

Trend Micro Overview
Vendor Configuration:  APT29,  Carbanak+FIN7


MITRE Engenuity does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE Engenuity.
Evaluation Summary
These are the evaluations that Trend Micro has participated in (a dash means the vendor did not take part in that round):

Evaluation            Detection Count           Analytic Coverage     Telemetry Coverage    Visibility
APT3 (2018)           -                         -                     -                     -
APT29 (2019)          249 across 134 substeps   105 of 134 substeps   107 of 134 substeps   123 of 134 substeps
Carbanak+FIN7 (2020)  338 across 174 substeps   139 of 174 substeps   162 of 174 substeps   167 of 174 substeps
Evaluation Overview
2.A.4
Procedure:

Compressed and stored files into ZIP (Draft.zip) using PowerShell

Criteria:

powershell.exe executing Compress-Archive

Detections:
2.A.5
Procedure:

Staged files for exfiltration into ZIP (Draft.zip) using PowerShell

Criteria:

powershell.exe creating the file draft.zip

Detections:
7.B.2
Procedure:

Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell

Criteria:

powershell.exe creating the file OfficeSupplies.7z

Detections:
7.B.3
Procedure:

Encrypted data from the user's Downloads directory using PowerShell

Criteria:

powershell.exe executing Compress-7Zip with the password argument used for encryption

Detections:
9.B.6
Procedure:

Encrypted staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria:

powershell.exe executing rar.exe with the -a parameter for a password to use for encryption

Detections:
9.B.7
Procedure:

Compressed staged ZIP (working.zip in AppData directory) into working.zip (on Desktop) using rar.exe

Criteria:

powershell.exe executing rar.exe

Detections:
17.C.1
Procedure:

Compressed a staging directory using PowerShell

Criteria:

powershell.exe executing the ZipFile.CreateFromDirectory .NET method

Detections:
20.B.4
Criteria:

7za.exe creates C:\Users\Public\log.7z

Detections:
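The archive and staging criteria above all reduce to a handful of observable process and file events: powershell.exe running Compress-Archive, Compress-7Zip or the ZipFile.CreateFromDirectory method, a password switch that turns plain compression (7.B.2, 9.B.7) into encryption (7.B.3, 9.B.6), rar.exe or 7za.exe spawned under a script host, and a script host writing a .zip/.7z/.rar file. The following is an added example of detection logic for those criteria, written for this page rather than taken from MITRE or any vendor; the sample events are constructed, the set of script hosts is an assumption, and the rar/7-Zip password switches it checks (-p and -hp) are this example's own choice, not something the evaluation text specifies.

```python
"""Detection logic for the archive-and-stage criteria listed above.

Covers: powershell.exe running Compress-Archive / Compress-7Zip /
[ZipFile]::CreateFromDirectory, a password switch that turns compression into
encryption (7.B.3, 9.B.6), rar.exe or 7za.exe spawned by a script host, and a
script host writing a .zip/.7z/.rar file.  Events are constructed for this
example; they are not telemetry from the evaluation.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the process that started
    command_line: str
    parent_image: str   # full path of its parent


@dataclass
class FileEvent:
    image: str          # process that created the file
    target: str         # path written


# Cmdlets / .NET call named in the criteria on this page.
PS_ARCHIVE = re.compile(r"Compress-Archive|Compress-7Zip|ZipFile\]::CreateFromDirectory", re.I)
# Compress-7Zip's -Password switch (PowerShell parameters are case-insensitive).
PS_PASSWORD = re.compile(r"-Password\b", re.I)
# Assumption: rar's -p<pw>/-hp<pw> and 7-Zip's -p<pw> switches.  Case-sensitive so
# that a PowerShell -Path argument can never match.
CLI_PASSWORD = re.compile(r"(?:^|\s)-h?p\S*")
ARCHIVERS = {"rar.exe", "7z.exe", "7za.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "rundll32.exe"}  # assumed set
ARCHIVE_EXT = (".zip", ".7z", ".rar")


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_process(ev: ProcEvent) -> list[str]:
    """Rule names matched by a process-creation event ([] when nothing matched)."""
    hits: list[str] = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image == "powershell.exe" and PS_ARCHIVE.search(ev.command_line):
        hits.append("powershell_archive")
        if PS_PASSWORD.search(ev.command_line):
            hits.append("archive_encrypted")
    elif image in ARCHIVERS and parent in SCRIPT_HOSTS:
        hits.append("scripted_archiver")
        if CLI_PASSWORD.search(ev.command_line):
            hits.append("archive_encrypted")
    return hits


def classify_file(ev: FileEvent) -> list[str]:
    """Script host or archiver writing an archive (cf. 'powershell.exe creating the file draft.zip')."""
    if basename(ev.image) in SCRIPT_HOSTS | ARCHIVERS and ev.target.lower().endswith(ARCHIVE_EXT):
        return ["archive_written"]
    return []


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events modelled on substeps 2.A.4, 7.B.3, 9.B.6, 17.C.1 and 20.B.4,
# plus one interactive (benign) archive extraction from Explorer.
SAMPLE_PROCESSES = [
    ProcEvent(PS, r"powershell -c Compress-Archive -Path C:\Users\Pam\Documents\* "
                  r"-DestinationPath C:\Users\Pam\AppData\Roaming\Draft.zip", r"C:\Windows\explorer.exe"),
    ProcEvent(PS, r"powershell -c Compress-7Zip -Path C:\Users\pam\Downloads "
                  r"-ArchiveFileName C:\Users\pam\OfficeSupplies.7z -Password hunter2", PS),
    ProcEvent(r"C:\Users\Pam\AppData\Roaming\rar.exe",
              r"rar.exe a -r -hpfGzq5yKw C:\Users\Pam\Desktop\working.zip C:\Users\Pam\AppData\Roaming\working.zip", PS),
    ProcEvent(PS, r"powershell -c [System.IO.Compression.ZipFile]::CreateFromDirectory("
                  r"'C:\Users\Pam\AppData\Roaming\staging', 'C:\Users\Pam\AppData\Roaming\staging.zip')", PS),
    ProcEvent(r"C:\Users\Public\7za.exe", r"7za.exe a C:\Users\Public\log.7z C:\Users\Public\*.txt",
              r"C:\Windows\System32\rundll32.exe"),
    ProcEvent(r"C:\Program Files\7-Zip\7z.exe", r"7z.exe x C:\Users\Pam\Downloads\photos.zip",
              r"C:\Windows\explorer.exe"),
]
SAMPLE_FILES = [
    FileEvent(PS, r"C:\Users\Pam\AppData\Roaming\Draft.zip"),
    FileEvent(r"C:\Windows\explorer.exe", r"C:\Users\Pam\Documents\notes.txt"),
]


def run() -> list[tuple[str, list[str]]]:
    """Evaluate every sample event; returns (image, rules) pairs for those that matched."""
    out = [(basename(e.image), classify_process(e)) for e in SAMPLE_PROCESSES]
    out += [(basename(e.image), classify_file(e)) for e in SAMPLE_FILES]
    return [(img, rules) for img, rules in out if rules]


if __name__ == "__main__":
    for image, rules in run():
        print(f"{image:16} {', '.join(rules)}")
```

The split between "archive" and "archive_encrypted" mirrors how the evaluation scores compression and encryption as separate substeps; an analytic that only keys on the archiver's file name would credit 9.B.7 but give no evidence for 9.B.6.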
2.A.2
Procedure:

Scripted search of filesystem for document and media files using PowerShell

Criteria:

powershell.exe executing (Get-)ChildItem

Detections:
9.B.3
Procedure:

Scripted search of filesystem for document and media files using PowerShell

Criteria:

powershell.exe executing (Get-)ChildItem

Detections:
7.A.2
Procedure:

Captured clipboard contents using PowerShell

Criteria:

powershell.exe executing Get-Clipboard

Detections:
9.B.5
Procedure:

Staged files for exfiltration into ZIP (working.zip in AppData directory) using PowerShell

Criteria:

powershell.exe creating the file working.zip

Detections:
17.B.2
Procedure:

Staged collected file into directory using PowerShell

Criteria:

powershell.exe creating the file \WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML

Detections:
2.A.3
Procedure:

Recursively collected files found in C:\Users\Pam\ using PowerShell

Criteria:

powershell.exe reading files in C:\Users\Pam\

Detections:
7.B.1
Procedure:

Read data in the user's Downloads directory using PowerShell

Criteria:

powershell.exe reading files in C:\Users\pam\Downloads\

Detections:
9.B.4
Procedure:

Recursively collected files found in C:\Users\Pam\ using PowerShell

Criteria:

powershell.exe reading files in C:\Users\Pam\

Detections:
17.B.1
Procedure:

Read and collected a local file using PowerShell

Criteria:

powershell.exe reading the file MITRE-ATTACK-EVALS.HTML

Detections:
5.B.5
Tux
Criteria:

User kmitnick reads network-diagram-financial.xml via cat

Detections:
5.B.6
Tux
Criteria:

User kmitnick reads help-desk-ticket.txt via cat

Detections:
9.A.5
Criteria:

explorer.exe reads C:\Users\jsmith\AppData\Local\Temp\Klog2.txt and sends it to 192.168.0.4

Detections:
17.A.1
Procedure:

Dumped messages from the local Outlook inbox using PowerShell

Criteria:

outlook.exe spawning from svchost.exe or powershell.exe

Detections:
7.A.3
Procedure:

Captured user keystrokes using the GetAsyncKeyState API

Criteria:

powershell.exe executing the GetAsyncKeyState API

Detections:
9.A.2
Criteria:

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Detections:
18.A.4
Criteria:

mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

Detections:
7.A.1
Procedure:

Captured and saved screenshots using PowerShell

Criteria:

powershell.exe executing the CopyFromScreen function from System.Drawing.dll

Detections:
2.B.4
Criteria:

powershell.exe executes CopyFromScreen()

Detections:
9.A.4
Criteria:

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Detections:
13.B.4
Criteria:

powershell.exe executes CopyFromScreen()

Detections:
18.A.2
Criteria:

explorer.exe calls the CreateCompatibleBitmap API from Gdi32.dll

Detections:
7.A.3
Criteria:

plink.exe transmits data to 192.168.0.4 over SSH protocol

Detections:
12.A.3
Criteria:

Adb156.exe transmits data to 192.168.0.6 via MSSQL transactions

Detections:
3.B.4
Procedure:

Used HTTPS to transport C2 (192.168.0.5) traffic

Criteria:

Evidence that the network data sent over the C2 channel is HTTPS

Detections:
11.A.14
Procedure:

Used HTTPS to transport C2 (192.168.0.4) traffic

Criteria:

Established network channel over the HTTPS protocol

Detections:
1.A.10
Criteria:

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
14.A.6
Criteria:

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
16.A.8
Criteria:

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
17.A.5
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
20.A.3
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
3.B.3
Procedure:

Established C2 channel (192.168.0.5) via PowerShell payload over TCP port 443

Criteria:

Established network channel over port 443

Detections:
11.A.13
Procedure:

Established C2 channel (192.168.0.4) via PowerShell payload over port 443

Criteria:

Established network channel over port 443

Detections:
3.B.5
Procedure:

Used HTTPS to encrypt C2 (192.168.0.5) traffic

Criteria:

Evidence that the network data sent over the C2 channel is encrypted

Detections:
11.A.15
Procedure:

Used HTTPS to encrypt C2 (192.168.0.4) traffic

Criteria:

Evidence that the network data sent over the C2 channel is encrypted

Detections:
1.A.11
Criteria:

wscript.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
8.A.3
Criteria:

Java-Update.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
14.A.7
Criteria:

powershell.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
16.A.9
Criteria:

svchost.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
17.A.6
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
20.A.4
Criteria:

rundll32.exe transmits data to 192.168.0.4 over HTTPS protocol

Detections:
1.A.4
Procedure:

Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic

Criteria:

Evidence that the network data sent over the C2 channel is encrypted

Detections:
3.A.1
Procedure:

Dropped stage 2 payload (monkey.png) to disk

Criteria:

The rcs.3aka3.doc process creating the file monkey.png

Detections:
4.A.1
Procedure:

Dropped additional tools (SysinternalsSuite.zip) to disk over C2 channel (192.168.0.5)

Criteria:

powershell.exe creating the file SysinternalsSuite.zip

Detections:
8.B.1
Procedure:

Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)

Criteria:

The file python.exe created on Scranton (10.0.1.4)

Detections:
9.A.1
Procedure:

Dropped rar.exe to disk on remote host Scranton (10.0.1.4)

Criteria:

python.exe creating the file rar.exe

Detections:
9.A.2
Procedure:

Dropped sdelete.exe to disk on remote host Scranton (10.0.1.4)

Criteria:

python.exe creating the file sdelete64.exe

Detections:
14.B.3
Procedure:

Downloaded and dropped Mimikatz (m.exe) to disk

Criteria:

powershell.exe downloading and/or the file write of m.exe

Detections:
2.B.1
Criteria:

wscript.exe downloads screenshot__.ps1 from 192.168.0.4

Detections:
3.B.1
Criteria:

wscript.exe downloads LanCradDriver.ps1 from 192.168.0.4

Detections:
4.B.1
Criteria:

powershell.exe downloads rad353F7.ps1 from 192.168.0.4

Detections:
4.B.2
Criteria:

powershell.exe downloads smrs.exe from 192.168.0.4

Detections:
5.A.1
Criteria:

powershell.exe downloads pscp.exe from 192.168.0.4

Detections:
5.A.2
Criteria:

powershell.exe downloads psexec.py from 192.168.0.4

Detections:
5.A.3
Criteria:

powershell.exe downloads runtime from 192.168.0.4

Detections:
5.A.4
Criteria:

powershell.exe downloads plink.exe from 192.168.0.4

Detections:
5.A.5
Criteria:

powershell.exe downloads tiny.exe from 192.168.0.4

Detections:
7.A.1
Criteria:

tiny.exe downloads plink.exe from 192.168.0.4

Detections:
7.C.1
Criteria:

scp.exe downloads Java-Update.exe from 192.168.0.4

Detections:
7.C.3
Criteria:

cmd.exe downloads Java-Update.vbs from 192.168.0.4

Detections:
9.A.1
Criteria:

Java-Update.exe downloads DefenderUpgradeExec.exe from 192.168.0.4

Detections:
9.B.1
Criteria:

explorer.exe downloads infosMin48.exe from 192.168.0.4

Detections:
10.A.1
Criteria:

explorer.exe downloads tightvnc-2.8.27-gpl-setup-64bit.msi from 192.168.0.4

Detections:
10.A.2
Criteria:

explorer.exe downloads vnc-settings.reg from 192.168.0.4

Detections:
12.B.1
Criteria:

Adb156.exe downloads stager.ps1 from 192.168.0.6

Detections:
13.B.1
Criteria:

Adb156.exe downloads takeScreenshot.ps1 from 192.168.0.6 via MSSQL transactions

Detections:
15.A.2
Criteria:

powershell.exe downloads samcat.exe from 192.168.0.4

Detections:
15.A.3
Criteria:

powershell.exe downloads uac-samcats.ps1 from 192.168.0.4

Detections:
16.A.1
Criteria:

powershell.exe downloads paexec.exe from 192.168.0.4

Detections:
16.A.2
Criteria:

powershell.exe downloads hollow.exe from 192.168.0.4

Detections:
17.A.1
Criteria:

svchost.exe downloads srrstr.dll from 192.168.0.4 (port 443)

Detections:
19.B.3
Criteria:

powershell.exe downloads dll329.dll from 192.168.0.4

Detections:
19.B.4
Criteria:

powershell.exe downloads sdbE376.tmp from 192.168.0.4

Detections:
20.B.1
Criteria:

rundll32.exe downloads debug.exe from 192.168.0.4

Detections:
20.B.3
Criteria:

rundll32.exe downloads 7za.exe from 192.168.0.4

Detections:
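Every ingress-tool-transfer criterion above has the same shape: a named process "downloads" a file from the attacker host, which in endpoint telemetry is an outbound connection by that process followed shortly by that same process writing a file with a tool-like extension. The following added example (written for this page, not MITRE's or any vendor's code) correlates the two event streams by pid inside a time window; the window, the extension list, the script-host set and the sample events are all constructed assumptions.

```python
"""Correlating a network connection with a subsequent tool drop, as the
'<process> downloads <file> from 192.168.0.4' criteria above require.

A finding is raised when a process writes a file with a tool-like extension
within WINDOW seconds of its own outbound connection.  Script hosts and
LOLBins get 'high'; anything else gets 'medium' so that a browser's download
still surfaces for triage.  All events are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class NetConn:
    ts: float        # seconds since an arbitrary epoch
    pid: int
    image: str
    dst_ip: str
    dst_port: int


@dataclass
class FileWrite:
    ts: float
    pid: int
    image: str
    path: str


# Extensions seen in the ingress-tool-transfer substeps above (.exe, .dll, .ps1,
# .vbs, .py, .msi, .reg, .tmp); treating .tmp as tool-like is this example's choice.
TOOL_EXT = (".exe", ".dll", ".ps1", ".vbs", ".py", ".msi", ".reg", ".tmp")
# Assumed set of script hosts / LOLBins that should not be fetching tools.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
                "cmd.exe", "mshta.exe", "regsvr32.exe"}
WINDOW = 60.0


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate(events: list[NetConn | FileWrite]) -> list[tuple[str, str, str, str]]:
    """Return (severity, image, remote, dropped_path) for each drop that follows a
    connection by the same pid inside the window.  Events may arrive unordered."""
    last_conn: dict[int, NetConn] = {}
    findings: list[tuple[str, str, str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if isinstance(ev, NetConn):
            last_conn[ev.pid] = ev            # keep only the most recent connection per pid
            continue
        if not ev.path.lower().endswith(TOOL_EXT):
            continue
        conn = last_conn.get(ev.pid)
        if conn is None or ev.ts - conn.ts > WINDOW:
            continue                          # no recent download channel for this pid
        image = basename(ev.image)
        severity = "high" if image in SCRIPT_HOSTS else "medium"
        findings.append((severity, image, f"{conn.dst_ip}:{conn.dst_port}", ev.path))
    return findings


# Constructed events modelled on substeps 2.B.1, 17.A.1 and 14.B.3, plus two
# benign cases (a browser fetching a PDF; a write with no preceding connection).
SAMPLE_EVENTS: list[NetConn | FileWrite] = [
    NetConn(0.0, 4120, r"C:\Windows\System32\wscript.exe", "192.168.0.4", 443),
    FileWrite(2.5, 4120, r"C:\Windows\System32\wscript.exe",
              r"C:\Users\jsmith\AppData\Local\Temp\screenshot__.ps1"),
    NetConn(10.0, 5008, r"C:\Windows\System32\svchost.exe", "192.168.0.4", 443),
    FileWrite(11.0, 5008, r"C:\Windows\System32\svchost.exe", r"C:\Users\Public\srrstr.dll"),
    NetConn(30.0, 7000, r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", "203.0.113.10", 443),
    FileWrite(31.0, 7000, r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
              r"C:\Users\jsmith\Downloads\report.pdf"),
    FileWrite(40.0, 8000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\jsmith\m.exe"),
]


def run() -> list[tuple[str, str, str, str]]:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for severity, image, remote, path in run():
        print(f"[{severity}] {image} <- {remote} dropped {path}")
```

The last sample (powershell.exe writing m.exe with no connection of its own) deliberately produces nothing: a file write alone is the 14.B.3 "file write of m.exe" half of the criterion, and the correlation only credits the "downloading" half when the same process opened the channel. Keying on pid rather than image name also keeps an injected svchost.exe (17.A.1) from hiding among the dozens of legitimate svchost instances.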
1.A.3
Procedure:

Established C2 channel (192.168.0.5) via rcs.3aka3.doc payload over TCP port 1234

Criteria:

Established network channel over port 1234

Detections:
3.B.7
Criteria:

powershell.exe transmits data to 192.168.0.4 over TCP

Detections:
19.A.3
Criteria:

itadmin (10.0.1.6) is relaying RDP traffic from attacker infrastructure

Detections:
10.B.1
Criteria:

tvnserver.exe accepts a connection from 192.168.0.4 over TCP port 5900

Detections:
18.A.1
Procedure:

Mapped a network drive to an online OneDrive account using PowerShell

Criteria:

net.exe with command-line arguments then making a network connection to a public IP over port 443

Detections:
4.A.3
Criteria:

powershell.exe executes Find-LocalAdminAccess, which attempts a DCOM/RPC (port 135) connection to multiple hosts to check for access

Detections:
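The Find-LocalAdminAccess criterion above is a fan-out pattern rather than a single event: one process opens DCOM/RPC connections on TCP 135 to many hosts in quick succession. An added example (not MITRE's or any vendor's code) that counts distinct destinations per process over a sliding window follows; the port, window, threshold and sample events are this example's assumptions.

```python
"""Fan-out detection for the Find-LocalAdminAccess criterion above: one process
opening DCOM/RPC (TCP 135) connections to many hosts in a short window.
Threshold, window and events are this example's assumptions/constructions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class NetConn:
    ts: float
    pid: int
    image: str
    dst_ip: str
    dst_port: int


FANOUT_PORT = 135
WINDOW = 30.0      # seconds
THRESHOLD = 5      # distinct hosts inside one window


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_fanout(events: list[NetConn], port: int = FANOUT_PORT,
                  window: float = WINDOW, threshold: int = THRESHOLD) -> list[tuple[int, str, int]]:
    """Return (pid, image, distinct_hosts) for every pid that reached at least
    `threshold` distinct hosts on `port` inside some `window`-second span."""
    per_pid: dict[int, list[NetConn]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.dst_port == port:
            per_pid[ev.pid].append(ev)
    findings = []
    for pid, conns in per_pid.items():
        best, start = 0, 0
        for end in range(len(conns)):           # sliding window over this pid's connections
            while conns[end].ts - conns[start].ts > window:
                start += 1
            best = max(best, len({c.dst_ip for c in conns[start:end + 1]}))
        if best >= threshold:
            findings.append((pid, basename(conns[0].image), best))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SVC = r"C:\Windows\System32\svchost.exe"
# Constructed: a PowerShell process sweeping nine hosts on 135 within two seconds
# (the 4.A.3 pattern), a service touching three hosts minutes apart, and one
# SMB connection on 445 that the port filter must ignore.
SAMPLE_EVENTS = (
    [NetConn(1.0 + i * 0.2, 300, PS, f"10.0.1.{4 + i}", 135) for i in range(9)]
    + [NetConn(0.0, 50, SVC, "10.0.0.10", 135), NetConn(100.0, 50, SVC, "10.0.0.11", 135),
       NetConn(200.0, 50, SVC, "10.0.0.12", 135)]
    + [NetConn(1.5, 300, PS, "10.0.1.4", 445)]
)


def run() -> list[tuple[int, str, int]]:
    return detect_fanout(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, image, hosts in run():
        print(f"pid {pid} ({image}) reached {hosts} hosts on TCP {FANOUT_PORT}")
```

Windowing by pid is what separates a scripted sweep from routine RPC chatter: the svchost sample reaches three hosts too, but never more than one inside any 30-second span.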
6.A.2
Procedure:

Executed the CryptUnprotectData API call to decrypt Chrome passwords

Criteria:

accesschk.exe executing the CryptUnprotectData API

Detections:
9.B.2
Criteria:

infosMin48.exe calls the VaultEnumerateItems API from vaultcli.dll

Detections:
7.A.3
Procedure:

Captured user keystrokes using the GetAsyncKeyState API

Criteria:

powershell.exe executing the GetAsyncKeyState API

Detections:
9.A.2
Criteria:

DefenderUpgradeExec.exe calls the SetWindowsHookEx API

Detections:
18.A.4
Criteria:

mstsc.exe calls APIs such as GetAsyncKeyState, GetKeyState, or GetKeyboardState

Detections:
14.B.4
Procedure:

Dumped plaintext credentials using Mimikatz (m.exe)

Criteria:

m.exe injecting into lsass.exe to dump credentials

Detections: