Technique | Step | Procedures | CarbonBlack | CarbonBlack (detection, score) | CounterTack | CounterTack (detection, score) | CrowdStrike | CrowdStrike (detection, score) | Cybereason | Cybereason (detection, score) | Endgame | Endgame (detection, score) | F-Secure | F-Secure (detection, score) | FireEye | FireEye (detection, score) | McAfee | McAfee (detection, score) | Microsoft | Microsoft (detection, score) | PaloAltoNetworks | PaloAltoNetworks (detection, score) | RSA | RSA (detection, score) | SentinelOne | SentinelOne (detection, score) |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Query Registry (Discovery, T1012) | 12.E.1.7 | Empire: WinEnum module included enumeration of system information via a Registry query | | None 0 | | None 0 | Telemetry showing the Get-Sysinfo function | Telemetry 10 | | None 0 | Interactive Shell events showing the WinEnum script and the Get-SysInfo function (does not count as a detection due to the manual process of pulling events) | None 0 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | | None 0 | | None 0 | | None 0 | Indicator of Compromise alert identifying suspicious PowerShell strings as Empire SysInfo; Enrichment of the enumeration of system information via a Registry query as suspicious (tainted by a parent alert on wscript.exe) | Enrichment-Tainted Indicator of Compromise 32 | | None 0 | | None 0 |
Query Registry (Discovery, T1012) | 13.C.1 | Empire: 'reg query' via PowerShell to enumerate a specific Registry key | Telemetry showing process tree with reg.exe and command-line arguments; Enrichment of reg.exe event with correct ATT&CK Technique (Query Registry) | Telemetry Enrichment 25 | Telemetry showing reg.exe with command-line arguments (tainted by the parent Script File Created alert) | Telemetry-Tainted 7 | Telemetry from process tree showing reg.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity); OverWatch General Behavior alert indicating reg query was suspicious (tainted by previous powershell.exe detection by orange line indicating medium severity); OverWatch General Behavior alert indicating reg query was suspicious; Email excerpt from the OverWatch team indicating reg query was part of additional malicious discovery activity (General Behavior) | Telemetry-Tainted General Behavior-Delayed-Tainted General Behavior-Delayed 58 | Telemetry showing reg.exe with command-line arguments (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | Enriched event tree showing enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery) (tainted by parent alert; tree is initially available unenriched to show the base telemetry) | Telemetry-Tainted Enrichment-Delayed-Tainted 16 | Enrichment of reg.exe indicating that a sensitive registry key was accessed for potential reconnaissance; Telemetry showing powershell.exe executing reg.exe with command-line arguments | Telemetry Enrichment 25 | Excerpt from the Managed Defense Report indicating reg.exe was a reconnaissance command used (General Behavior); Enrichment of reg.exe with Reg Execution alert (tagged with ATT&CK Technique T1018 - Query Registry, and Tactic, Discovery) | Enrichment General Behavior-Delayed 42 | Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the reg.exe utility queried the Registry; Telemetry showing powershell.exe executing reg.exe (tainted by parent alert on wscript.exe) | Telemetry-Tainted Enrichment 22 | Telemetry showing execution of reg.exe and command-line arguments; Process tree view of suspicious sequence of exploration activities alert showing tainted relationship to reg.exe | Telemetry-Tainted 7 | Telemetry showing powershell.exe executing reg with command-line arguments (tainted by a parent alert on wscript.exe); Enrichment of reg.exe executing with command-line arguments with the correct ATT&CK Technique (Query Registry) | Telemetry-Tainted Enrichment 22 | Telemetry showing execution of reg.exe and command-line arguments | Telemetry 10 | Telemetry showing execution of reg.exe and command-line arguments (tainted Group ID not shown but was the search parameter) | Telemetry-Tainted 7 |
Query Registry (Discovery, T1012) | 2.H.1 | Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key | Telemetry from process tree showing reg.exe with command-line arguments; Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry) | Telemetry Enrichment 25 | Telemetry showing reg.exe with command-line arguments (tainted by the parent Script File Created alert) | Telemetry-Tainted 7 | Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (reg query not specifically shown); Telemetry showing reg with command-line arguments; Email excerpt from the OverWatch team indicating reg query was a reconnaissance command (General Behavior) | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing cmd.exe executing reg with command-line arguments; Telemetry within a process tree showing reg.exe executing with command-line arguments (tainted by a parent Injected Shellcode alert) | Telemetry-Tainted 7 | General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period; Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection); Telemetry showing reg.exe with command-line arguments (tainted by parent Malicious File Detection) | Telemetry-Tainted General Behavior-Configuration Change-Delayed-Tainted 28 | Enrichment of reg.exe indicating that a sensitive registry key was accessed, possibly as part of reconnaissance; Telemetry showing reg.exe with command-line arguments; General Behavior alert showing that a spawned process (cmd.exe running reg) has been tagged for monitoring because its parent process has a detection (rundll32.exe); General Behavior alert for rundll32.exe launching cmd.exe (executing reg) | Enrichment General Behavior Telemetry General Behavior 85 | Excerpt from the Managed Defense Report indicating the attacker queried a registry key that contains system policy configurations (Specific Behavior); Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery); Excerpt from the Managed Defense Report with additional details about reg | Enrichment Specific Behavior-Delayed 72 | Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery); Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the Registry was queried via execution of the reg.exe utility; Process tree within trace detection containing cmd.exe executing reg.exe (tainted by a parent alert on Resume Viewer.exe) | Telemetry-Tainted Enrichment Enrichment 37 | Process tree view of General Behavior alert on suspicious sequence of discovery techniques (showing tainted reg.exe query command); Telemetry showing execution sequence for reg.exe with command-line arguments | Telemetry-Tainted 7 | Enrichment of reg.exe executing with the correct ATT&CK Technique (Query Registry); Telemetry showing cmd.exe executing reg with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted Enrichment 22 | Telemetry showing reg.exe with command-line arguments | Telemetry 10 | Telemetry showing reg.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
Query Registry (Discovery, T1012) | 17.A.1 | Empire: 'reg query' via PowerShell to enumerate a specific Registry key | Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry); Telemetry from process tree showing reg.exe with command-line arguments | Telemetry Enrichment 25 | Telemetry showing powershell.exe executing reg.exe (tainted by the parent "New Windows service created" alert) | Telemetry-Tainted 7 | Telemetry from process tree view showing reg.exe executing with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity) | Telemetry-Tainted 7 | Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | Enriched event tree showing enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts; tree is initially available unenriched to show the base telemetry); Event tree view showing tainted powershell.exe with reg.exe child process | Telemetry-Tainted Enrichment-Delayed-Tainted 16 | Telemetry showing reg.exe with command-line arguments; Enrichment of reg.exe indicating that a sensitive registry key was accessed for potential reconnaissance; General Behavior alert showing that a spawned process (reg) has been tagged for monitoring because its parent process has a detection (powershell.exe) | Telemetry Enrichment General Behavior 55 | Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery) | Enrichment 15 | Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert); Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the reg.exe utility queried the Registry | Telemetry-Tainted Enrichment 22 | Process tree view of suspicious PowerShell command-line alert showing tainted relationship to reg.exe query; Telemetry showing reg.exe executing with command-line arguments | Telemetry-Tainted 7 | Telemetry showing powershell.exe executing reg with command-line arguments to check whether terminal services were enabled (tainted by a parent alert on cmd.exe); Enrichment of reg.exe executing with command-line arguments with a related ATT&CK Technique (System Service Discovery); Enrichment of reg.exe executing with command-line arguments as the terminal server key queried by the reg utility (tainted by a parent alert on cmd.exe) | Telemetry-Tainted Enrichment-Tainted Enrichment 34 | Telemetry showing reg.exe execution | Telemetry 10 | Threat story graph showing telemetry of reg.exe executing (tainted by prior lateral movement alert by Group ID) | Telemetry-Tainted 7 |
Query Registry (Discovery, T1012) | 6.A.1 | Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5) | Telemetry from process tree showing reg.exe with command-line arguments; Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry) | Telemetry Enrichment 25 | Telemetry showing PIPEs created (tainted by the parent "Powershell process created" alert); Telemetry showing reg.exe with command-line arguments (tainted by the parent "Powershell process created" alert) | Telemetry-Tainted 7 | Telemetry showing reg with command-line arguments; OverWatch General Behavior alert identifying reg query as suspicious as well as the reg.exe process (tainted by previous detection by orange line indicating medium severity) | Telemetry-Tainted General Behavior-Delayed-Tainted 31 | Telemetry showing reg.exe executing with command-line arguments (tainted by a parent Injected Shellcode alert) | Telemetry-Tainted 7 | Telemetry showing reg with command-line arguments; Event tree view of telemetry showing reg with command-line arguments (tainted by parent Process Injection alert) | Telemetry-Tainted 7 | Enrichment of reg.exe identifying that a sensitive Registry key was accessed which could be used for recon; Telemetry showing reg.exe with command-line arguments | Enrichment Telemetry 25 | Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery); File Write To Named Pipe alert for write to remote named pipe from reg.exe; Additional details on named pipe alert; Excerpt from the Managed Defense Report with additional details about reg query; Excerpt from Managed Defense Report of the reg command executing a remote registry query (Specific Behavior) | Enrichment Specific Behavior-Delayed 72 | Telemetry showing cmd.exe executing reg.exe with command-line arguments (tainted by a trace detection on cmd.exe); Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the Registry was queried via execution of the reg.exe utility; General Behavior alert indicating that reg.exe command-line arguments contain signs of malicious usage | Telemetry-Tainted Enrichment General Behavior-Delayed 49 | Process tree view of suspicious process injection alert on lsass.exe showing tainted relationship to reg.exe (inner failure message in screenshot not relevant to tested functionality); Telemetry showing execution sequence for reg.exe with command-line arguments | Telemetry-Tainted 7 | Enrichment of the execution of reg.exe as querying a remote key (tainted by a parent process injection alert on cmd.exe); Enrichment of reg.exe executing with the correct ATT&CK Technique (Query Registry); Telemetry showing cmd.exe executing reg with command-line arguments (tainted by a parent process injection alert on cmd.exe) | Telemetry-Tainted Enrichment-Tainted Enrichment 34 | Telemetry showing reg.exe with command-line arguments | Telemetry 10 | Telemetry showing cmd.exe executing reg with command-line arguments (tainted by relationship to rundll32 parent process linked by Group ID but not shown in this view) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CarbonBlack (detection, score) | CounterTack | CounterTack (detection, score) | CrowdStrike | CrowdStrike (detection, score) | Cybereason | Cybereason (detection, score) | Endgame | Endgame (detection, score) | F-Secure | F-Secure (detection, score) | FireEye | FireEye (detection, score) | McAfee | McAfee (detection, score) | Microsoft | Microsoft (detection, score) | PaloAltoNetworks | PaloAltoNetworks (detection, score) | RSA | RSA (detection, score) | SentinelOne | SentinelOne (detection, score) |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Command-Line Interface (Execution, T1059) | 2.B.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 2.A.2 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 2.D.2 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 2.D.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 2.A.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 2.E.2 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 2.E.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 16.F.1 | Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick | Telemetry showing process tree with cmd.exe and initial powershell.exe running as user Bob; Enrichment of cmd.exe event with correct ATT&CK Technique (T1059 - Command-Line Interface); Telemetry showing process tree with cmd.exe and final powershell.exe running as user Kmitnick | Telemetry Enrichment 25 | Telemetry showing wscript.exe executing autoupdate.vbs and the resulting powershell.exe (tainted by the parent "Powershell executed remote commands" alert); Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick (tainted by the parent "Powershell executed remote commands" alert); