
Symantec: All Results Tactic Page Information

The ATT&CK All Results page displays the procedures, tested techniques, and detection results for all steps in an evaluation. The Procedure column contains a description of how the technique in the corresponding technique column was tested. The Step column is where in the operational flow the procedure occurred. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by Screenshots. The Operational Flow panel provides the context around when a procedure was executed by showing all steps of the evaluation, including the tactics, techniques and procedures of the executed steps.


MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.
Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, MSSP, General, Tactic, Specific Behavior, Technique, Enrichment

Detection Modifiers: Tainted, Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative

All Results

Each entry below gives the Step, Procedure, Criteria and Technique, followed by one or more Detection Type / Detection Notes pairs.
1.A.1
Procedure: User Pam executed payload rcs.3aka3.doc
Criteria: The rcs.3aka3.doc process spawning from explorer.exe
Technique: User Execution (T1204)
Detection Type: General (Alert)
Detection Notes: A General alert detection was generated for "malicious file ???.cod.3aka3.scr with heuristic signature SONAR.ProcHijack!g31". [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed explorer.exe executing rcs.3aka3.doc. Vendor stated a protection capability would have blocked execution of the malicious file. [1] [2]

1.A.2
Procedure: Used Unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)
Criteria: Evidence of the right-to-left override character (U+202E) in the rcs.3aka.doc process OR the original filename (cod.3aka.scr)
Technique: Masquerading (T1036)
Detection Type: General
Detection Notes: A General detection was generated for "Suspicious File Detected rcs.3aka3.doc" due to machine learning identifying the payload as a PE32 executable and analyzing it. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed the original filename of cod.3aka.scr and that it was a Windows PE file. [1] [2]

1.A.3
Procedure: Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234
Criteria: Established network channel over port 1234
Technique: Uncommonly Used Port (T1065)
Detection Type: General (Alert)
Detection Notes: A General alert detection for "Attack, Backdoor" was generated when rcs.3aka3.doc connected to 192.168.0.5 on port 1234. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed the rcs.3aka.doc process connected to 192.168.0.5 on port 1234. [1]

1.A.4
Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

1.B.1
Procedure: Spawned interactive cmd.exe
Criteria: cmd.exe spawning from the rcs.3aka3.doc process
Technique: Command-Line Interface (T1059)
Detection Type: Telemetry
Detection Notes: Telemetry showed rcs.3aka3.doc executing cmd.exe. [1]

1.B.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from cmd.exe
Technique: PowerShell (T1086)
Detection Type: Technique (Correlated)
Detection Notes: A Technique detection for "PowerShell" was generated when cmd.exe spawned powershell.exe. The event was correlated to a parent detection of cod.3aka.scr as a suspicious file. [1] [2]
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "PowerShell" was received that included a description of the PowerShell commands executed by the adversary. [1]
Detection Type: Telemetry (Correlated)
Detection Notes: Telemetry showed powershell.exe spawning from cmd.exe. The telemetry was correlated to a parent detection of cod.3aka.scr as a suspicious file. [1] [2]
2.A.1
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery (T1083)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Data from Local System" contained evidence of PowerShell executing ChildItem. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed PowerShell execution of ChildItem. [1]

2.A.2
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection (T1119)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Data from Local System" contained evidence of PowerShell executing ChildItem. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed PowerShell execution of ChildItem. [1]

2.A.3
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System (T1005)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

2.A.4
Procedure: Compressed and stored files into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe executing Compress-Archive
Technique: Data Compressed (T1002)
Detection Type: Technique (Correlated)
Detection Notes: A Technique detection for "Data Compressed" was generated when Draft.zip was identified as compressed. The event was correlated to a parent detection of cod.3aka.scr as a malicious file. [1]
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Data Compressed" was received that included an explanation of the PowerShell script used to compress files and store the results in Draft.zip. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed powershell.exe compressing via Compress-Archive. [1]

2.A.5
Procedure: Staged files for exfiltration into ZIP (Draft.zip) using PowerShell
Criteria: powershell.exe creating the file draft.zip
Technique: Data Staged (T1074)
Detection Type: Telemetry (Correlated)
Detection Notes: Telemetry showed the creation of Draft.Zip. The telemetry was correlated to a parent detection of cod.3aka.scr as a suspicious file. [1]

2.B.1
Procedure: Read and downloaded ZIP (Draft.zip) over C2 channel (192.168.0.5 over TCP port 1234)
Criteria: The rcs.3aka3.doc process reading the file draft.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel (T1041)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.
3.A.1
Procedure: Dropped stage 2 payload (monkey.png) to disk
Criteria: The rcs.3aka3.doc process creating the file monkey.png
Technique: Remote File Copy (T1105)
Detection Type: Telemetry (Delayed (Manual))
Detection Notes: Telemetry showed rcs.3aka3.doc creating monkey.png, with the file path reversed due to the Unicode right-to-left override character. The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual). [1]

