| Step | Technique | Detection type | Notes |
|---|---|---|---|
| Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda) | User Execution (T1204) | Telemetry (Tainted) | Telemetry showed that Resume Viewer.exe was executed. The telemetry was tainted by the parent Script File Created alert. [1] |
| Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32 | Rundll32 (T1085) | Telemetry (Tainted) | Telemetry showed that cmd.exe created the rundll32.exe process that started update.dat. The telemetry was tainted by the parent Script File Created alert. [1] |
| Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd) | Scripting (T1064) | Telemetry (Tainted) | Telemetry showed that Resume Viewer.exe created cmd.exe, which ran the script pdfhelper.cmd. The telemetry was tainted by the parent Script File Created alert. [1] |
| Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder | | | |
| Cobalt Strike: C2 channel established using port 53 | Commonly Used Port (T1043) | None | No detection capability demonstrated for this procedure, though DNS requests were observed (no detection showed port 53 specifically). |
| Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com | | | |
| Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding | Data Encoding (T1132) | None | No detection capability demonstrated for this procedure, though the capability identified DNS queries (no detection showed data encoding specifically). |
| Cobalt Strike: 'ipconfig -all' via cmd | System Network Configuration Discovery (T1016) | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe executing ipconfig.exe with command-line arguments and enriched the command with the condition Ipconfig All Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] |
| Cobalt Strike: 'arp -a' via cmd | | | |
| Cobalt Strike: 'echo' via cmd to enumerate specific environment variables | System Owner/User Discovery (T1033) | Telemetry (Tainted) | Telemetry showed cmd.exe executing echo with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] |
| Cobalt Strike: 'ps' (Process status) via Win32 APIs | | | |
| Cobalt Strike: 'tasklist -v' via cmd | Process Discovery (T1057) | Telemetry (Tainted) | Telemetry showed cmd.exe executing tasklist.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] |
| Cobalt Strike: 'sc query' via cmd | System Service Discovery (T1007) | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe executing sc.exe with command-line arguments and enriched the command with the condition SC Query Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] |
| Cobalt Strike: 'net start' via cmd | System Service Discovery (T1007) | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] |
| Cobalt Strike: 'systeminfo' via cmd | System Information Discovery (T1082) | Telemetry (Tainted) | Telemetry showed cmd.exe executing systeminfo.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] |
| Cobalt Strike: 'net config workstation' via cmd | System Information Discovery (T1082) | Telemetry (Tainted) | Telemetry showed cmd.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] |
| Cobalt Strike: 'net localgroup administrators' via cmd | Permission Groups Discovery (T1069) | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] |
| Cobalt Strike: 'net localgroup administrators -domain' via cmd | Permission Groups Discovery (T1069) | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] |
| Cobalt Strike: 'net group "Domain Admins" -domain' via cmd | Permission Groups Discovery (T1069) | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] |
| Cobalt Strike: 'net user -domain' via cmd | Account Discovery (T1087) | Enrichment (Tainted) | The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] |
| Cobalt Strike: 'net user george -domain' via cmd | Account Discovery (T1087) | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the conditions Reconnaissance Tool and Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] |
| Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key | Query Registry (T1012) | Telemetry (Tainted) | Telemetry showed cmd.exe executing reg.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] |
| Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level | | | |
| Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token | | | |
| Cobalt Strike: 'ps' (Process status) via Win32 APIs | | | |
| Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe | Process Injection (T1055) | Specific Behavior (Tainted) | A Specific Behavior alert was generated based on DLL injection for powershell.exe injecting into cmd.exe. The detection was labeled with Process Hijacking and Privilege Escalation and tainted by the parent "Powershell process created" alert. [1] |
| Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd | Remote System Discovery (T1018) | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net Group Reconnaissance Command. The enrichment was tainted by the parent "Powershell Execution Policy ByPass command ran" alert. [1] |
| Cobalt Strike: 'net group "Domain Computers" -domain' via cmd | Remote System Discovery (T1018) | Enrichment (Configuration Change, Tainted) | The capability showed cmd.exe executing net.exe with command-line arguments and enriched the command with the condition Net Group Reconnaissance Command. The enrichment was tainted by the parent "Powershell Execution Policy ByPass command ran" alert. [1] |
| Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd | | | |
| Cobalt Strike: 'netstat -ano' via cmd | System Network Connections Discovery (T1049) | Telemetry (Tainted) | Telemetry showed cmd.exe executing netstat.exe with command-line arguments. The telemetry was tainted by the parent "Powershell Execution Policy ByPass command ran" alert. [1] |
| Cobalt Strike: Built-in Mimikatz credential dump capability executed | Credential Dumping (T1003) | None | No detection capability demonstrated for this procedure, though a DDNA Scan alerted for svchost.exe and displayed details related to Project Injection. [1] [2] [3] |
| Cobalt Strike: Credential dump capability involved process injection into lsass | Process Injection (T1055) | General Behavior | A General Behavior alert was generated when a DDNA Scan alerted for svchost.exe. DDNA scan results showed that svchost.exe "appeared to inject code into another process." [1] [2] [3] |
| Cobalt Strike: Built-in hash dump capability executed | Credential Dumping (T1003) | Telemetry (Tainted) | Telemetry showed a thread create within lsass.exe from svchost.exe, which could be indicative of credential dumping. The telemetry was tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts. [1] |
| Cobalt Strike: Hash dump capability involved process injection into lsass.exe | Process Injection (T1055) | Specific Behavior (Tainted); General Behavior | Specific Behavior: an alert was generated for process hijacking based on a thread create within lsass.exe from svchost.exe (tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts). [1] [2] [3] General Behavior: an alert was generated when a DDNA Scan alerted for svchost.exe; the DDNA scan results showed that svchost.exe "appeared to inject code into another process." [1] [2] [3] |
| Cobalt Strike: Built-in token theft capability executed to change user context to George | | | |
| Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5) | Query Registry (T1012) | Telemetry (Tainted) | Telemetry showed cmd.exe executing reg.exe with command-line arguments. Telemetry also showed that two PIPEs were created as a result of reg.exe execution. The telemetry was tainted by the parent "Powershell process created" alert. [1] [2] |
| Cobalt Strike: C2 channel modified to use port 80 | Commonly Used Port (T1043) | Telemetry (Tainted) | Telemetry showed an outbound network connection from rundll32.exe to 192.168.0.4 (C2 server) over TCP port 80. The telemetry was tainted by the parent "Sponsor Process Established Network Connection" alert. [1] |
| Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com | | | |
| Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS | Multiband Communication (T1026) | Telemetry (Tainted) | Telemetry showed C2 traffic was over TCP port 80 as well as earlier traffic over DNS, which could indicate multiband communication. The HTTP telemetry over TCP port 80 was tainted by the parent "Sponsor Process Established Network Connection" alert. [1] [2] |
| Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5) | Remote Desktop Protocol (T1076) | Enrichment (Configuration Change, Tainted); Telemetry | Enrichment: the capability showed cmd.exe creating an outbound TCP port 3389 (RDP) connection from Nimda and enriched the connection with the conditions Lateral Movement and Remote Share Access. The enrichment was tainted by the parent "Windows command prompt invoked" alert. [1] [2] Telemetry: telemetry also identified an inbound connection to Conficker over TCP port 3389. [1] [2] |
| Added user Jesse to Conficker (10.0.0.5) through RDP connection | Create Account (T1136) | Specific Behavior (Configuration Change) | A Specific Behavior alert named "New user account created" was generated based on the Registry change identifying that the new user Jesse was created. A child event of the alert indicated that the account had been added to the local admins group (but did not identify the account creation specifically). [1] [2] |
| Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection | Graphical User Interface (T1061) | Telemetry (Tainted) | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the GUI-based lusrmgr.msc (Local Users and Groups snap-in) (tainted by the parent "LSA Registry Key modified" alert). [1] |
| Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information | Account Discovery (T1087) | Telemetry (Tainted) | Telemetry showed execution of mmc.exe, the Microsoft Management Console, spawning the lusrmgr.msc (Local Users and Groups snap-in), which displays local account information. The telemetry was tainted by the parent "LSA Registry Key modified" alert. [1] |
| Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6) | Remote File Copy (T1105) | Telemetry (Tainted) | Telemetry showed creation of updater.dll. The telemetry was tainted by the parent "Powershell process created" alert. [1] |
| Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll) | Scheduled Task (T1053) | Specific Behavior; Telemetry | Specific Behavior: an alert called "Schtasks with create command" was generated due to a schtasks.exe process create from cmd.exe. [1] Telemetry: telemetry within the Schtasks alert showed a process creation of schtasks.exe from cmd.exe, and would be available in a separate view. [1] |
| Cobalt Strike: 'dir -s -b "\\conficker\wormshare"' via cmd | File and Directory Discovery (T1083) | Telemetry (Tainted) | Telemetry showed that svchost.exe created cmd.exe, which executed dir. The telemetry was tainted by the parent "Powershell process created" alert. [1] |
| Cobalt Strike: 'tree "C:\Users\debbie"' via cmd | File and Directory Discovery (T1083) | Telemetry (Tainted) | Telemetry showed that svchost.exe created cmd.exe, which executed tree with command-line arguments. The telemetry was tainted by the parent "Powershell process created" alert. [1] |
| Cobalt Strike: 'ps' (Process status) via Win32 APIs | | | |
| Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie | Input Capture (T1056) | None | No detection capability demonstrated for this procedure, though telemetry showed a remote thread being created from cmd.exe in explorer.exe. The vendor noted that if a user determined the process creation was suspicious, the user could manually kick off a DDNA scan from the Command-Line Interface (CLI) view by using the Process ID (PID). [1] [2] [3] |
| Cobalt Strike: Keylogging capability included residual enumeration of application windows | | | |
| Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie | Screen Capture (T1113) | None | No detection capability demonstrated for this procedure, though telemetry showed a remote thread being created from cmd.exe into explorer.exe. The vendor also noted that if a user determined the process creation was suspicious, the user could manually kick off a DDNA scan. DDNA results on this process reported "This module may capture screen shots," indicating the module has the capability to perform this. [1] [2] |
| Cobalt Strike: Screen capture capability involved process injection into explorer.exe | Process Injection (T1055) | Telemetry | Telemetry showed a remote thread being created from cmd.exe into explorer.exe, which could be indicative of process injection. [1] |
| Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5) | | | |
| Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) | | | |
| Cobalt Strike: Download capability exfiltrated data through existing C2 channel | | | |
| Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32 | | | |
| Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32 | Scheduled Task (T1053) | Telemetry (Tainted) | Telemetry showed svchost.exe executing rundll32.exe, which executed updater.dll. The telemetry was tainted by the parent "Sponsor process started V2" alert. [1] |
| RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse | Valid Accounts (T1078) | Telemetry | Telemetry showed that the explorer.exe process was running as the user Jesse, indicating the account exists. [1] |
| RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism | Remote Desktop Protocol (T1076) | Enrichment (Configuration Change, Tainted) | The capability enriched a TCP port 3389 (RDP) connection to 10.0.0.5 (Conficker) with the conditions Lateral Movement and Remote Share Access. One connection event was tainted by the parent "Windows command prompt invoked" alert. [1] |
| Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed) | Scripting (T1064) | Telemetry (Tainted) | Telemetry showed wscript.exe executing autoupdate.vbs and that wscript.exe created a powershell.exe process, including the encoded command-line arguments (tainted by the parent Script File Created alert). [1] [2] |
| Empire: C2 channel established using port 443 | Commonly Used Port (T1043) | Telemetry | Telemetry showed powershell.exe creating an outbound connection to 192.168.0.5 (C2 server) over TCP port 443. [1] |
| Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com | | | |
| Empire: Encrypted C2 channel established using HTTPS | Standard Cryptographic Protocol (T1032) | None | No detection capability demonstrated for this procedure, though telemetry showed an outbound network connection over TCP port 443 (no protocol was identified for this traffic). [1] |
| Empire: 'route print' via PowerShell | System Network Configuration Discovery (T1016) | Enrichment (Tainted) | The capability showed powershell.exe executing route.exe with command-line arguments and enriched the command with the conditions Reconnaissance Tool and Route Spawned with Reconnaissance. The enrichment was tainted by the parent Script File Created alert. [1] |
| Empire: 'ipconfig -all' via PowerShell | System Network Configuration Discovery (T1016) | Enrichment (Configuration Change, Tainted) | The capability showed powershell.exe executing ipconfig.exe with command-line arguments and enriched the command with the condition Ipconfig All Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] |
| Empire: 'whoami -all -fo list' via PowerShell | System Owner/User Discovery (T1033) | Enrichment (Configuration Change, Tainted) | The capability showed powershell.exe executing whoami.exe with command-line arguments and enriched the command with the condition Whoami Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] |
| Empire: 'qprocess *' via PowerShell | Process Discovery (T1057) | Telemetry (Tainted) | Telemetry showed powershell.exe executing qprocess.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] |
| Empire: 'net start' via PowerShell | System Service Discovery (T1007) | Telemetry (Tainted) | Telemetry showed powershell.exe executing net.exe with command-line arguments. The telemetry was tainted by the parent Script File Created alert. [1] |
| Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques | Scripting (T1064) | Telemetry | Telemetry showed powershell.exe connecting to the domain controller 10.0.0.4 (Creeper), which coincided with the execution of WinEnum. [1] |
| Empire: WinEnum module included enumeration of user information | | | |
| Empire: WinEnum module included enumeration of AD group memberships | Permission Groups Discovery (T1069) | None | No detection capability demonstrated for this procedure, though telemetry showed powershell.exe connecting to the domain controller. This could indicate AD group information was being obtained, but this was not directly detected. The vendor indicated the capability sees the start of a PowerShell connection, but would not see additional commands after that start. [1] |
| Empire: WinEnum module included enumeration of password policy information | | | |
| Empire: WinEnum module included enumeration of recently opened files | | | |
| Empire: WinEnum module included enumeration of interesting files | | | |
| Empire: WinEnum module included enumeration of clipboard contents | | | |
| Empire: WinEnum module included enumeration of system information | | | |
| Empire: WinEnum module included enumeration of Windows update information | | | |
| Empire: WinEnum module included enumeration of system information via a Registry query | | | |
| Empire: WinEnum module included enumeration of services | | | |
| Empire: WinEnum module included enumeration of available shares | | | |
| Empire: WinEnum module included enumeration of mapped network drives | | | |
| Empire: WinEnum module included enumeration of AV solutions | | | |
| Empire: WinEnum module included enumeration of firewall rules | | | |
| Empire: WinEnum module included enumeration of network adapters | | | |
| Empire: WinEnum module included enumeration of established network connections | | | |
| Empire: 'net group "Domain Admins" -domain' via PowerShell | Permission Groups Discovery (T1069) | Enrichment (Configuration Change, Tainted) | The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Domain Admins Reconnaissance Command and Net Group Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] |
| Empire: 'net localgroup administrators' via PowerShell | Permission Groups Discovery (T1069) | Enrichment (Configuration Change, Tainted) | The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] |
| Empire: 'net user' via PowerShell | Account Discovery (T1087) | Enrichment (Tainted) | The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] |
| Empire: 'net user -domain' via PowerShell | Account Discovery (T1087) | Enrichment (Tainted) | The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] |
| Empire: 'net group "Domain Computers" -domain' via PowerShell | Remote System Discovery (T1018) | Enrichment (Configuration Change, Tainted) | The capability showed powershell.exe executing net.exe with command-line arguments and enriched the command with the condition Net User Reconnaissance Command. The enrichment was tainted by the parent Script File Created alert. [1] |
| Empire: 'net use' via PowerShell | | | |
| Empire: 'netstat -ano' via PowerShell | | | |
| Empire: 'reg query' via PowerShell to enumerate a specific Registry key | Query Registry (T1012) | Telemetry (Tainted) | Telemetry showed execution of reg.exe with command-line arguments (tainted by the parent Script File Created alert). [1] |
| Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level | Bypass User Account Control (T1088) | None | No detection capability demonstrated for this procedure, though an alert called "PowerShell executed encoded commands" triggered due to svchost.exe creating powershell.exe with the -enc command-line argument. [1] |
| Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk | Remote File Copy (T1105) | Telemetry (Tainted) | Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass (tainted by the parent "Powershell executed encoded commands" alert). [1] |
| Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP | Standard Application Layer Protocol (T1071) | Telemetry (Tainted) | Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass (tainted by the parent "Powershell executed encoded commands" alert). [1] |
| Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080 | Commonly Used Port (T1043) | Telemetry (Tainted) | Telemetry showed powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass (tainted by the parent "Powershell executed encoded commands" alert). [1] |
| Empire: Built-in keylogging module executed to capture keystrokes of user Bob | | | |
| Empire: Built-in keylogging module included residual enumeration of application windows | | | |
| Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5) | | | |
| Empire: 'net use' via PowerShell to make brute-force (password-spraying) authentication attempts against Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda | Brute Force (T1110) | Enrichment (Tainted) | The capability enriched each individual net.exe logon attempt with the condition "Net User Reconnaissance Command". The enrichment was tainted by the parent "Powershell executed remote commands" alert. [1] [2] [3] [4] |
| Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6) | Windows Admin Shares (T1077) | Enrichment (Tainted) | The capability enriched individual net.exe logon attempts targeting ADMIN$ with the condition "Net User Reconnaissance Command". The enrichment was tainted by the parent "Powershell executed remote commands" alert. [1] [2] [3] [4] |
| Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick | Valid Accounts (T1078) | Telemetry (Tainted) | Telemetry showed a logon attempt via net.exe with command-line arguments to connect using the valid credentials of user Kmitnick. The telemetry was tainted by the parent "Powershell executed remote commands" alert. Telemetry also showed explorer.exe (as the user Bob) write a PIPE on Conficker, which could indicate to an analyst that the share had been successfully mounted. [1] [2] |
| Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5) | Windows Admin Shares (T1077) | Telemetry (Tainted) | Telemetry showed a logon attempt via net.exe with command-line arguments targeting ADMIN$ using valid credentials for user Kmitnick. Telemetry also showed explorer.exe (as the user Bob) write a PIPE on Conficker, which could indicate to an analyst that the share had been successfully mounted (tainted by the parent FileExts Registry Key modified alert). [1] [2] |
| Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying | Brute Force (T1110) | Enrichment (Tainted); Telemetry (Tainted) | Enrichment: the capability enriched a net.exe logon attempt targeting ADMIN$ with the condition "Net User Reconnaissance Command". The enrichment was tainted by the parent "Powershell executed remote commands" alert. [1] [2] Telemetry: telemetry also showed explorer.exe (as the user Bob) write a PIPE on Conficker, which could indicate to an analyst that the share had been successfully mounted (tainted by the parent FileExts Registry Key modified alert). [1] [2] |
| Empire: 'net use -delete' via PowerShell | | | |
| Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5) | Windows Admin Shares (T1077) | Telemetry (Tainted) | Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. [1] |
| Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick | Valid Accounts (T1078) | Telemetry (Tainted) | Telemetry showed a logon attempt via net.exe with command-line arguments targeting C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick. [1] |
| Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5) | Remote File Copy (T1105) | Telemetry (Tainted) | Telemetry showed powershell.exe creating autoupdate.vbs (tainted by the parent "Powershell executed remote commands" alerts). [1] |
| Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick | Command-Line Interface (T1059) | Telemetry (Tainted) | Telemetry showed svchost.exe creating cmd.exe, which ran autoupdate.vbs as user Kmitnick (tainted by the parent "Powershell executed remote commands" alert). [1] [2] [3] |
Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
|
Remote File Copy
(T1105)
|
Enrichment (Configuration Change, Tainted)
|
 
|
|
The capability enriched the update.vbs creation event with the condition \"File created on hidden share (C$)\". The enrichment was tainted by parent \"Powershell executed remote commands\" alerts.
[1]
|
|
|
|
|
|
Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
|
System Service Discovery
(T1007)
|
Enrichment (Configuration Change, Tainted)
|
 
|
|
The capability showed powershell.exe executing sc.exe to remotely query services on Creeper and enriched sc.exe with enriched with the condition SC Query Reconnaissance Command. The enrichment was tainted by the parent \"Powershell executed remote commands\" alert.
[1]
|
|
|
|
|
|
Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
|
New Service
(T1050)
|
Specific Behavior (Configuration Change)
|

|
|
An alert called "Windows Service Registry Key modified" and a Specific Behavior alert called "New Windows service created" were generated due to the AdobeUpdater service being created in the Registry.
[1]
[2]
|
|
Telemetry (Tainted)
|

|
|
Telemetry showed powershell.exe executing sc.exe to create a new service named AdobeUpdater with binPath pointed to cmd.exe with arguments to run update.vbs and suspicious service description. The telemetry was tainted by the parent \"Powershell executed remote commands alert\".
[1]
[2]
|
|
|
|
Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)
|
Masquerading
(T1036)
|
Telemetry (Tainted)
|

|
|
Telemetry showed powershell.exe executing sc.exe to create a new service named AdobeUpdater with binPath pointed to cmd.exe with arguments to run update.vbs and suspicious service description, which could assist an analyst in determining this was not a legitimate Adobe product. The telemetry was tainted by the parent \"Powershell executed remote commands alert\".
[1]
|
|
|
|
|
|
Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
|
System Service Discovery
(T1007)
|
Enrichment (Configuration Change, Tainted)
|
 
|
|
The capability showed powershell.exe executing sc.exe to query the AdobeUpdater service on Creeper and enriched sc.exe with the condition SC QC Reconnaissance Command. The enrichment was tainted by the parent "Powershell executed remote commands" alert.
[1]
|
|
|
|
|
|
Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
|
|
|
|
Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
|
Service Execution
(T1035)
|
Telemetry (Tainted)
|

|
|
Telemetry showed powershell.exe executing sc.exe to start the AdobeUpdater service on Creeper. The telemetry was tainted by the parent "Powershell executed remote commands" alert. Telemetry from Creeper also showed services.exe creating cmd.exe, which executed the update.vbs file (showing the AdobeUpdater service starting).
[1]
[2]
|
|
|
|
|
|
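The sc.exe chain above (sc query, sc create, sc description, sc qc, sc start against Creeper) is the telemetry behind the "New Windows service created" alert. The following is an added example written for this page, not the evaluated vendor's detection logic and not MITRE's: it parses sc.exe command lines as a process-create sensor records them, groups them by host and service, and flags a created service whose binPath runs through a shell or script host, whose binPath names a script file, or whose name or description claims a vendor that the binPath does not live under. The sample command lines, the C:\Windows\Temp\update.vbs location, the vendor list and the ContosoAgent contrast case are constructed; the page does not give the exact arguments used in the evaluation.

```python
import re

# Interpreters a legitimate vendor service would not normally be launched through.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
SCRIPT_EXTS = (".vbs", ".js", ".bat", ".cmd", ".ps1", ".hta")
# Vendor names an attacker might borrow for a service name or description (assumption).
VENDORS = ("adobe", "microsoft", "google")

_HEAD = re.compile(
    r'^\s*"?(?:\S*\\)?sc(?:\.exe)?"?\s+'     # sc or sc.exe, optionally with a path
    r'(?:\\\\(?P<host>\S+)\s+)?'             # optional \\server for remote operation
    r'(?P<verb>\w+)'                         # query, create, description, qc, start ...
    r'(?:\s+(?P<svc>\S+))?\s*(?P<rest>.*)$', re.I)
_OPT = re.compile(r'(?P<key>\w+)=\s*(?:"(?P<q>[^"]*)"|(?P<u>\S+))')  # sc's 'key= value' options

# Constructed sample telemetry: sc.exe command lines as a process-create sensor records them.
# Host, service name and update.vbs follow the procedure above; the exact arguments are assumed.
SAMPLE_SC_COMMANDS = [
    r'sc.exe \\Creeper query',
    r'sc.exe \\Creeper create AdobeUpdater binPath= "cmd.exe /c cscript.exe C:\Windows\Temp\update.vbs" start= auto',
    r'sc.exe \\Creeper description AdobeUpdater "Adobe Acrobat Update Service"',
    r'sc.exe \\Creeper qc AdobeUpdater',
    r'sc.exe \\Creeper start AdobeUpdater',
    r'sc.exe create ContosoAgent binPath= "C:\ProgramData\Contoso\agent.exe" start= auto',  # benign contrast
]


def parse_sc(cmdline):
    """Parse one sc.exe command line into host, verb, service, options and description text.
    Returns None when the command line is not an sc.exe invocation."""
    m = _HEAD.match(cmdline)
    if not m:
        return None
    svc, rest = m.group("svc"), m.group("rest")
    if svc and "=" in svc:              # e.g. 'sc query type= service': no service name was given
        rest, svc = svc + " " + rest, None
    rec = {"host": (m.group("host") or "local").lower(), "verb": m.group("verb").lower(),
           "service": svc, "options": {}, "text": ""}
    if rec["verb"] == "description":    # the description is positional, not key= value
        rec["text"] = rest.strip().strip('"')
    else:
        for o in _OPT.finditer(rest):
            rec["options"][o.group("key").lower()] = o.group("q") if o.group("q") is not None else o.group("u")
    return rec


def _split_command(cmd):
    """Split a binPath value into (executable basename, argument string)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        end = len(cmd) if end < 0 else end
        exe, args = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, args = cmd.partition(" ")
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower(), args


def assess_service(create, description=None):
    """Findings for a service registered with 'sc create', plus its 'sc description' if one was seen."""
    findings = []
    binpath = create["options"].get("binpath", "")
    exe, args = _split_command(binpath)
    if exe in SCRIPT_HOSTS:
        findings.append("binpath-script-host:" + exe)
    for tok in args.replace('"', " ").split():
        name = tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.endswith(SCRIPT_EXTS):
            findings.append("binpath-script-file:" + name)
    claimed = ((create["service"] or "") + " " + (description["text"] if description else "")).lower()
    for vendor in VENDORS:               # name or description claims a vendor the binPath does not live under
        if vendor in claimed and "\\" + vendor + "\\" not in binpath.lower():
            findings.append("vendor-mismatch:" + vendor)
    return findings


def correlate(cmdlines):
    """Group sc.exe invocations by (host, service) and assess each service that was created."""
    by_service = {}
    for line in cmdlines:
        rec = parse_sc(line)
        if rec is None or rec["service"] is None:
            continue
        by_service.setdefault((rec["host"], rec["service"].lower()), {})[rec["verb"]] = rec
    return {key: {"verbs": sorted(verbs), "findings": assess_service(verbs["create"], verbs.get("description"))}
            for key, verbs in by_service.items() if "create" in verbs}


if __name__ == "__main__":
    for (host, service), info in correlate(SAMPLE_SC_COMMANDS).items():
        print(host, service, info["verbs"], info["findings"] or "no findings")
```

The vendor check is deliberately cheap: a service called AdobeUpdater whose binPath never touches an \adobe\ directory is worth a look even before the binPath contents are examined, and here the binPath itself already gives the cmd.exe and update.vbs findings.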
Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
|
System Service Discovery
(T1007)
|
Telemetry (Tainted)
|

|
|
Telemetry showed powershell.exe executing reg.exe with command-line arguments indicating a check of whether Terminal Services was enabled. The telemetry was tainted by the parent "New Windows service created" alert.
[1]
|
|
|
|
Empire: 'reg query' via PowerShell to enumerate a specific Registry key
|
Query Registry
(T1012)
|
Telemetry (Tainted)
|

|
|
Telemetry showed powershell.exe executing reg.exe with command-line arguments. The telemetry was tainted by the parent "New Windows service created" alert.
[1]
|
|
|
|
|
|
Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
|
|
|
|
Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
|
|
|
|
Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
|
Accessibility Features
(T1015)
|
Enrichment (Configuration Change, Tainted)
|
 
|
|
The capability enriched powershell.exe creating and writing magnify.exe to the system directory with the condition "Creation of Sticky Keys File". The enrichment was tainted by parent "New Windows service created" alerts.
[1]
[2]
|
|
Telemetry (Tainted)
|

|
|
Telemetry also showed a different view of the event with powershell.exe copying cmd.exe as magnify.exe in the system directory. The telemetry was tainted by parent "New Windows service created" alerts.
[1]
[2]
|
|
|
|
|
|
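The takeown, icacls and copy steps above are one procedure that ends with cmd.exe written over magnify.exe in System32. As an added example (not the evaluated product's logic, not part of this page), the following Python correlates those three command lines with a System32 file write per accessibility binary: a write by an untrusted process is a high-severity hit on its own, and the ownership plus ACL precursors without a write are a medium one. The event layout, the trusted-writer list and the sample events are assumptions; the binary names are the standard accessibility executables.

```python
import re

ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe", "atbroker.exe"}
# Processes expected to replace files under System32 during servicing; an assumption for this example.
TRUSTED_WRITERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}
_STAGE_BY_IMAGE = {"takeown.exe": "takeown", "icacls.exe": "acl", "cacls.exe": "acl"}
_COPY_VERBS = re.compile(r'(?i)(?<![\w-])(copy-item|copy|move-item|move|xcopy|cp)(?![\w-])')

# Constructed sample telemetry following the procedure above (takeown, icacls, copy, file write).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\takeown.exe",
     "cmdline": r"takeown /f C:\Windows\System32\magnify.exe"},
    {"type": "process", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls C:\Windows\System32\magnify.exe /grant Administrators:F"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "copy C:\Windows\System32\cmd.exe C:\Windows\System32\magnify.exe"'},
    {"type": "file", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Windows\System32\magnify.exe"},
    # Benign contrasts: Windows servicing rewriting sethc.exe, and takeown on an unrelated file.
    {"type": "file", "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "target": r"C:\Windows\System32\sethc.exe"},
    {"type": "process", "image": r"C:\Windows\System32\takeown.exe",
     "cmdline": r"takeown /f C:\Users\Debbie\Documents\report.docx"},
]


def _basename(path):
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system32(path):
    # Assumes the default install path; adjust for %SystemRoot% relocation if needed.
    return "\\windows\\system32\\" in path.strip('"').replace("/", "\\").lower()


def accessibility_targets(cmdline):
    """Accessibility binaries named anywhere in a command line. Bare names count too, because the
    operator may be working with System32 as the current directory."""
    return {_basename(t) for t in re.split(r'[\s"]+', cmdline) if _basename(t) in ACCESSIBILITY_BINARIES}


def find_accessibility_tampering(events):
    """Correlate takeown / icacls / copy command lines and System32 file writes per accessibility binary.
    events: dicts with type ('process' or 'file'), image, and cmdline (process) or target (file)."""
    seen = {}                                   # binary -> {stage: event}
    for ev in events:
        image = _basename(ev["image"])
        if ev["type"] == "process":
            stage = _STAGE_BY_IMAGE.get(image)
            if stage is None and image in ("cmd.exe", "powershell.exe") and _COPY_VERBS.search(ev["cmdline"]):
                stage = "copy"
            if stage is None:
                continue
            for binary in accessibility_targets(ev["cmdline"]):
                seen.setdefault(binary, {})[stage] = ev
        elif ev["type"] == "file":
            binary = _basename(ev["target"])
            if binary in ACCESSIBILITY_BINARIES and _in_system32(ev["target"]) and image not in TRUSTED_WRITERS:
                seen.setdefault(binary, {})["write"] = ev
    alerts = []
    for binary, stages in sorted(seen.items()):
        if "write" in stages:                   # the overwrite itself: the Sticky Keys style backdoor is in place
            alerts.append({"binary": binary, "severity": "high",
                           "writer": _basename(stages["write"]["image"]), "stages": sorted(stages)})
        elif {"takeown", "acl"} <= set(stages):  # ownership and ACL changed but no write seen (yet)
            alerts.append({"binary": binary, "severity": "medium", "writer": None, "stages": sorted(stages)})
    return alerts


if __name__ == "__main__":
    for alert in find_accessibility_tampering(SAMPLE_EVENTS):
        print(alert)
```

Keying on the target binary rather than on the parent process is what lets the three command lines and the file write line up even though they came from different child processes (takeown.exe, icacls.exe, powershell.exe) of the same Empire agent.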
Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
|
|
|
|
Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
|
Data Staged
(T1074)
|
Telemetry (Tainted)
|

|
|
Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker to the Recycle Bin. The telemetry was tainted by the parent "Powershell executed encoded commands" alert.
[1]
|
|
|
|
Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
|
Data from Network Shared Drive
(T1039)
|
Telemetry (Tainted)
|

|
|
Telemetry showed powershell.exe copying the .vsdx file from the network shared drive on Conficker to the Recycle Bin. The telemetry was tainted by the parent "Powershell executed encoded commands" alert.
[1]
|
|
|
|
|
|
Empire: File dropped to disk is a renamed copy of the WinRAR binary
|
Masquerading
(T1036)
|
None
|
|
|
No detection capability demonstrated for this procedure, though telemetry later identified recycler.exe as WinRAR during execution (no detections identified it as WinRAR upon file copy).
|
|
|
|
Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)
|
Remote File Copy
(T1105)
|
General Behavior (Configuration Change)
|

|
|
A General Behavior alert called "Policy Dropper Behavior" was generated based on three events occurring in the same parent process within a set time frame: a network connection (TCP outbound to 192.168.0.5 over 443), followed by an executable file create (powershell.exe creating recycler.exe), followed by a process spawning from that executable (powershell.exe creating the recycler.exe process).
[1]
[2]
|
|
Telemetry (Tainted)
|

|
|
Telemetry showed powershell.exe creating recycler.exe. The telemetry was tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts.
[1]
[2]
|
|
|
|
|
|
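The "Policy Dropper Behavior" rule described above is a sequence over three event types in one parent process within a time window. The following Python is an added example of that correlation, written for this page and not the vendor's implementation. The event schema, the pids, the timestamps and the five-minute window are assumptions; the 192.168.0.5:443 connection and the C:\$Recycle.Bin\recycler.exe drop follow the page, and the chrome.exe contrast events are constructed to show the window doing its job.

```python
from datetime import datetime, timedelta

EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com")

# Constructed sample telemetry. The 192.168.0.5:443 connection and the recycler.exe drop path follow
# the page; timestamps, pids and the chrome.exe contrast events are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2018-11-07T14:02:10", "type": "network", "pid": 4120, "image": "powershell.exe",
     "proto": "tcp", "remote": "192.168.0.5:443"},
    {"ts": "2018-11-07T14:02:14", "type": "file_create", "pid": 4120, "image": "powershell.exe",
     "path": r"C:\$Recycle.Bin\recycler.exe"},
    {"ts": "2018-11-07T14:02:21", "type": "process_create", "pid": 4120, "image": "powershell.exe",
     "child": r"C:\$Recycle.Bin\recycler.exe"},
    # A browser downloads an installer that is launched much later: outside the window, so no alert.
    {"ts": "2018-11-07T14:05:00", "type": "network", "pid": 3300, "image": "chrome.exe",
     "proto": "tcp", "remote": "203.0.113.10:443"},
    {"ts": "2018-11-07T14:05:03", "type": "file_create", "pid": 3300, "image": "chrome.exe",
     "path": r"C:\Users\Debbie\Downloads\setup.exe"},
    {"ts": "2018-11-07T15:30:00", "type": "process_create", "pid": 3300, "image": "chrome.exe",
     "child": r"C:\Users\Debbie\Downloads\setup.exe"},
]


def dropper_sequences(events, window_seconds=300):
    """Return one alert per network -> executable file create -> spawn-of-that-file sequence seen in a
    single parent process (keyed by pid) within window_seconds. For process_create events, pid is the
    parent's pid and child is the new process image; for the other types, pid is the acting process."""
    window = timedelta(seconds=window_seconds)
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events), key=lambda e: e["ts"])
    by_pid = {}
    for e in parsed:
        by_pid.setdefault(e["pid"], []).append(e)
    alerts = []
    for pid, evs in by_pid.items():
        nets = [e for e in evs if e["type"] == "network"]
        drops = [e for e in evs if e["type"] == "file_create" and e["path"].lower().endswith(EXECUTABLE_EXTS)]
        spawns = [e for e in evs if e["type"] == "process_create"]
        for drop in drops:
            # Stage 1: a network connection shortly before the executable was written.
            prior = [n for n in nets if drop["ts"] - window <= n["ts"] <= drop["ts"]]
            if not prior:
                continue
            # Stage 3: the same parent then launches the file it just wrote.
            for spawn in spawns:
                if spawn["child"].lower() == drop["path"].lower() and drop["ts"] <= spawn["ts"] <= drop["ts"] + window:
                    alerts.append({"pid": pid, "parent": drop["image"], "remote": prior[-1]["remote"],
                                   "dropped": drop["path"],
                                   "elapsed_s": (spawn["ts"] - prior[-1]["ts"]).total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in dropper_sequences(SAMPLE_EVENTS):
        print(alert)
```

The window is the tuning knob: too short and a slow download-then-run misses, too long and every browser that fetches and later runs an installer matches, which is why the rule also requires all three stages to share one parent rather than just one host.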
Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file
|
Data Compressed
(T1002)
|
Enrichment (Configuration Change, Tainted)
|
 
|
|
The capability showed recycler.exe creating old.rar in the Recycle Bin and enriched the event with the condition "Data Exfiltration Archiving" because an archive file was created. The enrichment was tainted by parent "Powershell executed encoded commands" alerts.
|
|
Telemetry (Tainted)
|

|
|
Telemetry showed powershell.exe creating the recycler.exe process with command-line arguments including the -hp switch, indicating WinRAR execution with compression and encryption (-hp sets a password and also encrypts the archive headers, so the file names inside old.rar are hidden as well). The telemetry was tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts.
|
|
|
|
Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
|
Data Encrypted
(T1022)
|
Enrichment (Configuration Change, Tainted)
|
 
|
|
The capability showed recycler.exe creating old.rar in the Recycle Bin and enriched the event with the condition "Data Exfiltration Archiving" because an archive file was created. The enrichment was tainted by parent "Powershell executed encoded commands" alerts.
|
|
Telemetry (Tainted)
|

|
|
Telemetry showed powershell.exe creating the recycler.exe process with command-line arguments including the -hp switch, indicating WinRAR execution with compression and encryption (-hp sets a password and also encrypts the archive headers, so the file names inside old.rar are hidden as well). The telemetry was tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts.
|
|
|
|
Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
|
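The two Masquerading rows above make the same point: recycler.exe was only recognised as WinRAR once it ran with RAR-style arguments, not when the file landed. As an added example (written for this page, not the evaluated product's logic), the following Python classifies a command line by RAR syntax, that is the command letter, the -hp, -p, -df and -v switches and the archive positional, regardless of what the image is called, and uses the PE version-resource name (Sysmon's OriginalFileName) when the sensor supplies it. The sample command line follows the procedure on this page, but the password value and the -r switch are constructed; the page does not give the full arguments.

```python
import shlex

RAR_IMAGES = {"rar.exe", "winrar.exe"}
RAR_COMMANDS = {"a": "add", "u": "update", "m": "move", "e": "extract", "x": "extract"}

# Constructed command line following the procedure above; the password value is an assumption.
SAMPLE_CMDLINE = r'C:\$Recycle.Bin\recycler.exe a -hpTr0ub4dor -r C:\$Recycle.Bin\old.rar C:\$Recycle.Bin\Shockwave_network.vsdx'


def _basename(path):
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_rar_cmdline(cmdline, original_file_name=None):
    """Recognise RAR-style archiver usage from the command line's syntax rather than its image name.
    original_file_name is the PE version-resource name (Sysmon Event ID 1 OriginalFileName) when the
    sensor records it; without it the verdict rests on syntax alone. Returns None if not RAR-like."""
    try:
        toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]   # Windows-style quoting
    except ValueError:                                                      # unbalanced quotes
        return None
    if len(toks) < 3 or toks[1].lower() not in RAR_COMMANDS:
        return None
    image = _basename(toks[0])
    result = {"image": image, "action": RAR_COMMANDS[toks[1].lower()], "password": False,
              "encrypt_headers": False, "delete_sources": False, "volumes": None,
              "archive": None, "inputs": [], "renamed": False}
    positional = []
    for t in toks[2:]:
        if t.startswith("-") and len(t) > 1:
            sw = t[1:].lower()
            if sw.startswith("hp"):                      # -hp[pwd]: password, headers and file names encrypted too
                result["password"] = result["encrypt_headers"] = True
            elif sw.startswith("p") and sw != "p-":      # -p[pwd]: password on file data only; -p- disables the prompt
                result["password"] = True
            elif sw == "df":                             # -df: delete source files after archiving
                result["delete_sources"] = True
            elif sw.startswith("v") and len(sw) > 1:     # -v<size>: split into volumes (staging for exfil)
                result["volumes"] = sw[1:]
        else:
            positional.append(t)
    if not positional:
        return None
    result["archive"], result["inputs"] = positional[0], positional[1:]
    rar_like = result["archive"].lower().endswith(".rar") or result["password"] or result["volumes"] is not None
    if image in RAR_IMAGES or (original_file_name or "").lower() in RAR_IMAGES:
        result["renamed"] = image not in RAR_IMAGES      # metadata says RAR, the file name says otherwise
    elif rar_like:
        result["renamed"] = True                         # inferred from syntax alone (no metadata available)
    else:
        return None                                      # e.g. 'net.exe a b': a command letter alone is not enough
    return result


if __name__ == "__main__":
    print(classify_rar_cmdline(SAMPLE_CMDLINE, original_file_name="WinRAR.exe"))
```

Matching on syntax is what catches the renamed binary at execution time; catching it at file-copy time, which the page notes nobody did, needs the PE metadata or a hash of the dropped file rather than anything in the command line.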