Operational Flow

The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.
1.A.1 - User Execution
1.A.1 - Rundll32
1.A.1 - Scripting
1.B.1 - Registry Run Keys / Startup Folder
1.C.1 - Commonly Used Port
1.C.1 - Standard Application Layer Protocol
1.C.1 - Data Encoding
2.A.1 - System Network Configuration Discovery
2.A.2 - System Network Configuration Discovery
2.B.1 - System Owner/User Discovery
2.C.1 - Process Discovery
2.C.2 - Process Discovery
2.D.1 - System Service Discovery
2.D.2 - System Service Discovery
2.E.1 - System Information Discovery
2.E.2 - System Information Discovery
2.F.1 - Permission Groups Discovery
2.F.2 - Permission Groups Discovery
2.F.3 - Permission Groups Discovery
2.G.1 - Account Discovery
2.G.2 - Account Discovery
2.H.1 - Query Registry
3.A.1 - Bypass User Account Control
3.A.1 - Access Token Manipulation
3.B.1 - Process Discovery
3.C.1 - Process Injection
4.A.1 - Remote System Discovery
4.A.2 - Remote System Discovery
4.B.1 - System Network Configuration Discovery
4.C.1 - System Network Connections Discovery
5.A.1 - Credential Dumping
5.A.1 - Process Injection
5.A.2 - Credential Dumping
5.A.2 - Process Injection
5.B.1 - Access Token Manipulation
6.A.1 - Query Registry
6.B.1 - Commonly Used Port
6.B.1 - Standard Application Layer Protocol
6.B.1 - Multiband Communication
6.C.1 - Remote Desktop Protocol
7.A.1 - Create Account
7.A.1 - Graphical User Interface
7.A.1 - Account Discovery
7.B.1 - Remote File Copy
7.C.1 - Scheduled Task
8.A.1 - File and Directory Discovery
8.A.2 - File and Directory Discovery
8.B.1 - Process Discovery
8.C.1 - Input Capture
8.C.1 - Application Window Discovery
8.D.1 - Screen Capture
8.D.1 - Process Injection
9.A.1 - File and Directory Discovery
9.B.1 - Data from Network Shared Drive
9.B.1 - Exfiltration Over Command and Control Channel
10.A.1 - Registry Run Keys / Startup Folder
10.A.2 - Scheduled Task
10.B.1 - Valid Accounts
10.B.1 - Remote Desktop Protocol
11.A.1 - Scripting
11.B.1 - Commonly Used Port
11.B.1 - Standard Application Layer Protocol
11.B.1 - Standard Cryptographic Protocol
12.A.1 - System Network Configuration Discovery
12.A.2 - System Network Configuration Discovery
12.B.1 - System Owner/User Discovery
12.C.1 - Process Discovery
12.D.1 - System Service Discovery
12.E.1 - Scripting
12.E.1.1 - System Owner/User Discovery
12.E.1.2 - Permission Groups Discovery
12.E.1.3 - Password Policy Discovery
12.E.1.4.1 - File and Directory Discovery
12.E.1.4.2 - File and Directory Discovery
12.E.1.5 - Clipboard Data
12.E.1.6.1 - System Information Discovery
12.E.1.6.2 - System Information Discovery
12.E.1.7 - Query Registry
12.E.1.8 - System Service Discovery
12.E.1.9.1 - Network Share Discovery
12.E.1.9.2 - Network Share Discovery
12.E.1.10.1 - Security Software Discovery
12.E.1.10.2 - Security Software Discovery
12.E.1.11 - System Network Configuration Discovery
12.E.1.12 - System Network Connections Discovery
12.F.1 - Permission Groups Discovery
12.F.2 - Permission Groups Discovery
12.G.1 - Account Discovery
12.G.2 - Account Discovery
13.A.1 - Remote System Discovery
13.B.1 - System Network Connections Discovery
13.B.2 - System Network Connections Discovery
13.C.1 - Query Registry
14.A.1 - Bypass User Account Control
14.A.1 - Remote File Copy
14.A.1 - Standard Application Layer Protocol
14.A.1 - Commonly Used Port
15.A.1 - Input Capture
15.A.1 - Application Window Discovery
15.B.1 - Credentials in Files
16.A.1 - Brute Force
16.A.1 - Windows Admin Shares
16.B.1 - Valid Accounts
16.B.1 - Windows Admin Shares
16.B.1 - Brute Force
16.C.1 - Network Share Connection Removal
16.D.1 - Windows Admin Shares
16.D.1 - Valid Accounts
16.E.1 - Remote File Copy
16.F.1 - Command-Line Interface
16.G.1 - Remote File Copy
16.H.1 - System Service Discovery
16.I.1 - New Service
16.I.1 - Masquerading
16.J.1 - System Service Discovery
16.K.1 - File and Directory Discovery
16.L.1 - Service Execution
17.A.1 - System Service Discovery
17.A.1 - Query Registry
17.B.1 - File and Directory Permissions Modification
17.B.2 - File and Directory Permissions Modification
17.C.1 - Accessibility Features
18.A.1 - File and Directory Discovery
18.B.1 - Data Staged
18.B.1 - Data from Network Shared Drive
19.A.1 - Masquerading
19.A.1 - Remote File Copy
19.B.1 - Data Compressed
19.B.1 - Data Encrypted
19.B.1 - Masquerading
19.C.1 - Exfiltration Over Alternative Protocol
19.D.1 - File Deletion
19.D.2 - File Deletion
20.A.1 - Accessibility Features
20.A.1 - Remote Desktop Protocol
20.B.1 - System Owner/User Discovery
Comprehensive Results


1.A.1 User Execution

Procedure: Legitimate user Debbie clicked and executed a malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda).

Vendor
Detection Type
Detection Notes
Carbon Black
Telemetry
Telemetry within the process tree showed Resume Viewer.exe running along with its children. [1] [2]
General Behavior
A General Behavior alert was generated indicating that the user Debbie executed Resume Viewer.exe. This alert had a severity score of 51/100 and was based upon "Newly Executed Applications". [1] [2]
CrowdStrike
Telemetry
Telemetry within the alert showed that Resume Viewer.exe executed, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not specifically taken in this instance. [1]
General Behavior
A General Behavior alert for Machine Learning showed that Resume Viewer.exe was executed and that it was detected as malicious. [1]
Cybereason
General Behavior
A General Behavior alert was generated based on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed that Resume Viewer.exe was executed and running as a process. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. The provided screenshot was captured later in the evaluation and includes additional information appended to explorer.exe not relevant to this procedure. [1] [2] [3]
General Behavior
A General Behavior alert was generated based on the identification of Resume Viewer.exe as unknown malware by the Anti-Malware engine. Vendor stated that the capability would have prevented the execution of Resume Viewer.exe. [1] [2] [3]
Endgame
General Behavior
A General Behavior alert was generated for Malicious File Detection on the execution of Resume Viewer.exe. [1] [2]
Telemetry (Tainted)
Telemetry showed events surrounding the Resume Viewer.exe event to indicate execution (tainted by a parent Malicious File Detection). [1] [2]
FireEye
Telemetry
Telemetry showed Resume Viewer.exe executing with a parent process of explorer.exe. [1] [2]
General Behavior (Configuration Change)
A General Behavior alert was generated for the Resume Viewer.exe file due to it being labeled as malicious by a machine learning engine. The alert was generated after a configuration change of the file size limit for the machine learning engine. The vendor reported that this file would have been quarantined and prevented from executing. The scan type used to produce this alert is On-access, which means the scan occurs on file writes and executions. [1] [2]
F-Secure
General Behavior
A General Behavior alert was generated for the execution of a rare file (Resume Viewer.exe). The vendor reported that this behavior would have been prevented from executing. Screenshot is unavailable due to sensitivity of alert logic. [1]
Telemetry
Telemetry showed the execution of Resume Viewer.exe as a process. [1]
GoSecure
Telemetry (Tainted)
Telemetry showed that Resume Viewer.exe was executed. The telemetry was tainted by the parent Script File Created alert. [1]
McAfee
Telemetry
Telemetry showed that Resume Viewer.exe was executed by Explorer.exe by user Debbie. [1]
Microsoft
Telemetry
Telemetry showed the user execution sequence of Resume Viewer.exe with multiple files written and subsequently executed. Resume Viewer.exe was audited by Exploit Guard and the vendor stated that the audit events demonstrate that execution would have been prevented if Attack Surface Reduction (ASR) was enabled in blocking mode. [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Telemetry
Telemetry showed that Resume Viewer.exe was executed and running as a process owned by user Debbie. [1]
RSA
Telemetry
Telemetry showed execution of Resume Viewer.exe. [1]
SentinelOne
General Behavior
A General Behavior alert was generated due to static analysis of the file through the DFI resulting in it being marked as suspicious, which generated a story (group ID) that subsequent linked events are tainted by. [1] [2]
Telemetry
Telemetry showed Resume Viewer.exe execution with subsequent file writes and execution. [1] [2]

1.A.1 Rundll32

Carbon Black
Enrichment
The capability enriched the rundll32.exe execution with the correct ATT&CK Technique (T1085, which corresponds to the Rundll32 Technique). [1] [2]
Telemetry
Telemetry within the process tree showed the Resume Viewer.exe execution sequence and rundll32.exe executing. [1] [2]
CrowdStrike
Specific Behavior
A Specific Behavior alert was generated due to rundll32 launching a suspended process. The alert was mapped to the correct ATT&CK Technique (Rundll32) and Tactic (Defense Evasion). [1] [2]
General Behavior (Delayed)
OverWatch generated a General Behavior alert indicating rundll32 executing update.dat was suspicious. OverWatch is the managed threat hunting service. [1] [2]
Telemetry
Telemetry within the OverWatch alert showed rundll32.exe executing, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2]
Cybereason
Telemetry (Tainted)
Telemetry within the rundll32.exe injection alert also showed full command-line arguments of rundll32.exe executing update.dat. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. For most alerts in the user interface, the telemetry behind it is separately available in the capability and counted as a separate detection. [1] [2] [3]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for injected shellcode by a compromised legitimate process (rundll32.exe). The alert was tagged with the correct ATT&CK Tactic (Defense Evasion) and a related Technique (Process Injection) and was tainted by parent alert on rundll32.exe injection. [1] [2] [3]
Specific Behavior (Tainted)
A Specific Behavior alert was generated for rundll32.exe launching a module in a temporary folder and injecting shell code into a victim process. The alert was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. [1] [2] [3]
Endgame
Specific Behavior (Tainted)
A Specific Behavior alert called RunDLL32 with Suspicious DLL Location was generated due to rundll32.exe running update.dat. The alert was also tagged with the correct ATT&CK Technique (T1085 - Rundll32) and Tactics (Defense Evasion, Execution) and was tainted by a parent Malicious File Detection alert. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed rundll32.exe running update.dat. The telemetry was tainted by a parent Malicious File Detection alert. [1] [2] [3]
FireEye
Enrichment
The capability enriched rundll32.exe with an alert for Rundll32 Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1085 - Rundll32) and Tactics (Defense Evasion, Execution). [1] [2]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified use of rundll32.exe to execute update.dat with command-line arguments. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2]
F-Secure
Telemetry
Telemetry showed rundll32.exe executing update.dat. [1]
General Behavior
A General Behavior alert was generated for an unusual call to rundll32.exe. Screenshot is unavailable due to sensitivity of alert logic. [1]
Specific Behavior
A Specific Behavior alert was generated for rundll32.exe executing in a way typical for rundll32 injections. Screenshot is unavailable due to sensitivity of alert logic. [1]
GoSecure
Telemetry (Tainted)
Telemetry showed that cmd.exe created the rundll32.exe process that started update.dat. The telemetry was tainted by the parent Script File Created alert. [1]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing update.dat via rundll32.exe. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3]
Specific Behavior
Specific Behavior alerts were generated based on suspicious indicators that a "Loaded non-DLL and non-CPL file with specified parameters via rundll32." The alerts were tagged with the correct ATT&CK Tactic (Defense Evasion, Execution) and Technique (Rundll32). [1] [2] [3]
Microsoft
Telemetry
Telemetry showed the execution sequence for rundll32.exe running update.dat. [1] [2]
General Behavior (Delayed)
A delayed General Behavior alert was generated for a low-reputation DLL loaded by a signed executable due to rundll32.exe execution of update.dat. [1] [2]
Palo Alto Networks
Specific Behavior (Tainted)
Specific Behavior alerts were generated for rundll32. The alerts were tagged with the correct ATT&CK Technique (Rundll32) and were tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed rundll32.exe executing update.dat with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4]
General Behavior (Tainted)
A General Behavior alert was generated based on rundll32.exe executing update.dat, identified as a suspicious DLL and malware. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. Vendor stated the capability would have prevented execution of update.dat. [1] [2] [3] [4]
RSA
Telemetry
Telemetry showed cmd.exe launching rundll32.exe. [1]
SentinelOne
Telemetry (Tainted)
Telemetry showed rundll32.exe executing as a result of Resume Viewer.exe running. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). [1]

1.A.1 Scripting

Carbon Black
Enrichment
The capability enriched the cmd.exe execution with the correct ATT&CK Technique (T1064 - Scripting). [1] [2] [3] [4] [5] [6] [7]
Telemetry
Telemetry within the process tree showed cmd.exe executing the pdfhelper.cmd script. [1] [2] [3] [4] [5] [6] [7]
CrowdStrike
Telemetry
Telemetry showed pdfhelper.cmd being executed by cmd.exe. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
OverWatch generated a General Behavior alert indicating the execution of pdfhelper.cmd was suspicious. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Telemetry (Tainted)
Telemetry showed cmd.exe launching pdfhelper.cmd. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
Telemetry (Tainted)
Telemetry showed cmd.exe executing pdfhelper.cmd as well as pdfhelper.cmd spawning as a child process of Resume Viewer.exe. The telemetry was tainted by a parent Malicious File Detection alert. [1] [2] [3] [4] [5] [6] [7]
FireEye
Telemetry
Telemetry showed Resume Viewer.exe spawning the child process cmd.exe to launch pdfhelper.cmd. [1] [2] [3] [4] [5] [6] [7]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running pdfhelper.cmd) has been tagged for monitoring because its parent process has a detection (Resume Viewer.exe). Screenshot is unavailable due to sensitivity of alert logic. [1] [2] [3] [4] [5]
Telemetry
Telemetry showed pdfhelper.cmd was executed by cmd.exe. [1] [2] [3] [4] [5]
GoSecure
Telemetry (Tainted)
Telemetry showed that Resume Viewer.exe created cmd.exe, which ran the script pdfhelper.cmd. The telemetry was tainted by the parent Script File Created alert. [1] [2] [3] [4]
McAfee
Telemetry (Tainted)
Telemetry showed pdfhelper.cmd being executed by cmd.exe. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5]
Microsoft
Telemetry
Telemetry within a process tree showed the child cmd.exe process running the script pdfhelper.cmd. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Palo Alto Networks
Telemetry
Telemetry showed cmd.exe launching pdfhelper.cmd. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Specific Behavior
A Specific Behavior alert was generated for execution of the Windows script engine. The alert was tagged with the correct ATT&CK Technique (Scripting). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
RSA
None
No detection capability demonstrated for this procedure, though telemetry showed the execution sequence of Resume Viewer.exe executing cmd.exe, which executed rundll32.exe (the pdfhelper.cmd script was not shown). [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing the pdfhelper.cmd script. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). [1] [2] [3] [4]

1.B.1 Registry Run Keys / Startup Folder

Carbon Black
Telemetry
Telemetry showed filemods indicating the creation and file write of autoupdate.bat to the Startup folder. [1] [2] [3]
Enrichment
The capability enriched cmd.exe with the correct ATT&CK Technique (T1060 - Registry Run Keys/Start Folder). [1] [2] [3]
CrowdStrike
Telemetry
Telemetry showed Registry activity related to the Startup folder. Though no screenshot of the file write is available, this data may be indicative of modifications to the folder. [1] [2]
Cybereason
Telemetry (Tainted)
Telemetry showed cmd.exe rewriting autoupdate.bat to the user Debbie's Startup folder. The telemetry was tainted by a parent alert on explorer.exe attempting to execute a file (Resume Viewer.exe) identified as malicious. [1] [2] [3] [4]
Endgame
Specific Behavior (Tainted)
A Specific Behavior alert called "Detected Persistence - Start Folder Persistence" was generated due to cmd.exe writing autoupdate.bat to the Startup folder. The alert was also tagged with the correct ATT&CK Technique (T1060 - Registry Run Keys / Start Folder) and Tactic (Persistence). The Specific Behavior alert was tainted by a parent Malicious File Detection alert. [1] [2] [3]
Telemetry (Tainted)
Telemetry showed autoupdate.bat written to the Start Menu. The telemetry was tainted by a parent Malicious File Detection alert. [1] [2] [3]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified the backdoor persisted by executing autoupdate.bat at system start due to its presence in the Startup directory. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry
Telemetry showed autoupdate.bat being written to the Startup folder. The alert mapped to two ATT&CK Techniques (T1059 - Command-Line Interface and T1105 - Remote File Copy), but they were not directly related to the Registry Run Keys / Startup Folder Technique under test in this procedure. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched the file write of autoupdate.bat to the Startup folder by categorizing it as Persistence. [1] [2] [3] [4] [5] [6] [7] [8] [9]
F-Secure
Telemetry
Telemetry showed cmd.exe executing autoupdate.bat from within the Startup folder. [1] [2] [3]
GoSecure
Telemetry
Telemetry showed that autoupdate.bat was created in the Startup folder. [1] [2] [3]
McAfee
Specific Behavior
A Specific Behavior alert was generated for "An exe/bat/lnk/dll file has been copied or renamed in the Windows Startup Folder" for persistence based on pdfhelper.cmd. The alert was tagged with the correct ATT&CK Tactic (Persistence) and Technique (Registry Run Keys / Start Folder). [1] [2]
Microsoft
Telemetry
Telemetry showed the execution sequence for Resume Viewer.exe writing autoupdate.bat to Debbie's Startup folder to establish persistence. [1] [2]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed autoupdate.bat being moved to the user Debbie's Startup folder. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3]
Enrichment (Configuration Change, Tainted)
The capability enriched a file being created in the Startup folder with the correct ATT&CK Technique (Registry Run Keys / Start Folder). The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The logic to produce the enrichment was configured after the start of the evaluation so it is identified as a config change. [1] [2] [3]
RSA
Telemetry
Telemetry showed a cmd.exe "rename to executable" event for autoupdate.bat in the Startup folder. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry on actions performed from Resume Viewer.exe showed autoupdate.bat being written to the Startup Folder. The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). [1] [2] [3]

1.C.1 Commonly Used Port

Carbon Black
Telemetry
Telemetry showed a network connection over UDP port 53. [1] [2] [3] [4] [5] [6]
CrowdStrike
None
No detection capability demonstrated for this procedure, though DNS requests for freegoogleadsenseinfo.com (C2 domain) were observed (no detection showed port 53 specifically). [1] [2] [3] [4]
Cybereason
Telemetry
Telemetry showed port 53 command and control traffic. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
None
No detection capability demonstrated for this procedure, though DNS requests were observed (no detection showed port 53 specifically). [1] [2] [3] [4] [5] [6] [7] [8]
FireEye
Telemetry
Telemetry showed port 53 command and control traffic. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it observed the use of UDP port 53 for DNS command and control traffic. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
F-Secure
None
No detection capability demonstrated for this procedure. [1] [2] [3]
GoSecure
None
No detection capability demonstrated for this procedure, though DNS requests were observed (no detection showed port 53 specifically). [1] [2] [3]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Microsoft
None
No detection capability demonstrated for this procedure. DNS requests were observed (no detection showed port 53 specifically). [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Specific Behavior (Tainted)
A Specific Behavior alert was generated for a scripting engine (rundll32.exe) making a network connection over DNS ports. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7]
Telemetry (Tainted)
Telemetry showed port 53 command and control traffic. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. Vendor stated that more information would be available if their firewall appliance was installed and activated. [1] [2] [3] [4] [5] [6] [7]
RSA
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
SentinelOne
None
No detection capability demonstrated for this procedure. DNS requests were observed (no detection showed port 53 specifically). [1] [2] [3]

1.C.1 Standard Application Layer Protocol

Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3]
CrowdStrike
Specific Behavior
A Specific Behavior alert was generated for abnormally large DNS requests for freegoogleadsenseinfo.com (C2 domain) being sent. The alert was mapped to a related ATT&CK Technique (Exfiltration Over Alternative Protocol) and Tactic (Exfiltration). [1] [2] [3] [4] [5] [6]
Specific Behavior (Delayed)
The OverWatch team also sent an email indicating a Specific Behavior occurred because they observed suspected command and control or data exfiltration via DNS. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6]
General Behavior (Delayed)
OverWatch also generated a General Behavior alert indicating the DNS traffic was suspicious. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry within the OverWatch alert showed the DNS requests, and would also be available in a separate view. For any alert in the user interface, the telemetry behind it is separately available in the capability. This is counted as a separate detection because the functionality was shown to MITRE throughout the evaluation, though a screenshot was not taken in this instance. [1] [2] [3] [4] [5] [6]
Cybereason
Telemetry (Tainted)
Telemetry showed rundll32.exe making DNS queries to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Telemetry (Tainted)
Telemetry in the event tree view showed DNS requests spawning from rundll32.exe to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Malicious File Detection alert. [1] [2] [3] [4] [5]
FireEye
Indicator of Compromise
An Indicator of Compromise alert was generated for the hardcoded DNS record name syntax in the DNS lookups for freegoogleadsenseinfo.com (C2 domain). The alert was also tagged with the correct ATT&CK Technique (T1071 - Standard Application Layer Protocol) and Tactic (Command and Control). [1] [2] [3] [4] [5] [6]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that command and control occurred via DNS. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
F-Secure
Telemetry
Telemetry showed a trace of DNS queries being made by rundll32.exe to freegoogleadsenseinfo.com (C2 domain). [1] [2] [3] [4] [5]
GoSecure
Telemetry
Telemetry showed that DNS requests to freegoogleadsenseinfo.com (C2 domain) were being performed out of svchost.exe on Nimda. [1] [2] [3] [4]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Microsoft
Telemetry (Configuration Change)
Telemetry showed DNS requests to freegoogleadsenseinfo.com (C2 domain). The vendor stated that DNS telemetry is captured but it was not immediately visible in the portal. The vendor made changes to the portal during the test to enable by default the visibility of these events. [1] [2] [3] [4] [5]
Palo Alto Networks
None
No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated. [1] [2]
RSA
None
No detection capability demonstrated for this procedure. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed DNS requests to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). [1] [2]

1.C.1 Data Encoding

Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
Telemetry (Tainted)
Telemetry showed the base64-encoded DNS requests for freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the parent Exfiltration alert. [1]
Cybereason
Telemetry (Tainted)
Telemetry showed base64-encoded DNS requests for freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by a parent Injected Shellcode alert. [1] [2]
Endgame
None
No detection capability demonstrated for this procedure.
FireEye
Telemetry (Tainted)
Telemetry showed base64-encoded DNS requests to freegoogleadsenseinfo.com (C2 domain). The telemetry was tainted by the parent Cobalt Strike DNS Beacon alert. [1]
F-Secure
Telemetry
Telemetry showed a trace of encoded DNS queries being made by rundll32.exe to freegoogleadsenseinfo.com (C2 domain). [1]
GoSecure
None
No detection capability demonstrated for this procedure, though the capability identified DNS queries (no detection showed data encoding specifically).
McAfee
None
No detection capability demonstrated for this procedure.
Microsoft
None
No detection capability demonstrated for this procedure.
Palo Alto Networks
None
No detection capability demonstrated for this procedure. Vendor stated that more information would be available if their firewall appliance was installed and activated.
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
Telemetry (Tainted)
Telemetry showed DNS requests with encoded content to freegoogleadsenseinfo.com (the C2 domain). The telemetry was tainted by the previous alert generated from Resume Viewer.exe because it was associated with the same story (Group ID). [1] [2]

2.A.1 System Network Configuration Discovery

Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing ipconfig.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched ipconfig.exe with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because ipconfig was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed cmd.exe executing ipconfig with command-line arguments. The process tree showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran ipconfig) were considered tainted and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
Telemetry
Telemetry showed cmd.exe executing ipconfig with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment (Tainted)
The capability enriched cmd.exe executing ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
General Behavior (Tainted)
A General Behavior alert called Unusual Child Process of RunDLL32 was generated for cmd.exe executing ipconfig.exe with command-line arguments. The alert was tainted as part of the event tree under a parent Malicious File Detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing ipconfig.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that ipconfig.exe was one of the reconnaissance commands performed to enumerate the network configuration of Nimda. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Enrichment
The capability enriched ipconfig.exe with an alert for Ipconfig Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
F-Secure
Enrichment
The capability enriched ipconfig.exe with a tag identifying the command as enumeration. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing ipconfig), which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running ipconfig) had been tagged for monitoring because its parent process (rundll32.exe) had a detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing ipconfig.exe with command-line arguments and enriched the command with the condition Ipconfig All Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details. [1] [2] [3] [4] [5]
McAfee
Enrichment
The capability enriched ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the ipconfig utility displayed configuration information. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration commands that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Telemetry
Telemetry showed the execution sequence of cmd.exe executing ipconfig.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing ipconfig with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Enrichment (Tainted)
The capability enriched the execution of ipconfig.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
General Behavior (Tainted)
A General Behavior alert was generated for a commonly abused process (cmd.exe) spawning out of rundll32.exe. The alert was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Enrichment
The capability enriched ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
RSA
Telemetry
Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments. [1] [2] [3] [4] [5]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing ipconfig.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Carbon Black
Enrichment
The capability enriched arp.exe with a related ATT&CK Technique (T1018 - Remote System Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry
Telemetry within the process tree showed cmd.exe executing arp.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because arp was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed cmd.exe executing arp with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran arp) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
Telemetry (Tainted)
Telemetry showed arp.exe executing with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8]
Endgame
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing arp.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that arp.exe was one of the reconnaissance commands performed to enumerate the network configuration of Nimda. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
Enrichment
The capability enriched arp.exe with an alert for Arp Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1016 - System Network Configuration Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running arp) had been tagged for monitoring because its parent process (cmd.exe) had a detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment
The capability enriched arp.exe with a tag indicating that its use can be a sign of reconnaissance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing arp.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] [2] [3] [4] [5]
McAfee
Enrichment
The capability enriched arp.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the contents of the local ARP cache table were viewed. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed cmd.exe executing arp.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Microsoft
Telemetry
Telemetry showed the execution sequence of cmd.exe executing arp.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing arp with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Enrichment (Tainted)
The capability enriched the execution of arp.exe as possible reconnaissance as well as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Enrichment
The capability enriched arp.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
RSA
Telemetry
Telemetry showed cmd.exe executing arp.exe with command-line arguments. [1] [2] [3] [4] [5]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing arp.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing echo with command-line arguments. [1] [2] [3] [4] [5]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing echo with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran echo) were considered tainted. [1] [2] [3] [4] [5] [6]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because echo was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6]
Cybereason
Telemetry (Tainted)
Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4]
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing echo with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that echo was one of the commands used to enumerate the current username. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7]
Telemetry
Telemetry showed the use of echo with command-line arguments. [1] [2] [3] [4] [5] [6] [7]
F-Secure
Telemetry
Telemetry showed cmd.exe executing the echo command. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing the echo command), which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running echo) had been tagged for monitoring because its parent process (rundll32.exe) had a detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] [2] [3]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing the echo command. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree. [1] [2] [3] [4] [5] [6] [7]
Enrichment
The capability enriched the cmd.exe echo command with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) and a suspicious indicator that the command tried to identify the user on the system. [1] [2] [3] [4] [5] [6] [7]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe executing echo with command-line arguments (tainted by the alert on a suspicious sequence of exploration activities from child processes of rundll32.exe). [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Enrichment
The capability enriched cmd.exe executing echo with the correct ATT&CK Technique (System Owner/User Discovery). [1] [2] [3] [4] [5] [6]
Telemetry (Tainted)
Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6]
RSA
Telemetry
Telemetry showed cmd.exe executing echo with command-line arguments. [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4]
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Endgame
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
F-Secure
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
GoSecure
None
No detection capability demonstrated for this procedure. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Microsoft
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The process tree showing the taint is visible within the same UI but did not fit within the captured frame. [1] [2] [3] [4] [5] [6] [7] [8] [9]
RSA
None
No detection capability demonstrated for this procedure. [1] [2] [3]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2] [3]
Carbon Black
Enrichment
The capability enriched tasklist.exe with the correct ATT&CK Technique (T1057 - Process Discovery). [1] [2] [3] [4]
Telemetry
Telemetry within the process tree showed cmd.exe executing tasklist.exe with command-line arguments. [1] [2] [3] [4]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing tasklist with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran tasklist) were considered tainted. [1] [2] [3] [4] [5]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because tasklist was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5]
Cybereason
Telemetry (Tainted)
Telemetry showed cmd.exe executing tasklist with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4]
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing tasklist.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4]
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that tasklist was one of the commands used to enumerate current running processes. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5]
Enrichment
The capability enriched tasklist.exe with an alert for Tasklist Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1057 - Process Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running tasklist) had been tagged for monitoring because its parent process (cmd.exe) had a detection. [1] [2] [3] [4] [5] [6]
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing tasklist), which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed cmd.exe executing tasklist.exe along with command-line arguments. [1] [2] [3] [4] [5] [6]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] [2]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree. [1] [2] [3] [4] [5]
Enrichment
The capability enriched tasklist.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Service Discovery) and a suspicious indicator that the process discovered running Windows services and/or processes. [1] [2] [3] [4] [5]
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4] [5] [6]
Telemetry
Telemetry showed the execution sequence of cmd.exe executing tasklist.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of tasklist.exe as the enumeration of running processes via the command line. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
Telemetry showed cmd.exe executing tasklist with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched tasklist.exe executing with a related ATT&CK Technique (System Information Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
RSA
Telemetry
Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. [1] [2] [3]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3]
Carbon Black
Enrichment
The capability enriched sc.exe with the correct ATT&CK Technique (System Service Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry
Telemetry within the process tree showed cmd.exe executing sc.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because sc query was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed cmd.exe executing sc with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran sc) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
Enrichment (Tainted)
The capability enriched cmd.exe executing sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry
Telemetry showed cmd.exe executing sc with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing sc.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that sc was one of the commands used to enumerate current running services. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment
The capability enriched sc.exe with an alert for SC Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running sc) had been tagged for monitoring because its parent process (rundll32.exe) had a detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry
Telemetry showed cmd.exe executing sc with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing sc.exe with command-line arguments and enriched the command with the condition SC Query Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details. [1] [2] [3] [4] [5] [6]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing sc.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Enrichment
The capability enriched sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe/net.exe tools. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Microsoft
Telemetry
Telemetry showed the execution sequence of cmd.exe executing sc.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing sc with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
RSA
Telemetry
Telemetry showed cmd.exe executing sc.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing sc.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7]
Carbon Black
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (System Service Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment (Tainted)
The capability enriched cmd.exe executing net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
FireEye
Enrichment
The capability enriched net.exe with an alert for Net Start Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that net was one of the commands used to enumerate current running services. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
F-Secure
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net), which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) had been tagged for monitoring because its parent process (rundll32.exe) had a detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] [2] [3] [4] [5] [6]
McAfee
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe/net.exe tools. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe executing net.exe with command-line arguments (tainted by the alert on a suspicious sequence of exploration activities from child processes of rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7]
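The Step 2 notes above keep describing the same four detection behaviours: process-creation telemetry, enrichment with an ATT&CK technique, tainting of every descendant of an alerted parent (the rundll32.exe that spawned each cmd.exe), and a delayed alert once several discovery techniques are seen in sequence. The following is an added example, not code from the ATT&CK Evaluations or from any vendor: a toy Python detector that models those behaviours over a constructed process tree. The PIDs, timestamps and command lines are constructed, the four-techniques-in-ten-minutes threshold is an assumption standing in for the page's "specified number over a specified time period", and the T1033 ID for System Owner/User Discovery is supplied here (the page names only the technique).

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Image -> technique per the notes above; echo (a cmd.exe builtin) is matched on the command line.
DISCOVERY_TECHNIQUES = {
    "ipconfig.exe": ("T1016", "System Network Configuration Discovery"),
    "arp.exe": ("T1016", "System Network Configuration Discovery"),
    "tasklist.exe": ("T1057", "Process Discovery"),
    "sc.exe": ("T1007", "System Service Discovery"),
    "net.exe": ("T1007", "System Service Discovery"),
    "systeminfo.exe": ("T1082", "System Information Discovery"),
}
ECHO_USER = re.compile(r"\becho\b.*%username%", re.IGNORECASE)  # assumed pattern

ProcessEvent = namedtuple("ProcessEvent", "pid ppid image cmdline ts")
Finding = namedtuple("Finding", "pid kind detail")  # kind: telemetry | enrichment | tainted | general_behavior


class DiscoveryDetector:
    def __init__(self, seq_threshold=4, window=timedelta(minutes=10)):
        self.procs = {}            # pid -> ProcessEvent
        self.alerted = {}          # pid -> name of the alert raised on that process
        self.seq_threshold, self.window = seq_threshold, window
        self.seen = []             # (ts, technique id) for every enriched event
        self.sequence_alerted = False
        self.findings = []

    def alert(self, pid, name):
        """Record an alert on a process; descendants ingested afterwards are tainted."""
        self.alerted[pid] = name

    def tainted_by(self, pid):
        """Walk up the parent chain; return the nearest alerted ancestor, if any."""
        visited, ev = set(), self.procs.get(pid)
        cur = self.procs.get(ev.ppid) if ev else None
        while cur is not None and cur.pid not in visited:
            visited.add(cur.pid)
            if cur.pid in self.alerted:
                return cur.pid
            cur = self.procs.get(cur.ppid)
        return None

    def enrich(self, ev):
        image = ev.image.lower()
        if image in DISCOVERY_TECHNIQUES:
            return DISCOVERY_TECHNIQUES[image]
        if image == "cmd.exe" and ECHO_USER.search(ev.cmdline):
            return ("T1033", "System Owner/User Discovery")
        return None

    def ingest(self, ev):
        self.procs[ev.pid] = ev
        parent = self.procs.get(ev.ppid)
        out = [Finding(ev.pid, "telemetry",
                       f"{parent.image if parent else '?'} -> {ev.image}: {ev.cmdline}")]
        tech = self.enrich(ev)
        if tech:
            out.append(Finding(ev.pid, "enrichment", f"{tech[0]} - {tech[1]}"))
            self.seen.append((ev.ts, tech[0]))
            seq = self._sequence_alert(ev.ts)
            if seq:
                out.append(seq)
        src = self.tainted_by(ev.pid)
        if src is not None:
            out.append(Finding(ev.pid, "tainted", f"descendant of pid {src} ({self.alerted[src]})"))
        self.findings.extend(out)
        return out

    def _sequence_alert(self, now):
        # Delayed rule: N distinct discovery techniques inside the window, raised once.
        recent = {t for ts, t in self.seen if now - ts <= self.window}
        if self.sequence_alerted or len(recent) < self.seq_threshold:
            return None
        self.sequence_alerted = True
        return Finding(0, "general_behavior",
                       f"Enumeration Command Sequence: {len(recent)} techniques in {self.window}")


def run_sample():
    """Constructed tree mirroring the notes above: an alerted rundll32.exe spawns
    one cmd.exe per discovery command. PIDs, times and threshold are assumptions."""
    t0, d = datetime(2020, 1, 1, 9, 0, 0), DiscoveryDetector()
    d.ingest(ProcessEvent(50, 1, "explorer.exe", "explorer.exe", t0))
    # A benign admin check an hour earlier: same utility, no alerted ancestor.
    d.ingest(ProcessEvent(60, 50, "cmd.exe", "cmd.exe /c ipconfig /all", t0))
    d.ingest(ProcessEvent(61, 60, "ipconfig.exe", "ipconfig /all", t0))
    t1 = t0 + timedelta(hours=1)
    d.ingest(ProcessEvent(100, 50, "Resume Viewer.exe", '"Resume Viewer.exe"', t1))
    d.ingest(ProcessEvent(200, 100, "rundll32.exe", "rundll32.exe [constructed args]", t1))
    d.alert(200, "Malicious File Detection")  # upstream alert; its name varies by vendor
    cmds = [("ipconfig.exe", "ipconfig /all"), ("arp.exe", "arp -a"),
            ("cmd.exe", "echo %username%"), ("tasklist.exe", "tasklist /v"),
            ("sc.exe", "sc query"), ("net.exe", "net start"), ("systeminfo.exe", "systeminfo")]
    for i, (image, line) in enumerate(cmds):
        pid, ts = 300 + 10 * i, t1 + timedelta(seconds=30 * (i + 1))
        d.ingest(ProcessEvent(pid, 200, "cmd.exe", f"cmd.exe /c {line}", ts))
        if image != "cmd.exe":  # echo is a builtin and spawns no child process
            d.ingest(ProcessEvent(pid + 1, pid, image, line, ts))
    return d
```

Running `run_sample()` shows the benign ipconfig producing telemetry and enrichment but no taint, every cmd.exe under the alerted rundll32.exe marked tainted, and the sequence alert firing on the fourth distinct technique (sc query) rather than on the lone ipconfig an hour earlier.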
Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing systeminfo.exe. [1] [2] [3] [4]
Enrichment
The capability enriched systeminfo.exe with the correct ATT&CK Technique (System Information Discovery). [1] [2] [3] [4]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing systeminfo. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran systeminfo) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because systeminfo was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8]
General Behavior (Delayed)
OverWatch also generated a General Behavior alert indicating systeminfo execution was suspicious. OverWatch is the managed threat hunting service. [1] [2] [3] [4] [5] [6] [7] [8]
Cybereason
Enrichment (Tainted)
The capability enriched systeminfo.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4]
Telemetry
Telemetry showed cmd.exe executing systeminfo with command-line arguments. [1] [2] [3] [4]
Endgame
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing systeminfo.exe (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7]
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified systeminfo as a reconnaissance command used to obtain details from the system. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6]
Enrichment
The capability enriched systeminfo.exe with an alert for Systeminfo Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1082 - System Information Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running systeminfo) has been tagged for monitoring because its parent process has a detection (rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8]
Enrichment
The capability enriched systeminfo.exe indicating it could be used for reconnaissance. [1] [2] [3] [4] [5] [6] [7] [8]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing systeminfo.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] [2]
McAfee
Enrichment
The capability enriched systeminfo.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) and a suspicious indicator that system configuration info was queried. [1] [2] [3] [4]
Telemetry (Tainted)
Telemetry showed cmd.exe executing systeminfo.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree. [1] [2] [3] [4]
Microsoft
Telemetry
Telemetry showed the execution sequence of cmd.exe running systeminfo.exe. [1] [2] [3] [4] [5] [6] [7]
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of systeminfo.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7]
Enrichment
The capability enriched cmd.exe executing systeminfo with the correct ATT&CK Technique (System Information Discovery). [1] [2] [3] [4] [5] [6] [7]
Telemetry (Tainted)
Telemetry showed cmd.exe executing systeminfo with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7]
RSA
Telemetry
Telemetry showed cmd.exe executing systeminfo.exe. [1] [2]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4]
Carbon Black
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (System Information Discovery).
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
CrowdStrike
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because net config was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments.
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery). The data was tainted by a parent Injected Shellcode alert.
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
FireEye
Enrichment
The capability enriched net.exe with an alert for Net Config Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1082 - System Information Discovery) and Tactic (Discovery).
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net config as a reconnaissance command performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
F-Secure
Enrichment
The capability enriched net.exe indicating it is commonly used for reconnaissance.
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net), which was identified as extremely rare and suspicious.
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments.
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) had been tagged for monitoring because its parent process had a detection (rundll32.exe).
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert.
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) and a suspicious indicator that system configuration info was queried.
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments (tainted by the alert on a suspicious sequence of exploration activities from child processes of rundll32.exe).
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment (Tainted)
The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment
The capability enriched cmd.exe executing net with the correct ATT&CK Technique (System Information Discovery).
RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments.
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration.
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
General Behavior (Delayed)
The OverWatch team also sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
General Behavior (Delayed)
OverWatch also generated a General Behavior alert indicating net localgroup execution was suspicious. OverWatch is the managed threat hunting service.
Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments.
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The data was tainted by a parent Injected Shellcode alert.
Endgame
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
Enrichment (Tainted)
The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated members of the local administrators group. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) had been tagged for monitoring because its parent process had a detection (rundll32.exe).
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments.
Enrichment
The capability enriched net.exe indicating it is commonly used for reconnaissance.
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net), which was identified as extremely rare and suspicious.
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details.
McAfee
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that information on users/groups was obtained.
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments.
Palo Alto Networks
Enrichment
The capability enriched net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery).
RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments.
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Carbon Black
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration.
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
CrowdStrike
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net localgroup was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
Cybereason
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The data was tainted by a parent Injected Shellcode alert.
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments.
Endgame
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
Enrichment (Tainted)
The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated members of the local administrators group. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
F-Secure
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing net), which was identified as extremely rare and suspicious.
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments.
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) had been tagged for monitoring because its parent process had a detection (cmd.exe).
Enrichment
The capability enriched net.exe indicating it is commonly used for reconnaissance.
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details.
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that information on users/groups was obtained.
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments.
Palo Alto Networks
Enrichment
The capability enriched net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery).
RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments.
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments.
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Permission Groups Discovery) as well as the tag Administrator Enumeration.
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all child cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted.
Enrichment (Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with a related ATT&CK Technique (Account Discovery) and the correct Tactic (Discovery). The enrichment was tainted by a previous detection.
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net group was one of the reconnaissance commands performed. OverWatch is the managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident.
Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments.
General Behavior (Tainted)
A General Behavior alert was generated for net.exe conducting suspicious activity related to Discovery/Privilege Escalation as well as being a descendant of a suspicious process. The alert was also tagged with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery). The alert was tainted by a parent Injected Shellcode alert.
Endgame
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change.
Enrichment (Tainted)
The capability enriched net.exe with an alert for Enumeration of Administrator Account (tainted by a parent Malicious File Detection). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection).
FireEye
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because it identified that the attacker enumerated the Shockwave domain's Domain Administrators group. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident.
Enrichment
The capability enriched net.exe with an alert for Net Group Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery).
F-Secure
Enrichment
The capability enriched net.exe indicating it is commonly used for reconnaissance.
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments.
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running net) had been tagged for monitoring because its parent process had a detection (rundll32.exe).
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. The conditions contributing to Enrichment were added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See the Configuration page for details.
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe.
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that information on users/groups was obtained.
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious.
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments.
Palo Alto Networks
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment (Tainted)
The capability enriched the execution of net.exe as the execution of an enumeration command, as well as the execution of net1.exe as the execution of an enumeration command using net or net1. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
Enrichment (Tainted)
The capability enriched the execution of net.exe and net1.exe as the possible enumeration of administrator groups. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine.
RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments.
Enrichment
An "IIOC" module called "Enumerates domain administrators" was generated and provided enrichment.
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID).
Carbon Black
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Account Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran net.exe) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Cybereason
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Technique (Account Discovery). The data was tainted by a parent Injected Shellcode alert [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation so is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net user as a reconnaissance command performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing the net) which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched net.exe with a tag identifying the command as enumeration. [1] [2] [3] [4] [5] [6] [7] [8] [9]
GoSecure
Enrichment (Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] [2] [3] [4] [5]
McAfee
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery), a related Technique (System Owner/User Discovery), and a suspicious indicator that user/group information was obtained. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Microsoft
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration commands that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7] [8]
Carbon Black
Enrichment
The capability enriched net.exe with the correct ATT&CK Technique (Account Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry
Telemetry within the process tree showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran net) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because net user was one of the reconnaissance commands performed. OverWatch is CrowdStrike's managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Cybereason
Telemetry
Telemetry showed cmd.exe executing net with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment (Tainted)
The capability enriched net.exe executing with the correct ATT&CK Technique (Account Discovery). The data was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Endgame
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing net.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
FireEye
General Behavior (Delayed)
The Managed Defense Report indicated a General Behavior occurred because it identified net user as a reconnaissance command performed. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched net.exe with an alert for Net User Command Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
General Behavior
A General Behavior alert was generated showing that a spawned process (net.exe) had been tagged for monitoring because its parent process (cmd.exe) had a detection. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Enrichment
The capability enriched net.exe with a tag identifying the command as enumeration. [1] [2] [3] [4] [5] [6] [7] [8] [9]
GoSecure
Enrichment (Configuration Change, Tainted)
The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Reconnaissance Tool and Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. One condition contributing to Enrichment was added to the capability's detection after the start of the evaluation, so this detection is identified as a configuration change. See Configuration page for details. [1] [2] [3] [4] [5]
McAfee
Enrichment
The capability enriched net.exe with the correct ATT&CK Tactic (Discovery), a related Technique (System Owner/User Discovery), and a suspicious indicator that user/group information was obtained. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Microsoft
General Behavior (Delayed)
A delayed General Behavior alert occurred due to a sequence of exploration activities that was classified as suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Telemetry
Telemetry showed the execution sequence of cmd.exe running net.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of net.exe as the execution of an enumeration command. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Enrichment
The capability enriched net1.exe executing with the correct ATT&CK Technique (Account Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Telemetry (Tainted)
Telemetry showed cmd.exe executing net with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
RSA
Telemetry
Telemetry showed cmd.exe executing net.exe with command-line arguments. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4] [5] [6] [7] [8]
Carbon Black
Enrichment
The capability enriched reg.exe with the correct ATT&CK Technique (T1012 - Query Registry). [1] [2] [3] [4] [5] [6] [7] [8]
Telemetry
Telemetry within the process tree showed cmd.exe executing reg.exe with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8]
CrowdStrike
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg with command-line arguments. The process tree view showed that all children cmd.exe processes under the parent rundll32.exe (including the one that ran reg) were considered tainted. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
General Behavior (Delayed)
The OverWatch team sent an email indicating a General Behavior was observed because reg query was one of the reconnaissance commands performed. OverWatch is CrowdStrike's managed threat hunting service. The team sent emails to MITRE to mimic what they would send in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Cybereason
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent Injected Shellcode alert. [1] [2] [3] [4] [5]
Endgame
General Behavior (Configuration Change, Delayed, Tainted)
A delayed General Behavior alert triggered for a specified number of discovery techniques over a specified time period, which resulted in four Enumeration Command Sequence alerts for Step 2 (tainted by a parent Malicious File Detection). This alert was configured after the start of the evaluation, so it is identified as a configuration change. [1] [2] [3] [4] [5] [6] [7] [8] [9]
Telemetry (Tainted)
Telemetry within the event tree showed cmd.exe executing reg.exe with command-line arguments (tainted by a parent Malicious File Detection). [1] [2] [3] [4] [5] [6] [7] [8] [9]
FireEye
Enrichment
The capability enriched reg.exe with an alert for Reg Execution (Weak Signal). The alert was also tagged with the correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
Specific Behavior (Delayed)
The Managed Defense Report indicated a Specific Behavior occurred because the attacker queried a registry key that contains system policy configurations. Managed Defense Reports are reports provided by FireEye's managed detection and response (MDR) service. FireEye provided reports to MITRE after the completion of the evaluation to mimic what they would produce in a real incident. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]
F-Secure
Enrichment
The capability enriched reg.exe indicating that a sensitive registry key was accessed, possibly as part of reconnaissance. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
General Behavior
A General Behavior alert was generated for rundll32.exe launching cmd.exe (executing reg.exe), which was identified as extremely rare and suspicious. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry
Telemetry showed cmd.exe executing reg with command-line arguments. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
General Behavior
A General Behavior alert was generated showing that a spawned process (cmd.exe running reg.exe) had been tagged for monitoring because its parent process (rundll32.exe) had a detection. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
GoSecure
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] [2] [3] [4] [5]
McAfee
Enrichment
The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the Registry was queried via execution of the reg.exe utility. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Enrichment
The capability enriched reg.exe with the correct ATT&CK Tactic (Discovery). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by a trace detection on Resume Viewer.exe. Though not visible in the image, MITRE confirmed that the relevant command was visible within the trace detection's process tree. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]
Microsoft
Telemetry (Tainted)
Telemetry showed the execution sequence of cmd.exe running reg.exe with command-line arguments (tainted by the alert on suspicious sequence of exploration activities from child processes of rundll32.exe). [1] [2] [3] [4] [5] [6] [7] [8]
Palo Alto Networks
Enrichment
The capability enriched reg.exe executing with the correct ATT&CK Technique (Query Registry). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg with command-line arguments. The telemetry was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
RSA
Telemetry
Telemetry showed cmd.exe executing reg.exe with command-line arguments. [1] [2] [3] [4]
SentinelOne
Telemetry (Tainted)
Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by the alert generated during initial compromise because it was associated with the same story (Group ID). [1] [2] [3] [4]
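The Step 2 entries above describe three distinct detection mechanics: per-command enrichment with an ATT&CK technique (net user, net localgroup, reg query), taint propagation from an earlier alert down the process tree (every cmd.exe under the alerted rundll32.exe), and a delayed "enumeration command sequence" rule that fires once a number of distinct discovery techniques run in a time window. The following is an added example in Python that implements all three over constructed process-creation events; it is not code from MITRE or from any of the evaluated vendors. The regexes, PIDs, timestamps, command lines and the alert name used for the root process are this example's own assumptions; only the ATT&CK technique IDs are real.

```python
"""
Added example (not MITRE's or any vendor's code): enrich Windows process-creation
telemetry with ATT&CK discovery techniques, propagate taint down the process tree
from an earlier alert, and raise a delayed enumeration-sequence alert when several
distinct discovery techniques run under one process tree in a short window.
All sample events, PIDs, timestamps and command lines are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Command-line pattern -> ATT&CK technique. The IDs are the public ATT&CK IDs;
# the regexes are this example's own (assumed) matching logic.
DISCOVERY_RULES = [
    (re.compile(r"^net1?(\.exe)?\s+user\b", re.I), "T1087 - Account Discovery"),
    (re.compile(r"^net1?(\.exe)?\s+(local)?group\b", re.I), "T1069 - Permission Groups Discovery"),
    (re.compile(r"^reg(\.exe)?\s+query\b", re.I), "T1012 - Query Registry"),
    (re.compile(r"^tasklist(\.exe)?\b", re.I), "T1057 - Process Discovery"),
    (re.compile(r"^systeminfo(\.exe)?\b", re.I), "T1082 - System Information Discovery"),
    (re.compile(r"^ipconfig(\.exe)?\b", re.I), "T1016 - System Network Configuration Discovery"),
    (re.compile(r"^sc(\.exe)?\s+query\b", re.I), "T1007 - System Service Discovery"),
    (re.compile(r"^whoami(\.exe)?\b", re.I), "T1033 - System Owner/User Discovery"),
]


@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str
    cmdline: str
    technique: Optional[str] = None   # set by enrich()
    tainted_by: Optional[str] = None  # set by propagate_taint()


def _normalize(cmdline: str) -> str:
    """Strip path and quotes from the first token so that a full-path
    'net.exe user' and a bare 'net user' hit the same rule."""
    first, _, rest = cmdline.strip().partition(" ")
    first = first.strip('"').rsplit("\\", 1)[-1]
    return f"{first} {rest}".strip()


def enrich(ev: ProcEvent) -> Optional[str]:
    """Tag a process event with the first matching discovery technique."""
    norm = _normalize(ev.cmdline)
    for pattern, technique in DISCOVERY_RULES:
        if pattern.search(norm):
            ev.technique = technique
            break
    return ev.technique


def propagate_taint(events: List[ProcEvent], alerts: Dict[int, str]) -> None:
    """Mark every descendant of an alerted process as tainted by that alert,
    as a process-tree view does. Parents are created before children, so
    processing in time order sees a parent's taint before its children."""
    by_pid = {e.pid: e for e in events}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.pid in alerts:
            ev.tainted_by = alerts[ev.pid]
            continue
        parent = by_pid.get(ev.ppid)
        if parent is not None and parent.tainted_by:
            ev.tainted_by = parent.tainted_by


def _root(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> int:
    """Walk up to the top-most process we hold an event for."""
    while ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
    return ev.pid


def enumeration_sequences(events: List[ProcEvent], min_techniques: int,
                          window: timedelta) -> List[Tuple[int, List[str]]]:
    """Delayed rule: one alert per process tree when at least min_techniques
    distinct discovery techniques run inside the window. Grouping by the tree
    root matters because each command here runs under its own cmd.exe."""
    by_pid = {e.pid: e for e in events}
    per_root = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.technique:
            per_root[_root(ev, by_pid)].append(ev)
    alerts = []
    for root, evs in per_root.items():
        for i, start in enumerate(evs):
            techs = {e.technique for e in evs[i:] if e.ts - start.ts <= window}
            if len(techs) >= min_techniques:
                alerts.append((root, sorted(techs)))
                break
    return alerts


T0 = datetime(2019, 1, 1, 10, 0, 0)  # constructed base time


def _at(minutes: int, seconds: int = 0) -> datetime:
    return T0 + timedelta(minutes=minutes, seconds=seconds)


# Constructed telemetry: an already-alerted rundll32.exe spawns one cmd.exe per
# discovery command (the shape described on this page), plus unrelated activity.
SAMPLE_EVENTS = [
    ProcEvent(_at(0), 100, 1, "rundll32.exe", "rundll32.exe stage.dll,Entry"),
    ProcEvent(_at(1), 101, 100, "cmd.exe", "cmd.exe /c net user"),
    ProcEvent(_at(1, 1), 201, 101, "net.exe", r"C:\Windows\system32\net.exe user"),
    ProcEvent(_at(2), 102, 100, "cmd.exe", "cmd.exe /c net localgroup administrators"),
    ProcEvent(_at(2, 1), 202, 102, "net.exe", "net localgroup administrators"),
    ProcEvent(_at(3), 103, 100, "cmd.exe", r"cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"),
    ProcEvent(_at(3, 1), 203, 103, "reg.exe", r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"),
    ProcEvent(_at(4), 104, 100, "cmd.exe", "cmd.exe /c tasklist /v"),
    ProcEvent(_at(4, 1), 204, 104, "tasklist.exe", "tasklist /v"),
    ProcEvent(_at(5), 105, 100, "cmd.exe", "cmd.exe /c systeminfo"),
    ProcEvent(_at(5, 1), 205, 105, "systeminfo.exe", "systeminfo"),
    ProcEvent(_at(6), 50, 2, "explorer.exe", "explorer.exe"),
    ProcEvent(_at(7), 51, 50, "notepad.exe", "notepad.exe"),
]
# Constructed: the sensor already raised an alert on the rundll32.exe process.
SAMPLE_ALERTS = {100: "Injected Shellcode"}


def analyze(events: List[ProcEvent], alerts: Dict[int, str],
            min_techniques: int = 4, window_minutes: int = 10) -> dict:
    for ev in events:
        enrich(ev)
    propagate_taint(events, alerts)
    return {
        "enriched": {ev.pid: ev.technique for ev in events if ev.technique},
        "tainted": sorted(ev.pid for ev in events if ev.tainted_by),
        "sequence_alerts": enumeration_sequences(events, min_techniques,
                                                 timedelta(minutes=window_minutes)),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS, SAMPLE_ALERTS).items():
        print(key, value)
```

The window and threshold are what make the sequence rule "delayed": it cannot fire on the first net user and only pays off once enough distinct techniques accumulate, which is why the vendors that implement it report it separately from the per-command enrichment.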
Carbon Black
None
No detection capability demonstrated for this procedure.
CrowdStrike
Telemetry
Telemetry showed an integrity level change for user Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High), which is indicative of bypassing UAC. [1] [2] [3] [4]
Cybereason
Telemetry (Tainted)
Telemetry showed powershell.exe running at medium integrity as user Debbie, then another instance running later at high integrity as user Debbie. The telemetry was tainted by a parent PowerShell alert. [1] [2] [3] [4] [5]
Endgame
Telemetry
Telemetry showed a mismatch between the logon ID (authentication ID) of the parent and child processes, indicating that a different token was used. Though no screenshot for this data is available, this information can be used to trace back to the logon event for that logon ID and display the process integrity level indicative of the elevated token used for the UAC bypass. During the evaluation, Windows Defender was unknowingly re-enabled. As a result, Bypass UAC was tested with a slightly modified method. The detection method Endgame exhibited would have been valid regardless. [1] [2] [3]
FireEye
Telemetry (Configuration Change)
Telemetry showed execution of powershell.exe as a high integrity process as SYSTEM with a token login ID previously associated with user Debbie. A Configuration Change was made in order to collect Windows Event Logs for events 4627 (Group Membership Information) and 4673 (A privileged service was called). [1] [2] [3] [4]
F-Secure
Enrichment
The capability enriched an unelevated svchost.exe spawning an elevated powershell.exe process with a tag indicating a possible UAC Bypass. [1] [2] [3]
GoSecure
None
No detection capability demonstrated for this procedure, though an alert was triggered due to svchost.exe creating the process powershell.exe. [1] [2] [3]
McAfee
Specific Behavior
A Specific Behavior alert was generated for a possible UAC bypass. The alert was tagged with the correct ATT&CK Technique (Bypass User Account Control) and Tactics (Defense Evasion, Privilege Escalation). [1] [2] [3]
Microsoft
Telemetry (Tainted)
Telemetry showed rundll32.exe as a medium integrity process as user Debbie and subsequent execution of powershell.exe as a high integrity process as SYSTEM as part of the UAC bypass (tainted by alert on a suspicious PowerShell command-line generated for the svchost.exe invocation of powershell.exe with an encoded script). [1] [2] [3] [4] [5] [6] [7]
Palo Alto Networks
Telemetry
Telemetry showed a process integrity level change from parent rundll32.exe (medium / 8192) to child powershell.exe (high / 12288), both running as user Debbie. [1] [2] [3] [4]
RSA
None
No detection capability demonstrated for this procedure, though an alert was created for PowerShell with the -enc command-line argument. [1]
SentinelOne
Telemetry
Telemetry showed process integrity levels changing from medium to high. The detection was verified, but a screenshot for this data was unavailable. Integrity level values are based upon how the capability tracks integrity levels and not how Windows tracks them, causing a difference in values. [1]
Carbon Black
Telemetry
Telemetry showed svchost.exe, with the seclogon command-line argument, performing activity related to token manipulation. [1] [2] [3] [4]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1]
Cybereason
None
No detection capability demonstrated for this procedure, though an alert was generated for malicious code injection into PowerShell. Telemetry also showed that bypassuactoken.x64.dll was loaded. [1] [2] [3]
Endgame
Telemetry
Telemetry showed a svchost.exe seclogon event for a token logon ID (authentication ID) later used by a new powershell.exe process, highlighting token manipulation via a mismatch in IDs between the parent and child process tokens. During the evaluation, Windows Defender was unknowingly re-enabled. As a result, Bypass UAC was tested with a slightly modified method. The detection method Endgame exhibited would have been valid regardless. [1] [2] [3] [4]
FireEye
Telemetry (Configuration Change)
Telemetry showed a svchost.exe seclogon event for a token logon ID later used by a process whose group membership indicated high integrity. A Configuration Change was made in order to collect Windows Event Logs for events 4627 (Group Membership Information) and 4673 (A privileged service was called). [1] [2] [3] [4]
F-Secure
Telemetry
Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent logon event for user Debbie with an elevated token, indicating token manipulation. [1] [2] [3]
GoSecure
None
No detection capability demonstrated for this procedure, though an alert was triggered due to svchost.exe creating the process powershell.exe. [1] [2]
McAfee
Telemetry (Delayed)
Telemetry showed svchost.exe with the seclogon command-line argument, as well as a New Credentials logon event for user Debbie, indicating token manipulation. [1] [2] [3]
Microsoft
Telemetry (Tainted)
Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent elevated powershell.exe process, indicating token manipulation (tainted by parent alert on a suspicious PowerShell command-line generated for the svchost.exe invocation of powershell.exe with an encoded script). [1] [2] [3] [4] [5]
Palo Alto Networks
Telemetry
Telemetry showed svchost.exe executed with the seclogon command-line argument and a subsequent logon event with an elevated token and new logon ID, indicating token manipulation. [1] [2] [3]
RSA
None
No detection capability demonstrated for this procedure.
SentinelOne
None
No detection capability demonstrated for this procedure.
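The Bypass User Account Control and Access Token Manipulation entries above rest on two observable facts: a child process running at a higher integrity level than its parent (the 8192 to 12288 change CrowdStrike and Palo Alto Networks report), and a parent/child logon ID (authentication ID) mismatch corroborated by a seclogon-hosting svchost.exe and a New Credentials logon with an elevated token (the Endgame, F-Secure, McAfee and Palo Alto Networks descriptions). The following is an added example in Python that runs both checks over constructed endpoint telemetry; it is not any vendor's detection logic or MITRE's code. PIDs, logon IDs, command lines and the sample user are constructed; the integrity RIDs, the 4624 event ID, logon type 9 (NewCredentials) and the "Elevated Token" field of 4624 are real Windows values. The control case of a legitimately elevated mmc.exe is included to show why the logon-ID mismatch alone is only a low-confidence signal.

```python
"""
Added example (not any vendor's or MITRE's detection logic): two checks over
constructed Windows endpoint telemetry for the 3.A.1 procedures.
1. A child process at a higher integrity level than its parent.
2. A parent/child logon-ID (authentication ID) mismatch, rated high confidence
   only when a seclogon-hosting svchost.exe is present and the child's logon ID
   was issued by a NewCredentials logon (event 4624, type 9) with an elevated token.
PIDs, logon IDs, users and command lines are constructed.
"""
from dataclasses import dataclass
from typing import List

LOW, MEDIUM, HIGH, SYSTEM = 0x1000, 0x2000, 0x3000, 0x4000
LEVEL_NAMES = {LOW: "Low", MEDIUM: "Medium", HIGH: "High", SYSTEM: "System"}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str
    integrity: int   # mandatory integrity level RID as Windows reports it
    logon_id: int    # token authentication ID (LUID), kept as an int here


@dataclass
class Logon:         # shape modelled on Security event 4624
    event_id: int
    logon_type: int  # 9 = NewCredentials (runas /netonly, CreateProcessWithLogonW)
    user: str
    logon_id: int
    elevated: bool   # the event's "Elevated Token" field


def _level(rid: int) -> str:
    return f"{rid} (0x{rid:X}/{LEVEL_NAMES.get(rid, 'Unknown')})"


def detect_integrity_elevations(procs: List[Proc]) -> List[dict]:
    """Flag children whose integrity level exceeds their parent's. A consented
    UAC elevation is created by the AppInfo service, whose svchost.exe host runs
    as SYSTEM at System integrity, so such a child is not higher than its parent."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is not None and p.integrity > parent.integrity:
            findings.append({"pid": p.pid, "image": p.image, "user": p.user,
                             "parent": parent.image, "from": _level(parent.integrity),
                             "to": _level(p.integrity)})
    return findings


def detect_token_manipulation(procs: List[Proc], logons: List[Logon]) -> List[dict]:
    """Flag a child running under a different logon ID than its parent. The
    mismatch alone is routine for service-launched processes, so confidence is
    'high' only when the child's logon ID came from a NewCredentials logon with
    an elevated token while a seclogon-hosting svchost.exe was present."""
    by_pid = {p.pid: p for p in procs}
    seclogon_seen = any(p.image.lower() == "svchost.exe" and "seclogon" in p.cmdline.lower()
                        for p in procs)
    new_creds = {l.logon_id: l for l in logons if l.event_id == 4624 and l.logon_type == 9}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None or p.logon_id == parent.logon_id:
            continue
        logon = new_creds.get(p.logon_id)
        strong = logon is not None and logon.elevated and seclogon_seen
        findings.append({"pid": p.pid, "image": p.image,
                         "parent_logon_id": hex(parent.logon_id),
                         "child_logon_id": hex(p.logon_id),
                         "new_credentials_logon": logon is not None,
                         "confidence": "high" if strong else "low"})
    return findings


# Constructed telemetry. 0x3E7 is the well-known SYSTEM logon session.
SAMPLE_PROCS = [
    Proc(600, 500, "svchost.exe", "svchost.exe -k netsvcs -s seclogon", "SYSTEM", SYSTEM, 0x3E7),
    Proc(700, 500, "svchost.exe", "svchost.exe -k netsvcs -s Appinfo", "SYSTEM", SYSTEM, 0x3E7),
    Proc(900, 800, "explorer.exe", "explorer.exe", "Debbie", MEDIUM, 0x5A1F3),
    Proc(901, 900, "notepad.exe", "notepad.exe", "Debbie", MEDIUM, 0x5A1F3),
    Proc(1000, 900, "rundll32.exe", "rundll32.exe stage.dll,Entry", "Debbie", MEDIUM, 0x5A1F3),
    # The case on this page: medium rundll32.exe -> high powershell.exe, same
    # user, but running under a freshly issued logon ID.
    Proc(1100, 1000, "powershell.exe", "powershell.exe -enc <base64>", "Debbie", HIGH, 0x5B220),
    # Control case: an elevation through the UAC prompt, parented by AppInfo.
    Proc(1200, 700, "mmc.exe", "mmc.exe", "Debbie", HIGH, 0x5A1F4),
]
SAMPLE_LOGONS = [
    Logon(4624, 2, "Debbie", 0x5A1F3, False),  # interactive sign-in
    Logon(4624, 9, "Debbie", 0x5B220, True),   # NewCredentials logon via seclogon
]


if __name__ == "__main__":
    for f in detect_integrity_elevations(SAMPLE_PROCS):
        print("integrity elevation:", f)
    for f in detect_token_manipulation(SAMPLE_PROCS, SAMPLE_LOGONS):
        print("token mismatch:", f)
```

Run against the constructed data, the integrity check reports only powershell.exe (from 8192 (0x2000/Medium) to 12288 (0x3000/High)), while the logon-ID check reports both powershell.exe (high confidence) and the legitimately elevated mmc.exe (low confidence), which is the distinction the vendor entries above draw between a bare mismatch and one tied to a seclogon New Credentials logon.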
Carbon Black
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
CrowdStrike
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Cybereason
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
Endgame
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4]
FireEye
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
F-Secure
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
GoSecure
None
No detection capability demonstrated for this procedure. [1] [2]
McAfee
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5]
Microsoft
None
No detection capability demonstrated for this procedure. [1] [2] [3] [4] [5] [6]
Palo Alto Networks
Enrichment (Tainted)
The capability enriched the execution of a specific API call as process enumeration and suspicious activity. The data was tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine. The process tree showing the taint is visible within the same UI but did not fit within the current frame. [1] [2] [3] [4] [5] [6] [7] [8] [9]
RSA
None
No detection capability demonstrated for this procedure. [1] [2] [3]
SentinelOne
None
No detection capability demonstrated for this procedure. [1] [2] [3]