Vendor Comparison Tool
1.A.1 Standard Cryptographic Protocol (T1032)
Procedure: Used RC4 stream cipher to encrypt C2 (192.168.0.5) traffic
Criteria: Evidence that the network data sent over the C2 channel is encrypted

1.A.2 Windows Remote Management (T1028)
Procedure: Established WinRM connection to remote host Scranton (10.0.1.4)
Criteria: Network connection to Scranton (10.0.1.4) over port 5985
| Vendor A | Vendor B |
|---|---|
| Technique (Alert): A Technique alert detection (warning severity) called "WinRM Remote Execution" was generated due to the execution of wsmprovhost.exe.[1] | Technique (Alert): A Technique alert detection (red indicator) was generated for "Powershell or WinRM remoting activity" based on wsmprovhost.exe. |
| Telemetry: Telemetry showed network connection to a remote host over port TCP 1234. | Telemetry (Correlated): Telemetry showed network connection to a remote host over port TCP 1234. The detection was correlated to a parent alert. |