
Palo Alto Networks: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.


MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, MSSP, General, Tactic, Specific Behavior, Technique, Enrichment

Detection Modifiers: Tainted, Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative
Results by step. Each entry gives the Step, the Procedure, the detection Criteria, the Technique with its ATT&CK ID, and one line per Detection Type with its Detection Notes; bracketed numbers refer to the supporting screenshots.

Step 1.A.1
Procedure: User Pam executed payload rcs.3aka3.doc
Criteria: The rcs.3aka3.doc process spawning from explorer.exe
Technique: User Execution (T1204)
- General (Alert): A General alert detection (medium severity) was generated for rcs.3aka3.doc being tagged as malware. According to the vendor, payload execution would have been prevented because WildFire labeled the payload as malicious. [1]
- MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of the user Pam executing the malicious document rcs.3aka3.doc. [1]
- Telemetry: Telemetry showed explorer.exe executing rcs.3aka3.doc. [1]

Step 1.A.2
Procedure: Used the Unicode right-to-left override (RTLO) character to obfuscate the file name rcs.3aka3.doc (originally cod.3aka3.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka3.scr)
Technique: Masquerading (T1036)
- Technique (Alert): A Technique alert detection (low severity) was generated for rcs.3aka3.doc, identified as a screensaver process, executing from a users or temporary folder. [1]
- MSSP (Delayed (Manual)): An MSSP detection for Masquerading (T1036) occurred containing evidence of the RTLO character used to obfuscate the payload file name. [1]
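The 1.A.2 criteria turn on the U+202E control character itself, not on the name a user sees in Explorer or a process list. The Python below is an added example (not part of the evaluation or of any vendor tooling) that reconstructs what a bidi-unaware viewer would have displayed for the payload, recovers the extension Windows will actually honour, and applies an approximation of the vendor's "screensaver process executing from users or temporary folder" rule to constructed process-create events. The path regex, the event field names and the sample events are assumptions made for the example.

```python
"""Bidi-override filename spoofing check (step 1.A.2 style telemetry).
Added example; events below are constructed, not evaluation data."""
import re

# Unicode bidi controls that let "cod.3aka3.scr" render as "rcs.3aka3.doc".
BIDI_CONTROLS = {
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
    "\u202a": "LEFT-TO-RIGHT EMBEDDING",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
}

# Assumed approximation of the "users or temporary folder" part of the
# vendor alert: any per-user profile path or a Temp directory.
USER_OR_TEMP = re.compile(r"\\Users\\[^\\]+\\|\\Temp\\|\\Tmp\\", re.IGNORECASE)


def rendered_name(name):
    """Approximate what a bidi-unaware viewer shows for `name`.
    Only U+202E over ASCII is modelled: everything after the override is
    drawn reversed, which is exactly the trick used in the emulation."""
    idx = name.find("\u202e")
    if idx < 0:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def _extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def analyze_filename(name):
    """Report what the user saw versus what the OS will execute."""
    controls = sorted({BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS})
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    shown = rendered_name(name)
    return {
        "suspicious": bool(controls),
        "controls": controls,
        "displayed_as": shown,
        "displayed_extension": _extension(shown),
        "real_extension": _extension(clean),
    }


def check_process_create(event):
    """Rules over one process-create event with an `image` path."""
    image = event["image"]
    info = analyze_filename(image.rsplit("\\", 1)[-1])
    hits = []
    if info["suspicious"]:
        hits.append("bidi_override_in_image_name")
        if info["real_extension"] != info["displayed_extension"]:
            hits.append("extension_spoofed")
    if info["real_extension"] == ".scr" and USER_OR_TEMP.search(image):
        hits.append("screensaver_from_user_or_temp_path")
    return hits


# Constructed events: the masqueraded payload and a benign Office launch.
SAMPLE_EVENTS = [
    {"image": "C:\\Users\\Pam\\Downloads\\\u202ecod.3aka3.scr",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "parent_image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        # Escape the control character so the terminal does not get spoofed too.
        print(ev["image"].encode("unicode_escape").decode(), check_process_create(ev))
```

Telemetry pipelines that strip or escape non-printing characters before indexing will lose the U+202E evidence; if the criteria are to be met from stored data, the raw image path (or an escaped form of it) has to be preserved alongside the normalized one.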

Step 1.A.3
Procedure: Established C2 channel (192.168.0.5) via the rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234
Technique: Uncommonly Used Port (T1065)
- MSSP (Delayed (Manual)): An MSSP detection for Uncommonly Used Port (T1065) occurred containing evidence of the rcs.3aka3.doc process connecting to 192.168.0.5 on TCP port 1234. [1]
- Telemetry: Telemetry showed the rcs.3aka3.doc process connecting to 192.168.0.5 on TCP port 1234. [1]

Step 1.A.4
Procedure: Used the RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
- None: No detection capability demonstrated for this procedure, though data showed rcs.3aka3.doc loading cryptographic libraries. [1]

Step 1.B.1
Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
Technique: Command-Line Interface (T1059)
- Technique (Alert): A Technique alert detection was generated for a command-line interface spawned from a process identified as malware with an active network connection. [1] [2]
- MSSP (Delayed (Manual)): An MSSP detection for Command-Line Interface (T1059) occurred containing evidence of cmd.exe spawning from rcs.3aka3.doc. [1]
- Telemetry (Correlated): Telemetry showed cmd.exe spawning from rcs.3aka3.doc. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 1.B.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
Technique: PowerShell (T1086)
- MSSP (Delayed (Manual)): An MSSP detection for PowerShell (T1086) occurred containing evidence of powershell.exe spawning from cmd.exe. [1]
- Telemetry (Correlated): Telemetry showed powershell.exe spawning from cmd.exe. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
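Most Telemetry entries on this page carry the Correlated modifier: the event was attached to the earlier alert on rcs.3aka3.doc by walking the process tree back to the alerted ancestor. The Python below is an added example, not vendor code, of that correlation over constructed process-create events (the PIDs, paths and the set of processes holding a network connection are made up for the example). It labels cmd.exe and powershell.exe as descendants of the alerted screensaver process and separately flags a shell spawned directly from an alerted parent that holds a network connection, which is the condition the 1.B.1 Technique alert describes.

```python
"""Process-tree correlation of child events to a parent alert.
Added example over constructed events; not vendor detection code."""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Assumed approximation of the vendor's "users or temporary folder" condition.
USER_OR_TEMP = re.compile(r"\\Users\\[^\\]+\\|\\Temp\\", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def root_alert(ev):
    """Alert-level rule approximating 'screensaver process executing from
    users or temporary folder'. Returns the label or None."""
    if basename(ev.image).endswith(".scr") and USER_OR_TEMP.search(ev.image):
        return "screensaver_from_user_or_temp_path"
    return None


def correlate(events, net_pids=frozenset()):
    """Return {pid: (labels, root_pid)}. root_pid is the nearest ancestor
    that raised an alert, or None. net_pids are processes that network
    telemetry shows holding an outbound connection."""
    by_pid = {ev.pid: ev for ev in events}
    alerts = {ev.pid: root_alert(ev) for ev in events if root_alert(ev)}
    result = {}
    for ev in events:
        labels, root, seen = [], None, set()
        if ev.pid in alerts:
            labels.append(alerts[ev.pid])
        cur = by_pid.get(ev.ppid)
        # `seen` guards against cycles from PID reuse in partial telemetry.
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            if cur.pid in alerts:
                root = cur.pid
                break
            cur = by_pid.get(cur.ppid)
        if root is not None:
            labels.append("correlated_to_pid_%d" % root)
            if basename(ev.image) in SHELLS:
                labels.append("interactive_shell_under_alerted_process")
                # The 1.B.1 alert condition: shell launched straight from a
                # process already tagged as malicious that has a live socket.
                if ev.ppid in alerts and ev.ppid in net_pids:
                    labels.append("shell_from_networked_malware_parent")
        result[ev.pid] = (labels, root)
    return result


# Constructed process-create events mirroring steps 1.A.1 through 1.B.2,
# plus an unrelated notepad.exe launched by the same explorer.exe.
SAMPLE_EVENTS = [
    ProcEvent(1200, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3412, 1200, "C:\\Users\\Pam\\Downloads\\\u202ecod.3aka3.scr",
              "\"C:\\Users\\Pam\\Downloads\\\u202ecod.3aka3.scr\""),
    ProcEvent(3500, 3412, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(3600, 3500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -noprofile"),
    ProcEvent(4100, 1200, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
NET_PIDS = frozenset({3412})  # constructed: the payload holds the TCP/1234 C2 socket

if __name__ == "__main__":
    for pid, (labels, root) in correlate(SAMPLE_EVENTS, NET_PIDS).items():
        print(pid, root, labels)
```

Correlation of this kind depends on the parent process still being resolvable when the child event arrives; once the parent exits and its PID is reused, only a stored (pid, start time) pair or a process GUID keeps the chain intact.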

Step 2.A.1
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery (T1083)
- Technique (Alert, Correlated): A Technique alert detection was generated for PowerShell executing suspicious File and Directory Discovery commands. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]
- MSSP (Delayed (Manual)): An MSSP detection for File and Directory Discovery (T1083) occurred containing evidence that a discovery script used Get-ChildItem to search the filesystem for specific file patterns. [1]
- Telemetry (Correlated): Telemetry showed powershell.exe executing Get-ChildItem. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 2.A.2
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection (T1119)
- MSSP (Delayed (Manual)): An MSSP detection for Automated Collection (T1119) occurred containing evidence that a discovery script used Get-ChildItem to search the filesystem for specific file patterns. [1]
- Telemetry (Correlated): Telemetry showed powershell.exe executing Get-ChildItem. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 2.A.3
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System (T1005)
- MSSP (Delayed (Manual)): An MSSP detection for Data From Local System (T1005) occurred containing evidence that a discovery script executed file read operations on the local folder C:\Users\Pam. [1]
- Telemetry (Correlated): Telemetry showed file reads of C:\Users\Pam\*. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 2.A.4
Procedure: Compressed and stored files into a ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive
Technique: Data Compressed (T1002)
- Technique (Alert, Correlated): A Technique alert detection (red indicator) called "Scripting engine creates compressed file under suspicious folder" was generated upon identifying Draft.zip as a compressed file. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
- MSSP (Delayed (Manual)): An MSSP detection for Data Compressed (T1002) occurred containing evidence that the files C:\Users\pam\Links\Downloads.lnk, C:\Users\pam\Links\Desktop.lnk, C:\Users\pam\Favorites\Bing.url, and C:\Users\pam\Desktop\Microsoft Edge.lnk were compressed into the zip file draft.zip. [1]
- Telemetry (Correlated): Telemetry showed powershell.exe compressing via Compress-Archive. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 2.A.5
Procedure: Staged files for exfiltration into a ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file draft.zip
Technique: Data Staged (T1074)
- MSSP (Delayed (Manual)): An MSSP detection for Data Staged (T1074) occurred containing evidence that a compressed zip file named Draft.zip was created. [1]
- Telemetry (Correlated): Telemetry showed the creation of Draft.zip. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 2.B.1
Procedure: Read and downloaded the ZIP (Draft.zip) over the C2 channel (192.168.0.5 over TCP port 1234)
Criteria: The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel (T1041)
- MSSP (Delayed (Manual)): An MSSP detection for Exfiltration Over Command and Control Channel (T1041) occurred containing evidence that "After the zip file is created, it's read by cod.3aka3.scr... the timeline view shows a C2 connection from nashua to 192.168.0.5, in which cod.3aka3.scr sent 319,936 Bytes." [1]
- Telemetry (Correlated): Telemetry showed a file read event for Draft.zip and an existing C2 channel (192.168.0.5 over port 1234). The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 3.A.1
Procedure: Dropped stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png
Technique: Remote File Copy (T1105)
- MSSP (Delayed (Manual)): An MSSP detection for Remote File Copy (T1105) occurred containing evidence that cod.3aka3.scr downloaded and wrote a file named monkey.png to C:\Users\pam\Downloads. [1]
- Telemetry (Correlated): Telemetry showed rcs.3aka3.doc creating monkey.png. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 3.A.2
Procedure: Embedded PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png
Technique: Obfuscated Files or Information (T1027)
- MSSP (Delayed (Manual)): An MSSP detection for Obfuscated Files or Information occurred containing evidence of the PowerShell script contained within monkey.png. [1]
- Telemetry (Correlated): Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 3.B.1
Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute value under HKCU\Software\Classes\Folder\shell\open\command
Technique: Component Object Model Hijacking (T1122)
- General (Alert, Correlated): A General alert detection was generated identifying the Registry modification as a malware behavior threat. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]
- MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of the addition of the DelegateExecute value. [1] [2]
- Telemetry (Correlated): Telemetry showed the addition of the DelegateExecute Registry value. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 3.B.2
Procedure: Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (itself spawned from sdclt.exe)
Technique: Bypass User Account Control (T1088)
- Technique (Alert): A Technique alert detection (red indicator) called "Bypass User Account Control VIA registry hijack T1088" was generated for control.exe creating a high integrity powershell.exe. [1] [2]
- MSSP (Delayed (Manual)): An MSSP detection for "UAC bypass (T1088)" occurred for a new high integrity PowerShell callback spawning from control.exe. [1]
- Telemetry: Telemetry showed control.exe creating a high integrity powershell.exe. Though no image was captured, MITRE confirmed that the vendor has the capability to show the available telemetry in a separate view.
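Steps 3.B.1 and 3.B.2 are one chain: a per-user shell verb key is planted, sdclt.exe auto-elevates and resolves that key through control.exe, and a high-integrity powershell.exe appears; step 3.C.1 later deletes the key. The Python below is an added example, not vendor detection content, of rules over constructed registry and process-create events covering all three steps. The Folder\shell\open\command key with the DelegateExecute value is the one the evaluation exercised; the exefile\shell\runas\command key with IsolatedCommand is a second publicly documented sdclt.exe variant added here for coverage, and the mapping of HKEY_USERS\<SID> paths onto HKCU reflects how Sysmon-style telemetry names per-user hives. Field names, PIDs and command lines are made up for the example.

```python
"""Registry and process rules for the sdclt.exe auto-elevation hijack chain.
Added example with constructed events; not evaluation or vendor output."""
import re
from collections import namedtuple

RegEvent = namedtuple("RegEvent", "pid image op key value data")
ProcEvent = namedtuple("ProcEvent", "pid ppid image integrity")

# Per-user shell verb keys sdclt.exe resolves when it auto-elevates, with the
# marker value each hijack variant sets. Folder\shell\open\command is the
# key from step 3.B.1; the exefile runas variant is from public research.
HIJACK_KEYS = {
    r"HKCU\Software\Classes\Folder\shell\open\command": "DelegateExecute",
    r"HKCU\Software\Classes\exefile\shell\runas\command": "IsolatedCommand",
}
AUTO_ELEVATE_LAUNCHERS = {"sdclt.exe", "control.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def norm_key(key):
    """Fold HKEY_USERS\\<SID>\\... and HKEY_CURRENT_USER onto HKCU, lower-cased,
    so Sysmon-style and PowerShell-style key names compare equal."""
    k = re.sub(r"^(HKEY_USERS|HKU)\\S-1-5-21-[0-9-]+\\", r"HKCU\\", key, flags=re.I)
    k = re.sub(r"^HKEY_CURRENT_USER", "HKCU", k, flags=re.I)
    return k.rstrip("\\").lower()


NORMALIZED = {norm_key(k): (k, v) for k, v in HIJACK_KEYS.items()}


def detect_registry(events):
    """Flag the command and marker writes to a hijack key and its removal."""
    hits = []
    for ev in events:
        match = NORMALIZED.get(norm_key(ev.key))
        if match is None:
            continue
        canon, marker = match
        if ev.op == "SetValue" and ev.value.lower() == marker.lower():
            hits.append((ev.pid, "com_hijack_marker_set", canon, marker))
        elif ev.op == "SetValue" and ev.value in ("", "(Default)"):
            hits.append((ev.pid, "com_hijack_command_set", canon, ev.data))
        elif ev.op == "DeleteKey":
            hits.append((ev.pid, "com_hijack_artifact_removed", canon, ""))
    return hits


def detect_elevated_child(events):
    """Flag a high-integrity process whose parent is an auto-elevated launcher.
    The launchers themselves are skipped; the payload is the interesting child."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.integrity.lower() != "high" or basename(ev.image) in AUTO_ELEVATE_LAUNCHERS:
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or basename(parent.image) not in AUTO_ELEVATE_LAUNCHERS:
            continue
        if parent.integrity.lower() != "high":
            continue
        grand = by_pid.get(parent.ppid)
        chain = [basename(p.image) for p in (grand, parent, ev) if p is not None]
        hits.append((ev.pid, "high_integrity_child_of_auto_elevated_launcher", "->".join(chain)))
    return hits


# Constructed events. The second registry write arrives under the HKU\<SID>
# form to exercise the normalization; the Explorer\Advanced write is noise.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
REG_EVENTS = [
    RegEvent(3600, "powershell.exe", "SetValue",
             r"HKCU\Software\Classes\Folder\shell\open\command", "(Default)",
             r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -File C:\Users\Pam\AppData\Local\Temp\stage.ps1"),
    RegEvent(3600, "powershell.exe", "SetValue",
             "HKU\\" + USER_SID + r"\Software\Classes\Folder\shell\open\command", "DelegateExecute", ""),
    RegEvent(3600, "powershell.exe", "SetValue",
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "1"),
    RegEvent(3600, "powershell.exe", "DeleteKey",
             r"HKCU\Software\Classes\Folder\shell\Open\command", "", ""),
]
PROC_EVENTS = [
    ProcEvent(3600, 3500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "medium"),
    ProcEvent(4200, 3600, r"C:\Windows\System32\sdclt.exe", "high"),
    ProcEvent(4210, 4200, r"C:\Windows\System32\control.exe", "high"),
    ProcEvent(4220, 4210, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "high"),
    ProcEvent(4300, 1200, r"C:\Windows\System32\control.exe", "medium"),
]

if __name__ == "__main__":
    for hit in detect_registry(REG_EVENTS) + detect_elevated_child(PROC_EVENTS):
        print(hit)
```

The registry rule fires on the write, so it does not depend on sdclt.exe ever running; the process rule catches the same chain even if the key was written by a tool whose registry telemetry was missed, which is why the two are worth keeping separate rather than requiring both.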

Step 3.B.3
Procedure: Established C2 channel (192.168.0.5) via the PowerShell payload over TCP port 443
Criteria: Established network channel over port 443
Technique: Commonly Used Port (T1043)
- MSSP (Delayed (Manual)): An MSSP detection for Commonly Used Port was generated containing evidence that monkey.png performed C2 over port 443 to IP address 192.168.0.5. [1]
- Telemetry (Correlated): Telemetry showed powershell.exe connecting to 192.168.0.5 on TCP port 443. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 3.B.4
Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS
Technique: Standard Application Layer Protocol (T1071)
- None: No detection capability demonstrated for this procedure.

Step 3.B.5
Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
- None: No detection capability demonstrated for this procedure.

Step 3.C.1
Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Technique: Modify Registry (T1112)
- MSSP (Delayed (Manual)): An MSSP detection for Modify Registry "(T1070)" occurred for the deletion of the registry value. [1]
- Telemetry (Correlated): Telemetry showed the deletion of the command subkey. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 4.A.1
Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over the C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip
Technique: Remote File Copy (T1105)
- General (Alert, Correlated): A General alert detection was generated for the creation of a file identified as compressed. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]
- MSSP (Delayed (Manual)): An MSSP detection for Remote File Copy (T1105) was received. The alert stated that the privileged powershell.exe created a zip file named SysInternalsSuite.zip in the Downloads folder. [1]
- Telemetry (Correlated): Telemetry showed the file write of the ZIP by PowerShell. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 4.A.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from powershell.exe
Technique: PowerShell (T1086)
- MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of a new interactive PowerShell session being created. [1] [2]
- Telemetry (Correlated): Telemetry showed a new powershell.exe spawning from powershell.exe. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 4.A.3
Procedure: Decompressed the ZIP file (SysinternalsSuite.zip) using PowerShell
Criteria: powershell.exe executing Expand-Archive
Technique: Deobfuscate/Decode Files or Information (T1140)
- MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of powershell.exe decompressing SysinternalsSuite.zip via Expand-Archive. [1]
- Telemetry (Correlated): Telemetry showed PowerShell decompressing the ZIP via Expand-Archive and the corresponding file writes. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 4.B.1
Procedure: Enumerated currently running processes using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
- MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of powershell.exe executing Get-Process. [1]
- Telemetry (Correlated): Telemetry showed powershell.exe executing Get-Process. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 4.B.2
Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
Technique: File Deletion (T1107)
- MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of sdelete64.exe deleting cod.3aka3.scr. [1]
- Telemetry (Correlated): Telemetry showed sdelete.exe running with command-line arguments to delete the file, followed by the file rename and delete events. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 4.B.3
Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file draft.zip
Technique: File Deletion (T1107)
- MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of sdelete64.exe deleting Draft.zip. [1]
- Telemetry (Correlated): Telemetry showed sdelete.exe running with command-line arguments to delete the file, followed by the file rename and delete events. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 4.B.4
Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
Technique: File Deletion (T1107)
- MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of sdelete64.exe deleting SysinternalsSuite.zip. [1]
- Telemetry (Correlated): Telemetry showed sdelete.exe running with command-line arguments to delete the file, followed by the file rename and delete events. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 4.C.1
Procedure: Enumerated the user's temporary directory path using PowerShell
Criteria: powershell.exe executing $env:TEMP
Technique: File and Directory Discovery (T1083)
- Telemetry (Correlated): Telemetry showed powershell.exe executing $env:TEMP. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 4.C.2
Procedure: Enumerated the current username using PowerShell
Criteria: powershell.exe executing $env:USERNAME
Technique: System Owner/User Discovery (T1033)
- Telemetry (Correlated): Telemetry showed powershell.exe executing $env:USERNAME. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 4.C.3
Procedure: Enumerated the computer hostname using PowerShell
Criteria: powershell.exe executing $env:COMPUTERNAME
Technique: System Information Discovery (T1082)
- Telemetry (Correlated): Telemetry showed powershell.exe executing $env:COMPUTERNAME. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 4.C.4
Procedure: Enumerated the current domain name using PowerShell
Criteria: powershell.exe executing $env:USERDOMAIN
Technique: System Network Configuration Discovery (T1016)
- Telemetry (Correlated): Telemetry showed powershell.exe executing $env:USERDOMAIN. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 4.C.5
Procedure: Enumerated the current process ID using PowerShell
Criteria: powershell.exe executing $PID
Technique: Process Discovery (T1057)
- Telemetry (Correlated): Telemetry showed powershell.exe executing $PID. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 4.C.6
Procedure: Enumerated the OS version using PowerShell
Criteria: powershell.exe executing Gwmi Win32_OperatingSystem
Technique: System Information Discovery (T1082)
- MSSP (Delayed (Manual)): An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions. [1]
- Telemetry (Correlated): Telemetry showed powershell.exe executing Gwmi Win32_OperatingSystem. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 4.C.7
Procedure: Enumerated anti-virus software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Technique: Security Software Discovery (T1063)
- Technique (Alert): A Technique alert detection (high severity) was generated for PowerShell performing suspicious Security Software Discovery. [1] [2]
- MSSP (Delayed (Manual)): An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions. [1]
- Telemetry (Correlated): Telemetry showed powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 4.C.8
Procedure: Enumerated firewall software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Technique: Security Software Discovery (T1063)
- MSSP (Delayed (Manual)): An MSSP detection occurred for PowerShell querying information about the system via WMI and built-in PowerShell functions. [1]
- Telemetry (Correlated): Telemetry showed powershell.exe executing Get-WmiObject ... -Class FireWallProduct. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 4.C.9
Procedure: Enumerated the user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API
Technique: Permission Groups Discovery (T1069)
- MSSP (Delayed (Manual)): An MSSP detection occurred for powershell.exe executing the NetUserGetGroups API. [1]
- Telemetry (Correlated): Telemetry showed powershell.exe executing the NetUserGetGroups API. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 4.C.10
Procedure: Executed the API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
- Telemetry (Correlated): Telemetry showed the NetUserGetGroups API function loaded into PowerShell from Netapi32.dll. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 4.C.11
Procedure: Enumerated the user's local group membership via the NetUserGetLocalGroups API
Criteria: powershell.exe executing the NetUserGetLocalGroups API
Technique: Permission Groups Discovery (T1069)
- Telemetry (Correlated): Telemetry showed powershell.exe executing the NetUserGetLocalGroups API. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 4.C.12
Procedure: Executed the API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
- Telemetry (Correlated): Telemetry showed Netapi32.dll loaded into powershell.exe. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]

Step 5.A.1
Procedure: Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria: powershell.exe creating the javamtsup service
Technique: New Service (T1050)
- Telemetry (Correlated): Telemetry showed PowerShell creating the new service javamtsup. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2] [3] [4] [5]

Step 5.B.1
Procedure: Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria: powershell.exe creating the file hostui.lnk in the Startup folder
Technique: Registry Run Keys / Startup Folder (T1060)
- Technique (Alert, Correlated): A Technique alert detection (red indicator) called "registry run key or file in start up folder created - T1060" was generated for powershell.exe creating the hostui.lnk file. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1] [2]
- MSSP (Delayed (Manual)): An MSSP detection occurred for the creation of the hostui.lnk file in the Startup folder. [1]
- Telemetry (Correlated): Telemetry showed a file create event for hostui.lnk in the Startup folder. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 6.A.1
Procedure: Read the Chrome SQL database file to extract encrypted credentials
Criteria: accesschk.exe reading files within %LOCALAPPDATA%\Google\Chrome\User Data\Default\
Technique: Credentials in Files (T1081)
- Technique (Alert, Correlated): A Technique alert detection (red indicator) called "Browser login data access by non-browser process" was generated when accesschk.exe accessed the Chrome database file for credentials. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
- MSSP (Delayed (Manual)): An MSSP detection occurred for accesschk.exe reading the Chrome database file for credentials. [1]
- Telemetry (Correlated): Telemetry showed accesschk.exe reading the Chrome database file for credentials. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 6.A.2
Procedure: Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectData API
Technique: Credential Dumping (T1003)
- None: No detection capability demonstrated for this procedure.

Step 6.A.3
Procedure: Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
Technique: Masquerading (T1036)
- Technique (Alert, Correlated): A Technique alert detection (red indicator) called "Windows process masquerading by an unsigned process" was generated when accesschk.exe was identified as an unsigned executable whose hash did not match the hash of the genuine accesschk.exe. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
- MSSP (Delayed (Manual)): An MSSP detection occurred indicating that accesschk.exe is not the legitimate Sysinternals tool. [1]
- Telemetry (Correlated): Telemetry showed that accesschk.exe is not a signed Microsoft binary and provided its hash values, which can be used to verify that it is not the legitimate Sysinternals tool. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 6.B.1
Procedure: Exported a local certificate to a PFX file using PowerShell
Criteria: powershell.exe creating a certificate file exported from the system
Technique: Private Keys (T1145)
- Technique (Alert, Correlated): A Technique alert detection (red indicator) called "New certificate file has been created" was generated for the file creation event of the lotu40lg.b0j.pfx file. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
- MSSP (Delayed (Manual)): An MSSP detection was generated for the creation of the $RandomFileName.pfx file. [1]
- Telemetry (Correlated): Telemetry showed a file create event for a $RandomFileName.pfx file by powershell.exe. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]

Step 6.C.1
Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into lsass.exe
Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Technique: Credential Dumping (T1003)
- Technique (Delayed (Processing), Alert): A Technique alert detection (red indicator) called "Credentials in Registry" was generated due to a group owner child process querying the User SAM registry keys. The detection incurred a delay from the additional data processing needed to generate the behavioral threat. [1] [2]
- MSSP (Delayed (Manual)): An MSSP detection for "Mimikatz" was received that described PowerShell dumping credentials from LSASS process memory. [1] [2]

Step 7.A.1
Procedure: Captured and saved screenshots using PowerShell
Criteria: powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Technique: Screen Capture (T1113)
- Technique (Alert): A Technique alert detection called "Screen Capture - T1056" was generated for powershell.exe making the GdiBitBlt API call. [1] [2]
- MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of powershell.exe performing a screen capture. [1]
- Telemetry: Telemetry showed powershell.exe executing CopyFromScreen from System.Drawing.dll. Though no image was captured, MITRE confirmed that the vendor has the capability to show the available telemetry in a separate view.

Step 7.A.2
Procedure: Captured clipboard contents using PowerShell
Criteria: powershell.exe executing Get-Clipboard
Technique: Clipboard Data (T1115)
- Technique (Alert): A Technique alert detection called "clipboard data accessed" was generated due to the use of the GetClipboardData API. [1] [2]
- MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of PowerShell capturing clipboard data. [1]
- Telemetry: Telemetry showed powershell.exe executing Get-Clipboard. Though no image was captured, MITRE confirmed that the vendor has the capability to show the available telemetry in a separate view.

Step 7.A.3
Procedure: Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API
Technique: Input Capture (T1056)
- Technique (Alert): A Technique alert detection called "Input Capture" was generated due to powershell.exe making the GetAsyncKeyState API call. [1] [2]
- MSSP (Delayed (Manual)): An MSSP detection occurred containing evidence of key logging. [1]
- Telemetry: Telemetry showed PowerShell calling the GetAsyncKeyState API. Though no image was captured, MITRE confirmed that the vendor has the capability to show the available telemetry in a separate view.
7.B.1
Read data in the user's Downloads directory using PowerShell powershell.exe reading files in C:\Users\pam\Downloads\
Data from Local System
(T1005)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of powershell.exe accessing files from C:\Users\pam\Downloads. [1]
Telemetry (Correlated)
Telemetry showed Powershell.exe reading files from C:\Users\pam\Downloads. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
7.B.2
Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell powershell.exe creating the file OfficeSupplies.7z
Data Compressed
(T1002)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) called "Scripting engine creates compressed file under suspicious location" was generated for the file creation event of a .7z file in %APPDATA%. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of the file create of OfficeSupplies.7z. [1]
Telemetry (Correlated)
Telemetry showed the file create event for OfficeSupplies.7z. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
7.B.3
Encrypted data from the user's Downloads directory using PowerShell powershell.exe executing Compress-7Zip with the password argument used for encryption
Data Encrypted
(T1022)
None
No detection capability demonstrated for this procedure.
7.B.4
Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell powershell executing Copy-Item pointing to an attack-controlled WebDav network share (192.168.0.4:80)
Exfiltration Over Alternative Protocol
(T1048)
General (Correlated, Alert)
A General alert detection (red indicator) called "File being written to remote path" was generated for the file OfficeSupplies.7z being written a WebDav share at 192.168.0.4. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of OfficeSupplies.7z being copied over the network via WebDav to 192.168.0.4. [1]
Telemetry (Correlated)
Telemetry showed PowerShell creating OfficeSupplies.7z on a remote adversary WebDav network share (192.168.0.4). The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
8.A.1
Enumerated remote systems using LDAP queries powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Remote System Discovery
(T1018)
Telemetry (Correlated)
Telemetry showed powershell.exe establishing a connection to NewYork (10.0.0.4) over port 389. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
8.A.2
Established WinRM connection to remote host Scranton (10.0.1.4)
Network connection to Scranton (10.0.1.4) over port 5985
Windows Remote Management
(T1028)
MSSP (Delayed (Manual))
An MSSP detection occurred for the WinRM connection to remote host Scranton (10.0.1.4) over port 5985. [1]
Telemetry (Correlated)
Telemetry showed a connection to Scranton (10.0.1.4) over port 5985. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from a temporary folder. [1]
8.A.3
Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
powershell.exe executing Get-Process
Process Discovery
(T1057)
Technique (Alert)
A Technique alert detection (red indicator) called "Process Discovery with PowerShell" was generated due to powershell.exe executing Get-Process. [1] [2] [3]
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe executing Get-Process. [1]
Telemetry
Telemetry showed powershell.exe executing Get-Process. [1]
8.B.1
Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
The file python.exe created on Scranton (10.0.1.4)
Remote File Copy
(T1105)
Technique (Correlated, Alert)
A Technique alert detection (red indicator) called "Executable copied to remote host via $ share" was generated for python.exe being copied from Nashua to Scranton. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
Technique (Alert)
A Technique alert detection (red indicator) called "Remote File Copy" was generated for python.exe being copied to Scranton (10.0.1.4). [1]
MSSP (Delayed (Manual))
An MSSP detection contained evidence of remote file copy of python.exe to Scranton (10.0.1.4). [1]
Telemetry (Correlated)
Telemetry showed the file create event of python.exe.
8.B.2
python.exe payload was packed with UPX
Evidence that the file python.exe is packed
Software Packing
(T1045)
Technique (Alert)
A Technique alert detection (red indicator) for "Software Packing - T1045" was generated for the file creation event for python.exe. [1] [2] [3]
MSSP (Delayed (Manual))
An MSSP detection was generated containing evidence of observed UPX packing on a Python payload. [1]
8.C.1
Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Successful logon as user Pam on Scranton (10.0.1.4)
Valid Accounts
(T1078)
None
No detection capability demonstrated for this procedure.
8.C.2
Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Windows Admin Shares
(T1077)
Technique (Alert)
A Technique alert detection for network share access was generated due to remote access to a Windows admin share. [1] [2]
Technique (Alert, Correlated)
A Technique alert detection was generated for an executable being copied to a remote host via a share. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 445. [1]
Telemetry (Correlated)
Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over port 135. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
8.C.3
Executed python.exe using PSExec
python.exe spawned by PSEXESVC.exe
Service Execution
(T1035)
Technique (Alert)
A Technique alert detection called "Service Execution Start service T1050" was generated due to psexec.exe spawning python.exe. [1]
General (Alert)
A General alert detection (low severity) was generated due to an unsigned process running from a temporary directory. [1]
General (Alert, Correlated)
A General alert detection (red indicator) for "Lateral Movement" was generated due to PSEXE64.exe execution with plain-text credentials from Nashua as the user Pam. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
General (Alert, Correlated)
A General alert detection was generated for PSEXESVC.exe being copied to a remote host. The detection was correlated to a parent alert for the rcs.3aka3.doc screensaver process executing from users or temporary folder. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of python.exe being spawned by PSEXESVC.exe. [1]
Telemetry
Telemetry showed python.exe spawned by PSEXESVC.exe, originating from an RPC call made from the remote host Nashua (10.0.1.6). [1] [2]
9.A.1
Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
python.exe creating the file rar.exe
Remote File Copy
(T1105)
General (Correlated, Alert)
A General alert detection (red indicator) was generated for python.exe writing rar.exe to C:\Windows\Temp. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred for python.exe creating rar.exe. [1]
Telemetry (Correlated)
Telemetry showed a file write event for python.exe creating rar.exe from a named pipe. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1] [2]
9.A.2
Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)
python.exe creating the file sdelete64.exe
Remote File Copy
(T1105)
MSSP (Delayed (Manual))
An MSSP detection occurred for python.exe creating sdelete64.exe. [1]
Telemetry (Correlated)
Telemetry showed File Write/Create events for python.exe creating sdelete64.exe. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1]
9.B.1
Spawned interactive powershell.exe
powershell.exe spawning from python.exe
PowerShell
(T1086)
MSSP (Delayed (Manual))
An MSSP detection contained evidence of python spawning powershell.exe. [1] [2]
Telemetry (Correlated)
Telemetry showed python.exe executing powershell.exe. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1]
9.B.2
Searched filesystem for document and media files using PowerShell
powershell.exe executing (Get-)ChildItem
File and Directory Discovery
(T1083)
MSSP (Delayed (Manual))
An MSSP detection occurred for PowerShell looking for certain files in a directory. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing Get-ChildItem. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1]
9.B.3
Scripted search of filesystem for document and media files using PowerShell
powershell.exe executing (Get-)ChildItem
Automated Collection
(T1119)
MSSP (Delayed (Manual))
An MSSP detection for Automated Collection (T1119) occurred containing evidence that a discovery script was using get-childitem to search the filesystem for specific file patterns. [1] [2]
Telemetry (Correlated)
Telemetry showed powershell.exe executing Get-ChildItem. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1]
9.B.4
Recursively collected files found in C:\Users\Pam\ using PowerShell
powershell.exe reading files in C:\Users\Pam\
Data from Local System
(T1005)
MSSP (Delayed (Manual))
An MSSP detection occurred for powershell.exe reading files in C:\Users\Pam. [1]
Telemetry (Correlated)
Telemetry showed file reads of C:\Users\Pam\*. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1]
9.B.5
Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
powershell.exe creating the file working.zip
Data Staged
(T1074)
Tactic (Correlated, Alert)
A Tactic alert detection called "Collection" was generated due to working.zip file creation in %APPDATA%\roaming folder. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1]
MSSP (Delayed (Manual))
An MSSP detection contained evidence of the creation of working.zip. [1]
Telemetry (Correlated)
Telemetry showed the file create of working.zip. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1] [2]
9.B.6
Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Data Encrypted
(T1022)
MSSP (Delayed (Manual))
An MSSP detection contained evidence of execution of rar.exe with command line arguments to encrypt working.zip. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1]
9.B.7
Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
powershell.exe executing rar.exe
Data Compressed
(T1002)
Technique (Alert, Correlated)
A Technique alert detection (red indicator) for "Scripting engine creates compressed file under suspicious folder" was generated when rar.exe was used to create a compressed zip archive in %APPDATA%. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1]
MSSP (Delayed (Manual))
An MSSP detection contained evidence of execution of rar.exe with command line arguments to compress working.zip. [1]
Telemetry (Correlated)
Telemetry showed powershell.exe executing rar.exe with command-line arguments. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1]
9.B.8
Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
python.exe reading the file working.zip while connected to the C2 channel
Exfiltration Over Command and Control Channel
(T1041)
Telemetry (Correlated)
Telemetry showed file read event for working.zip and an existing C2 channel (192.168.0.4 over port 8443). The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1] [2]
9.C.1
Deleted rar.exe on disk using SDelete
sdelete64.exe deleting the file rar.exe
File Deletion
(T1107)
MSSP (Delayed (Manual))
An MSSP detection contained evidence of the deletion of Rar.exe by SDelete64.exe. [1]
Telemetry (Correlated)
Telemetry showed sdelete64.exe with command-line arguments to delete rar.exe. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1]
9.C.2
Deleted working.zip (from Desktop) on disk using SDelete
sdelete64.exe deleting the file \Desktop\working.zip
File Deletion
(T1107)
Technique (Alert)
A Technique alert detection called "file deletion T1107" was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip. [1]
MSSP (Delayed (Manual))
An MSSP detection contained evidence of the deletion of Desktop\working.zip by SDelete64.exe. [1]
Telemetry (Correlated)
Telemetry showed file delete event for sdelete64.exe deleting Desktop\working.zip. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1]
9.C.3
Deleted working.zip (from AppData directory) on disk using SDelete
sdelete64.exe deleting the file \AppData\Roaming\working.zip
File Deletion
(T1107)
MSSP (Delayed (Manual))
An MSSP detection contained evidence of the deletion of roaming\working.zip by SDelete64.exe. [1]
Telemetry (Correlated)
Telemetry showed sdelete64.exe with command-line arguments to delete Roaming\working.zip. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1]
9.C.4
Deleted SDelete on disk using cmd.exe del command
cmd.exe deleting the file sdelete64.exe
File Deletion
(T1107)
Technique (Alert)
A Technique alert detection called "file deletion T1107" was generated when cmd.exe deleted sdelete.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection contained evidence of the deletion of SDelete64.exe. [1]
Telemetry (Correlated)
Telemetry showed cmd.exe deleting sdelete64.exe and the corresponding file deletion event. The detection was correlated to a parent alert for an unsigned process running from a temporary directory. [1]
10.A.1
Executed persistent service (javamtsup) on system startup
javamtsup.exe spawning from services.exe
Service Execution
(T1035)
None
No detection capability demonstrated for this procedure.
10.B.1
Executed LNK payload (hostui.lnk) in Startup Folder on user login
Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Registry Run Keys / Startup Folder
(T1060)
MSSP (Delayed (Manual))
An MSSP detection occurred for hostui.lnk executing from Startup Folder. [1]
10.B.2
Executed PowerShell payload via the CreateProcessWithToken API
hostui.exe executing the CreateProcessWithToken API
Execution through API
(T1106)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of powershell.exe executing with the explorer.exe token via the CreateProcessWithToken API. [1]
10.B.3
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Access Token Manipulation
(T1134)
Technique (Alert)
A Technique alert detection (red indicator) for "Access Token Manipulation" was generated for thread impersonation. [1] [2] [3]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of powershell.exe executing with the explorer.exe token via the CreateProcessWithToken API. [1]
11.A.1
User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk
powershell.exe spawning from explorer.exe
User Execution
(T1204)
General (Alert)
A General alert detection (red indicator) was generated for a suspicious Powershell process being spawned by explorer.exe. [1]
MSSP (Delayed (Manual))
An MSSP detection was generated containing evidence that user Oscar executed 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk. [1]
Telemetry
Telemetry showed explorer.exe executing powershell.exe. [1]
11.A.2
Executed an alternate data stream (ADS) using PowerShell
powershell.exe executing the schemas ADS via Get-Content and IEX
NTFS File Attributes
(T1096)
MSSP (Delayed (Manual))
An MSSP detection contained evidence of PowerShell executing schemas ADS via Get-Content and IEX. [1]
Telemetry
Telemetry showed powershell.exe executing the schemas ADS with Get-Content and IEX. [1]
11.A.3
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell
powershell.exe executing a Get-WmiObject query for Win32_BIOS
Virtualization/Sandbox Evasion
(T1497)
Technique (Alert)
A Technique alert detection called "System Information Discovery" was generated for a PowerShell gwmi query for Win32_BIOS. [1]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of execution of a WMI query for Win32_BIOS. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_BIOS. Though no image was captured, MITRE confirmed that the vendor has the capability to show available telemetry in a separate view.
11.A.4
Enumerated computer manufacturer, model, and version information using PowerShell
powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
System Information Discovery
(T1082)
Technique (Alert)
A Technique alert detection called "System Information Discovery" was generated for a PowerShell gwmi query for Win32_BIOS. [1]
Tactic (Alert)
A Tactic alert detection called "WMI virtualization sandbox discovery" was generated for a PowerShell gwmi query for Win32_ComputerSystem. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of execution of WMI queries for Win32_BIOS and Win32_ComputerSystem. [1]
Telemetry
Telemetry showed the PowerShell gwmi queries for Win32_BIOS and Win32_ComputerSystem. [1]
11.A.5
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell
powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Peripheral Device Discovery
(T1120)
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of execution of a WMI query for Win32_PnPEntity. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_PnPEntity. [1]
11.A.6
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Owner/User Discovery
(T1033)
Tactic (Alert)
A Tactic alert detection called "WMI virtualization sandbox discovery" was generated for a PowerShell gwmi query for Win32_ComputerSystem. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection occurred containing evidence of execution of a WMI query for Win32_ComputerSystem. [1]
Telemetry
Telemetry showed the PowerShell gwmi query for Win32_ComputerSystem. [1]
11.A.7
Checked that the computer is joined to a domain using PowerShell
powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Network Configuration Discovery
(T1016)
Tactic (Alert)