

GoSecure Matrix

Matrix Page Information

The ATT&CK matrix is a summary of the evaluation. The cells with dark text are the techniques in scope for the evaluation. Roll over a technique for a summary of how it was tested, including the procedure name, the step of the operational flow, and the detection types associated with each procedure's detection(s).

Detection types are defined in the legend. Within the rollover, adjoining detection types are a single detection, and whitespace separates different detections.

Example: The detection below, for the WinRAR procedure, has two detections. The first is Telemetry that was Tainted; the second is a Specific Behavior.


Vendor Configuration

MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation; these are not endorsed or validated by MITRE.
Legend

Main Detection Categories: None, Telemetry, Indicator of Compromise, General Behavior, MSSP, General, Tactic, Specific Behavior, Technique, Enrichment

Detection Modifiers: Tainted, Alert, Correlated, Delayed, Host Interrogation, Residual Artifact, Configuration Change, Innovative

Matrix Summary

Greyed out techniques are out of scope for this evaluation.

Blue linked techniques are in scope for this evaluation.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control

Drive-by Compromise | AppleScript | .bash_profile and .bashrc | Access Token Manipulation
Step  Procedure  Detection
3.A.1  Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
5.B.1  Cobalt Strike: Built-in token theft capability executed to change user context to George
2 Result(s)

Access Token Manipulation | Account Manipulation | Account Discovery
Step  Procedure  Detection
2.G.1  Cobalt Strike: 'net user -domain' via cmd
2.G.2  Cobalt Strike: 'net user george -domain' via cmd
12.G.1  Empire: 'net user' via PowerShell
12.G.2  Empire: 'net user -domain' via PowerShell
4 Result(s)

AppleScript | Audio Capture | Automated Exfiltration | Commonly Used Port
Step  Procedure  Detection
1.C.1  Cobalt Strike: C2 channel established using port 53
6.B.1  Cobalt Strike: C2 channel modified to use port 80
11.B.1  Empire: C2 channel established using port 443
3 Result(s)

Exploit Public-Facing Application | CMSTP | Accessibility Features
Step  Procedure  Detection
17.C.1  Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe
20.A.1  magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)
2 Result(s)

Accessibility Features | Application Access Token | Bash History | Application Window Discovery | Application Access Token | Automated Collection | Data Compressed | Communication Through Removable Media
External Remote Services | Command-Line Interface
Step  Procedure  Detection
16.F.1  Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
1 Result(s)

Account Manipulation | AppCert DLLs | BITS Jobs | Brute Force
Step  Procedure  Detection
16.A.1  Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
1 Result(s)

Browser Bookmark Discovery | Application Deployment Software | Clipboard Data | Data Encrypted | Connection Proxy
Hardware Additions | Compiled HTML File | AppCert DLLs | AppInit DLLs | Binary Padding | Cloud Instance Metadata API | Cloud Service Dashboard | Component Object Model and Distributed COM | Data Staged
Step  Procedure  Detection
18.B.1  Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
1 Result(s)

Data Transfer Size Limits | Custom Command and Control Protocol
Replication Through Removable Media | Component Object Model and Distributed COM | AppInit DLLs | Application Shimming | Bypass User Account Control | Credential Dumping
Step  Procedure  Detection
5.A.1  Cobalt Strike: Built-in Mimikatz credential dump capability executed
5.A.2  Cobalt Strike: Built-in hash dump capability executed
2 Result(s)

Cloud Service Discovery | Exploitation of Remote Services | Data from Cloud Storage Object | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol
Spearphishing Attachment | Control Panel Items | Application Shimming | Bypass User Account Control
Step  Procedure  Detection
3.A.1  Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
14.A.1  Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
2 Result(s)

CMSTP | Credentials from Web Browsers | Domain Trust Discovery | Internal Spearphishing | Data from Information Repositories | Exfiltration Over Command and Control Channel
Step  Procedure  Detection
9.B.1  Cobalt Strike: Download capability exfiltrated data through existing C2 channel
1 Result(s)

Data Encoding
Step  Procedure  Detection
1.C.1  Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding
1 Result(s)

Spearphishing Link | Dynamic Data Exchange | Authentication Package | DLL Search Order Hijacking | Clear Command History | Credentials in Files
Step  Procedure  Detection
15.B.1  Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
1 Result(s)

File and Directory Discovery
Step  Procedure  Detection
8.A.1  Cobalt Strike: 'dir -s -b "\\conficker\wormshare"' via cmd
8.A.2  Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
9.A.1  Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
12.E.1.4.1  Empire: WinEnum module included enumeration of recently opened files
12.E.1.4.2  Empire: WinEnum module included enumeration of interesting files
16.K.1  Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
18.A.1  Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
7 Result(s)
Logon Scripts | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation
Spearphishing via Service | Execution through API | BITS Jobs | Dylib Hijacking | Code Signing | Credentials in Registry | Network Service Scanning | Pass the Hash | Data from Network Shared Drive
Step  Procedure  Detection
18.B.1  Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
1 Result(s)

Exfiltration Over Physical Medium | Domain Fronting
Supply Chain Compromise | Execution through Module Load | Bootkit | Elevated Execution with Prompt | Compile After Delivery | Exploitation for Credential Access | Network Share Discovery
Step  Procedure  Detection
12.E.1.9.1  Empire: WinEnum module included enumeration of available shares
12.E.1.9.2  Empire: WinEnum module included enumeration of mapped network drives
2 Result(s)

Pass the Ticket | Data from Removable Media | Scheduled Transfer | Domain Generation Algorithms
Trusted Relationship | Exploitation for Client Execution | Browser Extensions | Emond | Compiled HTML File | Forced Authentication | Network Sniffing | Remote Desktop Protocol
Step  Procedure  Detection
6.C.1  Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
1 Result(s)

Email Collection | Transfer Data to Cloud Account | Fallback Channels
Valid Accounts | Graphical User Interface | Change Default File Association | Exploitation for Privilege Escalation | Component Firmware | Hooking | Password Policy Discovery
Step  Procedure  Detection
12.E.1.3  Empire: WinEnum module included enumeration of password policy information
1 Result(s)

Remote File Copy
Step  Procedure  Detection
16.G.1  Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)
1 Result(s)

Input Capture
Step  Procedure  Detection
8.C.1  Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
1 Result(s)

Multi-Stage Channels
InstallUtil | Component Firmware | Extra Window Memory Injection | Component Object Model Hijacking | Input Capture
Step  Procedure  Detection
15.A.1  Empire: Built-in keylogging module executed to capture keystrokes of user Bob
1 Result(s)

Peripheral Device Discovery | Remote Services | Man in the Browser | Multi-hop Proxy
LSASS Driver | Component Object Model Hijacking | File System Permissions Weakness | Connection Proxy | Input Prompt | Permission Groups Discovery
Step  Procedure  Detection
2.F.1  Cobalt Strike: 'net localgroup administrators' via cmd
2.F.2  Cobalt Strike: 'net localgroup administrators -domain' via cmd
2.F.3  Cobalt Strike: 'net group "Domain Admins" -domain' via cmd
12.E.1.2  Empire: WinEnum module included enumeration of AD group memberships
12.F.1  Empire: 'net group "Domain Admins" -domain' via PowerShell
12.F.2  Empire: 'net localgroup administrators' via PowerShell
6 Result(s)

Replication Through Removable Media | Screen Capture
Step  Procedure  Detection
8.D.1  Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie
1 Result(s)

Multiband Communication
Step  Procedure  Detection
6.B.1  Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS
1 Result(s)

Launchctl | Create Account
Step  Procedure  Detection
7.A.1  Added user Jesse to Conficker (10.0.0.5) through RDP connection
1 Result(s)

Hooking | Control Panel Items | Kerberoasting | Process Discovery
Step  Procedure  Detection
2.C.1  Cobalt Strike: 'ps' (Process status) via Win32 APIs
2.C.2  Cobalt Strike: 'tasklist -v' via cmd
3.B.1  Cobalt Strike: 'ps' (Process status) via Win32 APIs
8.B.1  Cobalt Strike: 'ps' (Process status) via Win32 APIs
12.C.1  Empire: 'qprocess *' via PowerShell
5 Result(s)