3.A.2
Procedure: Embedded PowerShell payload in monkey.png using steganography
Criteria: Evidence that a PowerShell payload was within monkey.png
Technique: Obfuscated Files or Information (T1027)
Detection Type: Technique (Alert, Delayed (Processing), Correlated)
Detection Notes: A Technique alert detection for Obfuscated Files or Information was generated for PowerShell extracting and executing the code embedded within monkey.png. The telemetry was correlated to a parent detection of cod.3aka.scr as a suspicious file. Detection incurred a delay based on machine learning processing. [1]
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Data Obfuscation" occurred containing evidence of the PowerShell script contained within monkey.png. [1]
Detection Type: Telemetry (Correlated)
Detection Notes: Telemetry showed PowerShell extracting and executing the code embedded within monkey.png. The telemetry was correlated to a parent detection of cod.3aka.scr as a suspicious file. [1]

3.B.1
Procedure: Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell
Criteria: Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Technique: Component Object Model Hijacking (T1122)
Detection Type: Telemetry (Delayed (Manual))
Detection Notes: Telemetry showed the addition of the DelegateExecute Registry value. The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual). [1]

3.B.2
Procedure: Executed elevated PowerShell payload
Criteria: High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Technique: Bypass User Account Control (T1088)
Detection Type: Telemetry
Detection Notes: Telemetry showed control.exe creating a high integrity powershell.exe. [1] [2]

3.B.3
Procedure: Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443
Criteria: Established network channel over port 443
Technique: Commonly Used Port (T1043)
Detection Type: General (Alert)
Detection Notes: A General alert detection for "Attack, Backdoor" was generated when PowerShell connected to 192.168.0.5 on port 443. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed powershell.exe connecting to 192.168.0.5 on port 443. [1]

3.B.4
Procedure: Used HTTPS to transport C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is HTTPS
Technique: Standard Application Layer Protocol (T1071)
Detection Type: General (Alert)
Detection Notes: A General alert detection for "Attack, Backdoor" was generated when the PowerShell process exchanged data with 192.168.0.5 over HTTPS, based on network traffic analysis. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed the PowerShell process exchanging data with 192.168.0.5 over HTTPS. [1]

3.B.5
Procedure: Used HTTPS to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted
Technique: Standard Cryptographic Protocol (T1032)
Detection Type: General (Alert)
Detection Notes: A General alert detection for "Attack, Backdoor" was generated when the PowerShell process exchanged data with 192.168.0.5 over HTTPS, based on network traffic analysis. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed the PowerShell process exchanging data with 192.168.0.5 over HTTPS. [1]

3.C.1
Procedure: Modified the Registry to remove artifacts of COM hijacking
Criteria: Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Technique: Modify Registry (T1112)
Detection Type: Telemetry (Delayed (Manual))
Detection Notes: Telemetry showed the deletion of the command subkey. The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual). [1]
4.A.1
Procedure: Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)
Criteria: powershell.exe creating the file SysinternalsSuite.zip
Technique: Remote File Copy (T1105)
Detection Type: Telemetry
Detection Notes: Telemetry showed the file write of the ZIP by PowerShell. [1] [2]

4.A.2
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from powershell.exe
Technique: PowerShell (T1086)
Detection Type: Technique
Detection Notes: A Technique detection for "PowerShell" was generated when powershell.exe spawned powershell.exe. [1]
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection occurred containing evidence of a new powershell.exe spawning from powershell.exe. [1]

4.A.3
Procedure: Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell
Criteria: powershell.exe executing Expand-Archive
Technique: Deobfuscate/Decode Files or Information (T1140)
Detection Type: General (Alert)
Detection Notes: A General alert detection was generated for "PowerShell created a suspicious file" on PowerShell writing the files that were decompressed from the ZIP. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed PowerShell writing the files that were decompressed from the ZIP. [1]

4.B.1
Procedure: Enumerated current running processes using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection occurred containing evidence of powershell.exe executing Get-Process. [1] [2]

4.B.2
Procedure: Deleted rcs.3aka3.doc on disk using SDelete
Criteria: sdelete64.exe deleting the file rcs.3aka3.doc
Technique: File Deletion (T1107)
Detection Type: Tactic
Detection Notes: A Tactic detection called "Defense Evasion" was generated when sdelete64.exe with command-line arguments was used to delete rcs.3aka3.doc. [1] [2]
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "File Deletion" occurred containing evidence of sdelete64.exe deleting rcs.3aka3.doc. [1] [2]
Detection Type: Telemetry
Detection Notes: Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. [1] [2] [3]

4.B.3
Procedure: Deleted Draft.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file draft.zip
Technique: File Deletion (T1107)
Detection Type: Tactic
Detection Notes: A Tactic detection called "Defense Evasion" was generated when sdelete64.exe with command-line arguments was used to delete Roaming\Draft.Zip. [1]
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "File Deletion" occurred containing evidence of sdelete64.exe deleting Draft.Zip. [1] [2]
Detection Type: Telemetry
Detection Notes: Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. [1] [2]

