Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.
1.A.1 - User Execution
1.A.1 - Rundll32
1.A.1 - Scripting
1.B.1 - Registry Run Keys - Startup Folder
1.C.1 - Commonly Used Port
1.C.1 - Standard Application Layer Protocol
1.C.1 - Data Encoding
2.A.1 - System Network Configuration Discovery
2.A.2 - System Network Configuration Discovery
2.B.1 - System Owner-User Discovery
2.C.1 - Process Discovery
2.C.2 - Process Discovery
2.D.1 - System Service Discovery
2.D.2 - System Service Discovery
2.E.1 - System Information Discovery
2.E.2 - System Information Discovery
2.F.1 - Permission Groups Discovery
2.F.2 - Permission Groups Discovery
2.F.3 - Permission Groups Discovery
2.G.1 - Account Discovery
2.G.2 - Account Discovery
2.H.1 - Query Registry
3.A.1 - Bypass User Account Control
3.A.1 - Access Token Manipulation
3.B.1 - Process Discovery
3.C.1 - Process Injection
4.A.1 - Remote System Discovery
4.A.2 - Remote System Discovery
4.B.1 - System Network Configuration Discovery
4.C.1 - System Network Connections Discovery
5.A.1 - Credential Dumping
5.A.1 - Process Injection
5.A.2 - Credential Dumping
5.A.2 - Process Injection
5.B.1 - Access Token Manipulation
6.A.1 - Query Registry
6.B.1 - Commonly Used Port
6.B.1 - Standard Application Layer Protocol
6.B.1 - Multiband Communication
6.C.1 - Remote Desktop Protocol
7.A.1 - Create Account
7.A.1 - Graphical User Interface
7.A.1 - Account Discovery
7.B.1 - Remote File Copy
7.C.1 - Scheduled Task
8.A.1 - File and Directory Discovery
8.A.2 - File and Directory Discovery
8.B.1 - Process Discovery
8.C.1 - Input Capture
8.C.1 - Application Window Discovery
8.D.1 - Screen Capture
8.D.1 - Process Injection
9.A.1 - File and Directory Discovery
9.B.1 - Data from Network Shared Drive
9.B.1 - Exfiltration Over Command and Control Channel
10.A.1 - Registry Run Keys - Startup Folder
10.A.2 - Scheduled Task
10.B.1 - Valid Accounts
10.B.1 - Remote Desktop Protocol
11.A.1 - Scripting
11.B.1 - Commonly Used Port
11.B.1 - Standard Application Layer Protocol
11.B.1 - Standard Cryptographic Protocol
12.A.1 - System Network Configuration Discovery
12.A.2 - System Network Configuration Discovery
12.B.1 - System Owner-User Discovery
12.C.1 - Process Discovery
12.D.1 - System Service Discovery
12.E.1 - Scripting
12.E.1.1 - System Owner-User Discovery
12.E.1.2 - Permission Groups Discovery
12.E.1.3 - Password Policy Discovery
12.E.1.4.1 - File and Directory Discovery
12.E.1.4.2 - File and Directory Discovery
12.E.1.5 - Clipboard Data
12.E.1.6.1 - System Information Discovery
12.E.1.6.2 - System Information Discovery
12.E.1.7 - Query Registry
12.E.1.8 - System Service Discovery
12.E.1.9.1 - Network Share Discovery
12.E.1.9.2 - Network Share Discovery
12.E.1.10.1 - Security Software Discovery
12.E.1.10.2 - Security Software Discovery
12.E.1.11 - System Network Configuration Discovery
12.E.1.12 - System Network Connections Discovery
12.F.1 - Permission Groups Discovery
12.F.2 - Permission Groups Discovery
12.G.1 - Account Discovery
12.G.2 - Account Discovery
13.A.1 - Remote System Discovery
13.B.1 - System Network Connections Discovery
13.B.2 - System Network Connections Discovery
13.C.1 - Query Registry
14.A.1 - Bypass User Account Control
14.A.1 - Remote File Copy
14.A.1 - Standard Application Layer Protocol
14.A.1 - Commonly Used Port
15.A.1 - Input Capture
15.A.1 - Application Window Discovery
15.B.1 - Credentials in Files
16.A.1 - Brute Force
16.A.1 - Windows Admin Shares
16.B.1 - Valid Accounts
16.B.1 - Windows Admin Shares
16.B.1 - Brute Force
16.C.1 - Network Share Connection Removal
16.D.1 - Windows Admin Shares
16.D.1 - Valid Accounts
16.E.1 - Remote File Copy
16.F.1 - Command-Line Interface
16.G.1 - Remote File Copy
16.H.1 - System Service Discovery
16.I.1 - New Service
16.I.1 - Masquerading
16.J.1 - System Service Discovery
16.K.1 - File and Directory Discovery
16.L.1 - Service Execution
17.A.1 - System Service Discovery
17.A.1 - Query Registry
17.B.1 - File Permissions Modification
17.B.2 - File Permissions Modification
17.C.1 - Accessibility Features
18.A.1 - File and Directory Discovery
18.B.1 - Data Staged
18.B.1 - Data from Network Shared Drive
19.A.1 - Masquerading
19.A.1 - Remote File Copy
19.B.1 - Data Compressed
19.B.1 - Data Encrypted
19.B.1 - Masquerading
19.C.1 - Exfiltration Over Alternative Protocol
19.D.1 - File Deletion
19.D.2 - File Deletion
20.A.1 - Accessibility Features
20.A.1 - Remote Desktop Protocol
20.B.1 - System Owner-User Discovery
Comprehensive Results


1.A.1 User Execution

Procedure: Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

Vendor | Detection Types | Detection Notes | Screenshots

Carbon Black
  Telemetry: Telemetry within the process tree showed Resume Viewer.exe running along with its children.
  General Behavior: A General Behavior alert was generated indicating that the user Debbie executed Resume Viewer.exe. This alert had a severity score of 51/100 and was based upon "Newly Executed Applications".
  Screenshot: General Behavior alert showing execution of Resume Viewer.exe as a Newly Executed Application

CounterTack
  Telemetry (Tainted): Telemetry showed that Resume Viewer.exe was executed. The telemetry was tainted by the parent Script File Created alert.
  Screenshot: Telemetry showing Resume Viewer.exe running (tainted by the parent Script File Created alert)

CrowdStrike
  General Behavior: A General Behavior alert for Machine Learning showed that Resume Viewer.exe was executed and that it was detected as malicious.
  Telemetry: Telemetry within the alert showed that Resume Viewer.exe executed, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
  Screenshot: Machine Learning General Behavior alert showing execution of Resume Viewer.exe and detection as malicious

Cybereason
  General Behavior: A General Behavior alert was generated based on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious.
  Telemetry (Tainted): Telemetry showed that Resume Viewer.exe was executed and running as a process. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. The provided screenshot was captured later in the evaluation and includes additional information appended to explorer.exe not relevant to this procedure.
  Screenshot: Telemetry showing Resume Viewer.exe running as a process (tainted by parent alert on explorer.exe)

Endgame
  General Behavior: A General Behavior alert was generated for Malicious File Detection on the execution of Resume Viewer.exe.
  Telemetry (Tainted): Telemetry showed events surrounding the Resume Viewer.exe event to indicate execution (tainted by a parent Malicious File Detection).
  Screenshot: Event tree view showing Malicious File Detection General Behavior alert on Resume Viewer.exe execution

FireEye
  General Behavior (Configuration Change): A General Behavior alert was generated for the Resume Viewer.exe file due to it being labeled as malicious by a machine learning engine. The alert was generated after a configuration change of the file size limit for the machine learning engine. The vendor reported that this file would have been quarantined and prevented from executing. The scan type used to produce this alert is On-access, which means the scan occurs on file writes and executions.
  Telemetry: Telemetry showed Resume Viewer.exe executing with a parent process of explorer.exe.
  Screenshot: Telemetry showing Resume Viewer.exe being executed by explorer.exe

Microsoft
  Telemetry: Telemetry showed the user execution sequence of Resume Viewer.exe with multiple files written and subsequently executed. Resume Viewer.exe was audited by Exploit Guard and the vendor stated that the audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode.
  Screenshot: Exploit Guard audit of Resume Viewer.exe

Palo Alto Networks
  Telemetry: Telemetry showed that Resume Viewer.exe was executed and running as a process owned by user Debbie.
  Screenshot: Telemetry showing Resume Viewer.exe running as a process

RSA
  Telemetry: Telemetry showed execution of Resume Viewer.exe.
  Screenshot: Telemetry showing Resume Viewer.exe execution

Sentinel One
  Telemetry: Telemetry showed Resume Viewer.exe execution with subsequent file writes and execution.
  General Behavior: A General Behavior alert was generated due to static analysis of the file through the DFI resulting in it being marked as suspicious, which generated a story (group ID) that subsequent linked events are tainted by.
  Screenshot: General Behavior alert for execution of Resume Viewer.exe as a suspicious file

1.A.1 Rundll32

Carbon Black
  Telemetry: Telemetry within the process tree showed the Resume Viewer.exe execution sequence and rundll32.exe executing.
  Enrichment: The capability enriched the rundll32.exe execution with the correct ATT&CK Technique (T1085, which corresponds to the Rundll32 Technique).
  Screenshot: Enrichment of rundll32.exe execution with correct ATT&CK Technique (T1085, corresponding to Rundll32)

CounterTack
  Telemetry (Tainted): Telemetry showed that cmd.exe created the rundll32.exe process that started update.dat. The telemetry was tainted by the parent Script File Created alert.
  Screenshot: Telemetry showing cmd.exe launched rundll32.exe (tainted by the Script File Created alert)

CrowdStrike
  Specific Behavior: A Specific Behavior alert was generated due to rundll32 launching a suspended process. The alert was mapped to the correct ATT&CK Technique (Rundll32) and Tactic (Defense Evasion).
  General Behavior (Delayed): OverWatch generated a General Behavior alert indicating rundll32 executing update.dat was suspicious. OverWatch is the managed threat hunting service.
  Telemetry: Telemetry within the OverWatch alert showed rundll32.exe executing, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
  Screenshot: OverWatch General Behavior alert indicating rundll32 execution was suspicious

Cybereason
  Specific Behavior (Tainted): A Specific Behavior alert was generated for injected shellcode by a compromised legitimate process (rundll32.exe). The alert was tagged with the correct ATT&CK Tactic (Defense Evasion) and a related Technique (Process Injection) and was tainted by a parent alert on rundll32.exe injection.
  Telemetry (Tainted): Telemetry within the rundll32.exe injection alert also showed full command-line arguments of rundll32.exe executing update.dat. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. For most alerts in the user interface, the telemetry behind it is separately available in the capability and counted as a separate detection.
  Screenshot: Specific Behavior alert for rundll32.exe, identified as a compromised legitimate process, injecting shellcode into rundll32.exe, tagged with the correct ATT&CK Tactic (Defense Evasion) and a related Technique (Process Injection)

Endgame
  Telemetry (Tainted): Telemetry showed rundll32.exe running update.dat. The telemetry was tainted by a parent Malicious File Detection alert.
  Specific Behavior (Tainted): A Specific Behavior alert called RunDLL32 with Suspicious DLL Location was generated due to rundll32.exe running update.dat. The alert was also tagged with the correct ATT&CK Technique (T1085 - Rundll32) and Tactics (Defense Evasion, Execution) and was tainted by a parent Malicious File Detection alert.
  Screenshot: Specific Behavior alert for RunDLL32 with Suspicious DLL Location and surrounding telemetry (tagged with correct ATT&CK Technique, T1085 - Rundll32 and Tactics, Defense Evasion, Execution; tainted by parent Malicious File Detection alert)

FireEye
  Enrichment: The capability enriched rundll32.exe with an alert for Rundll32 Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1085 - Rundll32) and Tactics (Defense Evasion, Execution).
  Specific Behavior (Delayed): The Managed Defense Report indicated a Specific Behavior occurred because it identified use of rundll32.exe to execute update.dat with command-line arguments. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
  Screenshot: Excerpt from the Managed Defense Report indicating rundll32.exe was used for execution (Specific Behavior)

Microsoft
  Telemetry: Telemetry showed the execution sequence for rundll32.exe running update.dat.
  General Behavior (Delayed): A delayed General Behavior alert was generated for a low-reputation DLL loaded by a signed executable due to rundll32.exe execution of update.dat.
  Screenshot: General Behavior alert on low-reputation DLL load by signed executable

Palo Alto Networks
  Telemetry (Tainted): Telemetry showed rundll32.exe executing update.dat with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
  Specific Behavior (Tainted): Specific Behavior alerts were generated for rundll32. The alerts were tagged with the correct ATT&CK Technique (Rundll32) and were tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
  General Behavior (Tainted): A General Behavior alert was generated based on rundll32.exe executing update.dat, identified as a suspicious DLL and malware. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. Vendor stated the capability would have prevented execution of update.dat.
  Screenshot: Additional details of General Behavior alert for rundll32.exe executing update.dat

RSA
  Telemetry: Telemetry showed cmd.exe launching rundll32.exe.
  Screenshot: Telemetry showing execution of Resume Viewer.exe

Sentinel One
  Telemetry (Tainted): Telemetry showed rundll32.exe executing as a result of Resume Viewer.exe running. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID).
  Screenshot: Telemetry from process tree showing rundll32.exe (tainted by relationship to threat story)

1.A.1 Scripting

Carbon Black
  Telemetry: Telemetry within the process tree showed cmd.exe executing the pdfhelper.cmd script.
  Enrichment: The capability enriched the cmd.exe execution with the correct ATT&CK Technique (T1064 - Scripting).
  Screenshot: Enrichment of cmd.exe executing pdfhelper.cmd with correct ATT&CK Technique (T1064 - Scripting)

CounterTack
  Telemetry (Tainted): Telemetry showed that Resume Viewer.exe created cmd.exe, which ran the script pdfhelper.cmd. The telemetry was tainted by the parent Script File Created alert.
  Screenshot: Telemetry showing cmd.exe running pdfhelper.cmd (tainted by the Script File Created alert)

CrowdStrike
  General Behavior (Delayed): OverWatch generated a General Behavior alert indicating the execution of pdfhelper.cmd was suspicious. OverWatch is the managed threat hunting service.
  Telemetry: Telemetry showed pdfhelper.cmd being executed by cmd.exe.
  Screenshot: Telemetry showing pdfhelper.cmd execution

Cybereason
  Telemetry (Tainted): Telemetry showed cmd.exe launching pdfhelper.cmd. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious.
  Screenshot: Telemetry showing cmd.exe launching pdfhelper.cmd (tainted by parent alert on explorer.exe)

Endgame
  Telemetry (Tainted): Telemetry showed cmd.exe executing pdfhelper.cmd as well as pdfhelper.cmd spawning as a child process of Resume Viewer.exe. The telemetry was tainted by a parent Malicious File Detection alert.
  Screenshot: Telemetry showing cmd.exe process creation and execution of pdfhelper.cmd (tainted by parent Malicious File Detection alert)

FireEye
  Telemetry: Telemetry showed Resume Viewer.exe spawning the child process cmd.exe to launch pdfhelper.cmd.
  Screenshot: Telemetry showing the child cmd.exe process running the pdfhelper.cmd script

Microsoft
  Telemetry: Telemetry within a process tree showed the child cmd.exe process running the script pdfhelper.cmd.
  Screenshot: Telemetry within the process tree showing the child cmd.exe process running the script pdfhelper.cmd

Palo Alto Networks
  Telemetry: Telemetry showed cmd.exe launching pdfhelper.cmd.
  Specific Behavior: A Specific Behavior alert was generated for execution of the Windows script engine. The alert was tagged with the correct ATT&CK Technique (Scripting).
  Screenshot: Specific Behavior alert for execution of Windows script engine tagged with the correct ATT&CK Technique (Scripting)

RSA
  None: No detection capability demonstrated for this procedure, though telemetry showed the execution sequence of Resume Viewer.exe executing cmd.exe, which executed rundll32.exe (the pdfhelper.cmd script was not shown).
  Screenshot: Telemetry showing Resume Viewer.exe execution (does not count as a detection)

Sentinel One
  Telemetry (Tainted): Telemetry showed cmd.exe executing the pdfhelper.cmd script. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID).
  Screenshot: Telemetry from process tree showing the child cmd.exe process running the script pdfhelper.cmd (tainted by relationship to threat story)

1.B.1 Registry Run Keys - Startup Folder

Carbon Black
  Telemetry: Telemetry showed filemods indicating the creation and file write of autoupdate.bat to the Startup folder.
  Enrichment: The capability enriched cmd.exe with the correct ATT&CK Technique (T1060 - Registry Run Keys/Start Folder).
  Screenshot: Enrichment of cmd.exe with correct ATT&CK Technique (T1060 - Registry Run Keys/Start Folder)

CounterTack
  Telemetry: Telemetry showed that autoupdate.bat was created in the Startup folder.
  Screenshot: Telemetry showing autoupdate.bat created in Startup folder

CrowdStrike
  Telemetry: Telemetry showed Registry activity related to the Startup folder. Though no screenshot of the file write is available, this data may be indicative of modifications to the folder.
  Screenshot: Telemetry showing Registry modification related to Startup Folder

Cybereason
  Telemetry (Tainted): Telemetry showed cmd.exe rewriting autoupdate.bat to the user Debbie's Startup folder. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious.
  Screenshot: Process tree showing the cmd.exe associated with the autoupdate.bat file event (tainted by parent alert on explorer.exe)

Endgame
  Telemetry (Tainted): Telemetry showed autoupdate.bat written to the Start Menu. The telemetry was tainted by a parent Malicious File Detection alert.
  Specific Behavior (Tainted): A Specific Behavior alert called "Detected Persistence - Start Folder Persistence" was generated due to cmd.exe writing autoupdate.bat to the Startup folder. The alert was also tagged with the correct ATT&CK Technique (T1060 - Registry Run Keys / Start Folder) and Tactic (Persistence). The Specific Behavior alert was tainted by a parent Malicious File Detection alert.
  Screenshot: "Detected Persistence - Start Folder Persistence" Specific Behavior alert related to autoupdate.bat (tagged with correct ATT&CK Technique, T1060 - Registry Run Keys / Start Folder, and Tactic, Persistence; tainted by cmd.exe generating the alert)

FireEye
  Telemetry: Telemetry showed autoupdate.bat being written to the Startup folder. The alert mapped to two ATT&CK Techniques (T1059 - Command-Line Interface and T1105 - Remote File Copy), but they were not directly related to the Registry Run Keys / Startup Folder Technique under test in this procedure.
  Enrichment: The capability enriched the file write of autoupdate.bat to the Startup folder by categorizing it as Persistence.
  Specific Behavior (Delayed): The Managed Defense Report indicated a Specific Behavior occurred because it identified the backdoor persisted by executing autoupdate.bat at system start due to its presence in the Startup directory. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
  Screenshot: Excerpt from the Managed Defense Report indicating the backdoor persisted via autoupdate.bat being written to the Startup directory (Specific Behavior)

Microsoft
  Telemetry: Telemetry showed the execution sequence for Resume Viewer.exe writing autoupdate.bat to Debbie's Startup folder to establish persistence.
  Screenshot: Telemetry showing write of autoupdate.bat to startup folder

Palo Alto Networks
  Telemetry (Tainted): Telemetry showed autoupdate.bat being moved to the user Debbie's Startup folder. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
  Enrichment (Configuration Change, Tainted): The capability enriched a file being created in the Startup folder with the correct ATT&CK Technique (Registry Run Keys / Start Folder). The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The logic to produce the enrichment was configured after the start of the evaluation so it is identified as a config change.
  Screenshot: Enrichment of a file being created in the Startup folder tagged with the correct ATT&CK Technique (Registry Run Keys / Start Folder) (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
  Telemetry: Telemetry showed a cmd.exe "rename to executable" event for autoupdate.bat in the Startup folder.
  Screenshot: Telemetry showing cmd.exe "rename to executable" event for autoupdate.bat in Startup folder

Sentinel One
  Telemetry (Tainted): Telemetry on actions performed from Resume Viewer.exe showed autoupdate.bat being written to the Startup Folder. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID).
  Screenshot: Telemetry showing autoupdate.bat write to the Startup folder (tainted by relationship to threat story)

1.C.1 Commonly Used Port

Carbon Black
  Telemetry: Telemetry showed a network connection over UDP port 53.
  Screenshot: Telemetry showing network connection over UDP port 53

CounterTack
  None: No detection capability demonstrated for this procedure, though DNS requests were observed (no detection showed port 53 specifically).

CrowdStrike
  None: No detection capability demonstrated for this procedure, though DNS requests for freegoogleadsenseinfo.com (C2 domain) were observed (no detection showed port 53 specifically).
  Screenshot: OverWatch alert showing suspicious DNS traffic (does not count as a detection)

Cybereason
  Telemetry: Telemetry showed port 53 command and control traffic.
  Screenshot: Telemetry showing port 53 command and control traffic

Endgame
  None: No detection capability demonstrated for this procedure, though DNS requests were observed (no detection showed port 53 specifically).

FireEye
  Telemetry: Telemetry showed port 53 command and control traffic.
  Specific Behavior (Delayed): The Managed Defense Report indicated a Specific Behavior occurred because it observed the use of UDP port 53 for DNS command and control traffic. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
  Screenshot: Excerpt from the Managed Defense Report indicating command and control occurred over UDP port 53 (Specific Behavior)

Microsoft
  None: No detection capability demonstrated for this procedure. DNS requests were observed (no detection showed port 53 specifically).
  Screenshot: Telemetry showing DNS requests to the C2 domain (custom query) (does not count as a detection)

Palo Alto Networks
  Telemetry (Tainted): Telemetry showed port 53 command and control traffic. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. Vendor stated that more information would be available if their firewall appliance was installed and activated.
  Specific Behavior (Tainted): A Specific Behavior alert was generated for a scripting engine (rundll32.exe) making a network connection over DNS ports. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
  Screenshot: Specific Behavior alert for a scripting engine (rundll32.exe) making a network connection over DNS ports (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
  None: No detection capability demonstrated for this procedure.

Sentinel One
  None: No detection capability demonstrated for this procedure. DNS requests were observed (no detection showed port 53 specifically).

1.C.1 Standard Application Layer Protocol

Carbon Black
  None: No detection capability demonstrated for this procedure.

CounterTack
  Telemetry: Telemetry showed that DNS requests to freegoogleadsenseinfo.com (C2 domain) were being performed out of svchost.exe on Nimda.
  Screenshot: Telemetry showing DNS queries to freegoogleadsenseinfo.com (C2 domain) from svchost.exe

CrowdStrike
  Specific Behavior: A Specific Behavior alert was generated for abnormally large DNS requests for freegoogleadsenseinfo.com (C2 domain) being sent. The alert was mapped to a related ATT&CK Technique (Exfiltration Over Alternative Protocol) and Tactic (Exfiltration).
  General Behavior (Delayed): OverWatch also generated a General Behavior alert indicating the DNS traffic was suspicious. OverWatch is the managed threat hunting service.
  Telemetry: Telemetry within the OverWatch alert showed the DNS requests, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
  Specific Behavior (Delayed): The OverWatch team also sent an email indicating a Specific Behavior occurred because they observed suspected command and control or data exfiltration via DNS. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
  Screenshot: Email excerpt from the OverWatch team indicating they observed suspected command and control or data exfiltration via DNS (Specific Behavior)

Cybereason
  Telemetry (Tainted): Telemetry showed rundll32.exe making DNS queries to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Injected Shellcode alert.
  Screenshot: Process tree showing rundll32.exe making DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected Shellcode alert)

Endgame
  Telemetry (Tainted): Telemetry in the event tree view showed DNS requests spawning from rundll32.exe to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Malicious File Detection alert.
  Screenshot: Telemetry showing DNS connections

FireEye
  Indicator of Compromise: An Indicator of Compromise alert was generated for the hardcoded DNS record name syntax in the DNS lookups for freegoogleadsenseinfo.com (C2 domain). The alert was also tagged with the correct ATT&CK Technique (T1071 - Standard Application Layer Protocol) and Tactic (Command and Control).
  Specific Behavior (Delayed): The Managed Defense Report indicated a Specific Behavior occurred because it identified that command and control occurred via DNS. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
  Screenshot: Excerpt from the Managed Defense Report indicating command and control occurred via DNS (Specific Behavior)

Microsoft
  Telemetry (Configuration Change): Telemetry showed DNS requests to freegoogleadsenseinfo.com (C2 domain). The vendor stated that DNS telemetry is captured but it was not immediately visible in the portal. The vendor made changes to the portal during the test to enable by default the visibility of these events.
  Screenshot: Telemetry showing DNS requests to the C2 domain (custom query)

Palo Alto Networks
  None: No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated.

RSA
  None: No detection capability demonstrated for this procedure.

Sentinel One
  Telemetry (Tainted): Telemetry showed DNS requests to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID).
  Screenshot: Telemetry showing DNS requests to the C2 domain (tainted by relationship to threat story)

1.C.1 Data Encoding

Carbon Black
  None: No detection capability demonstrated for this procedure.

CounterTack
  None: No detection capability demonstrated for this procedure, though the capability identified DNS queries (no detection showed data encoding specifically).

CrowdStrike
  Telemetry (Tainted): Telemetry showed the base64-encoded DNS requests for freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the parent Exfiltration alert.
  Screenshot: Telemetry within an alert showing encoded DNS requests (tainted by parent Exfiltration alert)

Cybereason
  Telemetry (Tainted): Telemetry showed base64-encoded DNS requests for freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Injected Shellcode alert.
  Screenshot: Process tree showing rundll32.exe making encoded DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected Shellcode alert)

Endgame
  None: No detection capability demonstrated for this procedure.

FireEye
  Telemetry (Tainted): Telemetry showed base64-encoded DNS requests to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the parent Cobalt Strike DNS Beacon alert.
  Screenshot: Telemetry showing encoded DNS requests (tainted by parent Cobalt Strike DNS Beacon alert)

Microsoft
  None: No detection capability demonstrated for this procedure.

Palo Alto Networks
  None: No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated.

RSA
  None: No detection capability demonstrated for this procedure.

Sentinel One
  Telemetry (Tainted): Telemetry showed DNS requests with encoded content to freegoogleadsenseinfo.com (the C2 domain). The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID).
  Screenshot: Telemetry showing DNS query for freegoogleadsenseinfo.com (C2 domain) (tainted by relationship to threat story)

Carbon Black
Telemetry
  
Telemetry within the process tree showed cmd.exe executing ipconfig.exe with command-line arguments.
Enrichment
  
The capability enriched ipconfig.exe with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery).
Enrichment of ipconfig.exe with correct ATT&CK Technique (T1016 - System Network Configuration Discovery)

CounterTack
Enrichment (Configuration Change, Tainted)
  
  
The capability showed cmd.exe executing ipconfig.exe with command-line arguments and enriched the command with the condition Ipconfig All Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details.
Enrichment of ipconfig.exe with condition Ipconfig All Reconnaissance Command (tainted by the parent Script File Created alert)

CrowdStrike
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing ipconfig with command-line arguments. The process tree showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran ipconfig) were considered tainted and suspicious.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because ipconfig was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating ipconfig was a reconnaissance command (General Behavior)

Cybereason
Enrichment (Tainted)
  
 
The capability enriched cmd.exe executing ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery). The data was tainted by a parent Injected Shellcode alert.
Telemetry
  
Telemetry showed cmd.exe executing ipconfig with command-line arguments.
Telemetry showing cmd.exe executing ipconfig with command-line arguments

Endgame
General Behavior (Tainted)
  
 
A General Behavior alert called Unusual Child Process of RunDLL32 was generated for cmd.exe executing ipconfig.exe with command-line arguments. The alert was tainted as part of the event tree under a parent Malicious File Detection.
Telemetry (Tainted)
  
 
Telemetry within the event tree showed cmd.exe executing ipconfig.exe with command-line arguments (tainted by a parent Malicious File Detection).
General Behavior (Configuration Change, Delayed, Tainted)
  
   
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye
Enrichment
  
The capability enriched ipconfig.exe with an alert for Ipconfig Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that ipconfig.exe was one of the reconnaissance commands performed to enumerate the network configuration of Nimda. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about ipconfig.exe execution

Microsoft
Telemetry
  
Telemetry showed the execution sequence of cmd.exe executing ipconfig.exe with command-line arguments.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration commands that was classified as suspicious.
Process tree view of General Behavior alert on suspicious sequence of discovery techniques

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing ipconfig with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment
  
The capability enriched ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).
Enrichment (Tainted)
  
 
The capability enriched the execution of ipconfig.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
General Behavior (Tainted)
  
 
A General Behavior alert was generated for a commonly abused process (cmd.exe) spawning out of rundll32.exe. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
General Behavior alert for a commonly abused process (cmd.exe) spawning out of rundll32.exe (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
Telemetry
  
Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments.
Telemetry showing ipconfig.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing ipconfig.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
  
Telemetry within the process tree showed cmd.exe executing arp.exe with command-line arguments.
Enrichment
  
The capability enriched arp.exe with a related ATT&CK Technique (T1018 - Remote System Discovery).
Enrichment of arp.exe with related ATT&CK Technique (T1018 - Remote System Discovery)

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing arp.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
Telemetry showing arp.exe with command-line arguments (tainted by the parent Script File Created alert)

CrowdStrike
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing arp with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran arp) were considered tainted.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because arp was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating arp was a reconnaissance command (General Behavior)

Cybereason
Telemetry (Tainted)
  
 
Telemetry showed arp.exe executing with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert.
Telemetry showing arp.exe executing within the process tree (tainted by a parent Injected Shellcode alert)

Endgame
Telemetry (Tainted)
  
 
Telemetry within the event tree showed cmd.exe executing arp.exe with command-line arguments (tainted by a parent Malicious File Detection).
General Behavior (Configuration Change, Delayed, Tainted)
  
   
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye
Enrichment
  
The capability enriched arp.exe with an alert for Arp Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that arp.exe was one of the reconnaissance commands performed to enumerate the network configuration of Nimda. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about arp.exe execution

Microsoft
Telemetry
  
Telemetry showed the execution sequence of cmd.exe executing arp.exe with command-line arguments.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing arp.exe

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing arp with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment
  
The capability enriched arp.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).
Enrichment (Tainted)
  
 
The capability enriched the execution of arp.exe as possible reconnaissance as well as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment of the execution of arp.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
Telemetry
  
Telemetry showed cmd.exe executing arp.exe with command-line arguments.
Telemetry showing arp.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing arp.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing arp.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
  
Telemetry within the process tree showed cmd.exe executing echo with command-line arguments.
Telemetry from process tree showing echo with command-line arguments

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
Telemetry showing echo with command-line arguments (tainted by the parent Script File Created alert)

CrowdStrike
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing echo with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran echo) were considered tainted.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because echo was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating echo was a reconnaissance command (General Behavior)

Cybereason
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert.
Telemetry showing cmd.exe executing echo with command-line arguments (tainted by a parent Injected Shellcode alert)

Endgame
Telemetry (Tainted)
  
 
Telemetry within the event tree showed cmd.exe executing echo with command-line arguments (tainted by a parent Malicious File Detection).
General Behavior (Configuration Change, Delayed, Tainted)
  
   
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye
Telemetry
  
Telemetry showed the use of echo with command-line arguments.
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that echo was one of the commands used to enumerate the current username. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about echo

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe executing echo with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe).
Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing echo command

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment
  
The capability enriched cmd.exe executing echo with the correct ATT&CK Technique (System Owner / User Discovery).
Enrichment of cmd.exe executing echo with the correct ATT&CK Technique (System Owner / User Discovery)

RSA
Telemetry
  
Telemetry showed cmd.exe executing echo with command-line arguments.
Telemetry showing echo with command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing echo with command-line arguments (tainted by relationship to threat story)

Carbon Black
None
  
No detection capability demonstrated for this procedure.


CounterTack
None
  
No detection capability demonstrated for this procedure.


CrowdStrike
None
  
No detection capability demonstrated for this procedure.


Cybereason
None
  
No detection capability demonstrated for this procedure.


Endgame
None
  
No detection capability demonstrated for this procedure.


FireEye
None
  
No detection capability demonstrated for this procedure.


Microsoft
None
  
No detection capability demonstrated for this procedure.


Palo Alto Networks
Enrichment (Tainted)
  
 
The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The process tree showing taintedness is visible within the same UI but did not fit within the current frame.
Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
None
  
No detection capability demonstrated for this procedure.


Carbon Black
Telemetry
  
Telemetry within the process tree showed cmd.exe executing tasklist.exe with command-line arguments.
Enrichment
  
The capability enriched tasklist.exe with the correct ATT&CK Technique (T1057 - Process Discovery).
Enrichment of tasklist.exe with correct ATT&CK Technique (T1057 - Process Discovery)

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
Telemetry showing tasklist.exe with command-line arguments (tainted by the parent Script File Created alert)

CrowdStrike
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing tasklist with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran tasklist) were considered tainted.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because tasklist was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating tasklist was a reconnaissance command (General Behavior)

Cybereason
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing tasklist with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert.
Telemetry showing tasklist.exe executing within the process tree (tainted by a parent Injected Shellcode alert)

Endgame
Telemetry (Tainted)
  
 
Telemetry within the event tree showed cmd.exe executing tasklist.exe with command-line arguments (tainted by a parent Malicious File Detection).
General Behavior (Configuration Change, Delayed, Tainted)
  
   
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye
Enrichment
  
The capability enriched tasklist.exe with an alert for Tasklist Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1057 - Process Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that tasklist was one of the commands used to enumerate current running processes. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about tasklist

Microsoft
Telemetry
  
Telemetry showed the execution sequence of cmd.exe executing tasklist.exe with command-line arguments.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing tasklist.exe

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing tasklist with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment
  
The capability enriched tasklist.exe executing with a related ATT&CK Technique (System Information Discovery).
Enrichment (Tainted)
  
 
The capability enriched the execution of tasklist.exe as the enumeration of running processes via the command line. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment of the execution of tasklist.exe as the enumeration of running processes via the command line (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
Telemetry
  
Telemetry showed cmd.exe executing tasklist.exe with command-line arguments.
Additional telemetry showing tasklist.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing tasklist.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
  
Telemetry within the process tree showed cmd.exe executing sc.exe with command-line arguments.
Enrichment
  
The capability enriched sc.exe with the correct ATT&CK Technique (System Service Discovery).
Enrichment of sc.exe with correct ATT&CK Technique (System Service Discovery)

CounterTack
Enrichment (Configuration Change, Tainted)
  
  
The capability showed cmd.exe executing sc.exe with command-line arguments and enriched the command with the condition SC Query Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details.
Enrichment of sc.exe with condition SC Query Reconnaissance Command (tainted by the parent Script File Created alert)

CrowdStrike
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing sc with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran sc) were considered tainted.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because sc query was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating sc query was a reconnaissance command (General Behavior)

Cybereason
Enrichment (Tainted)
  
 
The capability enriched cmd.exe executing sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery). The data was tainted by a parent Injected Shellcode alert.
Telemetry
  
Telemetry showed cmd.exe executing sc with command-line arguments.
Telemetry showing cmd.exe executing sc with command-line arguments

Endgame
Telemetry (Tainted)
  
 
Telemetry within the event tree showed cmd.exe executing sc.exe with command-line arguments (tainted by a parent Malicious File Detection).
General Behavior (Configuration Change, Delayed, Tainted)
  
   
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye
Enrichment
  
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that sc was one of the commands used to enumerate current running services. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about sc

Microsoft
Telemetry
  
Telemetry showed the execution sequence of cmd.exe executing sc.exe with command-line arguments.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing sc.exe

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing sc with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Telemetry showing cmd.exe executing sc with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
Telemetry
  
Telemetry showed cmd.exe executing sc.exe with command-line arguments.
Telemetry showing sc.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing sc.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing sc.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
  
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
Enrichment
  
The capability enriched net.exe with the correct ATT&CK Technique (System Service Discovery).
Enrichment of net.exe with correct ATT&CK Technique (System Service Discovery)

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert)

CrowdStrike
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net start not specifically shown)

Cybereason
Enrichment (Tainted)
  
 
The capability enriched cmd.exe executing net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery). The data was tainted by a parent Injected Shellcode alert.
Telemetry
  
Telemetry showed cmd.exe executing net with command-line arguments.
Telemetry showing cmd.exe executing net with command-line arguments

Endgame
Telemetry (Tainted)
  
 
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
General Behavior (Configuration Change, Delayed, Tainted)
  
   
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye
Enrichment
  
The capability enriched net.exe with an alert for Net Start Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that net was one of the commands used to enumerate current running services. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about net

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe).
Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing net.exe with command-line arguments

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment (Tainted)
  
 
The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
Telemetry
  
Telemetry showed cmd.exe executing net.exe with command-line arguments.
Telemetry showing net.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
  
Telemetry within the process tree showed cmd.exe executing systeminfo.exe.
Enrichment
  
The capability enriched systeminfo.exe with the correct ATT&CK Technique (System Information Discovery).
Enrichment of systeminfo.exe with correct ATT&CK Technique (System Information Discovery)

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing systeminfo.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
Telemetry showing systeminfo.exe (tainted by the parent Script File Created alert)

CrowdStrike
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing systeminfo. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran systeminfo) were considered tainted.
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was observed because systeminfo was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating systeminfo was a reconnaissance command (General Behavior)

Cybereason
Enrichment (Tainted)
  
 
The capability enriched systeminfo.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery). The data was tainted by a parent Injected Shellcode alert.
Telemetry
  
Telemetry showed cmd.exe executing systeminfo with command-line arguments.
Telemetry showing cmd.exe executing systeminfo

Endgame
Telemetry (Tainted)
  
 
Telemetry within the event tree showed cmd.exe executing systeminfo.exe (tainted by a parent Malicious File Detection).
General Behavior (Configuration Change, Delayed, Tainted)
  
   
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye
Enrichment
  
The capability enriched systeminfo.exe with an alert for Systeminfo Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1082 - System Information Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified systeminfo as a reconnaissance command used to obtain details from the system. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about systeminfo

Microsoft
Telemetry
  
Telemetry showed the execution sequence of cmd.exe running systeminfo.exe.
General Behavior (Delayed)
  
 
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing systeminfo.exe

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing systeminfo with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment
  
The capability enriched cmd.exe executing systeminfo with the correct ATT&CK Technique (System Information Discovery).
Enrichment (Tainted)
  
 
The capability enriched the execution of systeminfo.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment of the execution of systeminfo.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
Telemetry
  
Telemetry showed cmd.exe executing systeminfo.exe.
Telemetry showing systeminfo.exe

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing systeminfo.exe (tainted by relationship to threat story)

Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (System Information Discovery).
Enrichment of net.exe with correct ATT&CK Technique (System Information Discovery)

CounterTack
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert)

CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because net config was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating net config was a reconnaissance command (General Behavior)

Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments.
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery). The data was tainted by a parent Injected Shellcode alert.
Enrichment of net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) (tainted by a parent Injected Shellcode alert)

Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation so is identified as a configuration change.
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye
Enrichment
The capability enriched net.exe with an alert for Net Config Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1082 - System Information Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net config as a reconnaissance command performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about net

Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe).
Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing net.exe with command-line arguments

Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment
The capability enriched cmd.exe executing net with the correct ATT&CK Technique (System Information Discovery).
Enrichment (Tainted)
The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments.
Telemetry showing net.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration.
Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)

CounterTack
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See Configuration page for details.
Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)

CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating net localgroup was a reconnaissance command (General Behavior)

Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments.
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The data was tainted by a parent Injected Shellcode alert.
Process tree showing enriched net.exe executing (tainted by a parent Injected Shellcode alert)

Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
Enrichment (Tainted)
The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation so is identified as a configuration change.
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated members of the local administrators group. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about net

Microsoft
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments.
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments

Palo Alto Networks
Enrichment
The capability enriched net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery).
Enrichment of net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery)

RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments.
Telemetry showing net.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration.
Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)

CounterTack
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See Configuration page for details.
Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)

CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating net localgroup was a reconnaissance command (General Behavior)

Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments.
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The data was tainted by a parent Injected Shellcode alert.
Process tree showing enriched net.exe executing (tainted by a parent Injected Shellcode alert)

Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
Enrichment (Tainted)
The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation so is identified as a configuration change.
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated members of the local administrators group. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about net

Microsoft
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments.
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments

Palo Alto Networks
Enrichment
The capability enriched net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery).
Enrichment of net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery)

RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments.
Telemetry showing net.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration.
Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)

CounterTack
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See Configuration page for details.
Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)

CrowdStrike
Enrichment (Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The enrichment was tainted by a previous detection.
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior)

Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments.
General Behavior (Tainted)
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The alert was tainted by a parent Injected Shellcode alert.
Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert)

Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
Enrichment (Tainted)
The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation so is identified as a configuration change.
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated the Shockwave domain's Domain Administrators group. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about net

Microsoft
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments.
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Telemetry showing domain admins group discovery by Nimda at the domain controller

Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment (Tainted)
The capability enriched the execution of net.exe as the execution of an enumeration command as well as the execution of net1.exe as the execution of an enumeration command using net or net1. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment of the execution of net.exe as the execution of an enumeration command using net or net1 (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
Enrichment
An "IIOC" module called "Enumerates domain administrators" was generated and provided enrichment.
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments.
Event enrichment from IIOC module "Enumerates domain administrators"

Sentinel One
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Account Discovery).
Enrichment of net.exe with correct ATT&CK Technique (Account Discovery)

CounterTack
Enrichment (Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert.
Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert)

CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran net.exe) were considered tainted.
Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net user not specifically shown)

Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments.
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Technique (Account Discovery). The data was tainted by a parent Injected Shellcode alert.
Process tree showing enriched net.exe executing with the correct ATT&CK Technique (Account Discovery) (tainted by a parent Injected Shellcode alert)

Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation so is identified as a configuration change.
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye
Enrichment
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net user as a reconnaissance command performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about net

Microsoft
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments.
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration commands that was classified as suspicious.
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments

Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment (Tainted)
The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments.
Telemetry showing net.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Account Discovery).
Enrichment of net.exe with correct ATT&CK Technique (Account Discovery)

CounterTack
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Reconnaissance Tool and Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. One condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See Configuration page for details.
Enrichment of net.exe with conditions Reconnaissance Tool and Net User Reconnaissance Command (tainted by the parent Script File Created alert)

CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net user was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating net user was a reconnaissance command (General Behavior)

Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments.
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Technique (Account Discovery). The data was tainted by a parent Injected Shellcode alert.
Process tree showing enriched net.exe executing with the correct ATT&CK Technique (Account Discovery) (tainted by a parent Injected Shellcode alert)

Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation so is identified as a configuration change.
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye
Enrichment
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net user as a reconnaissance command performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about net

Microsoft
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments.
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Telemetry showing discovery of George permissions by Debbie from Nimda at the domain controller

Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment
The capability enriched net1.exe executing with the correct ATT&CK Technique (Account Discovery).
Enrichment (Tainted)
The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments.
Telemetry showing net.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
  
Telemetry within the process tree showed cmd.exe executing reg.exe with command-line arguments.
Enrichment
  
The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry).
Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry)

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
Telemetry showing reg.exe with command-line arguments (tainted by the parent Script File Created alert)

CrowdStrike
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing reg with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran reg) were considered tainted.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because reg query was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating reg query was a reconnaissance command (General Behavior)

Cybereason
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert.
Telemetry showing cmd.exe executing reg with command-line arguments

Endgame
Telemetry (Tainted)
  
 
Telemetry within the event tree showed cmd.exe executing reg.exe with command-line arguments (tainted by a parent Malicious File Detection).
General Behavior (Configuration Change, Delayed, Tainted)
  
   
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye
Enrichment
  
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because the attacker queried a registry key that contains system policy configurations. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about reg

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe running reg.exe with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe).
Process tree view of General Behavior alert on suspicious sequence of discovery techniques (showing tainted reg.exe query command)

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment
  
The capability enriched reg.exe executing with the correct ATT&CK Technique (Query Registry).
Enrichment of reg.exe executing with the correct ATT&CK Technique (Query Registry)

RSA
Telemetry
  
Telemetry showed cmd.exe executing reg.exe with command-line arguments.
Telemetry showing reg.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Telemetry showing reg.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
None
  
No detection capability demonstrated for this procedure.


CounterTack
None
  
No detection capability demonstrated for this procedure, though an alert was triggered due to svchost.exe creating the process powershell.exe.
Relationships view of alert showing svchost.exe spawning the powershell.exe tree (including encoded PowerShell). Red dots indicate malicious behavior and orange dots indicate suspicious behavior (based on impact value) (does not count as a detection)

CrowdStrike
Telemetry
  
Telemetry showed an integrity level change for user Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High), which is indicative of bypassing UAC.
Telemetry showing process integrity level change for Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High)

Cybereason
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe running as medium integrity as user Debbie, then another instance running later as high integrity as user Debbie. The telemetry was tainted by a parent PowerShell alert.
Telemetry showing powershell.exe running as high integrity as user Debbie (tainted by a parent PowerShell alert)

Endgame
Telemetry
  
Telemetry showed a mismatch between the logon ID (authentication ID) of the parent and child processes, indicating that a different token was used. Though no screenshot of this data is available, this information can be used to trace back to the logon event for that logon ID and display the process integrity level indicative of the elevated token used for the UAC bypass. During the evaluation, Windows Defender was unknowingly re-enabled. As a result, Bypass UAC was tested using a slightly modified method. The detection method Endgame exhibited would have been valid regardless.
Telemetry showing authentication (logon) ID mismatch between parent and child processes

FireEye
Telemetry (Configuration Change)
  
 
Telemetry showed execution of powershell.exe as a high integrity process as SYSTEM with a token login ID previously associated with user Debbie. A Configuration Change was made in order to collect Windows Event Logs for events 4627 (Group Membership Information) and 4673 (A privileged service was called).
Telemetry showing group membership of token logon ID 0xfcf5fd, associated with user Debbie, which includes S-1-16-12288 (High Mandatory Level)

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed rundll32.exe as a medium integrity process as user Debbie and subsequent execution of powershell.exe as a high integrity process as SYSTEM as part of the UAC bypass (tainted by alert on a suspicious PowerShell command-line generated for the svchost.exe invocation of powershell.exe with an encoded script).
Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and elevated powershell.exe

Palo Alto Networks
Telemetry
  
Telemetry showed a process integrity level change from parent rundll32.exe (medium / 8192) to child powershell.exe (high / 12288), both running as user Debbie.
Telemetry showing process integrity level change from parent rundll32.exe (medium) to child powershell.exe (high), both running as user Debbie

RSA
None
  
No detection capability demonstrated for this procedure, though an alert was created for PowerShell with the -enc command-line argument.
Alert for powershell.exe execution with encoded command-line arguments (does not count as a detection)

Sentinel One
Telemetry
  
Telemetry showed process integrity levels changing from medium to high. The detection was verified, but a screenshot of this data was unavailable. Integrity level values are based on how the capability tracks integrity levels rather than how Windows tracks them, causing a difference in values.


Carbon Black
Telemetry
  
Telemetry showed svchost.exe, with the seclogon command-line argument, performing activity related to token manipulation.
Telemetry showing svchost.exe activity related to token manipulation

CounterTack
None
  
No detection capability demonstrated for this procedure, though an alert was triggered due to svchost.exe creating the process powershell.exe.
Relationships view of alert showing svchost.exe spawning the powershell.exe tree (including encoded PowerShell). Red dots indicate malicious behavior and orange dots indicate suspicious behavior (based on impact value) (does not count as a detection)

CrowdStrike
None
  
No detection capability demonstrated for this procedure.


Cybereason
None
  
No detection capability demonstrated for this procedure, though an alert was generated for malicious code injection into PowerShell. Telemetry also showed that bypassuactoken.x64.dll was loaded.
Telemetry showing the bypassuactoken.x64.dll was loaded (does not count as a detection)

Endgame
Telemetry
  
Telemetry showed a svchost.exe seclogon event for a token logon ID (authentication ID) that was later used by a new powershell.exe process, highlighting token manipulation via a mismatch in IDs between the parent and child process tokens. During the evaluation, Windows Defender was unknowingly re-enabled. As a result, Bypass UAC was tested using a slightly modified method. The detection method Endgame exhibited would have been valid regardless.
Telemetry showing powershell.exe spawned with token authentication id 100243447

FireEye
Telemetry (Configuration Change)
  
 
Telemetry showed a svchost.exe seclogon event for a token logon ID later used by a process whose group membership indicated high integrity. A Configuration Change was made in order to collect Windows Event Logs for events 4627 (Group Membership Information) and 4673 (A privileged service was called).
Telemetry showing group membership of token logon ID 0xfcf5fd, which includes S-1-16-12288 (High Mandatory Level)

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent elevated powershell.exe process, indicating token manipulation (tainted by parent alert on a suspicious PowerShell command-line generated for the svchost.exe invocation of powershell.exe with an encoded script).
Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and elevated powershell.exe

Palo Alto Networks
Telemetry
  
Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent logon event with an elevated token and new logon ID, indicating token manipulation.
Telemetry showing logon event with an elevated token and new logon ID

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
None
  
No detection capability demonstrated for this procedure.


Carbon Black
None
  
No detection capability demonstrated for this procedure.


CounterTack
None
  
No detection capability demonstrated for this procedure.


CrowdStrike
None
  
No detection capability demonstrated for this procedure.


Cybereason
None
  
No detection capability demonstrated for this procedure.


Endgame
None
  
No detection capability demonstrated for this procedure.


FireEye
None
  
No detection capability demonstrated for this procedure.


Microsoft
None
  
No detection capability demonstrated for this procedure.


Palo Alto Networks
Enrichment (Tainted)
  
 
The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The process tree showing the tainting is visible within the same UI but did not fit within the captured frame.
Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
None
  
No detection capability demonstrated for this procedure.


Carbon Black
Telemetry
  
Telemetry showed "crossproc" events indicative of Process Injection into cmd.exe.
Specific Behavior
  
A Specific Behavior alert was generated that was mapped to correct ATT&CK Technique (Process Injection).
Specific Behavior alert mapped to correct ATT&CK Technique (T1055 - Process Injection)

CounterTack
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated based on DLL injection for powershell.exe injecting into cmd.exe. The detection was labeled with Process Hijacking and Privilege Escalation and tainted by the parent "Powershell process created" alert. The vendor noted all DLL injection conditions are labeled with Privilege Escalation. The vendor also noted Privilege Escalation is one of ten "Capabilities" that are part of the taxonomy.
Specific Behavior alert for DLL injection detection labeled with Process Hijacking and Privilege Escalation (tainted by the parent "Powershell process created" alert)

CrowdStrike
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated showing that PowerShell created a thread into a remote process. The alert identified the correct ATT&CK Technique (Process Injection) and Tactic (Defense Evasion). The process tree view showed the alert as tainted by parent svchost.exe and powershell.exe detections.
Telemetry
  
Telemetry associated with the alert would show thread creation in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
General Behavior (Delayed, Tainted)
  
  
OverWatch also generated a General Behavior alert identifying the injection as suspicious. The process tree view showed the alert as tainted by previous svchost.exe and powershell.exe detections. OverWatch is the managed threat hunting service.
Telemetry showing process tree view of Process Injection Specific Behavior alert and OverWatch General Behavior alert tainted by parent detections (orange line indicates medium severity)

Cybereason
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for process injection from powershell.exe into cmd.exe (Anonymous RWX). The alert is tagged with the correct ATT&CK Tactic (Defense Evasion) and Technique (Process Injection). The alert is tainted by a parent PowerShell alert.
Specific Behavior alert for PowerShell injection into cmd.exe mapped to ATT&CK Tactic (Defense Evasion) and Technique (Process Injection) (tainted by a parent PowerShell alert)

Endgame
Specific Behavior
  
A Specific Behavior alert was generated for process injection into cmd.exe.
Specific Behavior alert for process injection into cmd.exe

FireEye
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified a process injection from PowerShell.exe to cmd.exe. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. The vendor stated the process injection detection capability is a HX plugin that is only available within the Managed Defense Service, and the data is reported to a separate cloud server which is not accessible to customers at this time.
Continued excerpt from the Managed Defense Report showing the artifact evidence of a process injection from PowerShell.exe to cmd.exe

Microsoft
Enrichment (Tainted)
  
 
The capability enriched data showing powershell.exe injecting into cmd.exe (tainted by alert on a suspicious PowerShell command-line generated for the svchost.exe invocation of powershell.exe with an encoded script).
Specific Behavior (Delayed)
  
 
A Specific Behavior alert was generated for process injection. The process injection attempt was audited by Exploit Guard. The vendor states that the Exploit Guard audit events demonstrate that execution would have been prevented if Export Address Table (EAF) was enabled in blocking mode.
Telemetry showing process injection activity audited by Exploit Guard

Palo Alto Networks
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for PowerShell injecting shellcode. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The process tree showing the tainting is visible within the same UI but did not fit within the captured frame.
Specific Behavior alert for PowerShell injecting shellcode (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
Telemetry
  
Telemetry showed powershell.exe creating a remote thread into cmd.exe.
Telemetry showing powershell.exe creating a remote thread into cmd.exe

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe allocating memory, writing to memory space, and invoking a thread into cmd.exe (tainted by association with parent alert for powershell.exe process executed by svchost.exe).
Telemetry showing powershell.exe injecting into cmd.exe (Group ID tainted this event but was not shown in this view)

Carbon Black
Telemetry
  
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
Enrichment
  
The capability enriched net.exe with a related ATT&CK technique (Account Discovery).
Enrichment of net.exe with related ATT&CK technique (Account Discovery)

CounterTack
Enrichment (Configuration Change, Tainted)
  
  
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net Group Reconnaissance Command. The enrichment was tainted by the parent "Powershell Execution Policy ByPass command ran" alert. At least one condition was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change.
Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)

CrowdStrike
Enrichment
  
The capability showed net.exe executing with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery).
Telemetry
  
Telemetry within the enrichment showed net.exe executing with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior)

Cybereason
General Behavior (Tainted)
  
 
A General Behavior alert was generated for net.exe executing as part of a suspicious execution chain related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was tainted by a parent Injected Shellcode alert.
Telemetry
  
Telemetry showed cmd.exe executing net with command-line arguments.
Telemetry showing net.exe executing with command-line arguments

Endgame
Telemetry
  
Telemetry showed the process creation of net group with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed)
  
 
The capability enriched the net command with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enriched event tree showing enrichment of net with related ATT&CK Technique (T1069 - Permission Groups Discovery) and correct Tactic (Discovery)

FireEye
Enrichment
  
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery).
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it indicated net group was one of the reconnaissance commands performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about net group

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by association with the earlier suspicious process injection alert involving rundll32.exe).
Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific net.exe command not shown)

Palo Alto Networks
Telemetry
  
Telemetry showed cmd.exe executing net with command-line arguments.
Enrichment
  
The capability enriched cmd.exe executing net with a related ATT&CK Technique (System Network Connections Discovery).
Enrichment of cmd.exe executing net with a related ATT&CK Technique (System Network Connections Discovery)

RSA
Telemetry
  
Telemetry showed cmd.exe running net.exe with command-line arguments.
Telemetry showing net.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
  
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
Enrichment
  
The capability enriched net.exe with a related ATT&CK technique (Account Discovery).
Enrichment of net.exe with related ATT&CK technique (Account Discovery)

CounterTack
Enrichment (Configuration Change, Tainted)
  
  
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net Group Reconnaissance Command. The enrichment was tainted by the parent "Powershell Execution Policy ByPass command ran" alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See Configuration page for details.
Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)

CrowdStrike
Enrichment
  
The capability showed net.exe executing with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery).
Telemetry
  
Telemetry within the enrichment showed net.exe with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior)

Cybereason
General Behavior (Tainted)
  
 
A General Behavior alert was generated for net.exe executing as part of a suspicious execution chain related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery). The alert was tainted by a parent Injected Shellcode alert.
Telemetry
  
Telemetry showed cmd.exe executing net with command-line arguments.
Telemetry showing net.exe executing with command-line arguments

Endgame
Telemetry
  
Telemetry showed the process creation of net group with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed)
  
 
The capability enriched the net command with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enriched event tree showing enrichment of net group command mapped to related ATT&CK Technique (T1069 - Permission Groups Discovery) and correct Tactic (Discovery)

FireEye
Enrichment
  
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1069 - Permission Groups Discovery) and the correct Tactic (Discovery).
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it indicated net group was one of the reconnaissance commands performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about net group

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by association with the earlier suspicious process injection alert involving rundll32.exe).
Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific net.exe command not shown)

Palo Alto Networks
Enrichment
  
The capability enriched the execution of net.exe as the execution of an enumeration command using net or net1.
Telemetry
  
Telemetry showed cmd.exe executing net with command-line arguments.
Enrichment of the execution of net.exe as the execution of an enumeration command using net or net1

RSA
Telemetry
  
Telemetry showed cmd.exe running net.exe with command-line arguments.
Telemetry showing net.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Event tree showing net.exe (tainted by launch from process lineage previously identified as malicious)

Carbon Black
Telemetry
  
Telemetry within the process tree showed cmd.exe executing netsh.exe with command-line arguments.
Enrichment
  
The capability enriched netsh.exe with a related ATT&CK technique (T1063 - Security Software Discovery) and a tag for Potential Windows Firewall Rule Recon.
Enrichment of netsh.exe with related ATT&CK technique (T1063 - Security Software Discovery) and tag for Potential Windows Firewall Rule Recon

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing netsh.exe with command-line arguments. The telemetry was tainted by the parent "Powershell Execution Policy ByPass command ran" alert.
Telemetry showing netsh.exe with command-line arguments (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)

CrowdStrike
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was observed because netsh was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry
  
Telemetry within the OverWatch alert showed netsh executing with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Email excerpt from the OverWatch team indicating netsh was a reconnaissance command (General Behavior)

Cybereason
Enrichment (Tainted)
  
 
The capability enriched netsh.exe executing with the correct ATT&CK Tactic (Discovery) and a related Technique (Security Software Discovery). The data was tainted by a parent Injected Shellcode alert.
Telemetry
  
Telemetry showed cmd.exe executing netsh with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Enrichment of netsh.exe executing with correct ATT&CK Tactic (Discovery) and related Technique (Security Software Discovery) (tainted by a parent Injected Shellcode alert)

Endgame
Telemetry
  
Telemetry showed the process creation of netsh with command-line arguments.
Telemetry from event tree showing netsh with command-line arguments

FireEye
Enrichment
  
The capability enriched netsh.exe with an alert for Netsh Execution (Weak Signal). The alert was also tagged with a related ATT&CK Technique (T1063 - Security Software Discovery) and the correct Tactic (Discovery).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that netsh was a reconnaissance command used to obtain network configuration and the configuration profile of the Windows Firewall. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about netsh

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe executing netsh.exe with command-line arguments (tainted by association with the earlier suspicious process injection alert involving rundll32.exe).
Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific netsh.exe command not shown)

Palo Alto Networks
Telemetry
  
Telemetry showed cmd.exe executing netsh with command-line arguments.
Enrichment
  
The capability enriched netsh.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery).
Enrichment of netsh.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)

RSA
Telemetry
  
Telemetry showed cmd.exe running netsh.exe with command-line arguments.
Telemetry showing netsh.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing netsh.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Telemetry showing netsh.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
  
Telemetry within the process tree showed cmd.exe executing netstat.exe with command-line arguments.
Enrichment
  
The capability enriched netstat.exe with the correct ATT&CK technique (System Network Connections Discovery).
Enrichment of netstat.exe with correct ATT&CK technique (System Network Connections Discovery)

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing netstat.exe with command-line arguments. The telemetry was tainted by the parent "Powershell Execution Policy ByPass command ran" alert.
Telemetry showing netstat.exe with command-line arguments (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)

CrowdStrike
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was observed because netstat was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry
  
Telemetry within the OverWatch alert showed cmd.exe executing netstat with command-line arguments, and would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Email excerpt from the OverWatch team indicating netstat was a reconnaissance command (General Behavior)

Cybereason
Enrichment (Tainted)
  
 
The capability enriched netstat.exe executing as Reconnaissance and mapped to the correct ATT&CK Technique (System Network Connections Discovery). The data was tainted by a parent Injected Shellcode alert.
Telemetry
  
Telemetry showed cmd.exe executing netstat with command-line arguments.
Telemetry showing cmd.exe executing netstat with command-line arguments

Endgame
Telemetry
  
Telemetry showed the process creation of netstat with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed)
  
 
The capability enriched the netstat command with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enriched event tree showing enrichment of netstat with correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery)

FireEye
Enrichment
  
The capability enriched netstat.exe with an alert for Netstat Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that netstat was a reconnaissance command used to enumerate active and listening network ports. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about netstat

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of cmd.exe executing netstat.exe with command-line arguments (tainted by the suspicious process injection alert associated with rundll32.exe).
Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific netstat.exe command not shown)

Palo Alto Networks
Telemetry
  
Telemetry showed cmd.exe executing netsh with command-line arguments.
Enrichment
  
The capability enriched netstat.exe executing with the correct ATT&CK Technique (System Network Connections Discovery).
Enrichment of netstat.exe executing with the correct ATT&CK Technique (System Network Connections Discovery)

RSA
Telemetry
  
Telemetry showed cmd.exe running netstat.exe with command-line arguments.
Telemetry showing netstat.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing netstat.exe with command-line arguments. The telemetry was tainted by activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Telemetry showing netstat.exe with command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
  
Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection for credential dumping.
Specific Behavior
  
A Specific Behavior alert was generated showing the correct ATT&CK Technique (Credential Dumping).
Specific Behavior alert showing correct ATT&CK Technique (Credential Dumping)

CounterTack
None
  
No detection capability demonstrated for this procedure, though a DDNA Scan alerted for svchost.exe and displayed details related to Process Injection. According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does.
Alert showing additional DDNA Scan details for svchost.exe, including that it appears to inject code into another process (does not count as a detection)

CrowdStrike
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for Credential Dumping, which indicated "a DLL was detected as being reflectively loaded in the callstack." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection.
Telemetry
  
Telemetry showing the lsass handle open and DLL loading would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
General Behavior (Delayed, Tainted)
  
  
A General Behavior alert was generated by the OverWatch team indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a parent detection. OverWatch is the managed threat hunting service.
Specific Behavior alert for Credential Dumping and OverWatch General Behavior alert (tainted by previous detection, indicated by the orange line showing medium severity)

Cybereason
Specific Behavior
  
A Specific Behavior alert was generated for svchost.exe loading Mimikatz and accessing lsass (an audited system resource). The alert was also tagged with the correct ATT&CK Tactic (Credential Access) and related Technique (Process Injection).
Specific Behavior alert with correct ATT&CK Tactic (Credential Access) and related Technique (Process Injection) with details about svchost.exe accessing lsass

Endgame
Specific Behavior
  
A Specific Behavior alert was generated for the correct ATT&CK Technique (Credential Dumping).
Specific Behavior alert mapped to the correct ATT&CK Technique (Credential Dumping)

FireEye
None
  
No detection capability demonstrated for this procedure.


Microsoft
Enrichment (Tainted)
  
 
The capability enriched data showing a svchost.exe process opening lsass.exe with a description that it was accessing credentials (tainted by parent process injection event that occurred from svchost.exe). Exploit Guard audited the process open and credential extraction event. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. Vendor stated that Credential Guard can also mitigate this attack if enabled.
Specific Behavior (Delayed)
  
 
A Specific Behavior alert was generated on credential memory access.
Process tree for sensitive credential memory read alert

Palo Alto Networks
Specific Behavior
  
A Specific Behavior alert was generated for a suspicious handle being opened to lsass.exe to dump passwords. The alert was tagged with the correct ATT&CK Technique (Credential Dumping). Vendor stated the capability would have prevented this behavior.
A Specific Behavior alert for a suspicious handle being opened to lsass.exe to dump passwords, tagged with the correct ATT&CK Technique (Credential Dumping)

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
None
  
No detection capability demonstrated for this procedure. Vendor states that the capability would normally block credential dumping activity like this, but the mitigation capability was disabled due to the evaluation parameters.


Carbon Black
Telemetry
  
Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection.
Telemetry showing cross process events, specifically a handle to open thread into lsass.exe

CounterTack
General Behavior
  
A General Behavior alert was generated when a DDNA Scan alerted for svchost.exe. DDNA scan results showed that svchost.exe "appeared to inject code into another process." According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does.
General Behavior alert additional details on DDNA Scan for svchost.exe, including that it appears to inject code into another process

CrowdStrike
Enrichment
  
The capability enriched several event types with descriptions, including a remote process opening a handle to lsass and a DLL being reflectively loaded (ReflectiveDllOpenLsass), as well as the lsass process being accessed (ProcessHollowingDetected).
Enrichment showing ReflectiveDllOpenLsass and ProcessHollowingDetected events

Cybereason
Specific Behavior
  
A Specific Behavior alert was generated for svchost.exe reflectively loading a malicious executable, identified as Mimikatz, then accessing lsass. The alert was also tagged with the correct ATT&CK Technique (Process Injection) and Tactics (Defense Evasion, Privilege Escalation). The powerkatz.dll was also seen loaded as floating executable code.
Data within alert showing loaded powerkatz.dll as floating executable code

Endgame
Telemetry
  
Telemetry showed privileged accesses (PROCESS_VM_READ and PROCESS_QUERY_LIMITED_INFORMATION) into lsass.exe.
Telemetry showing process accesses into lsass.exe

FireEye
None
  
No detection capability demonstrated for this procedure.


Microsoft
Telemetry (Tainted)
  
 
Telemetry showed svchost.exe accessing lsass.exe and dumping credentials (tainted by the parent alert on sensitive credential memory read for the first credential dump). Exploit Guard audited the process open and credential extraction events. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode.
Specific Behavior (Delayed)
  
 
A Specific Behavior alert was generated for process injection into lsass.exe.
Specific Behavior alert for process injection into lsass.exe (inner failure message in screenshot not relevant to tested functionality)

Palo Alto Networks
Specific Behavior
  
A Specific Behavior alert was generated for a suspicious handle being opened to lsass.exe. The alert was tagged with a related ATT&CK Technique (Credential Dumping). Vendor stated the capability would have prevented this behavior.
A Specific Behavior alert for a suspicious handle being opened to lsass.exe, tagged with a related ATT&CK Technique (Credential Dumping)

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
None
  
No detection capability demonstrated for this procedure.


Carbon Black
Telemetry
  
Telemetry showed an open handle to a thread into lsass.exe, which is indicative of process injection for credential dumping.
Telemetry showing cross process events, specifically a handle to open thread into lsass.exe

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed a thread create within lsass.exe from svchost.exe, which could be indicative of credential dumping. The telemetry was tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts.
Telemetry showing thread create to lsass.exe (tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts)

CrowdStrike
Specific Behavior (Tainted)
  
 
A second Specific Behavior alert was generated for Credential Dumping, which indicated that "a remote thread in LSASS accessed credential registry keys." The alert was mapped to the correct ATT&CK Technique (Credential Dumping) and Tactic (Credential Access). The process tree view showed the alert as tainted by a parent detection.
Telemetry
  
Telemetry for the lsass remote thread and DLL loading would be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
General Behavior (Delayed, Tainted)
  
  
OverWatch also generated a General Behavior alert indicating the Credential Dumping activity was suspicious. The process tree view showed the alert as tainted by a previous detection. OverWatch is the managed threat hunting service.
Process tree view of Specific Behavior alerts for Credential Dumping and OverWatch General Behavior alert (tainted by previous detection, indicated by the orange line showing medium severity)

Cybereason
Telemetry (Tainted)
  
 
Telemetry showed svchost.exe injecting into lsass.exe. The telemetry was tainted by the parent "injected (svchost.exe > lsass.exe)" alert. The hashdumpx64.dll was also seen loaded as floating executable code.
Telemetry within alert showing loaded hashdumpx64.dll as floating executable code

Endgame
Specific Behavior
  
A Specific Behavior alert was generated for the correct ATT&CK Technique (Credential Dumping).
Specific Behavior alert mapped to the correct ATT&CK Technique (Credential Dumping)

FireEye
None
  
No detection capability demonstrated for this procedure.


Microsoft
Enrichment (Tainted)
  
 
The capability enriched data showing a svchost.exe process opening lsass.exe with a description that it was accessing credentials (tainted by parent process injection event that occurred from svchost.exe). Exploit Guard audited the process open and credential extraction event. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. Vendor stated that Credential Guard can also mitigate this attack if enabled.
Alert for process injection into lsass.exe tainting this event (inner failure message in screenshot not relevant to tested functionality)

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed a code injection into lsass.exe. The telemetry was tainted by a parent process injection alert on cmd.exe.
Specific Behavior
  
A Specific Behavior alert was generated for svchost dumping credentials via the Registry. The alert was tagged with the correct ATT&CK Technique (Credential Dumping).
Specific Behavior alert for svchost dumping credentials via the Registry tagged with the correct ATT&CK Technique (Credential Dumping)

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
None
  
No detection capability demonstrated for this procedure. Vendor states that the capability would normally block credential dumping activity like this, but the mitigation capability was disabled due to the evaluation parameters.


Carbon Black
Telemetry
  
Telemetry showed a new thread and open handle into lsass.exe, which is indicative of process injection for credential dumping.
Specific Behavior
  
A Specific Behavior alert was generated showing the correct ATT&CK Technique (Credential Dumping).
Alert showing correct ATT&CK Technique (Process Injection) within process tree

CounterTack
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for process hijacking based on a thread create within lsass.exe from svchost.exe (tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts). The vendor noted Privilege Escalation is one of ten "Capabilities" that are part of the taxonomy.
General Behavior
  
A General Behavior alert was generated when a DDNA Scan alerted for svchost.exe. The DDNA scan results showed that svchost.exe "appeared to inject code into another process." According to the vendor, DDNA scans trigger due to machine learning scanning in-memory code and identifying that the code is malicious. DDNA output, which is delayed, shows the process capabilities (known as "traits"), which may give an analyst clues on what the process does.
General Behavior alert details on DDNA Scan for svchost.exe, including that it appears to inject code into another process

CrowdStrike
Enrichment
  
The capability enriched several event types with descriptions, including for a remote process opening a handle to lsass and a DLL being reflectively loaded (ReflectiveDllOpenLsass), malicious process hollowing (ProcessHollowingDetected), and a remote process injecting code into lsass (LsassInjectedCode).
Enrichment showing ReflectiveDllOpenLsass, ProcessHollowingDetected, and LsassInjectedCode events

Cybereason
Specific Behavior
  
A Specific Behavior alert was generated for svchost.exe injection into lsass.exe. The alert was mapped to the correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection). The hashdumpx64.dll was also seen loaded as floating executable code.
Data within alert showing loaded hashdumpx64.dll as floating executable code

Endgame
Telemetry (Tainted)
  
 
Telemetry showed multiple privileged accesses (including PROCESS_CREATE_THREAD) into lsass, indicative of Process Injection (tainted by the Process Injection alert).
Specific Behavior
  
A Specific Behavior alert was generated for the correct ATT&CK Technique (Process Injection).
Specific Behavior alert mapped to the correct ATT&CK Technique (Process Injection)

FireEye
None
  
No detection capability demonstrated for this procedure.


Microsoft
Telemetry (Tainted)
  
 
Telemetry showed svchost.exe accessing lsass.exe and dumping credentials (tainted by the parent alert on sensitive credential memory read for the first credential dump). Exploit Guard audited the process open and credential extraction events. Vendor stated the Exploit Guard audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode.
Specific Behavior (Delayed)
  
 
A Specific Behavior alert was generated for process injection into lsass.exe. The alert was rolled up under the prior lsass.exe process injection alert and the last activity seen field was updated.
Specific Behavior alert for process injection into lsass.exe (inner failure message in screenshot not relevant to tested functionality)

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed a code injection into lsass.exe. The telemetry was tainted by a parent process injection alert on cmd.exe.
Telemetry showing a code injection into lsass.exe (tainted by a parent process injection alert on cmd.exe)

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed powershell.exe injecting into svchost.exe (not counted for detection) then invoking a remote thread into lsass.exe. Powershell.exe was listed as the source of the remote thread into lsass.exe instead of svchost.exe because the alert on powershell.exe came before other events and therefore had increased precedence. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Telemetry showing powershell.exe invoking a remote thread into lsass.exe (Group ID tainted this event but was not shown in this view)

Carbon Black
Telemetry
  
Telemetry showed a change in user execution context from Debbie to George between parent and child processes, which is indicative of token manipulation.
Telemetry showing child cmd.exe process running under user context George

CounterTack
None
  
No detection capability demonstrated for this procedure.


CrowdStrike
Telemetry
  
Telemetry showed the compromised process (21898821890) running as Debbie, then children from this process spawning first as Debbie and later as George. This could indicate theft of George's token within the context of the process.
Telemetry showing children of the compromised process (PID 21898821890) first running as Debbie, then as George

Cybereason
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe associated with both users Debbie and George, indicating user context change via token manipulation. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious.
Telemetry within the process tree showing cmd.exe associated with users Debbie and George (tainted by a parent alert on explorer.exe)

Endgame
Specific Behavior
  
A Specific Behavior alert was generated for Privilege Escalation based on rundll32.exe, running as Debbie, spawning cmd.exe as George, which indicated a possible stolen token. The alert was mapped to the correct ATT&CK Technique (T1134 - Access Token Manipulation) and Tactics (Privilege Escalation, Defense Evasion).
Telemetry (Tainted)
  
 
Telemetry showed the user change between the parent and child processes rundll32.exe and cmd.exe (tainted by the Privilege Escalation alert).
Telemetry showing the cmd.exe that spawned as user George from rundll32.exe running as user Debbie (tainted by parent Privilege Escalation alert)

FireEye
Telemetry
  
Telemetry showed a process (net.exe) executed during Step 4 as user Debbie and a subsequent process (reg.exe) executed during Step 6 as user George, indicating a change in user context from a stolen token.
Telemetry showing the user George executing reg.exe with command-line arguments during Step 6

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed svchost.exe as a high integrity process running as SYSTEM and a subsequent cmd.exe process running as user George (tainted by the parent alert on suspicious process injection into lsass.exe). Svchost.exe was executed with the seclogon command-line argument, indicating token manipulation.
Alert for suspicious process injection showing tainted association via a process tree containing subsequent cmd.exe processes (inner failure message in screenshot not relevant to tested functionality)

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed a cmd.exe associated with user Debbie spawn a cmd.exe associated with user George, indicating user context change via token manipulation. The telemetry was tainted by a parent process injection alert on cmd.exe.
Telemetry showing a cmd.exe associated with user Debbie spawn a cmd.exe associated with user George, indicating user context change via token manipulation (tainted by a parent process injection alert on cmd.exe)

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
None
  
No detection capability demonstrated for this procedure.


Carbon Black
Telemetry
  
Telemetry showed cmd.exe executing reg.exe with command-line arguments.
Enrichment
  
The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry).
Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry)

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing reg.exe with command-line arguments. Telemetry also showed that two PIPEs were created as a result of reg.exe execution. The telemetry was tainted by the parent "Powershell process created" alert.
Telemetry showing PIPEs created (tainted by the parent "Powershell process created" alert)

CrowdStrike
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by the parent cmd.exe process.
General Behavior (Delayed, Tainted)
  
  
OverWatch generated a General Behavior alert indicating the reg query command was suspicious. The alert was tainted by the parent cmd.exe process. OverWatch is the managed threat hunting service.
OverWatch General Behavior alert identifying reg query as suspicious as well as reg.exe process (tainted by previous detection by orange line indicating medium severity)

Cybereason
Telemetry (Tainted)
  
 
Telemetry showed reg.exe executing with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert.
Telemetry showing reg.exe executing with command-line arguments (tainted by a parent Injected Shellcode alert)

Endgame
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent Process Injection alert.
Event tree view of telemetry showing reg with command-line arguments (tainted by parent Process Injection alert)

FireEye
Enrichment
  
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery). An alert was also generated for a File Write To Named Pipe (Weak Signal) for reg.exe.
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified reg.exe as a reconnaissance command to enumerate a Registry key on the host Conficker to determine the configuration of its Windows Terminal Server service. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about reg query

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence of reg.exe executing with command-line arguments. The telemetry was tainted by the relationship to prior rundll32.exe activity based on process injection alert context.
Process tree view of suspicious process injection alert on lsass.exe showing tainted relationship to reg.exe (inner failure message in screenshot not relevant to tested functionality)

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent process injection alert on cmd.exe.
Enrichment (Tainted)
  
 
The capability enriched the execution of reg.exe as querying a remote key. The data was tainted by a parent process injection alert on cmd.exe.
Enrichment
  
The capability enriched reg.exe executing with the correct ATT&CK Technique (Query Registry).
Enrichment of reg.exe executing with the correct ATT&CK Technique (Query Registry)

RSA
Telemetry
  
Telemetry showed cmd.exe executing reg.exe with command-line arguments.
Telemetry showing reg.exe with command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Telemetry showing cmd.exe executing reg with command-line arguments (tainted by relationship to rundll32 parent process linked by Group ID but not shown in this view)

Carbon Black
Telemetry
  
Telemetry showed network connections over TCP port 80 to 192.168.0.4 (C2 server).
Enrichment
  
The capability enriched the network connections from rundll32.exe with the correct ATT&CK Technique (T1043 - Commonly Used Port).
Enrichment of rundll32.exe TCP port 80 network connections with correct ATT&CK Technique (T1043 - Commonly Used Port)

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed an outbound network connection from rundll32.exe to 192.168.0.4 (C2 server) over TCP port 80. The telemetry was tainted by the parent "Sponsor Process Established Network Connection" alert.
Telemetry showing outbound traffic to 192.168.0.4 (C2 server) over TCP port 80 (tainted by parent "Sponsor Process Established Network Connection" alert)

CrowdStrike
Telemetry
  
Telemetry showed a connection over TCP port 80 to 192.168.0.4 (C2 server).
Telemetry showing TCP port 80 connection to 192.168.0.4 (C2 server)

Cybereason
Enrichment (Tainted)
  
 
The capability enriched rundll32.exe opening a connection to the C2 server over an "HTTP port" with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port). The data was tainted by a parent Injected Shellcode alert.
Telemetry (Tainted)
  
 
Telemetry showed rundll32.exe opening a connection over port 80. The telemetry was tainted by a parent Injected Shellcode alert listed as the owner process.
Telemetry showing rundll32.exe opening a connection over port 80 (tainted by a parent Injected Shellcode alert, listed as Owner process)

Endgame
Telemetry (Tainted)
  
 
Telemetry showed a TCP port 80 connection from rundll32.exe to 192.168.0.4 (C2 server). The telemetry was tainted by a parent Malicious File Detection alert.
Telemetry showing port 80 traffic (tainted by the parent Malicious File Detection alert)

FireEye
Telemetry
  
Telemetry showed a connection over port 80 to 192.168.0.4 (C2 server).
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it identified C2 communication over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain). Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report identifying C2 traffic communicating over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) (General Behavior)

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for rundll32.exe opening a connection to 192.168.0.4 (C2 server) over port 80. The telemetry was tainted by the relationship to the previous alert on unexpected behavior originating from rundll32.exe.
Incident graph from "Unexpected process behavior" alert (resulting from rundll32.exe) showing tainted network connection

Palo Alto Networks
Telemetry
  
Telemetry showed port 80 command and control traffic. Vendor stated that more information would be available if their firewall appliance was installed and activated.
Telemetry showing port 80 command and control traffic

RSA
Telemetry
  
Telemetry showed connections over TCP port 80 to freegoogleadsenseinfo.com (C2 domain).
Telemetry showing TCP port 80 connections to freegoogleadsenseinfo.com (C2 domain)

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed a port 80 connection to 192.168.0.4 (C2 server) that was associated with the rundll32 parent process. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Telemetry showing port 80 connection to 192.168.0.4 (C2 server) (tainted by relationship to rundll32 parent process linked by Group ID but not shown in this view)

Carbon Black
Telemetry
  
Telemetry showed network connections over TCP port 80 as well as a modload showing winhttp.dll was loaded, which an analyst could use to determine HTTP was used.
Telemetry showing network connection over TCP port 80 to the C2 domain (could be used in conjunction with modload to determine protocol)

CounterTack
Telemetry
  
Telemetry showed an outbound HTTP request to www.freegoogleadsenseinfo.com (C2 domain).
Telemetry showing outbound C2 traffic over HTTP to www.freegoogleadsenseinfo.com (C2 domain)

CrowdStrike
None
  
No detection capability demonstrated for this procedure, though telemetry showed a connection to 192.168.0.4 (C2 server) on port 80 (no detection showed HTTP specifically).


Cybereason
Enrichment (Tainted)
  
 
The capability enriched rundll32.exe opening an unusual network connection to the C2 server over port 80 (the "HTTP port"). The data was tagged with the correct ATT&CK Tactic (Command and Control) and Technique (Standard Application Layer Protocol), and also showed the amount of transmitted/received bytes as well as that the winhttp.dll module was loaded (which an analyst could use to determine HTTP was used). The data was tainted by a parent Injected Shellcode alert.
Enrichment of rundll32.exe showing winhttp.dll module loaded (tainted by a parent Injected Shellcode alert)

Endgame
None
  
No detection capability demonstrated for this procedure, though telemetry showed a connection to port 80 (no detection showed HTTP specifically).


FireEye
Telemetry
  
Telemetry showed HTTP GET requests over port 80 to 192.168.0.4 (C2 server).
General Behavior (Delayed)
  
 
The Managed Defense Report indicated a General Behavior occurred because it identified C2 communication over HTTP to www.freegoogleadsenseinfo.com (C2 domain). Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.  
Excerpt from the Managed Defense Report identifying C2 traffic communicating over HTTP to www.freegoogleadsenseinfo.com (C2 domain) (General Behavior)

Microsoft
None
  
No detection capability demonstrated for this procedure, though telemetry showed a connection to port 80 (no detection showed HTTP specifically).


Palo Alto Networks
Telemetry
  
Telemetry showed port 80 command and control traffic as well as the loading of winhttp.dll, which an analyst could use to determine HTTP was used.
Telemetry showing port 80 command and control traffic as well as the loading of winhttp.dll

RSA
None
  
No detection capability demonstrated for this procedure, though telemetry showed a connection to TCP port 80 (no detection showed HTTP specifically).


Sentinel One
None
  
No detection capability demonstrated for this procedure. Telemetry showed a connection to port 80 (no detection showed HTTP specifically).


Carbon Black
Telemetry
  
Telemetry showed separate network connections over TCP port 80 and UDP port 53, which could indicate multiband communication.
Telemetry showing network connection over UDP port 53

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed C2 traffic was over TCP port 80 as well as earlier traffic over DNS, which could indicate multiband communication. The HTTP telemetry over TCP port 80 was tainted by the parent "Sponsor Process Established Network Connection" alert.
Telemetry showing DNS queries to freegoogleadsenseinfo.com (C2 domain) from svchost.exe

CrowdStrike
Telemetry (Tainted)
  
 
Telemetry showed connections over both DNS and TCP port 80, which could indicate multiband communication. The DNS connections were tainted by a parent Exfiltration alert.
Telemetry showing TCP port 80 connection to 192.168.0.4 (C2 server)

Cybereason
Telemetry (Tainted)
  
 
Telemetry showed the same rundll32.exe opening a connection over port 80 while making DNS queries to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Injected Shellcode alert listed as the owner process.
Telemetry showing the same rundll32.exe opening a connection over port 80 while making DNS queries to freegoogleadsenseinfo.com (C2 domain) (tainted by a parent Injected Shellcode alert, listed as Owner process)

Endgame
Telemetry (Tainted)
  
 
Telemetry showed connections over DNS as well as over port 80, which could indicate multiband communication. The telemetry was tainted by a parent Malicious File Detection alert.
Telemetry showing port 80 traffic (tainted by parent Malicious File Detection alert)

FireEye
Telemetry
  
Telemetry showed a combination of both DNS requests as well as HTTP requests, which could indicate multiband communication.
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified C2 communication over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) in addition to the ongoing DNS C2. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report identifying C2 traffic communicating over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) in addition to the ongoing DNS C2 (Specific Behavior)

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed an execution sequence for rundll32.exe opening a connection to 192.168.0.4 (C2 server) over port 80, and prior activity showed DNS traffic to the same C2 IP address, which could indicate multiband communication. The port 80 telemetry was tainted by the relationship to the previous alert on unexpected behavior originating from rundll32.exe. 
Telemetry showing DNS traffic to C2 domain

Palo Alto Networks
Telemetry
  
Telemetry showed command and control traffic for both ports 80 and 53.
Telemetry showing ports 80 and 53 command and control traffic

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed port 80 connections to 192.168.0.4 (C2 server) and DNS requests for freegoogleadsenseinfo.com (C2 domain), which could indicate multiband communication. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Telemetry showing DNS query to C2 domain (tainted by relationship to threat story shown in Group ID)

Carbon Black
Telemetry
  
Telemetry showed a connection to 10.0.0.5 (Conficker) over TCP port 3389 as well as rdpclip.exe executing.
Enrichment
  
The capability enriched the rdpclip.exe events with the correct ATT&CK Technique (Remote Desktop Protocol).
Enrichment of rdpclip.exe events with correct ATT&CK Technique (Remote Desktop Protocol)

CounterTack
Enrichment (Configuration Change, Tainted)
  
  
The capability showed cmd.exe creating an outbound TCP port 3389 (RDP) connection from Nimda and enriched the connection with the conditions Lateral Movement and Remote Share Access. The enrichment was tainted by the parent "Windows command prompt invoked" alert. At least one condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See Configuration page for details.
Telemetry
  
Telemetry also identified an inbound connection to Conficker over TCP port 3389.
Telemetry showing inbound TCP port 3389 connection to 10.0.0.5 (Conficker)

CrowdStrike
Telemetry
  
Telemetry showed a connection for logon type 10 (interactive logon) and a connection to 10.0.0.5 (Conficker) over TCP port 3389.
General Behavior (Delayed)
  
 
The OverWatch team sent an email indicating a General Behavior was observed because they identified suspicious communications over port 3389 (RDP) to other hosts. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating suspicious communications over 3389 (RDP) were observed (General Behavior)

Cybereason
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) with Remote Interactive Logon Type. The telemetry was tainted by a parent Injected Shellcode alert listed as the owner process. Telemetry also showed rdpclip.exe executing on 10.0.0.5 (Conficker).
Telemetry showing rdpclip.exe executing on 10.0.0.5 (Conficker)

Endgame
Telemetry (Tainted)
  
 
Telemetry showed a connection over port 3389 to 10.0.0.5 (Conficker) as well as a Type 10 (interactive remote) login event by user George on Conficker. The port 3389 telemetry was tainted by a parent Process Injection alert.
Telemetry showing Type 10 (interactive remote) login event by user George on Conficker

FireEye
Enrichment
  
The capability enriched the RDP connection from rundll32.exe with an alert for RDP Network Connection (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1076 - Remote Desktop Protocol) and Tactic (Lateral Movement).
Enrichment of RDP connection from rundll32.exe with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - Remote Desktop Protocol, and Tactic, Lateral Movement)

Microsoft
Telemetry
  
Telemetry showed the execution sequence for cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker). Logon activity over the last 30 days on Conficker shows George with a logon type 10 RemoteInteractive logon event. Telemetry also showed George logged into Conficker and displayed a movement graph of activity from user account Debbie to George.
Graph showing movement from Debbie account to George

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker). The telemetry was tainted by a parent process injection alert on cmd.exe.
General Behavior (Tainted)
  
 
A General Behavior alert was generated for an unexpected process using the RDP port. The data was tainted by a parent process injection alert on cmd.exe.
General Behavior alert for an unexpected process using the RDP port (tainted by a parent process injection alert on cmd.exe)

RSA
Telemetry
  
Telemetry showed cmd.exe connecting to 10.0.0.5 (Conficker) over port 3389.
Telemetry showing cmd.exe connecting over port 3389 (RDP) to 10.0.0.5 (Conficker)

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed a port 3389 connection. The telemetry was tainted by the activity seen during the privilege escalation step because it was associated with the same story (Group ID).
Telemetry showing port 3389 connection (tainted by relationship to threat story shown in Group ID)

Carbon Black
Telemetry
  
Telemetry showed Registry modification events related to the creation of the user account Jesse.
Enrichment (Configuration Change)
  
 
The capability enriched lsass.exe with the tag "Create Accounts using GUI". The enrichment was added as a configuration change during the action and was not part of the original set of detections when the evaluation started.
Enrichment of lsass.exe with tag "Create Accounts using GUI"

CounterTack
Specific Behavior (Configuration Change)
  
 
A Specific Behavior alert named "New user account created" was generated based on the Registry change identifying that the new user Jesse was created. A child event of the alert indicated that the account had been added to the local admins group (but did not identify the account creation specifically). This alert was added to the capability's detection after the start of the evaluation, so the detection is identified as a configuration change. See Configuration page for details.
Child event of Specific Behavior alert showing new account added to local admins group

CrowdStrike
Telemetry
  
Telemetry showed the creation of the user Jesse and the user being added to the domain admin group.
Telemetry showing group membership of the user Jesse, including Remote (0000022B), Admins (00000220), and Users (00000221), which are well-known security identifiers

Cybereason
Telemetry
  
Telemetry showed lsass.exe creating a Registry key for user Jesse, indicating that the user is new.
Telemetry showing lsass.exe creating a Registry key for user Jesse

Endgame
None
  
No detection capability demonstrated for this procedure.


FireEye
Telemetry
  
Telemetry from Conficker showed the creation of the new user Jesse.
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified the creation of a local user account for Jesse on Conficker. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report showing the creation of the user Jesse (Specific Behavior)

Microsoft
Telemetry (Configuration Change)
  
 
Telemetry showed data for the creation of account Jesse after a configuration change to enable collection of event ID 4720. Visibility of account creation data was verified in retesting at the end of the evaluation after the vendor adjusted the data collection configuration.
Telemetry showing creation of user account Jesse

Palo Alto Networks
Telemetry
  
Telemetry showed mmc.exe creating a Registry key for user Jesse, indicating that the user is new.
Enrichment
  
The capability enriched the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Create Account).
Enrichment of the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Create Account)

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
Telemetry
  
Telemetry showed the creation of the user Jesse, which was noted from SAM Registry events.
Telemetry showing creation of user account Jesse

Carbon Black
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
Telemetry showing mmc.exe running lusrmgr.msc

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in) (tainted by the parent "LSA Registry Key modified" alert).
Telemetry showing mmc.exe process executing lusrmgr.msc (tainted by the parent "LSA Registry Key modified" alert)

CrowdStrike
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
Telemetry showing mmc.exe running lusrmgr.msc

Cybereason
Telemetry
  
Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
Telemetry showing lusrmgr.msc running from mmc.exe

Endgame
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
Telemetry showing mmc.exe running lusrmgr.msc

FireEye
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
Telemetry showing mmc.exe spawning lusrmgr.msc

Microsoft
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
Telemetry showing mmc.exe running lusrmgr.msc

Palo Alto Networks
Telemetry
  
Telemetry showed mmc.exe, the Microsoft Management Console, executing the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information.
Enrichment
  
The capability enriched the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Graphical User Interface).
Enrichment of the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Graphical User Interface)

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
None
  
No detection capability demonstrated for this procedure.


Carbon Black
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information.
Telemetry showing mmc.exe running lusrmgr.msc

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information. The telemetry was tainted by the parent "LSA Registry Key modified" alert.
Telemetry showing mmc.exe running lusrmgr.msc (tainted by the parent "LSA Registry Key modified" alert) 

CrowdStrike
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information.
Telemetry showing mmc.exe running lusrmgr.msc

Cybereason
Telemetry
  
Telemetry showed mmc.exe, the Microsoft Management Console, executing the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information.
Telemetry showing lusrmgr.msc running from mmc.exe

Endgame
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information.
Telemetry showing mmc.exe running lusrmgr.msc

FireEye
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information.
Telemetry showing mmc.exe running lusrmgr.msc

Microsoft
Telemetry
  
Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in) which displays local account information.
Telemetry showing mmc.exe running lusrmgr.msc

Palo Alto Networks
Telemetry
  
Telemetry showed mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in).
Enrichment
  
The capability enriched mmc.exe, the Microsoft Management Console, executing the GUI-based lusrmgr.msc (Local Users and Groups snap-in) as reconnaissance via the MMC utility with local users and groups view.
Enrichment of mmc.exe as reconnaissance via the MMC utility with local users and groups view

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
None
  
No detection capability demonstrated for this procedure.


Carbon Black
Telemetry
  
Telemetry showed file modification events indicating updater.dll being created and written to disk.
Telemetry showing updater.dll written to disk

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed creation of updater.dll. The telemetry was tainted by the parent "Powershell process created" alert.
Telemetry showing creation of updater.dll (tainted by the parent "Powershell process created" alert)

CrowdStrike
Telemetry (Tainted)
  
 
Telemetry showed the file write for updater.dll into the system32 folder by user George. The telemetry was tainted by the parent "unexpected process" alert.
Additional telemetry showing file write for updater.dll

Cybereason
Telemetry (Tainted)
  
 
Telemetry showed the creation of updater.dll. Telemetry was tainted by a parent alert on cmd.exe (listed as the owner process) generated based on updater.dll being detected as known malware.
Parent alert for updater.dll being detected as known malware

Endgame
Telemetry (Tainted)
  
 
Telemetry showed the creation of updater.dll (tainted by the parent Malicious File Detection alert).
Telemetry showing creation of updater.dll (tainted by parent Malicious File Detection alert)

FireEye
Enrichment
  
The capability enriched updater.dll being written by cmd.exe with an alert for CMD File Write (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1105 - Remote File Copy) and a related ATT&CK Technique (T1059 - Command-Line Interface) and Tactic (Execution). 
Telemetry (Tainted)
  
 
Telemetry showed the file write for updater.dll into the system32 folder. The telemetry was tainted by the parent AV signature alert for updater.dll.
Telemetry showing updater.dll file write (tainted by parent AV signature alert)

Microsoft
Telemetry
  
Telemetry showed cmd.exe writing updater.dll to disk.
Telemetry showing file write of updater.dll

Palo Alto Networks
Telemetry
  
Telemetry showed the file create event for updater.dll.
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for a script engine creating/writing a DLL in the system32 folder. The alert was tainted by a parent process injection alert on cmd.exe.
Specific Behavior
  
A Specific Behavior alert was generated for a Windows scripting engine creating an executable on disk.
Specific Behavior alert for a Windows scripting engine creating an executable on disk

RSA
Telemetry
  
Telemetry showed file write of updater.dll.
Telemetry showing file write event of updater.dll

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed file write of updater.dll. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Telemetry showing file write of updater.dll (tainted by relationship to threat story)

Carbon Black
Telemetry
  
Telemetry showed the process tree containing schtasks.exe as well as the full command-line arguments.
Specific Behavior
  
A Specific Behavior alert was generated mapped to the correct ATT&CK Technique (T1053 - Scheduled Task).
Specific Behavior alert mapped to correct ATT&CK Technique (T1053 - Scheduled Task)

CounterTack
Specific Behavior
  
A Specific Behavior alert called "Schtasks with create command" was generated due to a schtasks.exe process create from cmd.exe.
Telemetry
  
Telemetry within the Schtasks alert showed a process creation of schtasks.exe from cmd.exe; the telemetry behind the alert is also available in a separate view in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance.
Specific Behavior alert on "Schtasks with create command" for schtasks.exe run from cmd.exe

CrowdStrike
Telemetry
  
Telemetry showed the creation of the scheduled task.
General Behavior (Delayed, Tainted)
  
  
OverWatch generated a General Behavior alert indicating the creation of the scheduled task was suspicious. The process tree view showed the alert as tainted by a previous cmd.exe detection. OverWatch is the managed threat hunting service.
Specific Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a Specific Behavior was observed because a scheduled task was created for persistence. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from OverWatch team indicating they observed a scheduled task establishing persistence (Specific Behavior)

Cybereason
Enrichment
  
The capability enriched schtasks.exe creating the Resume Viewer Update Checker scheduled task as reboot persistence and as SYSTEM. The data was also mapped to the correct ATT&CK Tactic (Persistence).
Telemetry
  
Telemetry showed the Resume Viewer Update Checker scheduled task.
Telemetry showing the Resume Viewer Update Checker scheduled task

Endgame
Enrichment
  
The capability enriched data from a hunt for persistence via scheduled task, which showed the "Resume Viewer Update Checker" scheduled task.
Telemetry (Tainted)
  
 
Telemetry showing creation of the scheduled task was also visible in an event tree (tainted by parent Malicious File Detection alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed, Tainted)
  
  
The capability enriched the event tree with the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence) (tainted by parent Malicious File Detection alert). Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Specific Behavior (Tainted)
  
 
A Specific Behavior alert for "Persistence-Scheduled Task Creation" was generated (tainted by parent Malicious File Detection alert).  The alert was also mapped to the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence).
Specific Behavior alert for scheduled task creation mapped to correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence) (tainted by parent Malicious File Detection alert)

FireEye
Enrichment
  
The capability enriched schtasks.exe with an alert for Scheduled Task Activity (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactics (Execution, Persistence, and Privilege Escalation).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that updater.dll persisted through the creation of a scheduled task. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report with additional details about the scheduled task (Specific Behavior)

Microsoft
Telemetry
  
Telemetry showed cmd.exe registering the "Resume Viewer Update Checker" scheduled task.
Specific Behavior (Delayed)
  
 
A delayed Specific Behavior alert was generated on a low-reputation DLL persisting through a scheduled task.
Alert for low-reputation DLL persisting through rundll32.exe as a scheduled task

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed schtasks.exe creating the Resume Viewer Update Checker scheduled task as reboot persistence and as SYSTEM. The telemetry was tainted by a parent process injection alert on cmd.exe.
Specific Behavior (Tainted)
  
 
A Specific Behavior alert was generated for a commonly abused host process scheduling a task. The alert was tainted by a parent process injection alert on cmd.exe. Vendor stated the capability would have prevented the creation of the scheduled task.
Enrichment
  
The capability enriched schtasks.exe creating the Resume Viewer Update Checker scheduled task with the correct ATT&CK Technique (Scheduled Task).
Enrichment of schtasks.exe creating the Resume Viewer Update Checker scheduled task with the correct ATT&CK Technique (Scheduled Task)

RSA
Telemetry
  
Telemetry showed the execution of schtasks.exe as well as the full command-line arguments.
Telemetry showing schtasks.exe and its command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed execution of schtasks.exe and associated command-line arguments. The activity seen during the initial compromise step tainted the event because it was associated with the same story (Group ID).
Telemetry showing schtasks.exe and associated command-line arguments (tainted by relationship to threat story)

Carbon Black
Telemetry
  
Telemetry showed cmd.exe executing dir with command-line arguments.
Enrichment
  
The capability enriched cmd.exe with the correct ATT&CK Technique (T1083 - File and Directory Discovery).
Enrichment of cmd.exe with correct ATT&CK Technique (T1083 - File and Directory Discovery)

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed that svchost.exe created cmd.exe, which executed dir. The telemetry was tainted by the parent "Powershell process created" alert.
Telemetry showing dir with command-line arguments (tainted by the parent "Powershell process created" alert)

CrowdStrike
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe running dir. The process tree view showed the cmd.exe process that ran dir as tainted by a prior detection.
Process tree view showing cmd.exe that ran dir (dir not specifically shown, cmd.exe is second from top and tainted by previous detection by orange line indicating medium severity)

Cybereason
Enrichment (Tainted)
  
 
The capability enriched cmd.exe executing dir with command-line arguments with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery). The data was tainted by a parent Injected Shellcode alert.
Telemetry
  
Telemetry showed cmd.exe executing dir with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Enrichment of cmd.exe executing the dir with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery) (tainted by a parent Injected Shellcode alert)

Endgame
Telemetry (Tainted)
  
 
Telemetry within an event tree (tainted by a parent Malicious File Detection) showed cmd.exe executing dir with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed, Tainted)
  
  
The capability enriched dir with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery). The enrichment was also tainted by a parent Malicious File Detection. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.  
Enriched event tree showing enrichment of dir with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery) (tainted by parent Malicious File Detection, tree is initially available unenriched to show the base telemetry)

FireEye
Enrichment
  
The capability enriched cmd.exe executing dir with an alert for Dir Command (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery).
Enrichment of cmd.exe executing dir with Dir Command alert (tagged with correct ATT&CK Technique, T1083 - File and Directory Discovery, and Tactic, Discovery)

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for cmd.exe executing dir with command-line arguments. The telemetry was tainted by a prior alert on rundll32.exe being executed without command-line arguments.
Process tree view of rundll32.exe "Unexpected behavior from process run with no command-line arguments" alert that tainted dir (dir command not shown)

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing dir with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment (Tainted)
  
 
The capability enriched cmd.exe executing dir with command-line arguments as the execution of the dir command on a network location. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment
  
A General Behavior alert was generated for a commonly abused process (cmd.exe) spawning out of rundll32.exe. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment of cmd.exe executing dir with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery)

RSA
Telemetry
  
Telemetry showed cmd.exe executing dir with command-line arguments.
Telemetry showing cmd.exe executing dir with command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing dir with command-line arguments. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID).
Telemetry showing cmd.exe executing dir with command-line arguments (tainted by relationship to threat story)
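The "tainted" label used throughout these results is a property of the process tree rather than of the dir command itself: the telemetry inherits suspicion from an alert on an ancestor (rundll32.exe run without arguments, the Resume Viewer.exe chain) or, for Sentinel One, from membership in the same story (Group ID). The Python below is an added example, not part of the MITRE evaluation or any vendor's product, that builds a process tree from constructed process-creation events, attaches an alert to one ancestor, and propagates taint down to the discovery commands; the pids, paths and alert string are assumptions chosen to mirror the chain described above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed process-creation events (pid, ppid, image, command line); not vendor telemetry.
# They mirror the chain in this step: rundll32.exe (no arguments) -> cmd.exe -> dir / tree.
PROCESS_EVENTS = [
    (100, 1,   "explorer.exe", "C:\\Windows\\explorer.exe"),
    (200, 100, "rundll32.exe", "rundll32.exe"),                        # alert: no command-line arguments
    (300, 200, "cmd.exe",      "cmd.exe"),
    (301, 300, "cmd.exe",      "cmd.exe /c dir \\\\fileserver\\share"),
    (302, 300, "tree.com",     "tree.com C:\\Users\\Debbie /f"),
    (400, 100, "notepad.exe",  "notepad.exe"),                         # unrelated sibling: must stay clean
]

# Constructed alerts keyed by pid, standing in for a vendor's own detection logic (assumption).
ALERTS = {200: "Unexpected behavior from process run with no command-line arguments"}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    alerts: List[str] = field(default_factory=list)
    tainted_by: Optional[int] = None  # pid of the nearest ancestor that carries an alert


def build_tree(events, alerts) -> Dict[int, Proc]:
    """Index processes by pid and attach any alerts raised directly on them."""
    procs = {pid: Proc(pid, ppid, image, cmdline) for pid, ppid, image, cmdline in events}
    for pid, message in alerts.items():
        procs[pid].alerts.append(message)
    return procs


def nearest_alerting_ancestor(procs: Dict[int, Proc], pid: int) -> Optional[int]:
    """Walk the parent chain (excluding pid itself); return the first ancestor with an alert, else None."""
    seen = set()
    cur = procs[pid].ppid
    while cur in procs and cur not in seen:   # stop at the root (unknown ppid) or on a malformed cycle
        seen.add(cur)
        if procs[cur].alerts:
            return cur
        cur = procs[cur].ppid
    return None


def propagate_taint(procs: Dict[int, Proc]) -> Dict[int, Proc]:
    """Taint every process that has an alerting ancestor; the alerting process itself is not 'tainted'."""
    for p in procs.values():
        p.tainted_by = nearest_alerting_ancestor(procs, p.pid)
    return procs


def classify(procs: Dict[int, Proc], pid: int) -> str:
    """Label a process the way this page does: an alert, plain telemetry, or telemetry tainted by an ancestor."""
    p = procs[pid]
    if p.alerts:
        return "Alert"
    return "Telemetry (Tainted)" if p.tainted_by is not None else "Telemetry"


if __name__ == "__main__":
    tree = propagate_taint(build_tree(PROCESS_EVENTS, ALERTS))
    for p in tree.values():
        origin = f" <- pid {p.tainted_by} ({tree[p.tainted_by].image})" if p.tainted_by else ""
        print(f"{p.pid:>4} {p.image:<13} {classify(tree, p.pid)}{origin}")
```

Strict ancestry is only one way a product decides what is tainted: Sentinel One's story (Group ID) grouping, described above, can taint telemetry that is not a descendant of the alerting process, so an analyst comparing vendors should check which relationship each product uses before reading "tainted" as "child of an alert".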

Carbon Black
Telemetry
  
Telemetry showed cmd.exe executing tree.com with command-line arguments.
Enrichment
  
The capability enriched tree.com with the correct ATT&CK Technique (T1083 - File and Directory Discovery).
Enrichment of tree.com with correct ATT&CK Technique (T1083 - File and Directory Discovery)

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed that svchost.exe created cmd.exe, which executed tree with command-line arguments. The telemetry was tainted by the parent "Powershell process created" alert.
Telemetry showing tree with command-line arguments (tainted by the parent "Powershell process created" alert)

CrowdStrike
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe running tree with command-line arguments. The process tree view also showed the cmd.exe that was the parent for tree.com as tainted by a prior detection.
General Behavior (Delayed, Tainted)
  
  
OverWatch generated a General Behavior alert indicating tree.com was suspicious. The process tree view showed the alert as tainted by a previous cmd.exe detection. OverWatch is the managed threat hunting service.
General Behavior (Delayed)
  
 
The OverWatch team also sent an email indicating a General Behavior was identified because tree was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating tree was a reconnaissance command (General Behavior)

Cybereason
Enrichment (Tainted)
  
 
The capability enriched cmd.exe executing tree with command-line arguments with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery). The data was tainted by a parent Injected Shellcode alert.
Telemetry
  
Telemetry showed cmd.exe executing tree with command-line arguments. The telemetry behind each enrichment is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance.
Enrichment of cmd.exe executing tree with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery) (tainted by a parent Injected Shellcode alert)

Endgame
Telemetry (Tainted)
  
 
Telemetry within an event tree (tainted by a parent Malicious File Detection) showed cmd.exe executing tree with command-line arguments. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enrichment (Delayed, Tainted)
  
  
The capability enriched tree with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery). The enrichment was also tainted by a parent Malicious File Detection. Telemetry is immediately available within the event tree and then can be enriched with ATT&CK Techniques and Tactics, so this is counted as two detections.
Enriched event tree showing enrichment of tree with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery) (tainted by parent Malicious File Detection, tree is initially available unenriched to show the base telemetry)

FireEye
Enrichment
  
The capability enriched cmd.exe executing tree with an alert for Tree Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker performed a directory listing of the contents of Debbie's user profile directory. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from Managed Defense Report showing additional details about tree

Microsoft
Telemetry (Tainted)
  
 
Telemetry showed the execution sequence for cmd.exe executing tree.com with command-line arguments. The telemetry was tainted by a prior alert on rundll32.exe being executed without command-line arguments.
Process tree view of rundll32.exe "Unexpected behavior from process run with no command-line arguments" alert that tainted tree (tree command not shown)

Palo Alto Networks
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing tree with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment
  
The capability enriched cmd.exe executing tree with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery).
Enrichment of cmd.exe executing tree with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery)

RSA
Telemetry
  
Telemetry showed cmd.exe executing tree with command-line arguments.
Telemetry showing cmd.exe executing tree with command-line arguments

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed cmd.exe executing tree with command-line arguments. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID).
Telemetry showing cmd.exe executing tree with command-line arguments (tainted by relationship to threat story)

Carbon Black
None
  
No detection capability demonstrated for this procedure.


CounterTack
None
  
No detection capability demonstrated for this procedure.


CrowdStrike
None
  
No detection capability demonstrated for this procedure.


Cybereason
None
  
No detection capability demonstrated for this procedure.


Endgame
None
  
No detection capability demonstrated for this procedure.


FireEye
None
  
No detection capability demonstrated for this procedure.


Microsoft
None
  
No detection capability demonstrated for this procedure.


Palo Alto Networks
Enrichment (Tainted)
  
 
The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The process tree showing the taint relationship is visible within the same UI but did not fit within the captured frame.
Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
None
  
No detection capability demonstrated for this procedure.


Carbon Black
None
  
No detection capability demonstrated for this procedure. The vendor indicated that CB Defense sees applicable API calls, but that product was not included in the evaluation.


CounterTack
None
  
No detection capability demonstrated for this procedure, though telemetry showed a remote thread being created from cmd.exe in explorer.exe. The vendor noted that if a user determined the process creation was suspicious, the user could manually kick off a DDNA scan from the Command-Line Interface (CLI) view by using the Process ID (PID).
DDNA JSON output from PID 11252 showing process capabilities (does not count as a detection)

CrowdStrike
None
  
No detection capability demonstrated for this procedure, though telemetry showed explorer.exe injecting from a known beacon (does not detect input capture specifically).
Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890) (does not count as a detection)

Cybereason
None
  
No detection capability was available, though an alert was generated based on a chain of injections caused by process injection of powershell.exe to cmd.exe then explorer.exe. Data within the alert showed the loaded keyloggerx64.dll module, and additional data showed the memory address and size of the module within explorer.exe.
Alert showing keyloggerx64.dll module loaded into explorer.exe, including memory address and size (does not count as a detection)

Endgame
None
  
No detection capability demonstrated for this procedure, though strings were pulled from a Process Injection alert, which identified functionality of code to indicate keylogging, but no proof of execution was identified.
Strings output extracted from Process Injection alert, showing key definitions typically associated with a keylogger, but no evidence of execution (does not count as a detection)

FireEye
None
  
No detection capability demonstrated for this procedure.


Microsoft
Telemetry (Configuration Change)
  
 
Telemetry showed events indicating "explorer.exe is reading user keystrokes." The vendor stated that Input Capture telemetry is captured but it was not immediately visible in the user portal. The vendor made changes to the portal during the test to enable the visibility of these events. Telemetry also showed cmd.exe injecting into explorer.exe to facilitate the keylogging, but this did not identify input capture specifically so was not counted as a detection.
Specific Behavior (Delayed)
  
 
A delayed Specific Behavior alert was generated on "Possible keylogging activity" against explorer.exe.
Specific Behavior alert for "Possible keylogging activity" against explorer.exe

Palo Alto Networks
Enrichment
  
The capability enriched the execution of a specific API call as keylogging and suspicious activity. Though it does not count as a detection, the capability also showed code and hook injections into explorer.exe.
Telemetry showing hook injection from explorer.exe (does not count as a detection)

RSA
None
  
No detection capability demonstrated for this procedure, though a floating code "IIOC" module alerted with an elevated risk score for DLL injection. An analyst could explore the module and observe the keylogger aggressor script, but this only showed that a keylogger capability was potentially present, not that execution occurred.
Floating Code module output showing keylogger key definitions (does not count as a detection)

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed GetAsyncKeyStateApi, which was indicative of keylogging. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID). Vendor stated log files indicate the powershell process was using the SSL cache folder.
Telemetry showing process injection into explorer.exe (does not count as a detection)

Carbon Black
None
  
No detection capability demonstrated for this procedure.


CounterTack
None
  
No detection capability demonstrated for this procedure.


CrowdStrike
None
  
No detection capability demonstrated for this procedure.


Cybereason
None
  
No detection capability demonstrated for this procedure.


Endgame
None
  
No detection capability demonstrated for this procedure.


FireEye
None
  
No detection capability demonstrated for this procedure.


Microsoft
None
  
No detection capability demonstrated for this procedure.


Palo Alto Networks
None
  
No detection capability demonstrated for this procedure.


RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
None
  
No detection capability demonstrated for this procedure.


Carbon Black
None
  
No detection capability demonstrated for this procedure, though modloads showed the thumbnail COM object masquerading, followed by a modload of dwmapi.dll (the Desktop Window Manager API) and then a crossprocess (open process) to the target application, which could be indicative of screen capture behavior.
Telemetry showing modloads and crossprocess events (does not count as a detection)

CounterTack
None
  
No detection capability demonstrated for this procedure, though telemetry showed a remote thread being created from cmd.exe into explorer.exe. The vendor also noted that if a user determined the process creation was suspicious, the user could manually kick off a DDNA scan. DDNA results on this process reported "This module may capture screen shots," indicating the module has the capability to perform this.
DDNA JSON output showing the process had the capability to capture screen shots (does not count as a detection; DDNA scan was manually initiated)

CrowdStrike
None
  
No detection capability demonstrated for this procedure, though telemetry showed explorer.exe injecting from a known beacon (does not detect screen capture specifically).
Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890) (does not count as a detection)

Cybereason
None
  
No detection capability was available, though an alert was generated based on explorer.exe being flagged for loading a Meterpreter Agent. Data within a previous process injection alert showed the loaded screenshotx64.dll module.
Alert showing loaded screenshotx64.dll module (does not count as a detection)

Endgame
None
  
No detection capability demonstrated for this procedure, though strings were pulled from a Process Injection alert, which identified functionality of code to indicate screen capture, but no proof of execution was identified.
Strings output extracted from Process Injection alert, showing BitBlt and CreateCompatibleBitmap that could be associated with screen capture, but no evidence of execution (does not count as a detection)

FireEye
None
  
No detection capability demonstrated for this procedure.


Microsoft
Enrichment (Configuration Change)
  
 
The capability enriched an explorer.exe process with ScreenshotTaken. The vendor stated that screen capture telemetry is captured but it was not immediately visible in the portal. The vendor made changes to the portal during the test to enable by default the visibility of these events, so this detection is identified as a configuration change.
Enrichment of explorer.exe with ScreenshotTaken

Palo Alto Networks
Enrichment
  
The capability enriched the execution of a specific API call as information gathering using screen capture and suspicious activity.
Enrichment of the execution of a specific API call using screen capture and suspicious activity

RSA
None
  
No detection capability demonstrated for this procedure, though a floating code "IIOC" module alerted with an elevated risk score for DLL injection. An analyst could explore the module and observe multiple components related to JPEGs, which may be related to screenshots, but this does not show that execution occurred.
Floating Code module generated from DLL injection showing multiple jpeg components (does not count as a detection)

Sentinel One
None
  
No detection capability demonstrated for this procedure.


Carbon Black
Telemetry
  
Telemetry showed a cross-process "open handle" event into explorer.exe, which could be indicative of process injection.
Telemetry showing "open handle" crossproc on explorer.exe by the process

CounterTack
Telemetry
  
Telemetry showed a remote thread being created from cmd.exe into explorer.exe, which could be indicative of process injection.
Telemetry showing remote thread being created into explorer.exe

CrowdStrike
Telemetry
  
Telemetry showed InjectedThread events for explorer.exe (pid=21776848613) injecting from cmd.exe (pid=21898821890), which is a known beacon.
Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890)

Cybereason
Specific Behavior
  
A Specific Behavior alert was generated based on a malicious code injection caused by process injection of explorer.exe. The alert was mapped with the correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection) and indicated that explorer.exe was hosting injected threads and loading malicious files.
Specific Behavior alert for Malicious code injection to explorer.exe with correct ATT&CK Tactic (Defense Evasion, Privilege Escalation) and Technique (Process Injection)

Endgame
Specific Behavior (Tainted)
  
 
A Specific Behavior alert for process injection was generated with cmd.exe as the source. The alert was tainted by parent Malicious File Detection and process injection alerts, and was also labeled with the correct ATT&CK Technique (T1055 - Process Injection) and Tactics (Defense Evasion and Execution).
Event tree showing process injection Specific Behavior alert (last alert in the view, ID 2561310) (tainted by parent Malicious File Detection and process injection alerts and labeled with the correct ATT&CK Technique, Process Injection, and Tactics, Defense Evasion and Execution)

FireEye
None
  
No detection capability demonstrated for this procedure.


Microsoft
Enrichment
  
The capability enriched the execution sequence for cmd.exe injecting into explorer.exe with the label "Inject to process."
Enrichment of execution sequence showing cmd.exe injecting into explorer.exe (labeled "Inject to process")

Palo Alto Networks
Enrichment
  
The capability enriched cmd.exe injecting into explorer.exe as code injection via CreateThread.
Enrichment of cmd.exe injecting into explorer.exe as code injection via CreateThread

RSA
None
  
No detection capability demonstrated for this procedure, though a floating code "IIOC" module alerted with an elevated risk score for DLL injection. There was no telemetry available for the injected processes to verify the module's relation to this procedure.
Floating Code module generated from DLL injection showing introspection into the module's characteristics (does not count as a detection)

Sentinel One
Telemetry (Tainted)
  
 
Telemetry showed the sequence of events related to process injection from powershell.exe into explorer.exe. The capability associated the process with the highest threat to the event (powershell.exe) instead of cmd.exe (the expected source of the injection) because it had an alert associated with it previously. The telemetry was tainted by the activity seen during the initial compromise step because it was associated with the same story (Group ID).
Telemetry showing powershell.exe injecting into explorer.exe (Group ID tainted this event but was not shown in this view)
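The Input Capture, Screen Capture and Process Injection results above all turn on one distinction the evaluators applied consistently: a remote thread or open handle into explorer.exe, a module named keyloggerx64.dll or screenshotx64.dll, or strings such as BitBlt and key definitions, prove only that the capability is present, whereas an observed runtime call (GetAsyncKeyState for keylogging, the screenshot APIs) is proof that the technique executed. The Python below is an added example, not vendor code, that correlates constructed injection, image-load and API-call events per target process and reports which techniques executed and which are merely present; the event schema, pids, timestamps and module names are assumptions.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed endpoint events (not vendor telemetry); "t" is seconds since an arbitrary origin.
EVENTS: List[dict] = [
    {"t": 10, "type": "remote_thread", "src_pid": 300, "src_image": "cmd.exe", "dst_pid": 100, "dst_image": "explorer.exe"},
    {"t": 11, "type": "image_load", "pid": 100, "module": "keyloggerx64.dll"},
    {"t": 15, "type": "api_call",   "pid": 100, "api": "GetAsyncKeyState"},      # keylogging actually ran
    {"t": 40, "type": "remote_thread", "src_pid": 300, "src_image": "cmd.exe", "dst_pid": 100, "dst_image": "explorer.exe"},
    {"t": 41, "type": "image_load", "pid": 100, "module": "screenshotx64.dll"},   # capability only: no BitBlt seen
    {"t": 50, "type": "remote_thread", "src_pid": 300, "src_image": "cmd.exe", "dst_pid": 500, "dst_image": "svchost.exe"},
    {"t": 51, "type": "image_load", "pid": 500, "module": "keyloggerx64.dll"},    # capability only
    {"t": 60, "type": "api_call",   "pid": 700, "api": "GetAsyncKeyState"},       # never injected; not attributed
]

# Runtime calls whose observation in an injected process is evidence that the technique executed.
BEHAVIOUR_APIS = {
    "GetAsyncKeyState": "T1056 Input Capture",
    "SetWindowsHookEx": "T1056 Input Capture",
    "BitBlt": "T1113 Screen Capture",
}
# Module-name hints prove only that the code is present, not that it ran.
CAPABILITY_HINTS = {"keylogger": "T1056 Input Capture", "screenshot": "T1113 Screen Capture"}


def analyse(events: List[dict]) -> Dict[int, dict]:
    """Per injected target pid: who injected it, which techniques are merely present, which executed."""
    findings = defaultdict(lambda: {"injected_by": set(), "capability": set(), "executed": set()})
    first_injection = {}  # target pid -> time of the first remote thread into it
    for e in sorted(events, key=lambda ev: ev["t"]):
        if e["type"] == "remote_thread":
            findings[e["dst_pid"]]["injected_by"].add((e["src_pid"], e["src_image"]))
            first_injection.setdefault(e["dst_pid"], e["t"])
            continue
        pid = e["pid"]
        if pid not in first_injection or e["t"] < first_injection[pid]:
            continue  # only attribute post-injection activity to the injected code
        if e["type"] == "image_load":
            for hint, technique in CAPABILITY_HINTS.items():
                if hint in e["module"].lower():
                    findings[pid]["capability"].add(technique)
        elif e["type"] == "api_call" and e["api"] in BEHAVIOUR_APIS:
            findings[pid]["executed"].add(BEHAVIOUR_APIS[e["api"]])
    return dict(findings)


def verdict(finding: dict) -> str:
    """Map a finding onto the page's counting rule: execution counts, capability alone does not."""
    if finding["executed"]:
        return "Specific Behavior: " + ", ".join(sorted(finding["executed"]))
    if finding["capability"]:
        return "Process Injection only (capability present, no proof of execution)"
    return "Process Injection only"


if __name__ == "__main__":
    for pid, finding in analyse(EVENTS).items():
        print(pid, sorted(finding["injected_by"]), verdict(finding))
```

The time ordering matters: the same API in a process that was never injected (pid 700 above) is ordinary application behaviour, and a module load before the injection would not belong to the implant. Real sensors differ in which of these event types they expose at all, which is exactly why the vendors above land in different categories for the same activity.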

Carbon Black
None
  
No detection capability demonstrated for this procedure.


CounterTack
None
  
No detection capability demonstrated for this procedure.


CrowdStrike
None
  
No detection capability demonstrated for this procedure.


Cybereason
None
  
No detection capability demonstrated for this procedure.


Endgame
None
  
No detection capability demonstrated for this procedure.


FireEye
None
  
No detection capability demonstrated for this procedure.


Microsoft
None
  
No detection capability demonstrated for this procedure.


Palo Alto Networks
None
  
No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated.


RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
None
  
No detection capability demonstrated for this procedure.


Carbon Black
None
  
No detection capability demonstrated for this procedure.


CounterTack
None
  
No detection capability demonstrated for this procedure.


CrowdStrike
None
  
No detection capability demonstrated for this procedure.


Cybereason
None
  
No detection capability demonstrated for this procedure, though telemetry showed connection between Nimda (10.0.1.6) and the source of the file, Conficker (10.0.0.5), over port 445.
Telemetry showing a port 445 connection between Nimda (10.0.1.6) and the source of the file on Conficker (10.0.0.5) (does not count as a detection)

Endgame
None
  
No detection capability demonstrated for this procedure, though file creation telemetry showed that the .vsdx file was created (no indication it was created from a shared drive).
Telemetry showing .vsdx file creation, but no indication of network shared drive (does not count as a detection)

FireEye
None
  
No detection capability demonstrated for this procedure.


Microsoft
None
  
No detection capability demonstrated for this procedure. The vendor stated that, by default, WDATP monitored activities around the most used document types (doc, xls, ppt, pdf, etc.) at the time of the evaluation. Subsequently, the vendor made changes to enable the visibility of .vsdx events by default, which is now available in WDATP.


Palo Alto Networks
Telemetry
  
Telemetry showed a file read event for the .vsdx file from the network shared drive. Vendor stated that more information would be available if their firewall appliance was installed and activated.
Telemetry showing a file read event for the .vsdx file from the network shared drive

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
Telemetry
  
Telemetry showed remote file access behavior for the .vsdx file from the network shared drive.
Telemetry showing .vsdx file access from WormShare on the network shared drive

Carbon Black
None
  
No detection capability demonstrated for this procedure.


CounterTack
None
  
No detection capability demonstrated for this procedure.


CrowdStrike
None
  
No detection capability demonstrated for this procedure.


Cybereason
None
  
No detection capability demonstrated for this procedure, though telemetry showed connection between Nimda (10.0.1.6) and the source of the file, Conficker (10.0.0.5), over port 445.
Telemetry showing a port 445 connection between Nimda (10.0.1.6) and the source of the file on Conficker (10.0.0.5) (does not count as a detection)

Endgame
None
  
No detection capability demonstrated for this procedure.


FireEye
None
  
No detection capability demonstrated for this procedure, though DNS requests for freegoogleadsenseinfo.com (C2 domain) were observed.
DNS requests to freegoogleadsenseinfo.com (C2 domain) (does not count as a detection)

Microsoft
None
  
No detection capability demonstrated for this procedure.


Palo Alto Networks
None
  
No detection capability demonstrated for this procedure, though port 53 network traffic to/from freegoogleadsenseinfo.com (C2 domain) was observed. Vendor stated that more information would be available if their firewall appliance was installed and activated.
Port 53 network traffic to/from freegoogleadsenseinfo.com (C2 domain) (does not count as a detection)

RSA
None
  
No detection capability demonstrated for this procedure.


Sentinel One
None
  
No detection capability demonstrated for this procedure.


Carbon Black
Telemetry
  
Telemetry within the process tree showed cmd.exe executing autoupdate.bat from the Startup folder.
Telemetry from process tree showing cmd.exe executing autoupdate.bat from Startup folder

CounterTack
Telemetry
  
Telemetry showed cmd.exe starting rundll32.exe, which started update.dat, as well as cmd.exe executing autoupdate.bat from the Startup folder.
Telemetry showing explorer.exe creating cmd.exe, which executed autoupdate.bat from the Startup folder

CrowdStrike
Telemetry
  
Telemetry showed cmd.exe running autoupdate.bat from the Startup folder.
Telemetry showing cmd.exe running autoupdate.bat from Startup folder

Cybereason
Telemetry (Tainted)
  
 
Telemetry showed rundll32.exe executing autoupdate.bat from the Startup folder. The telemetry was tainted by a parent Injected Shellcode alert.
Parent alert for Injected shellcode into rundll32.exe

Endgame
Telemetry (Tainted)
  
 
Telemetry showed the process chain for rundll32.exe execution of update.dat. The telemetry was tainted by the parent alert for "RunDLL32 with Suspicious DLL Location."
Telemetry showing rundll32.exe executing update.dat (tainted by parent "RunDLL32 with Suspicious DLL Location" alert)

FireEye
Enrichment
  
The capability enriched cmd.exe executing a file from Startup with an alert for Process Execution Startup. The alert was also tagged with the correct ATT&CK Technique (T1060 - Registry Run Keys / Startup Folder) and Tactic (Persistence).
Telemetry
  
Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder.
Telemetry (Tainted)
  
 
Telemetry showed rundll32.exe executing update.dll with command-line arguments. The telemetry was tainted by the parent alert for Rundll32 Execution (Weak Signal).
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that autoupdate.bat persisted due to its presence in the startup directory. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from the Managed Defense Report indicating autoupdate.bat persisted due to its presence in startup (Specific Behavior)

Microsoft
Telemetry
  
Telemetry showed the execution sequence of cmd.exe executing autoupdate.bat from the Startup folder to start update.dat.
Telemetry showing Startup folder execution sequence for autoupdate.bat on user logon

Palo Alto Networks
Telemetry
  
Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder.
Telemetry showing cmd.exe executing autoupdate.bat from the Startup folder

RSA
Telemetry
  
Telemetry showed cmd.exe executing autoupdate.bat from the Startup folder.
Telemetry showing the execution of autoupdate.bat from the Startup Folder

Sentinel One
Telemetry
  
Telemetry showed execution of autoupdate.bat from the Startup folder for persistence. The telemetry was associated with a new story (Group ID) but was not marked as malicious or tainted because it is not associated with an alert.
Group ID query showing both autoupdate.bat and updater.dll persistence execution

Carbon Black
Telemetry
  
Telemetry within the process tree showed rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule".
Telemetry from process tree showing updater.dll executed by rundll32.exe

CounterTack
Telemetry (Tainted)
  
 
Telemetry showed svchost.exe executing rundll32.exe, which executed updater.dll. The telemetry was tainted by the parent "Sponsor process started V2" alert.
Telemetry showing svchost.exe executing rundll32.exe (tainted by parent "Sponsor process started V2" alert)

CrowdStrike
Telemetry (Tainted)
  
 
Telemetry showed rundll32.exe starting updater.dll. The telemetry was tainted by the parent OverWatch alert.
Telemetry showing rundll32.exe executing updater.dll (tainted by the parent OverWatch alert)

Cybereason
Telemetry (Tainted)
  
 
Telemetry showed rundll32.exe executing update.dat with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert.
Parent alert for Injected shellcode into rundll32.exe

Endgame
Telemetry (Tainted)
  
 
Telemetry within the event tree showed rundll32.exe executing updater.dll. The telemetry was tainted by a Malicious File Detection alert for updater.dll and a Process Injection alert.
Telemetry showing rundll32.exe executing updater.dll (tainted by Process Injection alert)

FireEye
Telemetry (Tainted)
  
 
Telemetry showed svchost.exe executing rundll32.exe, which executed updater.dll. The telemetry was tainted by the parent Rundll32 Execution alert, which was tagged with a related ATT&CK Technique (T1085 - Rundll32) and Tactic (Defense Evasion, Execution), but did not include information on the use of a Scheduled Task specifically.
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified the Resume Viewer Update Checker scheduled task executing updater.dll with rundll32.exe. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from Managed Defense Report indicating the Resume Viewer Update Checker scheduled task executed updater.dll with rundll32.exe (Specific Behavior)

Microsoft
Telemetry
  
Telemetry showed the execution sequence for rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule".
Telemetry showing execution sequence for svchost.exe parent of rundll32.exe process running with "-k netsvcs -p -s Schedule" arguments

Palo Alto Networks
Telemetry
  
Telemetry showed the execution sequence for rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule".
Telemetry showing rundll32.exe executing updater.dll

RSA
Telemetry
  
Telemetry showed rundll32.exe executing updater.dll.
Telemetry showing rundll32.exe executing updater.dll

Sentinel One
Telemetry
  
Telemetry showed rundll32.exe executing updater.dll as part of the scheduled task persistence. The telemetry was associated with the execution of autoupdate.bat for persistence because it was associated with the same story (Group ID) but is not marked as malicious or tainted because it is not associated with an alert.
Group ID query showing both autoupdate.bat and updater.dll persistence execution
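Both persistence mechanisms in the two steps above leave the same two signals in process-creation telemetry, which is why nearly every vendor reached Telemetry on them: a process whose command line references the user's Startup folder, and rundll32.exe launched by the Task Scheduler service host (svchost.exe -k netsvcs -p -s Schedule) with a DLL that lives outside the Windows system directories (the idea behind the Endgame "RunDLL32 with Suspicious DLL Location" alert). The Python below is an added example, not vendor code, that applies both checks to constructed process-creation events; the pids, file paths and DLL export names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# A command line that references the per-user (or all-users) Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# DLLs loaded by rundll32 from these locations are treated as expected; anything else is "non-system".
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed command line of the logon-triggered batch file (assumed path).
STARTUP_BAT = ('cmd.exe /c "C:\\Users\\Debbie\\AppData\\Roaming\\Microsoft\\Windows'
               '\\Start Menu\\Programs\\Startup\\autoupdate.bat"')

# Constructed process-creation events (pid, ppid, image, command line, parent command line); not vendor telemetry.
EVENTS: List[Tuple[int, int, str, str, str]] = [
    # logon-triggered: explorer.exe -> cmd.exe running the .bat from Startup -> rundll32 loading update.dat
    (10, 1, "cmd.exe", STARTUP_BAT, "C:\\Windows\\explorer.exe"),
    (11, 10, "rundll32.exe", "rundll32.exe C:\\Users\\Debbie\\AppData\\Local\\update.dat,RunUpdate", STARTUP_BAT),
    # task-triggered: the Schedule service host -> rundll32 loading a DLL from a writable location
    (20, 5, "rundll32.exe", "rundll32.exe C:\\ProgramData\\updater.dll,CheckForUpdates",
     "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"),
    # benign: a scheduled task that runs rundll32 against a system DLL
    (30, 5, "rundll32.exe", "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
     "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"),
    # benign: an ordinary interactive cmd.exe
    (40, 1, "cmd.exe", "cmd.exe /c dir", "C:\\Windows\\explorer.exe"),
]


def rundll32_dll_path(cmdline: str) -> Optional[str]:
    """Return the DLL argument of a rundll32 command line: the first argument, up to the ',Export' suffix."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    dll = parts[1].strip().split(",", 1)[0]
    return dll.strip().strip('"') or None


def evaluate(event: Tuple[int, int, str, str, str]) -> List[str]:
    """Return the persistence indicators this single event exhibits (empty list if none)."""
    _pid, _ppid, image, cmdline, parent_cmdline = event
    hits = []
    if STARTUP_RE.search(cmdline):
        hits.append("T1060 Startup Folder execution")
    if image.lower() == "rundll32.exe":
        dll = rundll32_dll_path(cmdline)
        parent = parent_cmdline.lower()
        from_task_scheduler = "svchost.exe" in parent and "-s schedule" in parent
        if dll and not dll.lower().startswith(SYSTEM_DIRS):
            if from_task_scheduler:
                hits.append("T1053 Scheduled Task running rundll32 with a non-system DLL")
            else:
                hits.append("rundll32 with a non-system DLL")
    return hits


def run(events: List[Tuple[int, int, str, str, str]]) -> Dict[int, List[str]]:
    """Evaluate every event; keep only those with at least one indicator, keyed by pid."""
    results = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            results[event[0]] = hits
    return results


if __name__ == "__main__":
    for pid, hits in run(EVENTS).items():
        print(pid, hits)
```

The "-s Schedule" match relies on the per-service svchost hosting that Windows 10 uses on machines with enough memory; on hosts where the Task Scheduler still shares a netsvcs svchost, the parent command line carries no service name and the scheduled-task attribution has to come from the task-registration events instead. The Startup-folder regex is a command-line check only; a .lnk or a file dropped there that the shell launches by path still needs the file-creation telemetry several vendors showed above.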

Carbon Black
Telemetry
  
Telemetry within the process tree showed rdpclip.exe execution by the user Jesse on the destination system of the RDP connection.
Enrichment
  
The capability enriched rdpclip.exe with the correct ATT&CK Technique (Remote Desktop Protocol).
Enrichment of rdpclip.exe with correct ATT&CK Technique (Remote Desktop Protocol)

CounterTack
Telemetry
  
Telemetry showed that the explorer.exe process was running as the user Jesse, indicating the account exists.
Telemetry showing explorer.exe running as Jesse

CrowdStrike
Telemetry
  
Telemetry showed a type 10 (RemoteInteractive, i.e. RDP) UserLogon event for Jesse.
Telemetry showing user logon by Jesse to Conficker

Cybereason
Telemetry
  
Telemetry showed the logon session for Jesse to Conficker (10.0.0.5) as a Remote Interactive Logon Type.
Telemetry of logon session for Jesse from Nimda (10.0.1.6) to Conficker (10.0.0.5) with Remote Interactive Logon Type

Endgame
Telemetry (Tainted)
  
 
Telemetry showed that the userinit.exe process was running as the user Jesse, indicating Jesse logged in. The telemetry was tainted by the parent "Start Folder Persistence" alert.
Telemetry showing userinit.exe running as Jesse (tainted by parent "Start Folder Persistence" alert)

FireEye
Telemetry
  
Telemetry showed a Logon Type 10 (RemoteInteractive, i.e. RDP) event for the account Jesse logging on to Conficker.
Specific Behavior (Delayed)
  
 
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the account Jesse was used to log in to Conficker as part of Lateral Movement. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from Managed Defense Report indicating account Jesse was used to logon to Conficker as part of Lateral Movement (Specific Behavior)

Microsoft
Telemetry
  
Telemetry showed the new local user account Jesse logging into Conficker.
Telemetry showing local user account Jesse first and last seen logons on Conficker

Palo Alto Networks
Telemetry
  
Telemetry showed userinit.exe as well as explorer.exe spawn as the user Jesse.
Telemetry showing userinit.exe as well as explorer.exe spawn as the user Jesse

RSA
Telemetry
Telemetry showed "unregmp2.exe /FirstLogon" (associated with user logon) as well as the user name "Jesse J" within Machine Properties.
Telemetry showing user name "Jesse J" within Machine Properties

Sentinel One
Telemetry
Telemetry showed the Jesse account had logged into the system.
Telemetry showing last logged on user identified as Jesse

Carbon Black
Telemetry
Telemetry within the process tree showed rdpclip.exe execution by the user Jesse on the destination system of the RDP connection.
Enrichment
The capability enriched rdpclip.exe with the correct ATT&CK Technique (Remote Desktop Protocol).
Enrichment of rdpclip.exe with correct ATT&CK Technique (Remote Desktop Protocol)

CounterTack
Enrichment (Configuration Change, Tainted)
The capability enriched a TCP port 3389 (RDP) connection to 10.0.0.5 (Conficker) with the conditions Lateral Movement and Remote Share Access. One connection event was tainted by the parent "Windows command prompt invoked" alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See Configuration page for details.
Enrichment of TCP port 3389 (RDP) connection to 10.0.0.5 (Conficker) with conditions Lateral Movement and Remote Share Access (tainted by the parent "Windows command prompt invoked" alert)

CrowdStrike
Telemetry
Telemetry showed the remote connection to Conficker for a user logon by Jesse with type 10 (interactive) as well as the use of rdpclip.exe by the logged-on user.
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior occurred because they observed suspicious communications over 3389 (RDP) to other hosts. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Email excerpt from the OverWatch team indicating suspicious communications over 3389 (RDP) were observed (General Behavior)

Cybereason
Telemetry (Tainted)
Telemetry showed the logon session for Jesse to Conficker (10.0.0.5) as a Remote Interactive Logon Type. Telemetry also showed a connection over port 3389 to Conficker (10.0.0.5) through rundll32.exe serving as a proxy. The telemetry was tainted by a parent Injected Shellcode alert.
Telemetry showing rundll32.exe process used to proxy connection over port 3389 from Nimda (10.0.1.6) to Conficker (10.0.0.5) (tainted by a parent Injected Shellcode alert)

Endgame
Telemetry
Telemetry showed a Type 10 logon event (corresponding to interactive) for Jesse as well as remote connections over port 3389 to 10.0.0.5 (Conficker).
Telemetry showing remote connections over port 3389 to 10.0.0.5 (Conficker)

FireEye
Enrichment
The capability enriched a TCP port 3389 connection to 10.0.0.5 (Conficker) with the alert RDP Network Connection (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1076 - Remote Desktop Protocol) and Tactic (Lateral Movement).
Telemetry
Telemetry showed a Logon Type 10 (interactive) event for the account Jesse logging on to Conficker.
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the user account Jesse logged on to Conficker via Remote Desktop Protocol. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Excerpt from Managed Defense Report indicating account Jesse was used to log on via Remote Desktop Protocol (Specific Behavior)

Microsoft
Telemetry
Telemetry showed a successful connection to Conficker (10.0.0.5) over port 3389 from rundll32.exe.
Telemetry showing successful port 3389 connection to Conficker (10.0.0.5)

Palo Alto Networks
Telemetry
Telemetry showed a successful incoming connection to Conficker (10.0.0.5) over port 3389.
Enrichment
The capability enriched the network connection over port 3389 with the correct ATT&CK Technique (Remote Desktop Protocol).
Enrichment of the network connection over port 3389 with the correct ATT&CK Technique (Remote Desktop Protocol)

RSA
None
No detection capability demonstrated for this procedure.


Sentinel One
Telemetry (Tainted)
Telemetry from Nimda showed a TCP port 3389 connection from 10.0.1.6 (Nimda) to 10.0.0.5 (Conficker). The rundll32.exe process (PID 184) that was used to load updater.dll was used to proxy the RDP connection to Conficker. The telemetry was tainted by the activity generated during the privilege escalation step because it was associated with the same story (Group ID).
Threat group identified as malicious, including rundll32.exe (PID 184) proxying the port 3389 connection (the port 3389 connection is not specifically shown in this view, but the view identifies the rundll32.exe process tainting the connection by Group ID)

Carbon Black
Enrichment
The capability enriched wscript.exe and powershell.exe with the correct ATT&CK Techniques (T1063 - Scripting, T1086 - PowerShell).
Telemetry
Telemetry of a process tree showed powershell.exe execution, including full command-line arguments.
Specific Behavior
A Specific Behavior alert was generated indicating that powershell.exe was executed with encoded command-line arguments.
Specific Behavior alerts for PowerShell scripting

CounterTack
Telemetry (Tainted)
Telemetry showed wscript.exe executing autoupdate.vbs and that wscript.exe created a powershell.exe process, including the encoded command-line arguments (tainted by the parent Script File Created alert). The vendor modified its configuration between scenarios one and two, but MITRE assesses that the change did not significantly affect results for this detection. See the Configuration page for details.
Telemetry showing powershell.exe creation from wscript.exe (tainted by the parent Script File Created alert)

CrowdStrike
Specific Behavior
A Specific Behavior alert was generated indicating "A PowerShell script launched that shares characteristics with known PowerShell exploit kits."
General Behavior (Delayed)
A General Behavior alert was generated from OverWatch indicating wscript.exe executing launcher.vbs was suspicious. OverWatch is the managed threat hunting service.
Telemetry