ATT&CK Evaluations, APT29: BlackBerry Cylance, All Results

All Results Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.


MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
Legend

Main detection categories: None, Telemetry, Indicator of Compromise, General Behavior, Specific Behavior, Enrichment, MSSP, General, Tactic, Technique.

Detection modifiers: Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative, Tainted.

Results

Each step below lists the Step number, the Procedure, the detection Criteria, the Technique (with its ATT&CK ID), and one or more Detection Types, each followed by its Detection Notes. Bracketed numbers ([1], [2]) refer to the screenshots attached to that detection.
1.A.1
Procedure: User Pam executed payload rcs.3aka3.doc
Criteria: The rcs.3aka3.doc process spawning from explorer.exe
Technique: User Execution (T1204)
Detection: General (Alert)
A General alert detection was generated identifying rcs.3aka3.doc as malware. According to the vendor, this would have been prevented because rcs.3aka3.doc was identified as malware. [1]
Detection: MSSP (Delayed (Manual))
An MSSP detection for "process spawning with an uncommon file extension" occurred, containing evidence of explorer.exe executing rcs.3aka3.doc. [1]
Detection: Telemetry
Telemetry showed explorer.exe executing rcs.3aka3.doc. [1]

1.A.2
Procedure: Used the Unicode right-to-left override (RTLO) character to obfuscate the file name rcs.3aka3.doc (originally cod.3aka3.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka3.scr)
Technique: Masquerading (T1036)
Detection: Technique (Alert)
A Technique alert detection (low severity) called "Process Without Common Executable Extension" was generated when an executable file without a valid signature created a process. [1] [2]
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Process Without Common Executable Extension" occurred, containing evidence of an executable file without a valid signature creating a process. [1]
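The two signals above, a process image whose name carries U+202E and an executable running under an extension that is not a common executable extension, can both be checked directly on process-creation telemetry. The block below is an added example written for this page, not vendor or MITRE code: it models each event as a Python dict (the field names are an assumption) and runs both checks over constructed sample events shaped like steps 1.A.1 and 1.A.2. It also shows why the checks complement each other: the stored name of the RTLO file really ends in .scr, so only the U+202E check catches it, while a payload that is literally named rcs.3aka3.doc is caught only by the extension check.

```python
"""Added example: RTLO and uncommon-extension checks on process-creation events."""
import os

RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE
# Extensions a process image is expected to carry (an assumption for the example).
COMMON_EXEC_EXT = {".exe", ".com", ".scr", ".dll", ".sys", ".pif", ".cpl"}


def rendered_name(stored_name):
    """Return the name as a UI renders it: the text after U+202E is drawn
    right-to-left, so that tail appears reversed to the user."""
    if RLO not in stored_name:
        return stored_name
    head, _, tail = stored_name.partition(RLO)
    return head + tail[::-1]


def check_image(image_path):
    """Findings for one process image path (backslash or slash separated)."""
    name = os.path.basename(image_path.replace("\\", "/"))
    findings = []
    if RLO in name:
        findings.append("rtlo_in_image_name")
    if os.path.splitext(name)[1].lower() not in COMMON_EXEC_EXT:
        findings.append("uncommon_executable_extension")
    return findings


def evaluate(events):
    """Map event id -> findings for every event that trips at least one check."""
    hits = {}
    for ev in events:
        findings = check_image(ev["image"])
        if findings:
            hits[ev["id"]] = findings
    return hits


# Constructed sample events (not vendor telemetry); field names are assumed.
SAMPLE_EVENTS = [
    # Stored name is U+202E + "cod.3aka3.scr"; it renders as "rcs.3aka3.doc".
    {"id": 1, "parent": "explorer.exe",
     "image": "C:\\Users\\Pam\\Downloads\\" + RLO + "cod.3aka3.scr"},
    # A payload literally carrying a document extension.
    {"id": 2, "parent": "explorer.exe",
     "image": "C:\\Users\\Pam\\Downloads\\rcs.3aka3.doc"},
    {"id": 3, "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        leaf = os.path.basename(ev["image"].replace("\\", "/"))
        print(ev["id"], repr(rendered_name(leaf)), check_image(ev["image"]))
```

Event 1 carries the override and its true extension is .scr; event 2 has a normal name but an extension no process image should have; event 3 is clean. A rule that only looked at the rendered name would miss event 1 entirely.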
1.A.3
Procedure: Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234
Technique: Uncommonly Used Port (T1065)
Detection: Tactic (Alert)
A Tactic alert detection (low severity) called "Unsigned Application Network Beaconing" was generated when the rcs.3aka3.doc process made a network connection. [1] [2]
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Unsigned Application Network Beaconing" occurred, containing evidence of the rcs.3aka3.doc process connecting to the C2 server (192.168.0.5) on port 1234. [1]
Detection: Telemetry
Telemetry showed the rcs.3aka3.doc process connecting to 192.168.0.5 on TCP port 1234. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

1.A.4
Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
Detection: None
No detection capability demonstrated for this procedure.

1.B.1
Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
Technique: Command-Line Interface (T1059)
Detection: MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of cmd.exe spawning from rcs.3aka3.doc. [1]
Detection: Telemetry
Telemetry showed cmd.exe spawning from rcs.3aka3.doc. [1] [2]

1.B.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
Technique: PowerShell (T1086)
Detection: Tactic (Alert)
A Tactic alert detection (info severity) called "Win_User_Execution_MITRET1204" was generated due to a process targeting an *.exe filename. [1] [2]
Detection: Telemetry
Telemetry showed powershell.exe spawning from cmd.exe. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

2.A.1
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery (T1083)
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Win_AutomatedCollection_DirScanART_MITRET1119" occurred, containing evidence of powershell.exe executing Get-ChildItem. [1] [2]
Detection: Telemetry
Telemetry showed PowerShell executing (Get-)ChildItem. [1]

2.A.2
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection (T1119)
Detection: Technique (Alert)
A Technique alert detection (high severity) called "Win_AutomatedCollection_DirScanART_MITRET1119" was generated due to powershell.exe executing Get-ChildItem. [1] [2]
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Win_AutomatedCollection_DirScanART_MITRET1119" occurred, containing evidence of powershell.exe executing Get-ChildItem. [1] [2]
Detection: Telemetry
Telemetry showed powershell.exe executing Get-ChildItem. [1]

2.A.3
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System (T1005)
Detection: None
No detection capability demonstrated for this procedure.

2.A.4
Procedure: Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive
Technique: Data Compressed (T1002)
Detection: Technique (Alert)
A Technique alert detection (high severity) called "Win_Data_Compressed_ART_MITRET1002" was generated due to a PowerShell payload containing "Compress-Archive" and "-DestinationPath". [1] [2]
Detection: Telemetry
Telemetry showed powershell.exe executing Compress-Archive. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

2.A.5
Procedure: Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file Draft.zip
Technique: Data Staged (T1074)
Detection: Telemetry
Telemetry showed file creation of Draft.zip. [1]

2.B.1
Procedure: Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria: The rcs.3aka3.doc process reading the file Draft.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel (T1041)
Detection: None
No detection capability demonstrated for this procedure.

3.A.1
Procedure: Dropped stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png
Technique: Remote File Copy (T1105)
Detection: Telemetry
Telemetry showed rcs.3aka3.doc creating monkey.png. [1]

3.A.2
Procedure: Embedded PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png
Technique: Obfuscated Files or Information (T1027)
Detection: Telemetry
Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. [1]

3.B.1
Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute value under HKCU\Software\Classes\Folder\shell\open\command
Technique: Component Object Model Hijacking (T1122)
Detection: Telemetry
Telemetry showed a PowerShell command adding the DelegateExecute Registry value. [1]

3.B.2
Procedure: Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Technique: Bypass User Account Control (T1088)
Detection: None
No detection capability demonstrated for this procedure, though data showed control.exe spawning powershell.exe. [1]

3.B.3
Procedure: Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria: Established network channel over port 443
Technique: Commonly Used Port (T1043)
Detection: General (Alert)
A General alert detection (info severity) called "Powershell Network Connections" was generated for PowerShell making a network connection to 192.168.0.5 over port 443. [1] [2]
Detection: Telemetry
Telemetry showed powershell.exe connecting to 192.168.0.5 on TCP port 443. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

3.B.4
Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS
Technique: Standard Application Layer Protocol (T1071)
Detection: None
No detection capability demonstrated for this procedure.

3.B.5
Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
Detection: None
No detection capability demonstrated for this procedure.

3.C.1
Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Technique: Modify Registry (T1112)
Detection: Telemetry
Telemetry showed a PowerShell command removing the DelegateExecute Registry value. [1]
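Steps 3.B.1, 3.B.2 and 3.C.1 are one technique seen from three data sources: a registry write of DelegateExecute under HKCU\Software\Classes\Folder\shell\open\command, the resulting high-integrity powershell.exe under control.exe under sdclt.exe, and the later deletion of the key. The vendor surfaced the registry write and the cleanup as telemetry only and nothing for the elevated chain, which is exactly where correlating the two sources helps. The block below is an added example, not vendor or MITRE code: it models registry and process-creation events as Python dicts (field names and the sample events are assumptions) and joins the process that wrote the key to the elevated chain it produced.

```python
"""Added example: correlate the sdclt.exe COM-hijack registry write with the
elevated process chain it enables, over constructed events."""

HIJACK_KEY = r"HKCU\Software\Classes\Folder\shell\open\command"


def registry_findings(reg_events):
    """Flag writes to, and removal of, the Folder\\shell\\open\\command key.
    Returns (finding, process image, pid) tuples in event order."""
    findings = []
    for ev in reg_events:
        if ev["key"].lower() != HIJACK_KEY.lower():
            continue
        if ev["op"] == "set_value" and ev["value"] == "DelegateExecute":
            findings.append(("com_hijack_delegateexecute_set", ev["process"], ev["pid"]))
        elif ev["op"] == "set_value":
            findings.append(("com_hijack_command_set", ev["process"], ev["pid"]))
        elif ev["op"] == "delete_key":
            findings.append(("com_hijack_cleanup", ev["process"], ev["pid"]))
    return findings


def uac_bypass_chains(proc_events):
    """Return (sdclt pid, control pid, powershell pid) for every high-integrity
    powershell.exe whose parent is control.exe and grandparent is sdclt.exe."""
    by_pid = {e["pid"]: e for e in proc_events}
    chains = []
    for e in proc_events:
        if e["image"].lower() != "powershell.exe" or e["integrity"] != "High":
            continue
        parent = by_pid.get(e["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None
        if (parent and grand and parent["image"].lower() == "control.exe"
                and grand["image"].lower() == "sdclt.exe"):
            chains.append((grand["pid"], parent["pid"], e["pid"]))
    return chains


def correlate(reg_events, proc_events):
    """A chain is confirmed as the hijack payload when the sdclt.exe at its root
    was launched by the same process that wrote DelegateExecute."""
    writers = {pid for name, _, pid in registry_findings(reg_events)
               if name == "com_hijack_delegateexecute_set"}
    by_pid = {e["pid"]: e for e in proc_events}
    confirmed = []
    for sdclt_pid, _control_pid, ps_pid in uac_bypass_chains(proc_events):
        launcher = by_pid[sdclt_pid]["ppid"]
        if launcher in writers:
            confirmed.append({"writer": launcher, "elevated_powershell": ps_pid})
    return confirmed


# Constructed sample events (not vendor telemetry); field names are assumed.
REG_EVENTS = [
    {"op": "set_value", "key": HIJACK_KEY, "value": "",
     "data": "powershell.exe -NoProfile -WindowStyle Hidden", "process": "powershell.exe", "pid": 4},
    {"op": "set_value", "key": HIJACK_KEY, "value": "DelegateExecute",
     "data": "", "process": "powershell.exe", "pid": 4},
    {"op": "delete_key", "key": HIJACK_KEY, "value": None,
     "data": None, "process": "powershell.exe", "pid": 12},
]
PROC_EVENTS = [
    {"pid": 4, "ppid": 3, "image": "powershell.exe", "integrity": "Medium"},
    {"pid": 10, "ppid": 4, "image": "sdclt.exe", "integrity": "High"},
    {"pid": 11, "ppid": 10, "image": "control.exe", "integrity": "High"},
    {"pid": 12, "ppid": 11, "image": "powershell.exe", "integrity": "High"},
    {"pid": 20, "ppid": 3, "image": "powershell.exe", "integrity": "Medium"},
]

if __name__ == "__main__":
    print(registry_findings(REG_EVENTS))
    print(uac_bypass_chains(PROC_EVENTS))
    print(correlate(REG_EVENTS, PROC_EVENTS))
```

Either half alone is weak evidence: the key write could be a broken shell extension, and a high-integrity powershell.exe under control.exe could be an administrator's own action. The join is what turns two telemetry lines into a UAC bypass finding, and the cleanup in 3.C.1 then points back at the elevated process (pid 12 in the sample) that removed the key.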
4.A.1
Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip
Technique: Remote File Copy (T1105)
Detection: Telemetry
Telemetry showed the file write of the ZIP by PowerShell. [1]

4.A.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from powershell.exe
Technique: PowerShell (T1086)
Detection: Telemetry
Telemetry showed a new powershell.exe spawning from powershell.exe. [1]

4.A.3
Procedure: Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria: powershell.exe executing Expand-Archive
Technique: Deobfuscate/Decode Files or Information (T1140)
Detection: Telemetry
Telemetry showed PowerShell decompressing the ZIP via Expand-Archive and the corresponding file writes. [1] [2]

4.B.1
Procedure: Enumerated current running processes using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Detection: Technique (Alert)
A Technique alert detection (low severity) called "Win_GetSystemProcess_Powershell-MITRET1057" was generated due to powershell.exe executing Get-Process. [1] [2]
Detection: Telemetry
Telemetry showed powershell.exe executing Get-Process. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

4.B.2
Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
Technique: File Deletion (T1107)
Detection: Technique (Alert)
A Technique alert detection (medium severity) called "Sdelete Usage" was generated due to sdelete64.exe deleting cod.3aka3.scr. [1] [2]
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Evading Detection" occurred, containing evidence of sdelete64.exe deleting files. [1]
Detection: Telemetry
Telemetry showed sdelete64.exe running with command-line arguments to delete the file, and the subsequent file rename and delete events. [1]

4.B.3
Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file Draft.zip
Technique: File Deletion (T1107)
Detection: Technique (Alert)
A Technique alert detection (medium severity) called "Sdelete Usage" was generated due to sdelete64.exe deleting Draft.zip. [1] [2]
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Evading Detection" occurred, containing evidence of sdelete64.exe deleting files. [1]
Detection: Telemetry
Telemetry showed sdelete64.exe running with command-line arguments to delete the file, and the subsequent file rename and delete events. [1]

4.B.4
Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
Technique: File Deletion (T1107)
Detection: Technique (Alert)
A Technique alert detection (medium severity) called "Sdelete Usage" was generated due to sdelete64.exe deleting SysinternalsSuite.zip. [1] [2]
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Evading Detection" occurred, containing evidence of sdelete64.exe deleting files. [1]
Detection: Telemetry
Telemetry showed sdelete64.exe running with command-line arguments to delete the file, and the subsequent file rename and delete events. [1]
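Steps 4.B.2 to 4.B.4 were alerted on by name ("Sdelete Usage"), and the telemetry notes add the rename-and-delete sequence that SDelete leaves behind. That sequence is worth detecting on its own, because the attacker later deletes SDelete itself (9.C.4) and could just as easily have renamed it before use, which defeats any rule keyed on "sdelete" in the image name. The block below is an added example, not vendor or MITRE code: it assumes SDelete renames a file 26 times to same-length names made of a single repeated letter (A..., B..., and so on) before deleting it, models file events as Python dicts (field names assumed), and recovers the original path of a wiped file from a constructed event stream. A name-based check on the command line is included for comparison.

```python
"""Added example: recover SDelete-style wipes from file rename/delete telemetry."""
import os
import re
import string

# A name made of one repeated capital letter, optionally with an extension of the
# same letter, e.g. "AAAAAAAAA.AAA" (the assumed SDelete rename pattern).
WIPE_NAME = re.compile(r"^([A-Z])\1*(?:\.\1+)?$")


def _leaf(path):
    """Final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def wipe_chains(file_events):
    """Walk rename events in order. A file renamed through A..., B..., C... names
    and then deleted is reported under its original path, whatever process did it."""
    chains = {}  # current path -> (original path, letters seen so far)
    results = []
    for ev in file_events:
        if ev["op"] == "rename":
            origin, letters = chains.pop(ev["path"], (ev["path"], ""))
            match = WIPE_NAME.match(_leaf(ev["new_path"]))
            if match:  # a rename to an ordinary name simply drops the chain
                chains[ev["new_path"]] = (origin, letters + match.group(1))
        elif ev["op"] == "delete":
            origin, letters = chains.pop(ev["path"], (None, ""))
            if origin and len(letters) >= 3 and letters == string.ascii_uppercase[:len(letters)]:
                results.append({"original": origin, "renames": len(letters),
                                "process": ev["process"]})
    return results


def sdelete_cmdline_target(cmdline):
    """Name-based check for comparison: the last token of an sdelete*.exe command
    line is the file being wiped (whitespace split, so quoted paths are not handled).
    Returns None for any other image, which is why the chain check above matters."""
    tokens = cmdline.split()
    if not tokens or "sdelete" not in _leaf(tokens[0]).lower():
        return None
    return tokens[-1]


def sdelete_like_events(path, process="sdelete64.exe"):
    """Constructed event stream (not vendor telemetry) mimicking a file wiped by
    SDelete: 26 renames to same-length names of successive letters, then a delete."""
    directory, name = path.rsplit("\\", 1)
    stem, ext = os.path.splitext(name)
    events, current = [], path
    for letter in string.ascii_uppercase:
        new_name = letter * len(stem) + (("." + letter * (len(ext) - 1)) if ext else "")
        new_path = directory + "\\" + new_name
        events.append({"op": "rename", "path": current, "new_path": new_path, "process": process})
        current = new_path
    events.append({"op": "delete", "path": current, "process": process})
    return events


# One SDelete-style wipe of the dropper plus an ordinary rename-then-delete that must not fire.
SAMPLE_EVENTS = sdelete_like_events("C:\\Users\\Pam\\Downloads\\rcs.3aka3.doc") + [
    {"op": "rename", "path": "C:\\tmp\\a.txt", "new_path": "C:\\tmp\\b.txt", "process": "cmd.exe"},
    {"op": "delete", "path": "C:\\tmp\\b.txt", "process": "cmd.exe"},
]

if __name__ == "__main__":
    print(wipe_chains(SAMPLE_EVENTS))
    print(sdelete_cmdline_target("sdelete64.exe -p 2 -accepteula C:\\Users\\Pam\\Downloads\\rcs.3aka3.doc"))
```

The chain check needs rename telemetry that carries both the old and the new path and is delivered in order; with that, the finding names the file that was wiped (rcs.3aka3.doc here) even when the tool's command line was never seen or the tool was renamed.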
4.C.1
Procedure: Enumerated user's temporary directory path using PowerShell
Criteria: powershell.exe executing $env:TEMP
Technique: File and Directory Discovery (T1083)
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Environment Enumeration" occurred, containing evidence of an "Invoke-Discovery" function definition using $env:TEMP. [1]
Detection: Telemetry
Telemetry showed powershell.exe executing $env:TEMP. [1]

4.C.2
Procedure: Enumerated the current username using PowerShell
Criteria: powershell.exe executing $env:USERNAME
Technique: System Owner/User Discovery (T1033)
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Environment Enumeration" occurred, containing evidence of an "Invoke-Discovery" function definition using $env:USERNAME. [1]
Detection: Telemetry
Telemetry showed powershell.exe executing $env:USERNAME. [1]

4.C.3
Procedure: Enumerated the computer hostname using PowerShell
Criteria: powershell.exe executing $env:COMPUTERNAME
Technique: System Information Discovery (T1082)
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Environment Enumeration" occurred, containing evidence of an "Invoke-Discovery" function definition using $env:COMPUTERNAME. [1]
Detection: Telemetry
Telemetry showed powershell.exe executing $env:COMPUTERNAME. [1]

4.C.4
Procedure: Enumerated the current domain name using PowerShell
Criteria: powershell.exe executing $env:USERDOMAIN
Technique: System Network Configuration Discovery (T1016)
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Environment Enumeration" occurred, containing evidence of an "Invoke-Discovery" function definition using $env:USERDOMAIN. [1]
Detection: Telemetry
Telemetry showed powershell.exe executing $env:USERDOMAIN. [1]

4.C.5
Procedure: Enumerated the current process ID using PowerShell
Criteria: powershell.exe executing $PID
Technique: Process Discovery (T1057)
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Environment Enumeration" occurred, containing evidence of an "Invoke-Discovery" function definition using $PID. [1]
Detection: Telemetry
Telemetry showed powershell.exe executing $PID. [1]

4.C.6
Procedure: Enumerated the OS version using PowerShell
Criteria: powershell.exe executing Gwmi Win32_OperatingSystem
Technique: System Information Discovery (T1082)
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Environment Enumeration" occurred, containing evidence of an "Invoke-Discovery" function definition using Gwmi Win32_OperatingSystem. [1]
Detection: Telemetry
Telemetry showed powershell.exe executing Gwmi Win32_OperatingSystem. [1]

4.C.7
Procedure: Enumerated anti-virus software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Technique: Security Software Discovery (T1063)
Detection: Technique (Alert)
A Technique alert detection (high severity) called "Win_SecSoftwareEnum_Powershell_MITRETT1063" was generated when powershell.exe called Get-WmiObject with AntiVirusProduct. [1]
Detection: Technique (Alert)
A Technique alert detection (medium severity) called "Win_WMI_SecProduct_Enum_NonSYS_MITRET1063" was generated when a WMI query targeted AntiVirusProduct. [1]
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Environment Enumeration" occurred, containing evidence of an "Invoke-Discovery" function definition using Get-WmiObject with AntiVirusProduct. An alert for "Win_SecSoftwareEnum_Powershell_MITRETT1063" was shown. [1] [2]
Detection: Telemetry
Telemetry showed powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

4.C.8
Procedure: Enumerated firewall software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Technique: Security Software Discovery (T1063)
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Environment Enumeration" occurred, containing evidence of an "Invoke-Discovery" function definition using Get-WmiObject targeting FireWallProduct. [1]
Detection: Telemetry
Telemetry showed powershell.exe executing Get-WmiObject targeting FireWallProduct. [1]

4.C.9
Procedure: Enumerated user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API
Technique: Permission Groups Discovery (T1069)
Detection: None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though host interrogation was performed to view the Invoke-NetUserGetGroups definition and execution. [1] [2]

4.C.10
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
Detection: None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though host interrogation was performed to view the Invoke-NetUserGetGroups definition and execution. [1]

4.C.11
Procedure: Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria: powershell.exe executing the NetUserGetLocalGroups API
Technique: Permission Groups Discovery (T1069)
Detection: None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though host interrogation was performed to view the Invoke-NetUserGetLocalGroups definition and execution. [1] [2]

4.C.12
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
Detection: None (Host Interrogation, Delayed (Manual))
No detection capability demonstrated for this procedure, though host interrogation was performed to view the Invoke-NetUserGetLocalGroups definition and execution. [1]
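Each of 4.C.1 to 4.C.8 is, on its own, an unremarkable read of an environment variable or WMI class, which is why most of them produced telemetry rather than alerts. What the MSSP actually flagged was the Invoke-Discovery function definition that bundles them, and the NetUserGetGroups and NetUserGetLocalGroups calls of 4.C.9 to 4.C.12 live in the same kind of script block. The block below is an added example, not vendor or MITRE code: it scores one PowerShell script block (assumed to come from script block logging) by the number of distinct discovery indicators it contains, maps each to the technique ID used on this page, and alerts only when several co-occur. The Invoke-Discovery body it scans is constructed for the example and is not the actual APT29 script.

```python
"""Added example: score a PowerShell script block by co-occurring discovery indicators."""
import re

# indicator name -> (regex, ATT&CK technique ID as used on this page)
DISCOVERY_INDICATORS = {
    "env_temp":         (r"\$env:TEMP\b",                                          "T1083"),
    "env_username":     (r"\$env:USERNAME\b",                                      "T1033"),
    "env_computername": (r"\$env:COMPUTERNAME\b",                                  "T1082"),
    "env_userdomain":   (r"\$env:USERDOMAIN\b",                                    "T1016"),
    "pid":              (r"\$PID\b",                                               "T1057"),
    "os_version_wmi":   (r"\b(?:Get-WmiObject|gwmi)\b[^\n;]*Win32_OperatingSystem", "T1082"),
    "av_product_wmi":   (r"\b(?:Get-WmiObject|gwmi)\b[^\n;]*AntiVirusProduct",      "T1063"),
    "fw_product_wmi":   (r"\b(?:Get-WmiObject|gwmi)\b[^\n;]*FirewallProduct",       "T1063"),
    "netapi_groups":    (r"\bNetUserGet(?:Local)?Groups\b",                        "T1069"),
    "netapi32_load":    (r"\bnetapi32(?:\.dll)?\b",                                "T1106"),
}
_COMPILED = {name: (re.compile(pattern, re.I), tid)
             for name, (pattern, tid) in DISCOVERY_INDICATORS.items()}


def score_script_block(text, threshold=4):
    """Count distinct indicators in one script block. One hit is ordinary
    administration; several together is a discovery routine. The threshold
    (4 here) is an assumption to tune against local baseline noise."""
    hits = {name: tid for name, (rx, tid) in _COMPILED.items() if rx.search(text)}
    return {
        "hits": hits,
        "techniques": sorted(set(hits.values())),
        "alert": len(hits) >= threshold,
    }


# Constructed script block for the example; not the APT29 script.
SAMPLE_SCRIPT_BLOCK = r'''
function Invoke-Discovery {
    $o = @{}
    $o.Temp   = $env:TEMP
    $o.User   = $env:USERNAME
    $o.Host   = $env:COMPUTERNAME
    $o.Domain = $env:USERDOMAIN
    $o.Pid    = $PID
    $o.OS     = (gwmi Win32_OperatingSystem).Caption
    $o.AV     = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
    $o.FW     = Get-WmiObject -Namespace root\SecurityCenter2 -Class FirewallProduct
    $o
}
'''

if __name__ == "__main__":
    print(score_script_block(SAMPLE_SCRIPT_BLOCK))
    print(score_script_block("Get-ChildItem $env:TEMP"))
```

The sample block trips eight indicators and alerts; a lone `Get-ChildItem $env:TEMP` trips one and does not. Scoring the block rather than each command also covers the reflective Netapi32.dll load of 4.C.10 and 4.C.12, where the individual API call never shows up as a separate command line.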
5.A.1
Procedure: Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria: powershell.exe creating the javamtsup service
Technique: New Service (T1050)
Detection: Technique (Alert)
A Technique alert detection (high severity) called "Win_Powershell_NewService_MITRET1050" was generated due to PowerShell creating the new service javamtsup. [1] [2]
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Persistence Mechanisms" occurred, containing evidence of the javamtsup service launching C:\Windows\System32\javamtsup.exe and of New-Service cmdlet usage. [1]

5.B.1
Procedure: Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria: powershell.exe creating the file hostui.lnk in the Startup folder
Technique: Registry Run Keys / Startup Folder (T1060)
Detection: Technique (Alert)
A Technique alert detection (info severity) called "Win_Persist__MITRET1060" was generated due to hostui.lnk being written to the Startup folder. [1]
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Persistence Mechanisms" occurred, containing evidence of hostui.lnk creation in the Startup folder together with a persistence alert. [1]
Detection: Telemetry
Telemetry showed the file write of hostui.lnk in the Startup folder. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

6.A.1
Procedure: Read the Chrome SQL database file to extract encrypted credentials
Criteria: accesschk.exe reading files within %LOCALAPPDATA%\Google\Chrome\User Data\Default\
Technique: Credentials in Files (T1081)
Detection: None
No detection capability demonstrated for this procedure.

6.A.2
Procedure: Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectData API
Technique: Credential Dumping (T1003)
Detection: None
No detection capability demonstrated for this procedure.

6.A.3
Procedure: Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
Technique: Masquerading (T1036)
Detection: Telemetry
Telemetry showed that accesschk.exe is not a signed Microsoft binary and provided its hash value, which can be used to verify that it is not the legitimate Sysinternals tool. [1]

6.B.1
Procedure: Exported a local certificate to a PFX file using PowerShell
Criteria: powershell.exe creating a certificate file exported from the system
Technique: Private Keys (T1145)
Detection: Technique (Alert)
A Technique alert detection (medium severity) called "Win_PrivateKey_Modification_MITRET1145" was generated when the new $RandomFileName.pfx file was created. [1]
Detection: Telemetry
Telemetry showed a file create event for a $RandomFileName.pfx file by powershell.exe. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

6.C.1
Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into lsass.exe
Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Technique: Credential Dumping (T1003)
Detection: Technique (Alert)
A Technique alert detection (high severity) called "Win_lsass_Injection_MITRET1003" was generated when powershell.exe targeted and injected into lsass.exe. According to the vendor, this behavior would have been blocked. [1]
Detection: Telemetry
Telemetry showed powershell.exe injecting a malicious payload into lsass.exe. According to the vendor, this behavior would have been blocked. [1]

7.A.1
Procedure: Captured and saved screenshots using PowerShell
Criteria: powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Technique: Screen Capture (T1113)
Detection: Telemetry
Telemetry showed powershell.exe executing CopyFromScreen from System.Drawing.dll. [1]

7.A.2
Procedure: Captured clipboard contents using PowerShell
Criteria: powershell.exe executing Get-Clipboard
Technique: Clipboard Data (T1115)
Detection: Technique (Alert)
A Technique alert detection (high severity) called "Win_Clipboard_Execution_MITRET1115" was generated due to a PowerShell payload containing Get-Clipboard. [1]
Detection: Telemetry
Telemetry showed powershell.exe executing Get-Clipboard. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

7.A.3
Procedure: Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API
Technique: Input Capture (T1056)
Detection: Telemetry
Telemetry showed PowerShell calling the GetAsyncKeyState API. [1]

7.B.1
Procedure: Read data in the user's Downloads directory using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\Downloads\
Technique: Data from Local System (T1005)
Detection: None
No detection capability demonstrated for this procedure.

7.B.2
Procedure: Compressed data from the user's Downloads directory into a 7-Zip archive (OfficeSupplies.7z) using PowerShell
Criteria: powershell.exe creating the file OfficeSupplies.7z
Technique: Data Compressed (T1002)
Detection: Telemetry
Telemetry showed the file write event for OfficeSupplies.7z. [1]

7.B.3
Procedure: Encrypted data from the user's Downloads directory using PowerShell
Criteria: powershell.exe executing Compress-7Zip with the password argument used for encryption
Technique: Data Encrypted (T1022)
Detection: Telemetry
Telemetry showed powershell.exe executing Compress-7Zip with arguments for encryption. [1]

7.B.4
Procedure: Exfiltrated collection (OfficeSupplies.7z) to a WebDAV network share using PowerShell
Criteria: powershell.exe executing Copy-Item pointing to an attacker-controlled WebDAV network share (192.168.0.4:80)
Technique: Exfiltration Over Alternative Protocol (T1048)
Detection: General (Alert)
A General alert detection (info severity) was generated for PowerShell making a network connection. [1]
Detection: Telemetry
Telemetry showed PowerShell Copy-Item to the remote adversary WebDAV network share (192.168.0.4). [1]

8.A.1
Procedure: Enumerated remote systems using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Technique: Remote System Discovery (T1018)
Detection: General (Alert)
A General alert detection (info severity) was generated for PowerShell making a network connection. [1]
Detection: Telemetry
Telemetry showed powershell.exe establishing a connection to NewYork (10.0.0.4) over port 389. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

8.A.2
Procedure: Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria: Network connection to Scranton (10.0.1.4) over port 5985
Technique: Windows Remote Management (T1028)
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Lateral Movement" occurred, containing evidence of Invoke-WinRMSession with a "Win_WinRM_Invoke-Command_MITRET1028" alert. [1] [2]
Detection: Telemetry
Telemetry showed a network connection to remote host Scranton (10.0.1.4) over port 5985. [1]

8.A.3
Procedure: Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Detection: Technique (Alert)
A Technique alert detection (low severity) called "Win_GetSystemProcess_Powershell_MITRET1057" was generated due to a PowerShell payload containing Get-Process. [1]
Detection: Telemetry
Telemetry showed powershell.exe executing Get-Process. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

8.B.1
Procedure: Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria: The file python.exe created on Scranton (10.0.1.4)
Technique: Remote File Copy (T1105)
Detection: General (Delayed (Processing), Alert)
A General alert detection was generated identifying python.exe as malware. Detection incurred a delay due to the file being uploaded for sandbox analysis. [1]
Detection: Telemetry
Telemetry showed a file write event of python.exe. [1]

8.B.2
Procedure: python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed
Technique: Software Packing (T1045)
Detection: Telemetry (Delayed (Processing))
Telemetry showed, via static analysis, that python.exe was packed. Detection incurred a delay due to the file being uploaded for sandbox analysis. [1]

8.C.1
Procedure: Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)
Technique: Valid Accounts (T1078)
Detection: Telemetry
Telemetry showed a valid logon on Scranton (10.0.1.4) as user Pam. [1]

8.C.2
Procedure: Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Technique: Windows Admin Shares (T1077)
Detection: Technique (Alert)
A Technique alert detection (low severity) called "Win_NetDrive_DataInteraction_MITRET1039" was generated due to PowerShell targeting a network drive. [1]
Detection: General (Alert)
A General alert detection (info severity) called "Win_Network_CommonPorts_MitreT1043" was generated due to a connection from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 135. [1]
Detection: Telemetry
Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 135. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

8.C.3
Procedure: Executed python.exe using PsExec
Criteria: python.exe spawned by PSEXESVC.exe
Technique: Service Execution (T1035)
Detection: Telemetry
Telemetry showed python.exe spawned by PSEXESVC.exe. [1]

9.A.1
Procedure: Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file rar.exe
Technique: Remote File Copy (T1105)
Detection: Telemetry
Telemetry showed a file create event for python.exe creating rar.exe. [1]

9.A.2
Procedure: Dropped sdelete64.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file sdelete64.exe
Technique: Remote File Copy (T1105)
Detection: Telemetry
Telemetry showed a file create event for python.exe creating sdelete64.exe. [1]

9.B.1
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from python.exe
Technique: PowerShell (T1086)
Detection: Tactic (Alert)
A Tactic alert detection (info severity) called "Win_User_Execution_MITRET1204" was generated due to a process targeting an *.exe filename. [1]
Detection: Telemetry
Telemetry showed python.exe executing powershell.exe. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

9.B.2
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery (T1083)
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Win_AutomatedCollection_DirScanART_MITRET1119" occurred, containing evidence of powershell.exe executing Get-ChildItem. [1] [2]
Detection: Telemetry
Telemetry showed PowerShell executing Get-ChildItem. [1]

9.B.3
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection (T1119)
Detection: Technique (Alert)
A Technique alert detection (high severity) called "Win_AutomatedCollection_DirScanART_MITRET1119" was generated due to powershell.exe executing Get-ChildItem. [1]
Detection: MSSP (Delayed (Manual))
An MSSP detection for "Win_AutomatedCollection_DirScanART_MITRET1119" occurred, containing evidence of powershell.exe executing Get-ChildItem. [1] [2]
Detection: Telemetry
Telemetry showed powershell.exe executing Get-ChildItem. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

9.B.4
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System (T1005)
Detection: None
No detection capability demonstrated for this procedure.

9.B.5
Procedure: Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
Criteria: powershell.exe creating the file working.zip
Technique: Data Staged (T1074)
Detection: General (Alert)
A General alert detection (medium severity) called "Win_FileExtensions_LocalSystemCollection_NonSys_MITRET1005" was generated for file activity involving draft.zip. [1]
Detection: Telemetry
Telemetry showed a file write event for powershell.exe creating working.zip. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

9.B.6
Procedure: Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe with the -hp parameter supplying a password to use for encryption
Technique: Data Encrypted (T1022)
Detection: Technique (Alert)
A Technique alert detection (info severity) called "Win_Data_Encryption_MITRET1022" was generated when rar.exe used the "-hp" command-line argument. [1]
Detection: General (Alert)
A General alert detection (low severity) called "One-Liner ML Module" was generated when machine learning determined the command was suspicious. [1]
Detection: Telemetry
Telemetry showed powershell.exe executing rar.exe with command-line arguments. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.

9.B.7
Procedure: Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe
Technique: Data Compressed (T1002)
Detection: General (Alert)
A General alert detection (low severity) called "One-Liner ML Module" was generated when machine learning determined the command was suspicious. [1]
Detection: Telemetry
Telemetry showed powershell.exe executing rar.exe with command-line arguments. [1]
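Steps 7.B.3 and 9.B.6 both encrypt the staged archive through a password passed on the command line (Compress-7Zip -Password, rar -hp), and the "Win_Data_Encryption_MITRET1022" alert above keyed on the -hp switch. The block below is an added example, not vendor or MITRE code, that covers both steps with one parser: it inspects constructed command lines for the password switches of rar.exe (-hp encrypts file headers and data, -p data only, and -p- explicitly disables the password prompt, so it must not count) and for the -Password parameter of Compress-7Zip, and returns one finding per encrypted-archive command. The command lines are constructed for the example and are not the ones captured in the evaluation.

```python
"""Added example: find password-protected archive creation in process command lines."""
import re

# "rar a ..." or "rar.exe a ..." (the a command adds files to an archive), quoted or not
RAR_ARCHIVE_CMD = re.compile(r"\brar(?:\.exe)?['\"]?\s+a\b", re.I)
# -hp<pwd> encrypts headers and data, -p<pwd> data only, -p- means "no password"
RAR_PASSWORD = re.compile(r"(?:^|\s)-(hp|p)(\S+)", re.I)
PS_7ZIP_CMD = re.compile(r"\bCompress-7Zip\b", re.I)
PS_7ZIP_PASSWORD = re.compile(r"-Password\b", re.I)


def archive_encryption_findings(cmdline):
    """Return a list of finding names for one command line (empty if benign)."""
    findings = []
    if RAR_ARCHIVE_CMD.search(cmdline):
        for match in RAR_PASSWORD.finditer(cmdline):
            switch, value = match.group(1).lower(), match.group(2)
            if value == "-":  # "-p-" disables the prompt; it is not a password
                continue
            findings.append("rar_headers_and_data_encrypted" if switch == "hp"
                            else "rar_data_encrypted")
    if PS_7ZIP_CMD.search(cmdline) and PS_7ZIP_PASSWORD.search(cmdline):
        findings.append("compress7zip_password_set")
    return findings


def scan(cmdlines):
    """Map label -> findings for every command line that produced one."""
    return {label: f for label, cl in cmdlines.items() if (f := archive_encryption_findings(cl))}


# Constructed command lines (not evaluation captures).
SAMPLE_COMMAND_LINES = {
    "rar_hp": "powershell.exe -c \"& 'C:\\Users\\Pam\\rar.exe' a -hpSecret123 "
              "C:\\Users\\Pam\\Desktop\\working.zip C:\\Users\\Pam\\AppData\\Roaming\\working.zip\"",
    "7zip_password": "powershell.exe -c \"Compress-7Zip -Path C:\\Users\\Pam\\Downloads "
                     "-ArchiveFileName OfficeSupplies.7z -Format SevenZip -Password 'Secret123'\"",
    "rar_no_password": "rar.exe a -p- backup.rar C:\\data",
    "rar_plain": "rar.exe a backup.rar C:\\data",
}

if __name__ == "__main__":
    for label, findings in scan(SAMPLE_COMMAND_LINES).items():
        print(label, findings)
```

The distinction between -hp and -p is worth keeping in the finding name: with -hp the file list inside the archive is encrypted too, so a later forensic look at the staged file cannot even tell what was taken without the password.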
9.B.8
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443) python.exe reading the file working.zip while connected to the C2 channel
Exfiltration Over Command and Control Channel
(T1041)
None
No detection capability demonstrated for this procedure.
9.C.1
Deleted rar.exe on disk using SDelete sdelete64.exe deleting the file rar.exe
File Deletion
(T1107)
Technique (Alert)
A Technique alert detection (medium severity) called "Sdelete Usage" was generated when sdelete64.exe with command-line arguments was used to delete rar.exe. [1]
MSSP (Delayed (Manual))
A MSSP detection for "Evading Detection" occurred containing evidence of sdelete64.exe deleting files. [1]
Telemetry
Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. [1]
9.C.2
Deleted working.zip (from Desktop) on disk using SDelete sdelete64.exe deleting the file \Desktop\working.zip
File Deletion
(T1107)
Technique (Alert)
A Technique alert detection (medium severity) called "Sdelete Usage" was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip. [1]
MSSP (Delayed (Manual))
A MSSP detection for "Evading Detection" occurred containing evidence of sdelete64.exe deleting files. [1]
Telemetry
Telemetry showed sdelete64.exe with command-line arguments to delete Desktop\working.zip. [1] [2]
9.C.3
Deleted working.zip (from AppData directory) on disk using SDelete sdelete64.exe deleting the file \AppData\Roaming\working.zip
File Deletion
(T1107)
MSSP (Delayed (Manual))
A MSSP detection for "Evading Detection" occurred containing evidence of sdelete64.exe deleting files. [1]
Telemetry
Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. [1]
9.C.4
Deleted SDelete on disk using cmd.exe del command cmd.exe deleting the file sdelete64.exe
File Deletion
(T1107)
Telemetry
Telemetry showed a DeleteOnClose event for cmd.exe removing sdelete64.exe. [1]
10.A.1
Executed persistent service (javamtsup) on system startup javamtsup.exe spawning from services.exe
Service Execution
(T1035)
None
No detection capability demonstrated for this procedure.
10.B.1
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Registry Run Keys / Startup Folder
(T1060)
None
No detection capability demonstrated for this procedure.
10.B.2
Executed PowerShell payload via the CreateProcessWithToken API
hostui.exe executing the CreateProcessWithToken API
Execution through API
(T1106)
None
No detection capability demonstrated for this procedure.
10.B.3
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Access Token Manipulation
(T1134)
None
No detection capability demonstrated for this procedure.
11.A.1
User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
powershell.exe spawning from explorer.exe
User Execution
(T1204)
Technique (Alert)
A Technique alert detection (high severity) called "Fileless Powershell Malware" was generated due to PowerShell invoking a script in a temporary directory. [1]
Telemetry
Telemetry showed explorer.exe executing powershell.exe. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.2
Executed an alternate data stream (ADS) using PowerShell
powershell.exe executing the schemas ADS via Get-Content and IEX
NTFS File Attributes
(T1096)
General (Alert)
A General alert detection (high severity) called "Fileless Powershell Malware" was generated due to PowerShell executing a payload with IEX and Get-Content. [1]
Telemetry
Telemetry showed powershell.exe executing the schemas ADS with Get-Content and IEX. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.3
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Virtualization/Sandbox Evasion
(T1497)
Tactic (Alert)
A Tactic alert detection (medium severity) for a WMI query operation via PowerShell was generated for a PowerShell gwmi query for Win32_BIOS. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_BIOS. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.4
Enumerated computer manufacturer, model, and version information using PowerShell
powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
System Information Discovery
(T1082)
Tactic (Alert)
A Tactic alert detection (medium severity) for WMI query operations via PowerShell was generated for a PowerShell gwmi query for Win32_BIOS. [1]
Tactic (Alert)
A Tactic alert detection (medium severity) for WMI query operations via PowerShell was generated for a PowerShell gwmi query for Win32_ComputerSystem. [1]
Telemetry
Telemetry showed the PowerShell gwmi queries for Win32_BIOS and Win32_ComputerSystem. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.5
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Peripheral Device Discovery
(T1120)
Tactic (Alert)
A Tactic alert detection (medium severity) for WMI query operations via PowerShell was generated for the PowerShell gwmi query for Win32_PnPEntity. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_PnPEntity. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.6
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Owner/User Discovery
(T1033)
Tactic (Alert)
A Tactic alert detection (medium severity) for a suspicious WMI query operation was generated for a WMI operation via PowerShell. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_ComputerSystem. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.7
Checked that the computer is joined to a domain using PowerShell
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Network Configuration Discovery
(T1016)
Tactic (Alert)
A Tactic alert detection (medium severity) for a suspicious WMI query operation was generated for a WMI operation via PowerShell. [1]
Telemetry
Telemetry showed the powershell.exe gwmi query for Win32_ComputerSystem. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.8
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell
powershell.exe executing a Get-WmiObject query for Win32_Process
Process Discovery
(T1057)
Tactic (Alert)
A Tactic alert detection (medium severity) for a suspicious WMI query operation was generated for a WMI operation via PowerShell. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_Process. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.9
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell
powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
File and Directory Discovery
(T1083)
Telemetry
Telemetry showed PowerShell executing Get-Item for the current path. [1]
11.A.10
Decoded an embedded DLL payload to disk using certutil.exe
certutil.exe decoding kxwn.lock
Deobfuscate/Decode Files or Information
(T1140)
Technique (Alert)
A Technique alert detection (medium severity) called "Win_Certutil_Deobfuscation-DecodeFilesOrInformation_MITRET1140" was generated when certutil.exe decoded the payload with command-line arguments. [1]
Telemetry
Telemetry showed the certutil.exe process and corresponding file write of the kxwn.lock payload. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.11
Established Registry Run key persistence using PowerShell
Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry Run Keys / Startup Folder
(T1060)
Technique (Alert)
A Technique alert detection (info severity) called "Win_Persist_MITRET1060" was generated when Webcache subkey was added to the Registry Run key. [1]
Telemetry
Telemetry showed powershell.exe adding Run key persistence into the Registry. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.12
Executed PowerShell stager payload
powershell.exe spawning from the schemas ADS (powershell.exe)
PowerShell
(T1086)
Technique (Alert)
A Technique alert detection (medium severity) called "Win_Powershell_Base64_MITRE1027" was generated on PowerShell usage of base64 encoding or decoding. [1]
Telemetry
Telemetry showed powershell.exe spawned from a PowerShell stager. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.13
Established C2 channel (192.168.0.4) via PowerShell payload over port 443
Established network channel over port 443
Commonly Used Port
(T1043)
Technique (Alert)
A Technique alert detection (info severity) called "Win_Network_CommonPorts_MITRET1043" was generated when powershell.exe made a network connection to C2 (192.168.0.4) over port 443. [1]
Telemetry
Telemetry showed powershell.exe making a network connection to the C2 (192.168.0.4) over port 443. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.14
Used HTTPS to transport C2 (192.168.0.4) traffic
Established network channel over the HTTPS protocol
Standard Application Layer Protocol
(T1071)
None
No detection capability demonstrated for this procedure.
11.A.15
Used HTTPS to encrypt C2 (192.168.0.4) traffic
Evidence that the network data sent over the C2 channel is encrypted
Standard Cryptographic Protocol
(T1032)
None
No detection capability demonstrated for this procedure.
12.A.1
Enumerated the System32 directory using PowerShell
powershell.exe executing gci ((gci env:windir).Value + '\system32')
File and Directory Discovery
(T1083)
Technique (Alert)
A Technique alert detection (high severity; red indicator) called "Win_AutomatedCollection_DirScanART_MITRET1119" was generated due to powershell.exe executing Get-ChildItem. [1]
Telemetry
Telemetry showed PowerShell enumeration of System32: gci ((gci env:windir).Value + '\system32'). [1]
12.A.2
Modified the time attributes of the kxwn.lock persistence payload using PowerShell
powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Timestomp
(T1099)
MSSP (Delayed (Manual))
An MSSP detection for "Evading Detection" occurred containing evidence of "timestomp" function definition. [1]
Telemetry
Telemetry showed script block with commands to timestomp kxwn.lock. [1]
12.B.1
Enumerated registered AV products using PowerShell
powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Security Software Discovery
(T1063)
Technique (Alert)
A Technique alert detection (medium severity) called "Win_WMI_SecProduct_Enum_NonSYS_MITRET1063" was generated due to PowerShell gwmi query for AntiVirusProduct. [1]
Telemetry
Telemetry showed PowerShell gwmi query for AntiVirusProduct. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
12.C.1
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell
powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
Telemetry
Telemetry showed script block with registry query for installed software. [1]
12.C.2
Enumerated installed software via the Registry (Uninstall key) using PowerShell
powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
Telemetry
Telemetry showed script block with registry query for installed software. [1]
13.A.1
Enumerated the computer name using the GetComputerNameEx API
powershell.exe executing the GetComputerNameEx API
System Information Discovery
(T1082)
Telemetry
Telemetry showed PowerShell calling the GetComputerNameEx API. [1]
13.B.1
Enumerated the domain name using the NetWkstaGetInfo API
powershell.exe executing the NetWkstaGetInfo API
System Network Configuration Discovery
(T1016)
Telemetry
Telemetry showed PowerShell calling the NetWkstaGetInfo API. [1]
13.C.1
Enumerated the current username using the GetUserNameEx API
powershell.exe executing the GetUserNameEx API
System Owner/User Discovery
(T1033)
Telemetry
Telemetry showed PowerShell script block log function definition of "user" containing the GetUserNameEx API. [1]
13.D.1
Enumerated running processes using the CreateToolhelp32Snapshot API
powershell.exe executing the CreateToolhelp32Snapshot API
Process Discovery
(T1057)
Telemetry (Configuration Change (UX))
Telemetry showed PowerShell script block log function definition of "pslist" containing the CreateToolhelp32Snapshot API. A UX Configuration Change was made to update PowerShell script block logging truncation length. [1]
14.A.1
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Component Object Model Hijacking
(T1122)
Telemetry
Telemetry showed PowerShell script block to add the DelegateExecute subkey into the Registry. [1]
14.A.2
Executed elevated PowerShell payload
High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)