4.B.4
Procedure: Deleted SysinternalsSuite.zip on disk using SDelete
Criteria: sdelete64.exe deleting the file SysinternalsSuite.zip
Technique: File Deletion (T1107)
Detection Type: Tactic
Detection Notes: A Tactic detection called "Defense Evasion" was generated when sdelete64.exe with command-line arguments was used to delete SysinternalsSuite.zip. [1]
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "File Deletion" occurred containing evidence of sdelete64.exe deleting SysinternalsSuite.zip. [1] [2]
Detection Type: Telemetry
Detection Notes: Telemetry showed sdelete.exe running with command-line arguments to delete the file and the subsequent file rename and delete events. [1] [2]

4.C.1
Procedure: Enumerated user's temporary directory path using PowerShell
Criteria: powershell.exe executing $env:TEMP
Technique: File and Directory Discovery (T1083)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "File and Directory Discovery" was received that included details about a PowerShell script used for Discovery and mentioned that it collected the TempDirectory. [1] [2] [3]

4.C.2
Procedure: Enumerated the current username using PowerShell
Criteria: powershell.exe executing $env:USERNAME
Technique: System Owner/User Discovery (T1033)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "System Owner/User Discovery" was received that included details about a PowerShell script used for Discovery and mentioned that it collected the User Name. [1] [2] [3]

4.C.3
Procedure: Enumerated the computer hostname using PowerShell
Criteria: powershell.exe executing $env:COMPUTERNAME
Technique: System Information Discovery (T1082)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "System Information Discovery" was received that included details about a PowerShell script used for Discovery and mentioned that it collected the Computer Name. [1] [2] [3]

4.C.4
Procedure: Enumerated the current domain name using PowerShell
Criteria: powershell.exe executing $env:USERDOMAIN
Technique: System Network Configuration Discovery (T1016)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection was received that included details about a PowerShell script used for Discovery and mentioned that it collected the user's domain name. [1] [2] [3]

4.C.5
Procedure: Enumerated the current process ID using PowerShell
Criteria: powershell.exe executing $PID
Technique: Process Discovery (T1057)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection was received that included details about a PowerShell script used for Discovery and mentioned that it collected the current PID. [1] [2] [3]

4.C.6
Procedure: Enumerated the OS version using PowerShell
Criteria: powershell.exe executing Gwmi Win32_OperatingSystem
Technique: System Information Discovery (T1082)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

4.C.7
Procedure: Enumerated anti-virus software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct
Technique: Security Software Discovery (T1063)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection was received that included details about a PowerShell script used for Discovery and mentioned that it collected information about installed antivirus and firewall products. [1] [2] [3]

4.C.8
Procedure: Enumerated firewall software using PowerShell
Criteria: powershell.exe executing Get-WmiObject ... -Class FireWallProduct
Technique: Security Software Discovery (T1063)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection was received that included details about a PowerShell script used for Discovery and mentioned that it collected information about installed antivirus and firewall products. [1] [2] [3]

4.C.9
Procedure: Enumerated user's domain group membership via the NetUserGetGroups API
Criteria: powershell.exe executing the NetUserGetGroups API
Technique: Permission Groups Discovery (T1069)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Permissions Groups Discovery" was received that included details about a PowerShell script used for Discovery and mentioned that it collected a list of global groups. [1] [2] [3]

4.C.10
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

4.C.11
Procedure: Enumerated user's local group membership via the NetUserGetLocalGroups API
Criteria: powershell.exe executing the NetUserGetLocalGroups API
Technique: Permission Groups Discovery (T1069)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Permissions Groups Discovery" was received that included details about a PowerShell script used for Discovery and mentioned that it collected a list of local groups. [1] [2] [3]

4.C.12
Procedure: Executed API call by reflectively loading Netapi32.dll
Criteria: The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll
Technique: Execution through API (T1106)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.
5.A.1
Procedure: Created a new service (javamtsup) that executes a service binary (javamtsup.exe) at system startup
Criteria: powershell.exe creating the Javamtsup service
Technique: New Service (T1050)
Detection Type: Technique
Detection Notes: A Technique detection for "New Service" was generated due to services.exe creating javamtsup. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed a registry event for the creation of the javamtsup service. [1]

5.B.1
Procedure: Created a LNK file (hostui.lnk) in the Startup folder that executes on login
Criteria: powershell.exe creating the file hostui.lnk in the Startup folder
Technique: Registry Run Keys / Startup Folder (T1060)
Detection Type: Technique
Detection Notes: A Technique detection for "Registry Run Keys / Startup Folder" was generated due to powershell.exe creating the hostui.lnk file. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed creation of hostui.lnk in the Startup folder. [1]
6.A.1
Procedure: Read the Chrome SQL database file to extract encrypted credentials
Criteria: accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
Technique: Credentials in Files (T1081)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

6.A.2
Procedure: Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectData API
Technique: Credential Dumping (T1003)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

6.A.3
Procedure: Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
Technique: Masquerading (T1036)
Detection Type: General (Alert)
Detection Notes: A General alert detection was generated for "Potential risk found" on accesschk.exe receiving a reputation report that indicated it was known to be an untrusted file with the maximum suspicion rating, which indicates it is not a legitimate Sysinternals tool. [1] [2] [3]

6.B.1
Procedure: Exported a local certificate to a PFX file using PowerShell
Criteria: powershell.exe creating a certificate file exported from the system
Technique: Private Keys (T1145)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Private Keys" occurred containing evidence of readme.ps1 analysis indicating Get-PrivateKeys execution writing a .pfx file. [1]
Detection Type: Telemetry (Delayed (Manual))
Detection Notes: Telemetry showed a file create event for a $RandomFileName.pfx file by powershell.exe. The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual). [1]

6.C.1
Procedure: Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe
Criteria: powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\
Technique: Credential Dumping (T1003)
Detection Type: Technique (Alert)
Detection Notes: A Technique alert detection for "Credential Dumping" was generated when PowerShell attempted injection into lsass. [1]
Detection Type: General (Alert)
Detection Notes: A General alert detection for "Process Injection" was generated on "PowerShell injected into Microsoft signed process". [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed powershell.exe injecting into lsass.exe. [1]
7.A.1
Procedure: Captured and saved screenshots using PowerShell
Criteria: powershell.exe executing the CopyFromScreen function from System.Drawing.dll
Technique: Screen Capture (T1113)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Screen Capture" was received that included details about a PowerShell script used to collect screenshots. [1] [2] [3]

7.A.2
Procedure: Captured clipboard contents using PowerShell
Criteria: powershell.exe executing Get-Clipboard
Technique: Clipboard Data (T1115)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Clipboard Data" was received for PowerShell executing "Get-Clipboard" to retrieve clipboard contents. [1]

7.A.3
Procedure: Captured user keystrokes using the GetAsyncKeyState API
Criteria: powershell.exe executing the GetAsyncKeyState API
Technique: Input Capture (T1056)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Input Capture" occurred containing evidence of Get-Keystrokes function execution from psversion.ps1. [1]

7.B.1
Procedure: Read data in the user's Downloads directory using PowerShell
Criteria: powershell.exe reading files in C:\Users\pam\Downloads\
Technique: Data from Local System (T1005)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

7.B.2
Procedure: Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell
Criteria: powershell.exe creating the file OfficeSupplies.7z
Technique: Data Compressed (T1002)
Detection Type: Technique
Detection Notes: A Technique detection for "Data Compressed" was generated when powershell.exe created OfficeSupplies.7z. [1]
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection occurred for "Data Compressed" containing evidence of the Invoke-Exfil function using 7-zip with password "lolol" to compress the Downloads directory into OfficeSupplies.7z. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed the creation of OfficeSupplies.7z. [1]

7.B.3
Procedure: Encrypted data from the user's Downloads directory using PowerShell
Criteria: powershell.exe executing Compress-7Zip with the password argument used for encryption
Technique: Data Encrypted (T1022)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection occurred containing evidence that data was compressed and password encrypted for exfiltration. [1] [2] [3]

7.B.4
Procedure: Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell
Criteria: powershell executing Copy-Item pointing to an attacker-controlled WebDav network share (192.168.0.4:80)
Technique: Exfiltration Over Alternative Protocol (T1048)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Exfiltration over Alternative Protocol" occurred containing evidence of exfiltration to a remote WebDav network share (192.168.0.4). [1] [2] [3]
Detection Type: Telemetry
Detection Notes: Telemetry showed a .7z file creation on a remote file share. [1]
8.A.1
Procedure: Enumerated remote systems using LDAP queries
Criteria: powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)
Technique: Remote System Discovery (T1018)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Remote System Discovery" was received that included PowerShell commands run by the adversary and an explanation of those commands. [1]
Detection Type: Telemetry (Delayed (Manual))
Detection Notes: Telemetry showed powershell.exe establishing a connection identified as LDAP over port 389 to NewYork (10.0.0.4). The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual). [1]

8.A.2
Procedure: Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria: Network connection to Scranton (10.0.1.4) over port 5985
Technique: Windows Remote Management (T1028)
Detection Type: Telemetry (Delayed (Manual))
Detection Notes: Telemetry showed a connection to Scranton (10.0.1.4) over port 5985 via HTTP. The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual). [1]

8.A.3
Procedure: Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell
Criteria: powershell.exe executing Get-Process
Technique: Process Discovery (T1057)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Process Discovery" was received that included PowerShell commands run by the adversary and explained that they were used to enumerate running processes on remote host Scranton (10.0.1.4). [1]

8.B.1
Procedure: Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria: The file python.exe created on Scranton (10.0.1.4)
Technique: Remote File Copy (T1105)
Detection Type: Technique
Detection Notes: A Technique detection for "Remote File Copy" was generated for data being sent over SMB2 to Scranton (10.0.1.4) creating a .exe file. [1]
Detection Type: General (Delayed (Processing), Alert)
Detection Notes: A General alert detection for "Malicious file detected python.exe" was generated on sandbox detection evaluation of python.exe. Detection incurred a delay based on sandbox detonation processing. [1]

8.B.2
Procedure: python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed
Technique: Software Packing (T1045)
Detection Type: Technique
Detection Notes: A Technique detection for "Software Packing" was generated when python.exe was executed by PSExec. [1]
Detection Type: Telemetry (Delayed (Processing))
Detection Notes: Telemetry from automated file analysis showed python.exe was UPX packed. Detection incurred a delay based on additional data processing of python.exe to determine it was UPX packed. [1]

8.C.1
Procedure: Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam
Criteria: Successful logon as user Pam on Scranton (10.0.1.4)
Technique: Valid Accounts (T1078)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection occurred containing evidence of a valid logon on Scranton (10.0.1.4) as user Pam. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed PsExec64.exe executing python.exe with pam's login credentials on Scranton. A Kerberos ticket was generated on Scranton for pam. [1]

8.C.2
Procedure: Established SMB session to remote host Scranton's (10.0.1.4) IPC$ share using PsExec
Criteria: SMB session to Scranton (10.0.1.4) over TCP port 445/135 OR evidence of usage of a Windows share
Technique: Windows Admin Shares (T1077)
Detection Type: Telemetry
Detection Notes: Telemetry showed an SMB session from Nashua (10.0.1.6) to Scranton (10.0.1.4) over TCP port 445. [1]

8.C.3
Procedure: Executed python.exe using PSExec
Criteria: python.exe spawned by PSEXESVC.exe
Technique: Service Execution (T1035)
Detection Type: Technique (Alert)
Detection Notes: A Technique alert detection for "PsExec interacted with services - SONAR.PsExeSvc!gen1" was generated on PsExecSvc targeting python.exe. [1]
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Service Execution" occurred containing evidence of PSEXECSVC.exe executing python.exe. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed PSEXECSVC.exe executing python.exe. [1]
9.A.1
Procedure: Dropped rar.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file rar.exe
Technique: Remote File Copy (T1105)
Detection Type: Technique (Alert)
Detection Notes: A Technique alert detection for "Remote File Copy - Suspicious N-Gram" was generated when python.exe connected to 192.168.0.4 port 8443 and then immediately created rar.exe. [1] [2]
Detection Type: Telemetry
Detection Notes: Telemetry showed python.exe creating rar.exe. [1]

9.A.2
Procedure: Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)
Criteria: python.exe creating the file sdelete64.exe
Technique: Remote File Copy (T1105)
Detection Type: General (Alert)
Detection Notes: A General alert detection for "Suspicious N-Gram" was generated when python.exe connected to 192.168.0.4 port 8443 and then immediately created sdelete64.exe. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed a Created File event for python.exe connecting to 192.168.0.4 port 8443 and then immediately creating sdelete64.exe. [1]

9.B.1
Procedure: Spawned interactive powershell.exe
Criteria: powershell.exe spawning from python.exe
Technique: PowerShell (T1086)
Detection Type: Technique
Detection Notes: A Technique detection for PowerShell was generated when python.exe spawned powershell.exe. [1] [2]
Detection Type: Telemetry (Correlated)
Detection Notes: Telemetry showed python.exe executing powershell.exe. The telemetry was correlated to a parent detection of python.exe as a suspicious file. [1]

9.B.2
Procedure: Searched filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: File and Directory Discovery (T1083)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Collection" was received that included ChildItem command execution searching for document and media files. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed powershell.exe executing ChildItem. [1]

9.B.3
Procedure: Scripted search of filesystem for document and media files using PowerShell
Criteria: powershell.exe executing (Get-)ChildItem
Technique: Automated Collection (T1119)
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Collection" was received that included ChildItem command execution searching for document and media files. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed powershell.exe executing ChildItem. [1]

9.B.4
Procedure: Recursively collected files found in C:\Users\Pam\ using PowerShell
Criteria: powershell.exe reading files in C:\Users\Pam\
Technique: Data from Local System (T1005)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

9.B.5
Procedure: Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell
Criteria: powershell.exe creating the file working.zip
Technique: Data Staged (T1074)
Detection Type: Telemetry (Correlated)
Detection Notes: Telemetry showed a Created File event for powershell.exe creating working.zip. The event was correlated to a parent General detection for a suspicious PowerShell process. [1] [2]

9.B.6
Procedure: Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe with the -a parameter for a password to use for encryption
Technique: Data Encrypted (T1022)
Detection Type: Tactic
Detection Notes: A Tactic detection for "Exfiltration" was generated when rar.exe executed with command-line arguments creating working.zip. [1]
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Data Encrypted" was received that included the command used by the adversary to execute Rar.exe and explained that it was used to compress data into an encrypted ZIP file. [1] [2]
Detection Type: Telemetry
Detection Notes: Telemetry showed powershell.exe executing rar.exe with command-line arguments. [1]

9.B.7
Procedure: Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe
Criteria: powershell.exe executing rar.exe
Technique: Data Compressed (T1002)
Detection Type: Technique
Detection Notes: A Technique detection for Data Compressed was generated when rar.exe created working.zip. [1]
Detection Type: MSSP (Delayed (Manual))
Detection Notes: An MSSP detection for "Data Staged" was received that included the command used by the adversary to execute Rar.exe and explained that it was used to compress data into working.zip. [1] [2]
Detection Type: Telemetry
Detection Notes: Telemetry showed powershell.exe executing rar.exe with command-line arguments. [1]

9.B.8
Procedure: Read and downloaded ZIP (working.zip on Desktop) over C2 channel (192.168.0.5 over TCP port 8443)
Criteria: python.exe reading the file working.zip while connected to the C2 channel
Technique: Exfiltration Over Command and Control Channel (T1041)
Detection Type: None
Detection Notes: No detection capability demonstrated for this procedure.

9.C.1
Procedure: Deleted rar.exe on disk using SDelete
Criteria: sdelete64.exe deleting the file rar.exe
Technique: File Deletion (T1107)
Detection Type: Tactic
Detection Notes: A Tactic detection called "Defense Evasion" was generated when sdelete64.exe with command-line arguments was used to delete Rar.exe. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed sdelete64.exe executing with command-line arguments to delete Rar.exe. [1]

9.C.2
Procedure: Deleted working.zip (from Desktop) on disk using SDelete
Criteria: sdelete64.exe deleting the file \Desktop\working.zip
Technique: File Deletion (T1107)
Detection Type: Tactic
Detection Notes: A Tactic detection called "Defense Evasion" was generated when sdelete64.exe with command-line arguments was used to delete Desktop\working.zip. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed sdelete64.exe executing with command-line arguments to delete Desktop\working.zip. [1]

9.C.3
Procedure: Deleted working.zip (from AppData directory) on disk using SDelete
Criteria: sdelete64.exe deleting the file \AppData\Roaming\working.zip
Technique: File Deletion (T1107)
Detection Type: Tactic
Detection Notes: A Tactic detection called "Defense Evasion" was generated when sdelete64.exe with command-line arguments was used to delete Roaming\working.zip. [1]
Detection Type: Telemetry
Detection Notes: Telemetry showed sdelete64.exe executing with command-line arguments to delete Roaming\working.zip. [1]

9.C.4
Procedure: Deleted SDelete on disk using cmd.exe del command
Criteria: cmd.exe deleting the file sdelete64.exe
Technique: File Deletion (T1107)
Detection Type: Telemetry (Delayed (Manual))
Detection Notes: Telemetry showed cmd.exe deleting sdelete64.exe. Processing was triggered by human action and not initiated automatically. The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual). [1]
10.A.1
Executed persistent service (javamtsup) on system startup javamtsup.exe spawning from services.exe
Service Execution
(T1035)
None
No detection capability demonstrated for this procedure.
10.B.1
Executed LNK payload (hostui.lnk) in Startup Folder on user login Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder
Registry Run Keys / Startup Folder
(T1060)
None
No detection capability demonstrated for this procedure, though execution of hostui.bat was observed. [1]
10.B.2
Executed PowerShell payload via the CreateProcessWithToken API hostui.exe executing the CreateProcessWithToken API
Execution through API
(T1106)
None
No detection capability demonstrated for this procedure, though data showed svchost.exe with -seclogon flag spawning before PowerShell. [1] [2]
10.B.3
Manipulated the token of the PowerShell payload via the CreateProcessWithToken API hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
Access Token Manipulation
(T1134)
Telemetry
Telemetry showed powershell.exe's security_descriptor obtaining the same value as explorer.exe. [1]
11.A.1
User Oscar executed payload 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk powershell.exe spawning from explorer.exe
User Execution
(T1204)
Tactic
A Tactic detection called "Execution" was generated when explorer.exe executed powershell.exe. [1]
Telemetry
Telemetry showed explorer.exe executing powershell.exe. [1]
11.A.2
Executed an alternate data stream (ADS) using PowerShell powershell.exe executing the schemas ADS via Get-Content and IEX
NTFS File Attributes
(T1096)
MSSP (Delayed (Manual))
An MSSP detection for "NTFS File Attributes" was received that included the PowerShell command used by the adversary and explained that it was used to retrieve the PowerShell script from the schemas Alternate Data Stream and execute it. [1]
Telemetry
Telemetry showed powershell.exe executing the schemas ADS with Get-Content and IEX. [1]
11.A.3
Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell powershell.exe executing a Get-WmiObject query for Win32_BIOS
Virtualization/Sandbox Evasion
(T1497)
MSSP (Delayed (Manual))
An MSSP detection for "Virtualization/Sandbox Evasion" was received that included a PowerShell command executed by the adversary and explained that it was used to query BIOS information. [1] [2]
11.A.4
Enumerated computer manufacturer, model, and version information using PowerShell powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem
System Information Discovery
(T1082)
MSSP (Delayed (Manual))
An MSSP detection for "System Information Discovery" was received that included a PowerShell command executed by the adversary and explained that it was used to collect information about the local system. [1] [2]
11.A.5
Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell powershell.exe executing a Get-WmiObject query for Win32_PnPEntity
Peripheral Device Discovery
(T1120)
MSSP (Delayed (Manual))
An MSSP detection for "Peripheral Device Discovery" was received that included a PowerShell command executed by the adversary and explained that it was used to enumerate Plug and Play devices. [1] [2]
11.A.6
Checked that the username is not related to admin or a generic value (ex: user) using PowerShell powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Owner/User Discovery
(T1033)
MSSP (Delayed (Manual))
An MSSP detection for "System Owner/User Discovery" was received that included a PowerShell command executed by the adversary and explained that it was used to query the system owner. [1] [2]
11.A.7
Checked that the computer is joined to a domain using PowerShell powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem
System Network Configuration Discovery
(T1016)
MSSP (Delayed (Manual))
An MSSP detection for "System Network Configuration Discovery" was received that included a PowerShell command executed by the adversary and explained that it was used to query the system's network configuration. [1] [2]
11.A.8
Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell powershell.exe executing a Get-WmiObject query for Win32_Process
Process Discovery
(T1057)
MSSP (Delayed (Manual))
An MSSP detection for "Process Discovery" was received that included a PowerShell command executed by the adversary and explained that it was used to enumerate running processes on the local system. [1] [2]
11.A.9
Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName
File and Directory Discovery
(T1083)
MSSP (Delayed (Manual))
An MSSP detection for "File and Directory Discovery" was received that included a PowerShell command executed by the adversary and explained that it was used to perform discovery of the file and directory list from the local filesystem. [1] [2]
11.A.10
Decoded an embedded DLL payload to disk using certutil.exe certutil.exe decoding kxwn.lock
Deobfuscate/Decode Files or Information
(T1140)
Technique (Alert)
A Technique alert detection (red indicator) for "Deobfuscate/Decode Files or Information" was generated when certutil decoded data and created an executable file. [1] [2] [3]
MSSP (Delayed (Manual))
An MSSP detection for "Deobfuscate/Decode Files or Information" was received that included details on execution of certutil.exe by the adversary and explained that it was used to decode a fake certificate file into a DLL. [1] [2]
Telemetry
Telemetry showed the certutil.exe process and corresponding file write of the kxwn.lock payload. [1] [2] [3]
11.A.11
Established Registry Run key persistence using PowerShell Addition of the Webcache subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry Run Keys / Startup Folder
(T1060)
Technique
A Technique detection for "Registry Run Keys / Startup Folder" was generated for powershell.exe adding Run key persistence into the Registry. [1] [2]
MSSP (Delayed (Manual))
An MSSP detection for "Registry Run Keys / Startup Folder" was received that included a PowerShell command executed by the adversary and explained that it was used to set a Registry Run Key. A detailed analysis of the malicious payload was also provided. [1]
Telemetry
Telemetry showed powershell.exe adding Run key persistence into the Registry. [1] [2]
11.A.12
Executed PowerShell stager payload powershell.exe spawning from the schemas ADS (powershell.exe)
PowerShell
(T1086)
Technique (Alert)
A Technique alert detection (medium severity) for "Powershell" was generated for powershell.exe spawned from a PowerShell stager. [1] [2] [3] [4]
