RSA Overview
Vendor Configuration: APT3


MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE Engenuity.
Evaluation Summary
These are the evaluations that RSA has participated in:
Evaluation             Detection Count           Analytic Coverage    Telemetry Coverage   Visibility
APT3 (2018)            77 across 136 substeps    1 of 136 substeps    76 of 136 substeps   76 of 136 substeps
APT29 (2019)           -                         -                    -                    -
Carbanak+FIN7 (2020)   -                         -                    -                    -
Evaluation Overview
Choose an evaluation to drill down into the procedures used to test each tactic and technique.

19.B.1
Procedure:

Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

Detections:
19.B.1
Procedure:

Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file

Detections:
12.E.1.5
Procedure:

Empire: WinEnum module included enumeration of clipboard contents

Detections:
18.B.1
Procedure:

Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)

Detections:
9.B.1
Procedure:

Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Detections:
18.B.1
Procedure:

Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Detections:
8.C.1
Procedure:

Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

Detections:
8.D.1
Procedure:

Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Detections:
1.C.1
Procedure:

Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com

Detections:
6.B.1
Procedure:

Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com

Detections:
11.B.1
Procedure:

Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com

Detections:
14.A.1
Procedure:

Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP

Detections:
1.C.1
Procedure:

Cobalt Strike: C2 channel established using port 53

Detections:
6.B.1
Procedure:

Cobalt Strike: C2 channel modified to use port 80

Detections:
11.B.1
Procedure:

Empire: C2 channel established using port 443

Detections:
14.A.1
Procedure:

Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080

Detections:
1.C.1
Procedure:

Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding

Detections:
11.B.1
Procedure:

Empire: Encrypted C2 channel established using HTTPS

Detections:
7.B.1
Procedure:

Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

Detections:
14.A.1
Procedure:

Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk

Detections:
16.E.1
Procedure:

Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

Detections:
19.A.1
Procedure:

Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)

Detections:
6.B.1
Procedure:

Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS

Detections:
16.A.1
Procedure:

Empire: 'net use' via PowerShell for brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6), targeting credentials of users Kmitnick, Bob, and Frieda

Detections:
16.B.1
Procedure:

Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying

Detections:
8.C.1
Procedure:

Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

Detections:
5.A.1
Procedure:

Cobalt Strike: Built-in Mimikatz credential dump capability executed

Detections:
5.A.2
Procedure:

Cobalt Strike: Built-in hash dump capability executed

Detections:
15.B.1
Procedure:

Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

Detections:
3.A.1
Procedure:

Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

Detections:
14.A.1
Procedure:

Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level

Detections:
3.A.1
Procedure:

Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token

Detections:
5.B.1
Procedure:

Cobalt Strike: Built-in token theft capability executed to change user context to George

Detections:
17.B.1
Procedure:

Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

Detections:
17.B.2
Procedure:

Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

Detections:
19.D.1
Procedure:

Empire: 'del C:\"$"Recycle.bin\old.rar'

Detections:
19.D.2
Procedure:

Empire: 'del recycler.exe'

Detections:
16.C.1
Procedure:

Empire: 'net use -delete' via PowerShell

Detections:
19.A.1
Procedure:

Empire: File dropped to disk is a renamed copy of the WinRAR binary

Detections:
19.B.1
Procedure:

Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary

Detections:
16.I.1
Procedure:

Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)

Detections:
3.C.1
Procedure:

Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

Detections:
5.A.1
Procedure:

Cobalt Strike: Credential dump capability involved process injection into lsass

Detections:
5.A.2
Procedure:

Cobalt Strike: Hash dump capability involved process injection into lsass.exe

Detections:
8.D.1
Procedure:

Cobalt Strike: Screen capture capability involved process injection into explorer.exe

Detections:
1.A.1
Procedure:

Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32

Detections:
16.D.1
Procedure:

Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick

Detections:
10.B.1
Procedure:

RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Detections:
16.B.1
Procedure:

Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

Detections:
2.G.1
Procedure:

Cobalt Strike: 'net user -domain' via cmd

Detections:
2.G.2
Procedure:

Cobalt Strike: 'net user george -domain' via cmd

Detections:
12.G.2
Procedure:

Empire: 'net user -domain' via PowerShell

Detections:
7.A.1
Procedure:

Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information

Detections:
12.G.1
Procedure:

Empire: 'net user' via PowerShell

Detections:
8.C.1
Procedure:

Cobalt Strike: Keylogging capability included residual enumeration of application windows

Detections:
15.A.1
Procedure:

Empire: Built-in keylogging module included residual enumeration of application windows

Detections:
8.A.1
Procedure:

Cobalt Strike: 'dir -s -b "\\conficker\wormshare"' via cmd

Detections:
8.A.2
Procedure:

Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

Detections:
9.A.1
Procedure:

Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

Detections:
12.E.1.4.1
Procedure:

Empire: WinEnum module included enumeration of recently opened files

Detections:
12.E.1.4.2
Procedure:

Empire: WinEnum module included enumeration of interesting files

Detections:
16.K.1
Procedure:

Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

Detections:
18.A.1
Procedure:

Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

Detections:
12.E.1.9.1
Procedure:

Empire: WinEnum module included enumeration of available shares

Detections:
12.E.1.9.2
Procedure:

Empire: WinEnum module included enumeration of mapped network drives

Detections:
12.E.1.3
Procedure:

Empire: WinEnum module included enumeration of password policy information

Detections:
2.F.2
Procedure:

Cobalt Strike: 'net localgroup administrators -domain' via cmd

Detections:
2.F.3
Procedure:

Cobalt Strike: 'net group "Domain Admins" -domain' via cmd

Detections:
12.E.1.2
Procedure:

Empire: WinEnum module included enumeration of AD group memberships

Detections:
12.F.1
Procedure:

Empire: 'net group "Domain Admins" -domain' via PowerShell

Detections:
2.F.1
Procedure:

Cobalt Strike: 'net localgroup administrators' via cmd

Detections:
12.F.2
Procedure:

Empire: 'Net Localgroup Administrators' via PowerShell

Detections:
2.C.1
Procedure:

Cobalt Strike: 'ps' (Process status) via Win32 APIs

Detections:
2.C.2
Procedure:

Cobalt Strike: 'tasklist -v' via cmd

Detections:
3.B.1
Procedure:

Cobalt Strike: 'ps' (Process status) via Win32 APIs

Detections:
8.B.1
Procedure:

Cobalt Strike: 'ps' (Process status) via Win32 APIs

Detections:
12.C.1
Procedure:

Empire: 'qprocess *' via PowerShell

Detections:
2.H.1
Procedure:

Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key

Detections:
6.A.1
Procedure:

Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)

Detections:
12.E.1.7
Procedure:

Empire: WinEnum module included enumeration of system information via a Registry query

Detections:
13.C.1
Procedure:

Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Detections:
17.A.1
Procedure:

Empire: 'reg query' via PowerShell to enumerate a specific Registry key

Detections:
4.A.1
Procedure:

Cobalt Strike: 'net group "Domain Controllers" -domain' via cmd

Detections:
4.A.2
Procedure:

Cobalt Strike: 'net group "Domain Computers" -domain' via cmd

Detections:
13.A.1
Procedure:

Empire: 'net group "Domain Computers" -domain' via PowerShell

Detections:
12.E.1.10.1
Procedure:

Empire: WinEnum module included enumeration of AV solutions

Detections:
12.E.1.10.2
Procedure:

Empire: WinEnum module included enumeration of firewall rules

Detections:
2.E.1
Procedure:

Cobalt Strike: 'systeminfo' via cmd

Detections:
2.E.2
Procedure:

Cobalt Strike: 'net config workstation' via cmd

Detections:
12.E.1.6.1
Procedure:

Empire: WinEnum module included enumeration of system information

Detections:
12.E.1.6.2
Procedure:

Empire: WinEnum module included enumeration of Windows update information

Detections:
2.A.1
Procedure:

Cobalt Strike: 'ipconfig -all' via cmd

Detections:
2.A.2
Procedure:

Cobalt Strike: 'arp -a' via cmd

Detections:
4.B.1
Procedure:

Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

Detections:
12.A.1
Procedure:

Empire: 'route print' via PowerShell

Detections:
12.A.2
Procedure:

Empire: 'ipconfig -all' via PowerShell

Detections:
12.E.1.11
Procedure:

Empire: WinEnum module included enumeration of network adapters

Detections:
4.C.1
Procedure:

Cobalt Strike: 'netstat -ano' via cmd

Detections:
12.E.1.12
Procedure:

Empire: WinEnum module included enumeration of established network connections

Detections:
13.B.1
Procedure:

Empire: 'net use' via PowerShell

Detections:
13.B.2
Procedure:

Empire: 'netstat -ano' via PowerShell

Detections:
2.B.1
Procedure:

Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

Detections:
12.B.1
Procedure:

Empire: 'whoami -all -fo list' via PowerShell

Detections:
12.E.1.1
Procedure:

Empire: WinEnum module included enumeration of user information

Detections:
20.B.1
Procedure:

Executed 'whoami' via cmd as part of a persistence mechanism, through an RDP connection made to Creeper (10.0.0.4)

Detections:
2.D.1
Procedure:

Cobalt Strike: 'sc query' via cmd

Detections:
2.D.2
Procedure:

Cobalt Strike: 'net start' via cmd

Detections:
12.D.1
Procedure:

Empire: 'net start' via PowerShell

Detections:
12.E.1.8
Procedure:

Empire: WinEnum module included enumeration of services

Detections:
16.H.1
Procedure:

Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)

Detections:
16.J.1
Procedure:

Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)

Detections:
17.A.1
Procedure:

Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services

Detections:
16.F.1
Procedure:

Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick

Detections:
12.E.1
Procedure:

Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

Detections:
15.A.1
Procedure:

Empire: Built-in keylogging module executed to capture keystrokes of user Bob

Detections:
11.A.1
Procedure:

Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

Detections:
1.A.1
Procedure:

Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)

Detections:
7.A.1
Procedure:

Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection

Detections:
7.C.1
Procedure:

Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)

Detections:
10.A.2
Procedure:

Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32

Detections:
16.L.1
Procedure:

Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

Detections:
1.A.1
Procedure:

Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

Detections:
19.C.1
Procedure:

Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfiltrate data over a network connection separate from the existing C2 channel

Detections:
9.B.1
Procedure:

Cobalt Strike: Download capability exfiltrated data through existing C2 channel

Detections:
16.D.1
Procedure:

Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick

Detections:
10.B.1
Procedure:

RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse

Detections:
16.B.1
Procedure:

Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick

Detections:
16.G.1
Procedure:

Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

Detections:
6.C.1
Procedure:

Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)

Detections:
10.B.1
Procedure:

RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism

Detections:
20.A.1
Procedure:

RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism

Detections: