ATT&CK® EVALUATIONS

Home > Vendor Comparison Tool

Need help using this tool? Try taking our tour!

Compare

with

Filter by

Home > Vendor Comparison Tool

Compare

with

Filter by

1.A.1

Standard Cryptographic Protocol (T1032)

=	Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
=	Criteria: Evidence that the network data sent over the C2 channel is encrypted

1.A.2

Windows Remote Management (T1028)

=	Procedure: Established WinRM connection to remote host Scranton (10.0.1.4)
=	Criteria: Network connection to Scranton (10.0.1.4) over port 5985

Vendor A	Vendor B
Technique Alert A Technique alert detection (warning severity) called "WinRM Remote Execution" was generated due to the execution of wsmprovhost.exe.^[1]	Technique Alert A Technique alert detection (red indicator) was generated for "Powershell or WinRM remoting activity" based on wsmprovhost.exe.
Telemetry placeholder Telemetry showed network connection to a remote host over port TCP 1234.	Telemetry Correlated Telemetry showed network connection to a remote host over port TCP 1234. The detection was correlated to a parent alert.