MSSP (Delayed (Manual))
An MSSP detection for "PowerShell" was received that included a PowerShell command executed by the adversary and explained that it was used to download and execute a PoshC2 stager located on a remote server. [1] [2]
Telemetry
Telemetry showed powershell.exe spawned from a PowerShell stager. [1] [2] [3] [4]
11.A.13
Established C2 channel (192.168.0.4) via PowerShell payload over port 443 Established network channel over port 443
Commonly Used Port
(T1043)
MSSP (Delayed (Manual))
An MSSP detection for "Commonly Used Port" was received that included a description of PowerShell script downloaded and executed by the adversary and explained that it was used to establish a connection to 192.168.0.4 over port 443. A detailed analysis of the script was also provided. [1] [2]
Telemetry (Delayed (Manual))
Telemetry showed powershell.exe making a network connection to the C2 (192.168.0.4) over port 443. The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual). [1]
11.A.14
Used HTTPS to transport C2 (192.168.0.4) traffic Established network channel over the HTTPS protocol
Standard Application Layer Protocol
(T1071)
MSSP (Delayed (Manual))
An MSSP detection for "Standard Application Layer Protocol" was received that included a description of the PowerShell script downloaded and executed by the adversary and explained that it was used to establish a connection to 192.168.0.4 using HTTPS. A detailed analysis of the script was also provided. [1] [2]
Telemetry (Delayed (Manual))
Telemetry showed powershell.exe connecting and sending data to 192.168.0.4 via TLS. The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual). [1]
11.A.15
Used HTTPS to encrypt C2 (192.168.0.4) traffic Evidence that the network data sent over the C2 channel is encrypted
Standard Cryptographic Protocol
(T1032)
MSSP (Delayed (Manual))
An MSSP detection for "Standard Application Layer Protocol" was received that included a description of PowerShell script downloaded and executed by the adversary and explained that it was used to establish a connection to 192.168.0.4 using HTTPS. A detailed analysis of the script was also provided. [1] [2]
Telemetry (Delayed (Manual))
Telemetry showed powershell.exe connecting and sending data to 192.168.0.4 via TLS. The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual). [1]
12.A.1
Enumerated the System32 directory using PowerShell powershell.exe executing gci ((gci env:windir).Value + '\system32')
File and Directory Discovery
(T1083)
MSSP (Delayed (Manual))
An MSSP detection for "File and Directory Discovery" was received that noted a PowerShell command was used to find a random file in the System32 folder. [1] [2]
12.A.2
Modified the time attributes of the kxwn.lock persistence payload using PowerShell powershell.exe modifying the creation, last access, and last write times of kxwn.lock
Timestomp
(T1099)
MSSP (Delayed (Manual))
An MSSP detection for "Timestomp" occurred containing evidence of timestamp modifications of kxwn.lock. [1] [2]
Telemetry (Delayed (Manual))
Telemetry showed powershell.exe setting the file attributes of kxwn.lock. The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual). [1]
12.B.1
Enumerated registered AV products using PowerShell powershell.exe executing a Get-WmiObject query for AntiVirusProduct
Security Software Discovery
(T1063)
MSSP (Delayed (Manual))
An MSSP detection for "Security Software Discovery" occurred containing evidence that WMI was used to enumerate installed AntiVirus products. [1]
12.C.1
Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
MSSP (Delayed (Manual))
An MSSP detection for "Query Registry" occurred that contained a registry query for installed software. [1] [2]
12.C.2
Enumerated installed software via the Registry (Uninstall key) using PowerShell powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Query Registry
(T1012)
MSSP (Delayed (Manual))
An MSSP detection for "Query Registry" occurred that contained a registry query for installed software. [1] [2]
13.A.1
Enumerated the computer name using the GetComputerNameEx API powershell.exe executing the GetComputerNameEx API
System Information Discovery
(T1082)
MSSP (Delayed (Manual))
An MSSP detection for "System Information Discovery" occurred containing evidence of PowerShell calling the GetComputerNameEx API. [1] [2]
13.B.1
Enumerated the domain name using the NetWkstaGetInfo API powershell.exe executing the NetWkstaGetInfo API
System Network Configuration Discovery
(T1016)
MSSP (Delayed (Manual))
An MSSP detection for "System Network Configuration Discovery" occurred containing evidence of PowerShell calling the NetWkstaGetInfo API. [1] [2]
13.C.1
Enumerated the current username using the GetUserNameEx API powershell.exe executing the GetUserNameEx API
System Owner/User Discovery
(T1033)
MSSP (Delayed (Manual))
An MSSP detection for "System Owner/User Discovery" was received that included a PowerShell command executed by the adversary and explained that it was used to obtain the username. [1] [2]
13.D.1
Enumerated running processes using the CreateToolhelp32Snapshot API powershell.exe executing the CreateToolhelp32Snapshot API
Process Discovery
(T1057)
MSSP (Delayed (Manual))
An MSSP detection for "Process Discovery" occurred containing evidence of an executed PowerShell command used to enumerate running processes on the local machine. [1] [2]
14.A.1
Modified the Registry to enable COM hijacking of sdclt.exe using PowerShell Addition of the DelegateExecute subkey in HKCU\Software\Classes\Folder\shell\open\command
Component Object Model Hijacking
(T1122)
Telemetry (Delayed (Manual))
Telemetry showed the addition of the DelegateExecute Registry value. The telemetry was acquired by manually initiating an export of endpoint-stored event data that was not automatically sent to the analysis system, which caused this detection to receive Delayed (Manual). [1]
14.A.2
Executed elevated PowerShell payload High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)
Bypass User Account Control
(T1088)
Technique (Correlated, Alert)
A Technique alert detection for "UAC Bypass" was generated when the setting of registry values associated with COM Hijacking was followed by execution of a program known to be associated with UAC bypasses. The event was correlated to a parent Tactic detection called "Execution" that was generated when explorer.exe executed powershell.exe. [1] [2]
Telemetry
Telemetry showed a new High Integrity PowerShell callback spawned from control.exe (spawned from sdclt.exe). [1]
14.A.3
Modified the Registry to remove artifacts of COM hijacking using PowerShell Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey
Modify Registry
(T1112)