
CrowdStrike Overview
Vendor Configuration: APT3, APT29, Carbanak+FIN7


MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE Engenuity.
Evaluation Summary
These are the evaluations that CrowdStrike has participated in:
Evaluation             Detection Count            Analytic Coverage    Telemetry Coverage   Visibility
APT3 (2018)            208 across 136 substeps     71 of 136 substeps  102 of 136 substeps  105 of 136 substeps
APT29 (2019)           163 across 134 substeps     34 of 134 substeps  109 of 134 substeps  115 of 134 substeps
Carbanak+FIN7 (2020)   231 across 174 substeps     64 of 174 substeps  141 of 174 substeps  152 of 174 substeps
Evaluation Overview
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
19.B.1
Procedure:

Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

Detections:
19.B.1
Procedure:

Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file

Detections:
2.A.4
Procedure:

Compressed and stored files into ZIP (Draft.zip) using PowerShell

Criteria:

powershell.exe executing Compress-Archive

Detections:
2.A.5
Procedure:

Staged files for exfiltration into ZIP (Draft.zip) using PowerShell

Criteria:

powershell.exe creating the file draft.zip

Detections:
7.B.2
Procedure:

Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell

Criteria:

powershell.exe creating the file OfficeSupplies.7z

Detections:
7.B.3
Procedure:

Encrypted data from the user's Downloads directory using PowerShell

Criteria:

powershell.exe executing Compress-7Zip with the password argument used for encryption

Detections:
9.B.6
Procedure:

Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria:

powershell.exe executing rar.exe with the -a parameter for a password to use for encryption

Detections:
9.B.7
Procedure:

Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria:

powershell.exe executing rar.exe

Detections:
17.C.1
Procedure:

Compressed a staging directory using PowerShell

Criteria:

powershell.exe executing the ZipFile.CreateFromDirectory .NET method

Detections:
20.B.4
Criteria:

7za.exe creates C:\Users\Public\log.7z

Detections:
2.A.2
Procedure:

Scripted search of filesystem for document and media files using PowerShell

Criteria:

powershell.exe executing (Get-)ChildItem

Detections:
9.B.3
Procedure:

Scripted search of filesystem for document and media files using PowerShell

Criteria:

powershell.exe executing (Get-)ChildItem

Detections:
12.E.1.5
Procedure:

Empire: WinEnum module included enumeration of clipboard contents

Detections:
7.A.2
Procedure:

Captured clipboard contents using PowerShell

Criteria:

powershell.exe executing Get-Clipboard

Detections:
9.B.5
Procedure:

Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell

Criteria:

powershell.exe creating the file working.zip

Detections:
17.B.2
Procedure:

Staged collected file into directory using PowerShell

Criteria:

powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML

Detections:
18.B.1
Procedure:

Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Detections:
2.A.3
Procedure:

Recursively collected files found in C:\Users\Pam\ using PowerShell

Criteria:

powershell.exe reading files in C:\Users\Pam\

Detections:
7.B.1
Procedure:

Read data in the user's Downloads directory using PowerShell

Criteria:

powershell.exe reading files in C:\Users\pam\Downloads\

Detections:
9.B.4
Procedure:

Recursively collected files found in C:\Users\Pam\ using PowerShell

Criteria:

powershell.exe reading files in C:\Users\Pam\

Detections:
17.B.1
Procedure:

Read and collected a local file using PowerShell

Criteria:

powershell.exe reading the file MITRE-ATTACK-EVALS.HTML

Detections:
5.B.5
Tux
Criteria:

User kmitnick reads network-diagram-financial.xml via cat

Detections:
5.B.6
Tux
Criteria:

User kmitnick reads help-desk-ticket.txt via cat

Detections:
9.A.5
Criteria:

explorer.exe reads C:\Users\jsmith\AppData\Local\Temp\Klog2.txt over to 192.168.0.4

Detections:
9.B.1
Procedure:

Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Detections:
18.B.1
Procedure:

Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Detections:
17.A.1
Procedure:

Dumped messages from the local Outlook inbox using PowerShell

Criteria:

outlook.exe spawning from svchost.exe or powershell.exe

Detections:
8.C.1
Procedure:

Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

Detections:
7.A.3
Procedure:

Captured user keystrokes using the GetAsyncKeyState API

Criteria:

powershell.exe executing the GetAsyncKeyState API

Detections:
9.A.2
Criteria:

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Detections:
18.A.4
Criteria:

mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

Detections:
8.D.1
Procedure:

Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Detections:
7.A.1
Procedure:

Captured and saved screenshots using PowerShell

Criteria:

powershell.exe executing the CopyFromScreen function from System.Drawing.dll

Detections:
2.B.4
Criteria:

powershell.exe executes CopyFromScreen()

Detections:
9.A.4
Criteria:

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Detections:
13.B.4
Criteria:

powershell.exe executes CopyFromScreen()

Detections:
18.A.2
Criteria:

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Detections:
7.A.3
Criteria:

plink.exe transmits data to 192.168.0.4 over SSH protocol

Detections:
12.A.3
Criteria:

Adb156.exe transmits data to 192.168.0.6 via MSSQL transactions

Detections:
1.C.1
Procedure:

Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com

Detections:
6.B.1
Procedure:

Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com

Detections:
11.B.1
Procedure:

Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com

Detections:
14.A.1
Procedure:

Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP

Detections:
3.B.4
Procedure:

Used HTTPS to transport C2 (192.168.0.5) traffic

Criteria:

Evidence that the network data sent over the C2 channel is HTTPS

Detections:
11.A.14
Procedure:

Used HTTPS to transport C2 (192.168.0.4) traffic

Criteria:

Established network channel over the HTTPS protocol

Detections:
1.A.10
Criteria:

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
8.A.2
Criteria:

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
14.A.6
Criteria:

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
16.A.8
Criteria:

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
17.A.5
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
20.A.3
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
1.C.1
Procedure:

Cobalt Strike: C2 channel established using port 53

Detections:
6.B.1
Procedure:

Cobalt Strike: C2 channel modified to use port 80

Detections:
11.B.1
Procedure:

Empire: C2 channel established using port 443

Detections:
14.A.1
Procedure:

Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080

Detections:
3.B.3
Procedure:

Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443

Criteria:

Established network channel over port 443

Detections:
11.A.13
Procedure:

Established C2 channel (192.168.0.4) via PowerShell payload over port 443

Criteria:

Established network channel over port 443

Detections:
1.C.1
Procedure:

Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding

Detections:
11.B.1
Procedure:

Empire: Encrypted C2 channel established using HTTPS

Detections:
3.B.5
Procedure:

Used HTTPS to encrypt C2 (192.168.0.5) traffic

Criteria:

Evidence that the network data sent over the C2 channel is encrypted

Detections:
11.A.15
Procedure:

Used HTTPS to encrypt C2 (192.168.0.4) traffic

Criteria:

Evidence that the network data sent over the C2 channel is encrypted

Detections:
1.A.11
Criteria:

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
8.A.3
Criteria:

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
14.A.7
Criteria:

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
16.A.9
Criteria:

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
17.A.6
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
20.A.4
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
1.A.4
Procedure:

Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic

Criteria:

Evidence that the network data sent over the C2 channel is encrypted

Detections:
7.B.1
Procedure:

Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

Detections:
14.A.1
Procedure:

Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk

Detections:
16.E.1
Procedure:

Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

Detections:
19.A.1
Procedure:

Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)

Detections:
3.A.1
Procedure:

Dropped stage 2 payload (monkey.png) to disk

Criteria:

The rcs.3aka3.doc process creating the file monkey.png

Detections:
4.A.1
Procedure:

Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)

Criteria:

powershell.exe creating the file SysinternalsSuite.zip

Detections:
8.B.1
Procedure:

Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)

Criteria:

The file python.exe created on Scranton (10.0.1.4)

Detections:
9.A.1
Procedure:

Dropped rar.exe to disk on remote host Scranton (10.0.1.4)

Criteria:

python.exe creating the file rar.exe

Detections:
9.A.2
Procedure:

Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)

Criteria:

python.exe creating the file sdelete64.exe

Detections:
14.B.3
Procedure:

Downloaded and dropped Mimikatz (m.exe) to disk

Criteria:

powershell.exe downloading and/or the file write of m.exe

Detections:
2.B.1
Criteria:

wscript.exe downloads screenshot__.ps1 from 192.168.0.4

Detections:
3.B.1
Criteria:

wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4

Detections:
4.B.1
Criteria:

powershell.exe downloads rad353F7.ps1 from 192.168.0.4

Detections:
4.B.2
Criteria:

powershell.exe downloads smrs.exe from 192.168.0.4

Detections:
5.A.1
Criteria:

powershell.exe downloads pscp.exe from 192.168.0.4

Detections:
5.A.2
Criteria:

powershell.exe downloads psexec.py from 192.168.0.4

Detections:
5.A.3
Criteria:

powershell.exe downloads runtime from 192.168.0.4

Detections:
5.A.4
Criteria:

powershell.exe downloads plink.exe from 192.168.0.4

Detections:
5.A.5
Criteria:

powershell.exe downloads tiny.exe from 192.168.0.4

Detections:
7.A.1
Criteria:

tiny.exe downloads plink.exe from 192.168.0.4

Detections:
7.C.1
Criteria:

scp.exe downloads Java-Update.exe from 192.168.0.4

Detections:
7.C.3
Criteria:

cmd.exe downloads Java-Update.vbs from 192.168.0.4

Detections:
9.A.1
Criteria:

Java-Update.exe downloads DefenderUpgradeExec.exe from 192.168.0.4

Detections:
9.B.1
Criteria:

explorer.exe downloads infosMin48.exe from 192.168.0.4

Detections:
10.A.1
Criteria:

explorer.exe downloads tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4

Detections:
10.A.2
Criteria:

explorer.exe downloads vnc-settings.reg from 192.168.0.4

Detections:
12.B.1
Criteria:

Adb156.exe downloads stager.ps1 from 192.168.0.6

Detections:
13.B.1
Criteria:

Adb156.exe downloads takeScreenshot.ps1 from 192.168.0.6 via MSSQL transactions

Detections: