
HanSight Overview
Vendor Configuration:  APT29


MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE Engenuity.
Evaluation Summary
These are the evaluations that HanSight has participated in:
Evaluation | Detection Count | Analytic Coverage | Telemetry Coverage | Visibility
APT3 (2018) | - | - | - | -
APT29 (2020) | 160 across 134 substeps | 53 of 134 substeps | 101 of 134 substeps | 111 of 134 substeps
Carbanak+FIN7 (2021) | - | - | - | -
Wizard Spider and Sandworm (2022) | - | - | - | -
Evaluation Overview
Choose an evaluation to drill down into the procedures used to test each tactic and technique. The clipboard on each cell will allow you to view the detection results.

2.A.4
Procedure:

Compressed and stored files into ZIP (Draft.zip) using PowerShell

Criteria:

powershell.exe executing Compress-Archive

Detections:
2.A.5
Procedure:

Staged files for exfiltration into ZIP (Draft.zip) using PowerShell

Criteria:

powershell.exe creating the file draft.zip

Detections:
7.B.2
Procedure:

Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell

Criteria:

powershell.exe creating the file OfficeSupplies.7z

Detections:
7.B.3
Procedure:

Encrypted data from the user's Downloads directory using PowerShell

Criteria:

powershell.exe executing Compress-7Zip with the password argument used for encryption

Detections:
9.B.6
Procedure:

Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria:

powershell.exe executing rar.exe with the -a parameter for a password to use for encryption

Detections:
9.B.7
Procedure:

Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria:

powershell.exe executing rar.exe

Detections:
17.C.1
Procedure:

Compressed a staging directory using PowerShell

Criteria:

powershell.exe executing the ZipFile.CreateFromDirectory .NET method

Detections:
2.A.2
Procedure:

Scripted search of filesystem for document and media files using PowerShell

Criteria:

powershell.exe executing (Get-)ChildItem

Detections:
9.B.3
Procedure:

Scripted search of filesystem for document and media files using PowerShell

Criteria:

powershell.exe executing (Get-)ChildItem

Detections:
7.A.2
Procedure:

Captured clipboard contents using PowerShell

Criteria:

powershell.exe executing Get-Clipboard

Detections:
9.B.5
Procedure:

Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell

Criteria:

powershell.exe creating the file working.zip

Detections:
17.B.2
Procedure:

Staged collected file into directory using PowerShell

Criteria:

powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML

Detections:
2.A.3
Procedure:

Recursively collected files found in C:\Users\Pam\ using PowerShell

Criteria:

powershell.exe reading files in C:\Users\Pam\

Detections:
7.B.1
Procedure:

Read data in the user's Downloads directory using PowerShell

Criteria:

powershell.exe reading files in C:\Users\pam\Downloads\

Detections:
9.B.4
Procedure:

Recursively collected files found in C:\Users\Pam\ using PowerShell

Criteria:

powershell.exe reading files in C:\Users\Pam\

Detections:
17.B.1
Procedure:

Read and collected a local file using PowerShell

Criteria:

powershell.exe reading the file MITRE-ATTACK-EVALS.HTML

Detections:
17.A.1
Procedure:

Dumped messages from the local Outlook inbox using PowerShell

Criteria:

outlook.exe spawning from svchost.exe or powershell.exe

Detections:
7.A.3
Procedure:

Captured user keystrokes using the GetAsyncKeyState API

Criteria:

powershell.exe executing the GetAsyncKeyState API

Detections:
7.A.1
Procedure:

Captured and saved screenshots using PowerShell

Criteria:

powershell.exe executing the CopyFromScreen function from System.Drawing.dll

Detections:
3.B.4
Procedure:

Used HTTPS to transport C2 (192.168.0.5) traffic

Criteria:

Evidence that the network data sent over the C2 channel is HTTPS

Detections:
11.A.14
Procedure:

Used HTTPS to transport C2 (192.168.0.4) traffic

Criteria:

Established network channel over the HTTPS protocol

Detections:
3.B.3
Procedure:

Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443

Criteria:

Established network channel over port 443

Detections:
11.A.13
Procedure:

Established C2 channel (192.168.0.4) via PowerShell payload over port 443

Criteria:

Established network channel over port 443

Detections:
3.B.5
Procedure:

Used HTTPS to encrypt C2 (192.168.0.5) traffic

Criteria:

Evidence that the network data sent over the C2 channel is encrypted

Detections:
11.A.15
Procedure:

Used HTTPS to encrypt C2 (192.168.0.4) traffic

Criteria:

Evidence that the network data sent over the C2 channel is encrypted

Detections:
1.A.4
Procedure:

Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic

Criteria:

Evidence that the network data sent over the C2 channel is encrypted

Detections:
3.A.1
Procedure:

Dropped stage 2 payload (monkey.png) to disk

Criteria:

The rcs.3aka3.doc process creating the file monkey.png

Detections:
4.A.1
Procedure:

Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)

Criteria:

powershell.exe creating the file SysinternalsSuite.zip

Detections:
8.B.1
Procedure:

Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)

Criteria:

The file python.exe created on Scranton (10.0.1.4)

Detections:
9.A.1
Procedure:

Dropped rar.exe to disk on remote host Scranton (10.0.1.4)

Criteria:

python.exe creating the file rar.exe

Detections:
9.A.2
Procedure:

Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)

Criteria:

python.exe creating the file sdelete64.exe

Detections:
14.B.3
Procedure:

Downloaded and dropped Mimikatz (m.exe) to disk

Criteria:

powershell.exe downloading and/or the file write of m.exe

Detections:
1.A.3
Procedure:

Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234

Criteria:

Established network channel over port 1234

Detections:
18.A.1
Procedure:

Mapped a network drive to an online OneDrive account using PowerShell

Criteria:

net.exe with command-line arguments then making a network connection to a public IP over port 443

Detections:
6.A.2
Procedure:

Executed the CryptUnprotectData API call to decrypt Chrome passwords

Criteria:

accesschk.exe executing the CryptUnprotectData API

Detections:
7.A.3
Procedure:

Captured user keystrokes using the GetAsyncKeyState API

Criteria:

powershell.exe executing the GetAsyncKeyState API

Detections:
14.B.4
Procedure:

Dumped plaintext credentials using Mimikatz (m.exe)

Criteria:

m.exe injecting into lsass.exe to dump credentials

Detections:
16.D.2
Procedure:

Dumped the KRBTGT hash on the domain controller host NewYork (10.0.0.4) using Mimikatz (m.exe)

Criteria:

m.exe injecting into lsass.exe to dump credentials

Detections:
6.C.1
Procedure:

Dumped password hashes from the Windows Registry by injecting a malicious DLL into Lsass.exe

Criteria:

powershell.exe injecting into lsass.exe OR lsass.exe reading Registry keys under HKLM:\SAM\SAM\Domains\Account\Users\

Detections:
6.A.1
Procedure:

Read the Chrome SQL database file to extract encrypted credentials

Criteria:

accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\

Detections:
6.B.1
Procedure:

Exported a local certificate to a PFX file using PowerShell

Criteria:

powershell.exe creating a certificate file exported from the system

Detections:
3.B.2
Procedure:

Executed elevated PowerShell payload

Criteria:

High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)

Detections:
14.A.2
Procedure:

Executed elevated PowerShell payload

Criteria:

High integrity powershell.exe spawning from control.exe (spawned from sdclt.exe)

Detections:
10.B.3
Procedure:

Manipulated the token of the PowerShell payload via the CreateProcessWithToken API

Criteria:

hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe

Detections:
4.A.3
Procedure:

Decompressed ZIP (SysinternalsSuite.zip) file using PowerShell

Criteria:

powershell.exe executing Expand-Archive

Detections:
11.A.10
Procedure:

Decoded an embedded DLL payload to disk using certutil.exe

Criteria:

certutil.exe decoding kxwn.lock

Detections:
14.B.6
Procedure:

Read and decoded Mimikatz output from a WMI class property using PowerShell

Criteria:

powershell.exe executing Get-WmiInstance

Detections:
11.A.2
Procedure:

Executed an alternate data stream (ADS) using PowerShell

Criteria:

powershell.exe executing the schemas ADS via Get-Content and IEX

Detections:
4.B.2
Procedure:

Deleted rcs.3aka3.doc on disk using SDelete

Criteria:

sdelete64.exe deleting the file rcs.3aka3.doc

Detections:
4.B.3
Procedure:

Deleted Draft.zip on disk using SDelete

Criteria:

sdelete64.exe deleting the file draft.zip

Detections:
4.B.4
Procedure:

Deleted SysinternalsSuite.zip on disk using SDelete

Criteria:

sdelete64.exe deleting the file SysinternalsSuite.zip

Detections:
9.C.1
Procedure:

Deleted rar.exe on disk using SDelete

Criteria:

sdelete64.exe deleting the file rar.exe

Detections:
9.C.2
Procedure:

Deleted working.zip (from Desktop) on disk using SDelete

Criteria:

sdelete64.exe deleting the file \Desktop\working.zip

Detections:
9.C.3
Procedure:

Deleted working.zip (from AppData directory) on disk using SDelete

Criteria:

sdelete64.exe deleting the file \AppData\Roaming\working.zip

Detections:
9.C.4
Procedure:

Deleted SDelete on disk using cmd.exe del command

Criteria:

cmd.exe deleting the file sdelete64.exe

Detections:
12.A.2
Procedure:

Modified the time attributes of the kxwn.lock persistence payload using PowerShell

Criteria:

powershell.exe modifying the creation, last access, and last write times of kxwn.lock

Detections:
6.A.3
Procedure:

Masqueraded a Chrome password dump tool as accesscheck.exe, a legitimate Sysinternals tool

Criteria:

Evidence that accesschk.exe is not the legitimate Sysinternals tool

Detections:
1.A.2
Procedure:

Used unicode right-to-left override (RTLO) character to obfuscate file name rcs.3aka3.doc (originally cod.3aka.scr)

Criteria:

Evidence of the right-to-left override character (U+202E) in the rcs.3aka3.doc process OR the original filename (cod.3aka.scr)

Detections:
3.C.1
Procedure:

Modified the Registry to remove artifacts of COM hijacking

Criteria:

Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

Detections:
14.A.3
Procedure:

Modified the Registry to remove artifacts of COM hijacking using PowerShell

Criteria:

Deletion of the HKCU\Software\Classes\Folder\shell\Open\command subkey

Detections:
14.B.5
Procedure:

Encoded and wrote Mimikatz output to a WMI class property using PowerShell

Criteria:

powershell.exe executing Set-WmiInstance

Detections:
17.C.2
Procedure:

Prepended the GIF file header to a compressed staging file using PowerShell

Criteria:

powershell.exe executing Set-Content

Detections:
8.B.2
Procedure:

python.exe payload was packed with UPX

Criteria:

Evidence that the file python.exe is packed

Detections:
3.A.2
Procedure:

Embedded PowerShell payload in monkey.png using steganography

Criteria:

Evidence that a PowerShell payload was within monkey.png

Detections:
20.A.1
Procedure:

Executed Run key persistence payload on user login using RunDll32

Criteria:

rundll32.exe executing kxwn.lock

Detections:
20.B.1
Procedure:

Created Kerberos Golden Ticket using Invoke-Mimikatz

Criteria:

powershell.exe executing Invoke-Mimikatz with command-line arguments to create a golden ticket

Detections:
8.C.1
Procedure:

Logged on to remote host Scranton (10.0.1.4) using valid credentials for user Pam

Criteria:

Successful logon as user Pam on Scranton (10.0.1.4)

Detections:
16.C.2
Procedure:

Logged on to the domain controller host NewYork (10.0.0.4) using valid credentials for user MScott

Criteria:

Successful logon as user MScott on NewYork (10.0.0.4)

Detections:
11.A.3
Procedure:

Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell

Criteria:

powershell.exe executing a Get-WmiObject query for Win32_BIOS

Detections:
2.A.1
Procedure:

Searched filesystem for document and media files using PowerShell

Criteria:

powershell.exe executing (Get-)ChildItem

Detections:
4.C.1
Procedure:

Enumerated user's temporary directory path using PowerShell

Criteria:

powershell.exe executing $env:TEMP

Detections:
9.B.2
Procedure:

Searched filesystem for document and media files using PowerShell

Criteria:

powershell.exe executing (Get-)ChildItem

Detections:
11.A.9
Procedure:

Checked that the payload is not inside a folder path that contains "sample" or is the length of a hash value using PowerShell

Criteria:

powershell.exe executing (Get-Item -Path ".\" -Verbose).FullName

Detections:
12.A.1
Procedure:

Enumerated the System32 directory using PowerShell

Criteria:

powershell.exe executing gci ((gci env:windir).Value + '\system32')

Detections:
11.A.5
Procedure:

Enumerated devices/adapters to check for presence of VirtualBox driver(s) using PowerShell

Criteria:

powershell.exe executing a Get-WmiObject query for Win32_PnPEntity

Detections:
4.C.9
Procedure:

Enumerated user's domain group membership via the NetUserGetGroups API

Criteria:

powershell.exe executing the NetUserGetGroups API

Detections:
4.C.11
Procedure:

Enumerated user's local group membership via the NetUserGetLocalGroups API

Criteria:

powershell.exe executing the NetUserGetLocalGroups API

Detections:
4.B.1
Procedure:

Enumerated current running processes using PowerShell

Criteria:

powershell.exe executing Get-Process

Detections:
4.C.5
Procedure:

Enumerated the current process ID using PowerShell

Criteria:

powershell.exe executing $PID

Detections:
8.A.3
Procedure:

Enumerated processes on remote host Scranton (10.0.1.4) using PowerShell

Criteria:

powershell.exe executing Get-Process

Detections:
11.A.8
Procedure:

Checked that processes such as procexp.exe, taskmgr.exe, or wireshark.exe are not running using PowerShell

Criteria:

powershell.exe executing a Get-WmiObject query for Win32_Process

Detections:
13.D.1
Procedure:

Enumerated running processes using the CreateToolhelp32Snapshot API

Criteria:

powershell.exe executing the CreateToolhelp32Snapshot API

Detections:
14.B.2
Procedure:

Enumerated and tracked PowerShell processes using PowerShell

Criteria:

powershell.exe executing Get-Process

Detections:
12.C.1
Procedure:

Enumerated installed software via the Registry (Wow6432 Uninstall key) using PowerShell

Criteria:

powershell.exe executing a Registry query for HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

Detections:
12.C.2
Procedure:

Enumerated installed software via the Registry (Uninstall key) using PowerShell

Criteria:

powershell.exe executing a Registry query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Detections:
8.A.1
Procedure:

Enumerated remote systems using LDAP queries

Criteria:

powershell.exe making LDAP queries over port 389 to the Domain Controller (10.0.0.4)

Detections:
16.A.1
Procedure:

Enumerated the domain controller host NewYork (10.0.0.4) using LDAP queries

Criteria:

powershell.exe making LDAP queries over port 389 via functions from System.DirectoryServices.dll

Detections:
4.C.7
Procedure:

Enumerated anti-virus software using PowerShell

Criteria:

powershell.exe executing Get-WmiObject ... -Class AntiVirusProduct

Detections:
4.C.8
Procedure:

Enumerated firewall software using PowerShell

Criteria:

powershell.exe executing Get-WmiObject ... -Class FireWallProduct

Detections:
12.B.1
Procedure:

Enumerated registered AV products using PowerShell

Criteria:

powershell.exe executing a Get-WmiObject query for AntiVirusProduct

Detections:
4.C.3
Procedure:

Enumerated the computer hostname using PowerShell

Criteria:

powershell.exe executing $env:COMPUTERNAME

Detections:
4.C.6
Procedure:

Enumerated the OS version using PowerShell

Criteria:

powershell.exe executing Gwmi Win32_OperatingSystem

Detections:
11.A.4
Procedure:

Enumerated computer manufacturer, model, and version information using PowerShell

Criteria:

powershell.exe executing Get-WmiObject (gwmi) queries for Win32_BIOS and Win32_ComputerSystem

Detections:
13.A.1
Procedure:

Enumerated the computer name using the GetComputerNameEx API

Criteria:

powershell.exe executing the GetComputerNameEx API

Detections:
4.C.4
Procedure:

Enumerated the current domain name using PowerShell

Criteria:

powershell.exe executing $env:USERDOMAIN

Detections:
11.A.7
Procedure:

Checked that the computer is joined to a domain using PowerShell

Criteria:

powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

Detections:
13.B.1
Procedure:

Enumerated the domain name using the NetWkstaGetInfo API

Criteria:

powershell.exe executing the NetWkstaGetInfo API

Detections:
4.C.2
Procedure:

Enumerated the current username using PowerShell

Criteria:

powershell.exe executing $env:USERNAME

Detections:
11.A.6
Procedure:

Checked that the username is not related to admin or a generic value (ex: user) using PowerShell

Criteria:

powershell.exe executing a Get-WmiObject query for Win32_ComputerSystem

Detections:
13.C.1
Procedure:

Enumerated the current username using the GetUserNameEx API

Criteria:

powershell.exe executing the GetUserNameEx API

Detections:
15.A.1
Procedure:

Enumerated logged on users using PowerShell

Criteria:

powershell.exe executing $env:UserName

Detections:
16.B.1
Procedure:

Enumerated the domain SID (from current user SID) using the ConvertSidToStringSid API

Criteria:

powershell.exe executing the ConvertSidToStringSid API

Detections:
11.A.3
Procedure:

Checked that the BIOS version and serial number are not associated with VirtualBox or VMware using PowerShell

Criteria:

powershell.exe executing a Get-WmiObject query for Win32_BIOS

Detections:
1.B.2
Procedure:

Spawned interactive powershell.exe

Criteria:

powershell.exe spawning from cmd.exe

Detections:
4.A.2
Procedure:

Spawned interactive powershell.exe

Criteria:

powershell.exe spawning from powershell.exe

Detections:
9.B.1
Procedure:

Spawned interactive powershell.exe

Criteria:

powershell.exe spawning from python.exe

Detections:
11.A.12
Procedure:

Executed PowerShell stager payload

Criteria:

powershell.exe spawning from the schemas ADS (powershell.exe)

Detections:
20.A.3
Procedure:

Executed PowerShell payload from WMI event subscription persistence

Criteria:

SYSTEM-level powershell.exe spawned from powershell.exe

Detections:
1.B.1
Procedure:

Spawned interactive cmd.exe

Criteria:

cmd.exe spawning from the rcs.3aka3.doc process

Detections:
4.C.10
Procedure:

Executed API call by reflectively loading Netapi32.dll

Criteria:

The NetUserGetGroups API function loaded into powershell.exe from Netapi32.dll

Detections:
4.C.12
Procedure:

Executed API call by reflectively loading Netapi32.dll

Criteria:

The NetUserGetLocalGroups API function loaded into powershell.exe from Netapi32.dll

Detections:
10.B.2
Procedure:

Executed PowerShell payload via the CreateProcessWithToken API

Criteria:

hostui.exe executing the CreateProcessWithToken API

Detections:
16.B.2