SentinelOne
SentinelOne Overview Tactic Page Information

The ATT&CK tactic page displays all tested techniques belonging to that tactic, as well as all procedures and their respective detections. The procedures are grouped by their technique. The Procedure column contains a description of how the technique was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.
Legend
Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment
Detection Modifiers: Tainted, Delayed, Configuration Change
Columns: Step | Procedures | Technique | Detection Type | Detection Notes | Screenshots
Step 1.A.1
Procedure: Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
Technique: User Execution (T1204)
Detection type: Telemetry
Detection notes: Telemetry showed Resume Viewer.exe execution with subsequent file writes and execution.
Detection type: General Behavior
Detection notes: A General Behavior alert was generated due to static analysis of the file through the DFI resulting in it being marked as suspicious, which generated a story (Group ID) that subsequent linked events are tainted by.
Screenshot: Telemetry from process tree showing execution of Resume Viewer.exe
Screenshot: General Behavior alert for execution of Resume Viewer.exe as a suspicious file
Technique: Rundll32 (T1085)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed rundll32.exe executing as a result of Resume Viewer.exe running. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID).
Screenshot: Telemetry from process tree showing rundll32.exe (tainted by relationship to threat story)
Technique: Scripting (T1064)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing the pdfhelper.cmd script. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID).
Screenshot: Telemetry from process tree showing the child cmd.exe process running the script pdfhelper.cmd (tainted by relationship to threat story)
Step 1.B.1
Procedure: Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
Technique: Registry Run Keys / Startup Folder (T1060)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry on actions performed from Resume Viewer.exe showed autoupdate.bat being written to the Startup Folder. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID).
Screenshot: Telemetry showing autoupdate.bat write to the Startup folder (tainted by relationship to threat story)

Step 1.C.1
Procedure: Cobalt Strike: C2 channel established
Technique: Commonly Used Port (T1043)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure. DNS requests were observed (no detection showed port 53 specifically).
Technique: Data Encoding (T1132)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed DNS requests with encoded content to freegoogleadsenseinfo.com (the C2 domain). The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID).
Screenshot: Telemetry showing stream of DNS requests with encoded data
Screenshot: Telemetry showing DNS query for freegoogleadsenseinfo.com (C2 domain) (tainted by relationship to threat story)
Technique: Standard Application Layer Protocol (T1071)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed DNS requests to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID).
Screenshot: Telemetry showing DNS requests to the C2 domain (tainted by relationship to threat story)
Step 2.A.1
Procedure: Cobalt Strike: 'ipconfig /all' via cmd
Technique: System Network Configuration Discovery (T1016)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing ipconfig.exe with command-line arguments (tainted by relationship to threat story)

Step 2.A.2
Procedure: Cobalt Strike: 'arp -a' via cmd
Technique: System Network Configuration Discovery (T1016)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing arp.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing arp.exe with command-line arguments (tainted by relationship to threat story)

Step 2.B.1
Procedure: Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
Technique: System Owner/User Discovery (T1033)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing echo with command-line arguments (tainted by relationship to threat story)

Step 2.C.1
Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Technique: Process Discovery (T1057)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure.

Step 2.C.2
Procedure: Cobalt Strike: 'tasklist /v' via cmd
Technique: Process Discovery (T1057)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing tasklist.exe with command-line arguments (tainted by relationship to threat story)

Step 2.D.1
Procedure: Cobalt Strike: 'sc query' via cmd
Technique: System Service Discovery (T1007)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing sc.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing sc.exe with command-line arguments (tainted by relationship to threat story)

Step 2.D.2
Procedure: Cobalt Strike: 'net start' via cmd
Technique: System Service Discovery (T1007)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Step 2.E.1
Procedure: Cobalt Strike: 'systeminfo' via cmd
Technique: System Information Discovery (T1082)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing systeminfo.exe (tainted by relationship to threat story)

Step 2.E.2
Procedure: Cobalt Strike: 'net config workstation' via cmd
Technique: System Information Discovery (T1082)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Step 2.F.1
Procedure: Cobalt Strike: 'net localgroup administrators' via cmd
Technique: Permission Groups Discovery (T1069)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Step 2.F.2
Procedure: Cobalt Strike: 'net localgroup administrators /domain' via cmd
Technique: Permission Groups Discovery (T1069)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Step 2.F.3
Procedure: Cobalt Strike: 'net group "Domain Admins" /domain' via cmd
Technique: Permission Groups Discovery (T1069)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Step 2.G.1
Procedure: Cobalt Strike: 'net user /domain' via cmd
Technique: Account Discovery (T1087)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Step 2.G.2
Procedure: Cobalt Strike: 'net user george /domain' via cmd
Technique: Account Discovery (T1087)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Step 2.H.1
Procedure: Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
Technique: Query Registry (T1012)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing reg.exe with command-line arguments (tainted by relationship to threat story)
Step 3.A.1
Procedure: Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
Technique: Access Token Manipulation (T1134)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure.
Technique: Bypass User Account Control (T1088)
Detection type: Telemetry
Detection notes: Telemetry showed process integrity levels changing from medium to high. The detection was verified, but a screenshot for this data was unavailable. Integrity level values are based upon how the capability tracks integrity levels and not how Windows tracks them, causing a difference in values.

Step 3.B.1
Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Technique: Process Discovery (T1057)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure.

Step 3.C.1
Procedure: Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
Technique: Process Injection (T1055)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed powershell.exe allocating memory, writing to memory space, and invoking a thread into cmd.exe (tainted by association with parent alert for powershell.exe process executed by svchost.exe).
Screenshot: Telemetry showing powershell.exe injecting into cmd.exe (Group ID tainted this event but was not shown in this view)
Step 4.A.1
Procedure: Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
Technique: Remote System Discovery (T1018)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Step 4.A.2
Procedure: Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
Technique: Remote System Discovery (T1018)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)
Screenshot: Event tree showing net.exe (tainted by launch from process lineage previously identified as malicious)

Step 4.B.1
Procedure: Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
Technique: System Network Configuration Discovery (T1016)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing netsh.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Screenshot: Telemetry showing netsh.exe with command-line arguments (tainted by relationship to threat story)

Step 4.C.1
Procedure: Cobalt Strike: 'netstat -ano' via cmd
Technique: System Network Connections Discovery (T1049)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing netstat.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Screenshot: Telemetry showing netstat.exe with command-line arguments (tainted by relationship to threat story)
Step 5.A.1
Procedure: Cobalt Strike: Built-in Mimikatz credential dump capability executed
Technique: Credential Dumping (T1003)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure. Vendor states that the capability would normally block credential dumping activity like this, but the mitigation capability was disabled due to the evaluation parameters.
Technique: Process Injection (T1055)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure.

Step 5.A.2
Procedure: Cobalt Strike: Built-in hash dump capability executed
Technique: Credential Dumping (T1003)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure. Vendor states that the capability would normally block credential dumping activity like this, but the mitigation capability was disabled due to the evaluation parameters.
Technique: Process Injection (T1055)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed powershell.exe injecting into svchost.exe (not counted for detection) then invoking a remote thread into lsass.exe. Powershell.exe was listed as the source of the remote thread into lsass.exe instead of svchost.exe because the alert on powershell.exe came before other events and therefore had increased precedence. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing powershell.exe invoking a remote thread into lsass.exe (Group ID tainted this event but was not shown in this view)

Step 5.B.1
Procedure: Cobalt Strike: Built-in token theft capability executed to change user context to George
Technique: Access Token Manipulation (T1134)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure.
Step 6.A.1
Procedure: Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
Technique: Query Registry (T1012)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Screenshot: Telemetry showing cmd.exe executing reg with command-line arguments (tainted by relationship to rundll32 parent process linked by Group ID but not shown in this view)

Step 6.B.1
Procedure: Cobalt Strike: C2 channel modified
Technique: Commonly Used Port (T1043)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed a port 80 connection to 192.168.0.4 (C2 server) that was associated with the rundll32 parent process. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Screenshot: Telemetry showing port 80 connection to 192.168.0.4 (C2 server) (tainted by relationship to rundll32 parent process linked by Group ID but not shown in this view)
Technique: Multiband Communication (T1026)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed port 80 connections to 192.168.0.4 (C2 server) and DNS requests for freegoogleadsenseinfo.com (C2 domain), which could indicate multiband communication. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Screenshot: Telemetry showing port 80 connection to 192.168.0.4 (C2 server)
Screenshot: Telemetry showing DNS query to C2 domain (tainted by relationship to threat story shown in Group ID)
Technique: Standard Application Layer Protocol (T1071)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure. Telemetry showed a connection to port 80 (no detection showed HTTP specifically).

Step 6.C.1
Procedure: Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
Technique: Remote Desktop Protocol (T1076)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed a port 3389 connection. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Screenshot: Telemetry showing port 3389 connection (tainted by relationship to threat story shown in Group ID)
Step 7.A.1
Procedure: Added user Jesse to Conficker (10.0.0.5) through RDP connection
Technique: Create Account (T1136)
Detection type: Telemetry
Detection notes: Telemetry showed the creation of the user Jesse, which was noted from SAM Registry events.
Screenshot: Telemetry showing creation of user account Jesse
Technique: Graphical User Interface (T1061)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure.
Technique: Account Discovery (T1087)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure.

Step 7.B.1
Procedure: Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
Technique: Remote File Copy (T1105)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed file write of updater.dll. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing file write of updater.dll (tainted by relationship to threat story)

Step 7.C.1
Procedure: Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
Technique: Scheduled Task (T1053)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed execution of schtasks.exe and associated command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing schtasks.exe and associated command-line arguments (tainted by relationship to threat story)
Step 8.A.1
Procedure: Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
Technique: File and Directory Discovery (T1083)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing dir with command-line arguments. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID).
Screenshot: Telemetry showing cmd.exe executing dir with command-line arguments (tainted by relationship to threat story)

Step 8.A.2
Procedure: Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
Technique: File and Directory Discovery (T1083)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed cmd.exe executing tree with command-line arguments. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID).
Screenshot: Telemetry showing cmd.exe executing tree with command-line arguments (tainted by relationship to threat story)

Step 8.B.1
Procedure: Cobalt Strike: 'ps' (Process status) via Win32 APIs
Technique: Process Discovery (T1057)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure.

Step 8.C.1
Procedure: Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
Technique: Input Capture (T1056)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed GetAsyncKeyStateApi, which was indicative of keylogging. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID). Vendor stated log files indicate the powershell process was using the SSL cache folder.
Screenshot: Telemetry showing GetAsyncKeyStateApi (Group ID tainted the event but was not shown in this view)
Screenshot: Telemetry showing process injection into explorer.exe (does not count as a detection)
Technique: Application Window Discovery (T1010)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure.

Step 8.D.1
Procedure: Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
Technique: Screen Capture (T1113)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure.
Technique: Process Injection (T1055)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed the sequence of events related to process injection from powershell.exe into explorer.exe. The capability associated the process with the highest threat to the event (powershell.exe) instead of cmd.exe (the expected source of the injection) because it had an alert associated with it previously. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID).
Screenshot: Telemetry showing powershell.exe injecting into explorer.exe (Group ID tainted this event but was not shown in this view)
Step 9.A.1
Procedure: Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
Technique: File and Directory Discovery (T1083)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure.

Step 9.B.1
Procedure: Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Technique: Data from Network Shared Drive (T1039)
Detection type: Telemetry
Detection notes: Telemetry showed remote file access behavior for the .vsdx file from the network shared drive.
Screenshot: Telemetry showing .vsdx file access from WormShare on the network shared drive
Technique: Exfiltration Over Command and Control Channel (T1041)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure.
Step 10.A.1
Procedure: Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
Technique: Registry Run Keys / Startup Folder (T1060)
Detection type: Telemetry
Detection notes: Telemetry showed execution of autoupdate.bat from the Startup folder for persistence. The telemetry was associated to a new story (Group ID) but was not marked as malicious or tainted because it is not associated with an alert.
Screenshot: Telemetry showing execution of autoupdate.bat from the Startup folder
Screenshot: Group ID query showing both autoupdate.bat and updater.dll persistence execution

Step 10.A.2
Procedure: Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
Technique: Scheduled Task (T1053)
Detection type: Telemetry
Detection notes: Telemetry showed rundll32.exe executing updater.dll as part of the scheduled task persistence. The telemetry was associated with the execution of autoupdate.bat for persistence because it was associated with the same story (Group ID) but is not marked as malicious or tainted because it is not associated with an alert.
Screenshot: Telemetry showing rundll32.exe executing updater.dll
Screenshot: Group ID query showing both autoupdate.bat and updater.dll persistence execution
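The story (Group ID) tainting that the notes describe for step 1.A.1 (an alert on Resume Viewer.exe taints every later event linked to the same story) and for step 10.A.1 (telemetry in a new story with no alert stays plain Telemetry), modelled as an added Python example. This is not SentinelOne's code and does not reproduce its logic; the event records, PIDs and the rule that a process inherits the story of its parent are constructed assumptions made here to illustrate the legend's Telemetry / Telemetry (Tainted) distinction.

```python
"""Constructed model of story-based tainting of endpoint telemetry.

Assumptions (not taken from the evaluation page):
  * a process event joins the story (Group ID) of its parent process;
  * a process with no known parent opens a new story;
  * an alert on any event marks its story as tainted from that point on;
  * telemetry in a tainted story is reported as "Telemetry (Tainted)".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str = ""
    alert: bool = False  # True when the sensor raised an alert on this event


@dataclass
class Story:
    group_id: int
    tainted: bool = False
    pids: List[int] = field(default_factory=list)


class StoryTracker:
    """Assigns process events to stories and reports the detection category."""

    def __init__(self) -> None:
        self._next_id = 1
        self.stories: Dict[int, Story] = {}
        self.pid_story: Dict[int, int] = {}

    def ingest(self, ev: ProcEvent) -> str:
        # Inherit the parent's story; unknown or absent parent opens a new one.
        gid = self.pid_story.get(ev.ppid) if ev.ppid is not None else None
        if gid is None:
            gid = self._next_id
            self._next_id += 1
            self.stories[gid] = Story(gid)
        story = self.stories[gid]
        story.pids.append(ev.pid)
        self.pid_story[ev.pid] = gid
        if ev.alert:
            story.tainted = True          # taints every later event in this story
            return "General Behavior"
        return "Telemetry (Tainted)" if story.tainted else "Telemetry"

    def story_of(self, pid: int) -> Optional[int]:
        return self.pid_story.get(pid)


# Constructed event stream loosely mirroring steps 1.A.1 and 10.A.1.
CONSTRUCTED_EVENTS = [
    ProcEvent(100, None, "explorer.exe"),                           # user shell, story 1
    ProcEvent(101, 100, "Resume Viewer.exe", alert=True),           # flagged on execution
    ProcEvent(102, 101, "rundll32.exe"),                            # child of the alerted process
    ProcEvent(103, 102, "cmd.exe", "cmd /c pdfhelper.cmd"),
    ProcEvent(104, 103, "ipconfig.exe", "ipconfig /all"),
    ProcEvent(200, None, "explorer.exe"),                           # later logon, story 2
    ProcEvent(201, 200, "cmd.exe", "cmd /c autoupdate.bat"),        # startup-folder persistence
    ProcEvent(202, 201, "rundll32.exe", "rundll32 updater.dll"),
]


def classify(events: List[ProcEvent]) -> Dict[int, str]:
    """Return pid -> detection category after replaying the events in order."""
    tracker = StoryTracker()
    return {ev.pid: tracker.ingest(ev) for ev in events}


def stories_for(events: List[ProcEvent]) -> Dict[int, int]:
    """Return pid -> Group ID after replaying the events in order."""
    tracker = StoryTracker()
    for ev in events:
        tracker.ingest(ev)
    return dict(tracker.pid_story)


if __name__ == "__main__":
    groups = stories_for(CONSTRUCTED_EVENTS)
    for ev, category in zip(CONSTRUCTED_EVENTS, classify(CONSTRUCTED_EVENTS).values()):
        print(f"pid={ev.pid:<4} gid={groups[ev.pid]} {ev.image:<18} {category}")
```

Replaying the events shows the two behaviours the notes call out: ipconfig.exe at PID 104 carries no alert of its own yet is reported as Telemetry (Tainted) purely through lineage, while the persistence chain under PID 200 lands in a second story that nothing has tainted, so its rundll32.exe stays plain Telemetry. The explorer.exe event at PID 100 is also plain Telemetry because the taint only applies from the alert onward, which is the "subsequent linked events" wording in step 1.A.1.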
Step 10.B.1
Procedure: RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
Technique: Remote Desktop Protocol (T1076)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry from Nimda showed a TCP port 3389 connection from 10.0.1.6 (Nimda) to 10.0.0.5 (Conficker). The rundll32.exe process (PID 184) that was used to load updater.dll was used to proxy the RDP connection to Conficker. The telemetry was tainted by the activity generated during the privilege escalation step because it was associated with the same story (Group ID).
Screenshot: Telemetry showing connection over port 3389 to 10.0.0.5 (Conficker)
Screenshot: Threat group identified as malicious, including rundll32.exe (PID 184) proxying the port 3389 connection (port 3389 connection not specifically shown in this view, but it identifies the rundll32.exe process tainting the connection by Group ID)
Technique: Valid Accounts (T1078)
Detection type: Telemetry
Detection notes: Telemetry showed the Jesse account had logged into the system.
Screenshot: Telemetry showing last logged on user identified as Jesse
Step 11.A.1
Procedure: Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
Technique: Scripting (T1064)
Detection type: Telemetry
Detection notes: Telemetry showed wscript.exe executing autoupdate.vbs, which then executed powershell.exe with an encoded PowerShell script.
Detection type: General Behavior
Detection notes: A General Behavior alert was generated for the execution of autoupdate.vbs, which was listed as an active threat.
Screenshot: Telemetry showing wscript.exe and powershell.exe
Screenshot: General Behavior alert for execution of autoupdate.vbs listed as an active threat

Step 11.B.1
Procedure: Empire: C2 channel established
Technique: Commonly Used Port (T1043)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed network connections to 192.168.0.5 (C2 server) over TCP port 443. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (Group ID tainted the event but was not shown in this view)
Technique: Standard Application Layer Protocol (T1071)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure. Telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over TCP port 443 (no protocol was identified for this traffic). Vendor stated log files indicate the powershell process was using the SSL cache folder.
Screenshot: Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (does not count as a detection)
Technique: Standard Cryptographic Protocol (T1032)
Detection type: None
Detection notes: No detection capability demonstrated for this procedure. Telemetry showed an outbound network connection to 192.168.0.5 (C2 server) over TCP port 443 (no protocol was identified for this traffic). Vendor stated log files indicate the powershell process was using the SSL cache folder.
Screenshot: Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (does not count as a detection)
Step 12.A.1
Procedure: Empire: 'route print' via PowerShell
Technique: System Network Configuration Discovery (T1016)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed powershell.exe executing route.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing route.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
Screenshot: Threat story showing partial tree of activity from the initial compromise alert
Screenshot: Continued threat story showing initial compromise alert and powershell.exe tainting route.exe

Step 12.A.2
Procedure: Empire: 'ipconfig /all' via PowerShell
Technique: System Network Configuration Discovery (T1016)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed powershell.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing ipconfig.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
Screenshot: Threat story showing initial compromise alert and powershell.exe tainting ipconfig.exe

Step 12.B.1
Procedure: Empire: 'whoami /all /fo list' via PowerShell
Technique: System Owner/User Discovery (T1033)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed powershell.exe executing whoami.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing whoami.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
Screenshot: Continued threat story showing initial compromise alert and powershell.exe tainting whoami.exe

Step 12.C.1
Procedure: Empire: 'qprocess *' via PowerShell
Technique: Process Discovery (T1057)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing qprocess.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
Screenshot: Threat story showing initial compromise alert and powershell.exe tainting qprocess.exe

Step 12.D.1
Procedure: Empire: 'net start' via PowerShell
Technique: System Service Discovery (T1007)
Detection type: Telemetry (Tainted)
Detection notes: Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
Screenshot: Threat story showing initial compromise alert and powershell.exe tainting net.exe
12.E.1
Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
Scripting
(T1064)
Telemetry (Tainted)
  
 
Telemetry showed execution of a PowerShell script with follow-on enumeration activity that coincided with the execution of the WinEnum module. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing encoded PowerShell script (tainted Group ID not shown but was the search parameter)
12.E.1.1
Empire: WinEnum module included enumeration of user information
System Owner / User Discovery
(T1033)
None
  
No detection capability demonstrated for this procedure.
12.E.1.2
Empire: WinEnum module included enumeration of AD group memberships
Permission Groups Discovery
(T1069)
None
  
No detection capability demonstrated for this procedure.
12.E.1.3
Empire: WinEnum module included enumeration of password policy information
Password Policy Discovery
(T1201)
None
  
No detection capability demonstrated for this procedure.
12.E.1.4.1
Empire: WinEnum module included enumeration of recently opened files
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
12.E.1.4.2
Empire: WinEnum module included enumeration of interesting files
File and Directory Discovery
(T1083)
None
  
No detection capability demonstrated for this procedure.
12.E.1.5
Empire: WinEnum module included enumeration of clipboard contents
Clipboard Data
(T1115)
None
  
No detection capability demonstrated for this procedure. PowerShell telemetry showed execution of an encoded command and the script was decoded to Windows.Clipboard(...) outside of the capability, but this was not counted as a detection because it was external to the capability.
12.E.1.6.1
Empire: WinEnum module included enumeration of system information
System Information Discovery
(T1082)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing WMI queries that indicated operating system information was queried. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter)
Additional telemetry showing powershell.exe WMI queries for operating system information
12.E.1.6.2
Empire: WinEnum module included enumeration of Windows update information
System Information Discovery
(T1082)
None
  
No detection capability demonstrated for this procedure.
12.E.1.7
Empire: WinEnum module included enumeration of system information via a Registry query
Query Registry
(T1012)
None
  
No detection capability demonstrated for this procedure.
12.E.1.8
Empire: WinEnum module included enumeration of services
System Service Discovery
(T1007)
None
  
No detection capability demonstrated for this procedure.
12.E.1.9.1
Empire: WinEnum module included enumeration of available shares
Network Share Discovery
(T1135)
None
  
No detection capability demonstrated for this procedure.
12.E.1.9.2
Empire: WinEnum module included enumeration of mapped network drives
Network Share Discovery
(T1135)
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe executing WMI queries that indicated logical disk information was queried. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter)
Additional telemetry showing powershell.exe WMI queries for logical disk information
12.E.1.10.1
Empire: WinEnum module included enumeration of AV solutions
Security Software Discovery (T1063)
Enrichment (Tainted)
The capability enriched powershell.exe activity with the action "attempted to find other installed security software." The enrichment was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry (Tainted)
Telemetry showed powershell.exe executing WMI queries that indicated antivirus product information was queried. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Enrichment of powershell.exe with action "attempted to find other installed security software" (tainted Group ID not shown but was the search parameter)
Screenshot: Telemetry showing powershell.exe WMI queries for antivirus product information (tainted by relationship to threat story)
12.E.1.10.2
Empire: WinEnum module included enumeration of firewall rules
Security Software Discovery (T1063)
None
No detection capability demonstrated for this procedure.
12.E.1.11
Empire: WinEnum module included enumeration of network adapters
System Network Configuration Discovery (T1016)
Telemetry (Tainted)
Telemetry showed powershell.exe executing WMI queries that indicated network adapter and configuration information was queried. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter)
Screenshot: Additional telemetry showing powershell.exe WMI queries for network adapter and configuration information
12.E.1.12
Empire: WinEnum module included enumeration of established network connections
System Network Connections Discovery (T1049)
Telemetry (Tainted)
Telemetry showed powershell.exe executing netstat.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing netstat.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
12.F.1
Empire: 'net group "Domain Admins" /domain' via PowerShell
Permission Groups Discovery (T1069)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
12.F.2
Empire: 'net localgroup administrators' via PowerShell
Permission Groups Discovery (T1069)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)
12.G.1
Empire: 'net user' via PowerShell
Account Discovery (T1087)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
Screenshot: Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)
Screenshot: Continued threat story showing related processes
12.G.2
Empire: 'net user /domain' via PowerShell
Account Discovery (T1087)
Telemetry (Tainted)
Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
Screenshot: Threat story showing initial compromise alert and powershell.exe tainting net.exe
Screenshot: Continued threat story showing initial compromise alert and powershell.exe tainting net.exe
13.A.1
Empire: 'net group "Domain Computers" /domain' via PowerShell
Remote System Discovery (T1018)
Telemetry (Tainted)
Telemetry showed execution of net.exe with command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing execution of net.exe and command-line arguments (tainted Group ID not shown but was the search parameter)
13.B.1
Empire: 'net use' via PowerShell
System Network Connections Discovery (T1049)
Telemetry (Tainted)
Telemetry showed execution of net.exe with command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing execution of net.exe and command-line arguments (tainted Group ID not shown but was the search parameter)
13.B.2
Empire: 'netstat -ano' via PowerShell
System Network Connections Discovery (T1049)
Telemetry (Tainted)
Telemetry showed execution of netstat.exe with command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing execution of netstat.exe and command-line arguments (tainted Group ID not shown but was the search parameter)
13.C.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
Query Registry (T1012)
Telemetry (Tainted)
Telemetry showed execution of reg.exe with command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing execution of reg.exe and command-line arguments (tainted Group ID not shown but was the search parameter)
14.A.1
Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
Bypass User Account Control (T1088)
Telemetry (Tainted)
Telemetry showed process integrity levels changing from medium to high (tainted by parent alert). The integrity level numbers reflect how the capability tracks integrity levels rather than how Windows tracks them, which is why the values differ.
Screenshot: Telemetry showing process integrity level change from medium to high (tainted by relationship to threat story but Group ID not shown in this view)
Commonly Used Port (T1043)
Telemetry (Tainted)
Telemetry showed network connections over port 8080. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing network connections over port 8080 in the filter (tainted by relationship to threat story but Group ID not shown in this view)
Remote File Copy (T1105)
None
No detection capability demonstrated for this procedure.
Standard Application Layer Protocol (T1071)
None
No detection capability demonstrated for this procedure.
15.A.1
Empire: Built-in keylogging module executed to capture keystrokes of user Bob
Application Window Discovery (T1010)
None
No detection capability demonstrated for this procedure.
Input Capture (T1056)
Enrichment (Tainted)
The capability enriched the collected data as keylogging behavior, which was not visible through the standard interface during the evaluation. The capability associated the keylogging event with the parent Group ID even though this is not visible in the data provided.
Screenshot: Enrichment of use of the GetAsyncKeyState API tagged as a keylogger (tainted by relationship to threat story but Group ID not shown in this view)
15.B.1
Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
Credentials in Files (T1081)
None
No detection capability demonstrated for this procedure.
16.A.1
Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
Brute Force (T1110)
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access to the resource being denied.
Screenshot: Telemetry showing net.exe logon attempts (tainted by relationship to threat story)
Screenshot: Telemetry showing net.exe logon attempts and corresponding exit codes
Windows Admin Shares (T1077)
Telemetry (Tainted)
Telemetry showed repeated logon attempts targeting ADMIN$ via net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access to the resource being denied.
Screenshot: Telemetry showing net.exe logon attempts targeting ADMIN$ (tainted by relationship to threat story)
Screenshot: Telemetry showing net.exe logon attempts targeting ADMIN$ and corresponding exit codes
16.B.1
Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
Windows Admin Shares (T1077)
Telemetry (Tainted)
Telemetry showed a logon attempt targeting ADMIN$ via net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access to the resource being denied.
Screenshot: Telemetry showing a net.exe logon attempt targeting ADMIN$ (tainted by relationship to threat story)
Screenshot: Telemetry showing net.exe logon attempts and corresponding exit codes
Valid Accounts (T1078)
Telemetry (Tainted)
Telemetry showed a logon attempt using valid credentials of user Kmitnick via net.exe and command-line arguments (tainted by relationship to threat story). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access to the resource being denied.
Screenshot: Telemetry showing net.exe logon attempts, the last of which used valid credentials for user Kmitnick (tainted by relationship to threat story)
Screenshot: Telemetry showing net.exe logon attempts and corresponding exit codes
Brute Force (T1110)
Telemetry (Tainted)
Telemetry showed repeated logon attempts via net.exe and command-line arguments indicative of password spraying, eventually resulting in a successful logon. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID). The log files showed an exit code of 0x2, which indicates a logon failure but does not differentiate between bad credentials and access to the resource being denied.
Screenshot: Telemetry showing net.exe logon attempts (tainted by relationship to threat story)
Screenshot: Telemetry showing net.exe logon attempts and corresponding exit codes
16.C.1
Empire: 'net use /delete' via PowerShell
Network Share Connection Removal (T1126)
Telemetry (Tainted)
Telemetry showed execution of net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing net.exe and command-line arguments (tainted by relationship to threat story)
16.D.1
Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
Windows Admin Shares (T1077)
Telemetry (Tainted)
Telemetry showed a logon attempt targeting C$ via net.exe and command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing a net.exe logon attempt targeting C$ (tainted by relationship to threat story)
Valid Accounts (T1078)
Telemetry (Tainted)
Telemetry showed a logon attempt via net.exe and command-line arguments using valid credentials of user Kmitnick. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing a net.exe logon attempt using valid credentials for user Kmitnick (tainted by relationship to threat story)
16.E.1
Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
Remote File Copy (T1105)
Telemetry (Tainted)
Telemetry showed creation and file write events for autoupdate.vbs. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing file event for autoupdate.vbs (tainted by relationship to threat story but Group ID not shown in this view)
Screenshot: Telemetry showing creation and writes to autoupdate.vbs
16.F.1
Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
Command-Line Interface (T1059)
Telemetry (Tainted)
Telemetry showed cmd.exe execution of autoupdate.vbs. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing cmd.exe launching autoupdate.vbs (tainted by relationship to threat story)
16.G.1
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
Remote File Copy (T1105)
Telemetry (Tainted)
Telemetry showed creation of update.vbs on 10.0.0.4 (Creeper). The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing create file event of update.vbs on 10.0.0.4 (Creeper) (tainted by relationship to threat story but Group ID not shown in this view)
16.H.1
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
System Service Discovery (T1007)
Telemetry (Tainted)
Telemetry showed execution of sc.exe to query services on Creeper. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing execution of sc.exe to query services on Creeper (tainted by relationship to threat story)
16.I.1
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
New Service (T1050)
Telemetry (Tainted)
Telemetry showed execution of sc.exe to create the AdobeUpdater service on Creeper with a binPath pointing to cmd.exe to execute update.vbs. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing execution of sc.exe to create the AdobeUpdater service (tainted by prior threat story)
Masquerading (T1036)
Telemetry (Tainted)
Telemetry showed executions of sc.exe to create the AdobeUpdater service on Creeper with a binPath pointing to cmd.exe to execute update.vbs, as well as to set the service description. An analyst can use this information to determine that AdobeUpdater is masquerading. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing execution of sc.exe to create the AdobeUpdater service and set the description (partially shown one line above; both tainted by prior threat story)
16.J.1
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
System Service Discovery (T1007)
Telemetry (Tainted)
Telemetry showed execution of sc.exe to query the AdobeUpdater service on Creeper. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing execution of sc.exe to query the AdobeUpdater service on Creeper (tainted by relationship to threat story)
16.K.1
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
File and Directory Discovery (T1083)
Telemetry
Telemetry showed a remote access event on update.vbs. MITRE verified telemetry was generated for the remote update.vbs file access event, but no screenshot was available.
16.L.1
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
Service Execution (T1035)
Telemetry (Tainted)
Telemetry showed execution of sc.exe to start the AdobeUpdater service on Creeper. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
General Behavior
A General Behavior alert was generated for the lateral movement activity. A new story grouping was generated for the event on Creeper to associate subsequent activity.
Screenshot: Telemetry showing execution of sc.exe to start the AdobeUpdater service on Creeper (tainted by relationship to threat story)
Screenshot: Lateral movement alert generated by the remote service start on Creeper
17.A.1
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
System Service Discovery (T1007)
Telemetry (Tainted)
Telemetry showed reg.exe execution with command-line arguments indicating a check to see if terminal services was enabled. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
Screenshot: Threat story graph showing telemetry of reg.exe with query for terminal server setting (tainted by prior lateral movement alert by Group ID)
Query Registry (T1012)
Telemetry (Tainted)
Telemetry showed reg.exe execution with command-line arguments. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
Screenshot: Threat story graph showing telemetry of reg.exe executing (tainted by prior lateral movement alert by Group ID)
17.B.1
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
File Permissions Modification (T1222)
Enrichment (Tainted)
Telemetry showed takeown.exe execution with command-line arguments containing magnify.exe. The event was enriched to show that ownership of a file was taken over. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
Screenshot: Enrichment showing takeown.exe execution (tainted by prior lateral movement alert by Group ID)
17.B.2
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
File Permissions Modification (T1222)
Telemetry (Tainted)
Telemetry showed icacls.exe execution with command-line arguments containing magnify.exe. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing icacls.exe execution (tainted by prior lateral movement alert by Group ID)
17.C.1
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
Accessibility Features (T1015)
Telemetry (Tainted)
Telemetry showed a file write of magnify.exe in the system directory from a file copy event for cmd.exe with matching hash values. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing file copy and write events of cmd.exe to overwrite magnify.exe with matching hash values (tainted by prior lateral movement threat story; Group ID not shown in this view)
18.A.1
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
File and Directory Discovery (T1083)
None
No detection capability demonstrated for this procedure.
18.B.1
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
Data Staged (T1074)
Telemetry (Tainted)
Telemetry showed a file write of the .vsdx to the Recycle Bin. The activity seen during the lateral movement step tainted the telemetry because it was associated with the same story (Group ID).
Screenshot: Exported telemetry of threat story (taints event) showing .vsdx file copy and write
Data from Network Shared Drive (T1039)
Telemetry (Tainted)
Telemetry showed the .vsdx file copied from a network shared drive on Conficker. The activity seen during the lateral movement step tainted the telemetry because it was associated with the same story (Group ID).
Screenshot: Exported telemetry of threat story (taints event) showing .vsdx file copy from network shared drive on Conficker
19.A.1
Empire: File dropped to disk is a renamed copy of the WinRAR binary
Masquerading (T1036)
Telemetry (Tainted)
Telemetry showed a file creation event for recycler.exe on CodeRed along with MD5, SHA1, and SHA256 hashes. The hashes could be used to look up information on the binary. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing file write of recycler.exe with file hashes
Screenshot: Telemetry exported from threat story showing recycler.exe file write tainted by prior activity because it was under the same Group ID
Remote File Copy (T1105)
Telemetry (Tainted)
Telemetry showed a file write of recycler.exe with hash value. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing file write of recycler.exe
Screenshot: Telemetry exported from threat story showing recycler.exe file write tainted by prior activity because it was under the same Group ID
19.B.1
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
Data Compressed (T1002)
Telemetry (Tainted)
Telemetry showed execution of recycler.exe with command-line arguments, including the -hp flag, indicating use of encryption and compression with a WinRAR utility. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing the execution of recycler.exe
Screenshot: Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the same Group ID
Data Encrypted (T1022)
Telemetry (Tainted)
Telemetry showed execution of recycler.exe with command-line arguments, including the -hp flag, indicating use of encryption and compression with a WinRAR utility. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing the execution of recycler.exe
Screenshot: Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the same Group ID
Masquerading (T1036)
Enrichment (Tainted)
Telemetry showed execution of recycler.exe with command-line arguments, including the -hp flag, indicating use of encryption and compression with a WinRAR utility. The Process Name field in the row for recycler.exe enriched the event with "Command line RAR". The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
Screenshot: Enrichment showing the execution of recycler.exe with process name identified as "Command line RAR"
Screenshot: Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the same Group ID
19.C.1
Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channel
Exfiltration Over Alternative Protocol (T1048)
Telemetry (Tainted)
Telemetry showed ftp.exe running with ftp.txt as an argument. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry showing the execution of ftp.exe with ftp.txt associated to prior lateral movement threat story by Group ID
19.D.1
Empire: 'del C:\"$"Recycle.bin\old.rar'
File Deletion (T1107)
Telemetry (Tainted)
Telemetry showed the file deletion of old.rar. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry exported from threat story showing the deletion of old.rar was tainted by prior activity because it was under the same Group ID
19.D.2
Empire: 'del recycler.exe'
File Deletion (T1107)
Telemetry (Tainted)
Telemetry showed the file deletion of recycler.exe. The activity seen during the lateral movement step tainted the event because it was associated with the same story (Group ID).
Screenshot: Telemetry exported from threat story showing the deletion of recycler.exe was tainted by prior activity because it was under the same Group ID
20.A.1
magnify.exe, previously overwritten by cmd.exe, launched through RDP connection made to Creeper (10.0.0.4)
Accessibility Features (T1015)
Telemetry
Telemetry showed execution of magnify.exe, which was identified as a Windows Command Processor within the interface. The activity was associated with a new story (Group ID).
Screenshot: Telemetry showing magnify.exe execution (identified as Windows Command Processor)
Remote Desktop Protocol (T1076)
None
No detection capability demonstrated for this procedure.
20.B.1
Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
System Owner / User Discovery (T1033)
Enrichment
Enrichment showed execution of the whoami command (enriched with description "whoami - displays logged on user information"). Execution of whoami was associated with the story (Group ID) created from the execution of magnify.exe, but was not considered tainted because an alert was not generated when magnify.exe was executed.
Screenshot: Enrichment of whoami command (displays logged on user information)


Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.

Step 1: Initial Compromise

1.A.1 Execution

User Execution, Rundll32, Scripting

i. Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

1.B.1 Persistence

Registry Run Keys / Startup Folder

i. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

1.C.1 Command and Control

Commonly Used Port, Data Encoding, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel established

Step 2: Initial Discovery

2.A.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'ipconfig /all' via cmd

2.A.2 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'arp -a' via cmd

2.B.1 Discovery

System Owner / User Discovery

i. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

2.C.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

2.C.2 Discovery

Process Discovery

i. Cobalt Strike: 'tasklist /v' via cmd

2.D.1 Discovery

System Service Discovery

i. Cobalt Strike: 'sc query' via cmd

2.D.2 Discovery

System Service Discovery

i. Cobalt Strike: 'net start' via cmd

2.E.1 Discovery

System Information Discovery

i. Cobalt Strike: 'systeminfo' via cmd

2.E.2 Discovery

System Information Discovery

i. Cobalt Strike: 'net config workstation' via cmd

2.F.1 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators' via cmd

2.F.2 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net localgroup administrators /domain' via cmd

2.F.3 Discovery

Permission Groups Discovery

i. Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

2.G.1 Discovery

Account Discovery

i. Cobalt Strike: 'net user /domain' via cmd

2.G.2 Discovery

Account Discovery

i. Cobalt Strike: 'net user george /domain' via cmd

2.H.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Step 3: Privilege Escalation

3.A.1 Defense Evasion, Privilege Escalation

Access Token Manipulation, Bypass User Account Control

i. Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

3.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

3.C.1 Defense Evasion, Privilege Escalation

Process Injection

i. Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Step 4: Discovery for Lateral Movement

4.A.1 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

4.A.2 Discovery

Remote System Discovery

i. Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

4.B.1 Discovery

System Network Configuration Discovery

i. Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

4.C.1 Discovery

System Network Connections Discovery

i. Cobalt Strike: 'netstat -ano' via cmd

Step 5: Credential Access

5.A.1 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in Mimikatz credential dump capability executed

5.A.2 Credential Access

Credential Dumping, Process Injection

i. Cobalt Strike: Built-in hash dump capability executed

5.B.1 Defense Evasion, Privilege Escalation

Access Token Manipulation

i. Cobalt Strike: Built-in token theft capability executed to change user context to George

Step 6: Lateral Movement

6.A.1 Discovery

Query Registry

i. Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

6.B.1 Command and Control

Commonly Used Port, Multiband Communication, Standard Application Layer Protocol

i. Cobalt Strike: C2 channel modified

6.C.1 Lateral Movement

Remote Desktop Protocol

i. Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Step 7: Persistence

7.A.1 Persistence

Create Account, Graphical User Interface, Account Discovery

i. Added user Jesse to Conficker (10.0.0.5) through RDP connection

7.B.1 Command and Control, Lateral Movement

Remote File Copy

i. Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

7.C.1 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Step 8: Collection

8.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

8.A.2 Discovery

File and Directory Discovery

i. Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

8.B.1 Discovery

Process Discovery

i. Cobalt Strike: 'ps' (Process status) via Win32 APIs

8.C.1 Collection, Credential Access

Input Capture, Application Window Discovery

i. Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

8.D.1 Collection

Screen Capture, Process Injection

i. Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Step 9: Exfiltration

9.A.1 Discovery

File and Directory Discovery

i. Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

9.B.1 Collection

Data from Network Shared Drive, Exfiltration Over Command and Control Channel

i. Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 10: Execution of Persistence

10.A.1 Persistence

Registry Run Keys / Startup Folder

i. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

10.A.2 Execution, Persistence, Privilege Escalation

Scheduled Task

i. Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

10.B.1 Lateral Movement

Remote Desktop Protocol, Valid Accounts

i. RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Step 11: Initial Access

11.A.1 Defense Evasion, Execution

Scripting

i. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

11.B.1 Command and Control

Commonly Used Port, Standard Application Layer Protocol, Standard Cryptographic Protocol

i. Empire: C2 channel established

Step 12: Initial Discovery

12.A.1 Discovery

System Network Configuration Discovery

i. Empire: 'route print' via PowerShell

12.A.2 Discovery

System Network Configuration Discovery

i. Empire: 'ipconfig /all' via PowerShell

12.B.1 Discovery

System Owner/User Discovery

i. Empire: 'whoami /all /fo list' via PowerShell

12.C.1 Discovery

Process Discovery

i. Empire: 'qprocess *' via PowerShell

12.D.1 Discovery

System Service Discovery

i. Empire: 'net start' via PowerShell

12.E.1 Defense Evasion, Execution

Scripting

i. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

12.E.1.1 Discovery

System Owner/User Discovery

i. Empire: WinEnum module included enumeration of user information

12.E.1.2 Discovery

Permission Groups Discovery

i. Empire: WinEnum module included enumeration of AD group memberships

12.E.1.3 Discovery

Password Policy Discovery

i. Empire: WinEnum module included enumeration of password policy information

12.E.1.4.1 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of recently opened files

12.E.1.4.2 Discovery

File and Directory Discovery

i. Empire: WinEnum module included enumeration of interesting files

12.E.1.5 Collection

Clipboard Data

i. Empire: WinEnum module included enumeration of clipboard contents

12.E.1.6.1 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of system information

12.E.1.6.2 Discovery

System Information Discovery

i. Empire: WinEnum module included enumeration of Windows update information

12.E.1.7 Discovery

Query Registry

i. Empire: WinEnum module included enumeration of system information via a Registry query

12.E.1.8 Discovery

System Service Discovery

i. Empire: WinEnum module included enumeration of services

12.E.1.9.1 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of available shares

12.E.1.9.2 Discovery

Network Share Discovery

i. Empire: WinEnum module included enumeration of mapped network drives

12.E.1.10.1 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of AV solutions

12.E.1.10.2 Discovery

Security Software Discovery

i. Empire: WinEnum module included enumeration of firewall rules

12.E.1.11 Discovery

System Network Configuration Discovery

i. Empire: WinEnum module included enumeration of network adapters

12.E.1.12 Discovery

System Network Connections Discovery

i. Empire: WinEnum module included enumeration of established network connections

12.F.1 Discovery

Permission Groups Discovery

i. Empire: 'net group "Domain Admins" /domain' via PowerShell

12.F.2 Discovery

Permission Groups Discovery

i. Empire: 'net localgroup administrators' via PowerShell

12.G.1 Discovery

Account Discovery

i. Empire: 'net user' via PowerShell

12.G.2 Discovery

Account Discovery

i. Empire: 'net user /domain' via PowerShell

Step 13: Discovery for Lateral Movement

13.A.1 Discovery

Remote System Discovery

i. Empire: 'net group "Domain Computers" /domain' via PowerShell

13.B.1 Discovery

System Network Connections Discovery

i. Empire: 'net use' via PowerShell

13.B.2 Discovery

System Network Connections Discovery

i. Empire: 'netstat -ano' via PowerShell

13.C.1 Discovery

Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Step 14: Privilege Escalation

14.A.1 Defense Evasion, Privilege Escalation

Bypass User Account Control, Commonly Used Port, Remote File Copy, Standard Application Layer Protocol

i. Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level

Step 15: Credential Access

15.A.1 Discovery

Application Window Discovery, Input Capture

i. Empire: Built-in keylogging module executed to capture keystrokes of user Bob

15.B.1 Credential Access

Credentials in Files

i. Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Step 16: Lateral Movement

16.A.1 Credential Access

Brute Force, Windows Admin Shares

i. Empire: 'net use' via PowerShell to perform brute-force password-spraying authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6), targeting the credentials of users Kmitnick, Bob, and Frieda

16.B.1 Lateral Movement

Windows Admin Shares, Valid Accounts, Brute Force

i. Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

16.C.1 Defense Evasion

Network Share Connection Removal

i. Empire: 'net use /delete' via PowerShell

16.D.1 Lateral Movement

Windows Admin Shares, Valid Accounts

i. Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

16.E.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

16.F.1 Execution

Command-Line Interface

i. Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

16.G.1 Command and Control, Lateral Movement

Remote File Copy

i. Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

16.H.1 Discovery

System Service Discovery

i. Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

16.I.1 Persistence, Privilege Escalation

New Service, Masquerading

i. Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

16.J.1 Discovery

System Service Discovery

i. Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

16.K.1 Discovery

File and Directory Discovery

i. Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

16.L.1 Execution

Service Execution

i. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Step 17: Persistence

17.A.1 Discovery

System Service Discovery, Query Registry

i. Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

17.B.1 Defense Evasion

File Permissions Modification

i. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

17.B.2 Defense Evasion

File Permissions Modification

i. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

17.C.1 Persistence, Privilege Escalation

Accessibility Features

i. Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

Step 18: Collection

18.A.1 Discovery

File and Directory Discovery

i. Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

18.B.1 Collection

Data Staged, Data from Network Shared Drive

i. Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Step 19: Exfiltration

19.A.1 Defense Evasion

Masquerading, Remote File Copy

i. Empire: File dropped to disk is a renamed copy of the WinRAR binary

19.B.1 Exfiltration

Data Compressed, Data Encrypted, Masquerading

i. Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

19.C.1 Exfiltration

Exfiltration over Alternative Protocol

i. Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfiltrate data through a network connection separate from the existing C2 channel

19.D.1 Defense Evasion

File Deletion

i. Empire: 'del C:\"$"Recycle.bin\old.rar'

19.D.2 Defense Evasion

File Deletion

i. Empire: 'del recycler.exe'

Step 20: Execution of Persistence

20.A.1 Persistence, Privilege Escalation

Accessibility Features, Remote Desktop Protocol

i. magnify.exe, previously overwritten by cmd.exe, launched through RDP connection made to Creeper (10.0.0.4)

20.B.1 Discovery

System Owner/User Discovery

i. Executed 'whoami' via the cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)