SSH Hijacking | Video Capture | Multilayer Encryption
Local Job Scheduling | DLL Search Order Hijacking | Image File Execution Options Injection | DCShadow | Keychain | Query Registry
Step  Procedure  Detection
2.H.1  Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
6.A.1  Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
12.E.1.7  Empire: WinEnum module included enumeration of system information via a Registry query
13.C.1  Empire: 'reg query' via PowerShell to enumerate a specific Registry key
17.A.1  Empire: 'reg query' via PowerShell to enumerate a specific Registry key
5 Result(s)
Shared Webroot | Port Knocking
Mshta | Dylib Hijacking | Launch Daemon | DLL Search Order Hijacking | LLMNR/NBT-NS Poisoning and Relay | Remote System Discovery
Step  Procedure  Detection
4.A.1  Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd
4.A.2  Cobalt Strike: 'net group "Domain Computers" -domain' via cmd
13.A.1  Empire: 'net group "Domain Computers" -domain' via PowerShell
3 Result(s)

Taint Shared Content | Remote Access Tools
PowerShell | Emond | New Service
Step  Procedure  Detection
16.I.1  Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
1 Result(s)

DLL Side-Loading | Network Sniffing | Security Software Discovery
Step  Procedure  Detection
12.E.1.10.1  Empire: WinEnum module included enumeration of AV solutions
12.E.1.10.2  Empire: WinEnum module included enumeration of firewall rules
2 Result(s)

Third-party Software | Remote File Copy
Step  Procedure  Detection
7.B.1  Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)
16.E.1  Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)
19.A.1  Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)
3 Result(s)

Regsvcs/Regasm | External Remote Services | Parent PID Spoofing | Deobfuscate/Decode Files or Information | Password Filter DLL | Software Discovery | Web Session Cookie | Standard Application Layer Protocol
Step  Procedure  Detection
1.C.1  Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com
6.B.1  Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com
11.B.1  Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com
3 Result(s)

Regsvr32 | File System Permissions Weakness | Path Interception | Disabling Security Tools | Private Keys | System Information Discovery
Step  Procedure  Detection
2.E.1  Cobalt Strike: 'systeminfo' via cmd
2.E.2  Cobalt Strike: 'net config workstation' via cmd
12.E.1.6.1  Empire: WinEnum module included enumeration of system information
12.E.1.6.2  Empire: WinEnum module included enumeration of Windows update information
4 Result(s)

Windows Admin Shares
Step  Procedure  Detection
16.B.1  Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)
16.D.1  Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)
2 Result(s)

Standard Cryptographic Protocol
Step  Procedure  Detection
11.B.1  Empire: Encrypted C2 channel established using HTTPS
1 Result(s)

Rundll32
Step  Procedure  Detection
1.A.1  Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32
1 Result(s)

Hidden Files and Directories | Plist Modification | Execution Guardrails | Securityd Memory | System Network Configuration Discovery
Step  Procedure  Detection
2.A.1  Cobalt Strike: 'ipconfig -all' via cmd
2.A.2  Cobalt Strike: 'arp -a' via cmd
4.B.1  Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
12.A.1  Empire: 'route print' via PowerShell
12.A.2  Empire: 'ipconfig -all' via PowerShell
12.E.1.11  Empire: WinEnum module included enumeration of network adapters
6 Result(s)

Windows Remote Management | Standard Non-Application Layer Protocol
Scheduled Task | Hooking | Port Monitors | Exploitation for Defense Evasion | Steal Application Access Token | System Network Connections Discovery
Step  Procedure  Detection
4.C.1  Cobalt Strike: 'netstat -ano' via cmd
12.E.1.12  Empire: WinEnum module included enumeration of established network connections
13.B.1  Empire: 'net use' via PowerShell
13.B.2  Empire: 'netstat -ano' via PowerShell
4 Result(s)

Uncommonly Used Port
Scripting
Step  Procedure  Detection
1.A.1  Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)
11.A.1  Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
2 Result(s)

Hypervisor | PowerShell Profile | Extra Window Memory Injection | Steal Web Session Cookie | System Owner/User Discovery
Step  Procedure  Detection
2.B.1  Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
12.B.1  Empire: 'whoami -all -fo list' via PowerShell
12.E.1.1  Empire: WinEnum module included enumeration of user information
3 Result(s)
Web Service
Service Execution
Step  Procedure  Detection
16.L.1  Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
1 Result(s)

Image File Execution Options Injection | Process Injection
Step  Procedure  Detection
3.C.1  Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
1 Result(s)

File Deletion
Step  Procedure  Detection
19.D.1  Empire: 'del C:\"$"Recycle.bin\old.rar'
19.D.2  Empire: 'del recycler.exe'
2 Result(s)

Two-Factor Authentication Interception | System Service Discovery
Step  Procedure  Detection
2.D.1  Cobalt Strike: 'sc query' via cmd
2.D.2  Cobalt Strike: 'net start' via cmd
12.D.1  Empire: 'net start' via PowerShell
12.E.1.8  Empire: WinEnum module included enumeration of services
16.H.1  Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
16.J.1  Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
17.A.1  Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
7 Result(s)

Signed Binary Proxy Execution | Implant Container Image | SID-History Injection | File System Logical Offsets | System Time Discovery
Signed Script Proxy Execution | Kernel Modules and Extensions | Scheduled Task | File and Directory Permissions Modification | Virtualization/Sandbox Evasion
Source | LC_LOAD_DYLIB Addition | Service Registry Permissions Weakness | Gatekeeper Bypass
Space after Filename | LSASS Driver | Setuid and Setgid | Group Policy Modification
Third-party Software | Launch Agent | Startup Items | HISTCONTROL
Trap | Launch Daemon | Sudo Caching | Hidden Files and Directories
Trusted Developer Utilities | Launchctl | Sudo | Hidden Users
User Execution
Step  Procedure  Detection
1.A.1  Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
1 Result(s)

Local Job Scheduling | Valid Accounts | Hidden Window
Windows Management Instrumentation | Login Item | Web Shell | Image File Execution Options Injection
Windows Remote Management | Logon Scripts | Indicator Blocking
XSL Script Processing | Modify Existing Service | Indicator Removal from Tools
Netsh Helper DLL | Indicator Removal on Host
New Service | Indirect Command Execution
Office Application Startup | Install Root Certificate
Path Interception | InstallUtil
Plist Modification | LC_MAIN Hijacking
Port Knocking | Launchctl
Port Monitors | Masquerading
PowerShell Profile | Modify Registry
Rc.common | Mshta
Re-opened Applications | NTFS File Attributes
Redundant Access | Network Share Connection Removal
Step  Procedure  Detection
16.C.1  Empire: 'net use -delete' via PowerShell
1 Result(s)

Registry Run Keys / Startup Folder
Step  Procedure  Detection
1.B.1  Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
10.A.1  Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
2 Result(s)

Obfuscated Files or Information
SIP and Trust Provider Hijacking | Parent PID Spoofing
Scheduled Task
Step  Procedure  Detection
7.C.1  Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
10.A.2  Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
2 Result(s)

Plist Modification
Screensaver | Port Knocking
Security Support Provider | Process Doppelgänging
Server Software Component | Process Hollowing
Service Registry Permissions Weakness | Process Injection
Setuid and Setgid | Redundant Access
Shortcut Modification | Regsvcs/Regasm
Startup Items | Regsvr32
System Firmware | Revert Cloud Instance
Systemd Service | Rootkit
Time Providers | Rundll32
Trap | SIP and Trust Provider Hijacking
Valid Accounts
Step  Procedure  Detection
10.B.1  RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
1 Result(s)

Scripting
Web Shell | Signed Binary Proxy Execution
Windows Management Instrumentation Event Subscription | Signed Script Proxy Execution
Winlogon Helper DLL | Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Unused/Unsupported Cloud Regions
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
Web Session Cookie
XSL Script Processing