager (wdbypass)

Step 15: Credential Access
15.B.1 | Credential Access | Credentials in Files | Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement
16.A.1 | Credential Access | Brute Force, Windows Admin Shares | Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
16.B.1 | Lateral Movement | Windows Admin Shares, Valid Accounts, Brute Force | Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
16.C.1 | Defense Evasion | Network Share Connection Removal | Empire: 'net use /delete' via PowerShell
16.D.1 | Lateral Movement | Windows Admin Shares, Valid Accounts | Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
16.E.1 | Command and Control, Lateral Movement | Remote File Copy | Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
16.F.1 | Execution | Command-Line Interface | Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
16.G.1 | Command and Control, Lateral Movement | Remote File Copy | Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
16.H.1 | Discovery | System Service Discovery | Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
16.I.1 | Persistence, Privilege Escalation | New Service, Masquerading | Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
16.J.1 | Discovery | System Service Discovery | Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
16.K.1 | Discovery | File and Directory Discovery | Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
16.L.1 | Execution | Service Execution | Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence
17.B.1 | Defense Evasion | File Permissions Modification | Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
17.B.2 | Defense Evasion | File Permissions Modification | Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
17.C.1 | Persistence, Privilege Escalation | Accessibility Features | Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection
18.A.1 | Discovery | File and Directory Discovery | Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
18.B.1 | Collection | Data Staged, Data from Network Shared Drive | Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration
19.A.1 | Defense Evasion | Masquerading, Remote File Copy | Empire: File dropped to disk is a renamed copy of the WinRAR binary
19.B.1 | Exfiltration | Data Compressed, Data Encrypted, Masquerading | Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
19.C.1 | Exfiltration | Exfiltration Over Alternative Protocol | Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel
19.D.1 | Defense Evasion | File Deletion | Empire: 'del C:\"$"Recycle.bin\old.rar'
19.D.2 | Defense Evasion | File Deletion | Empire: 'del recycler.exe'

Step 20: Execution of Persistence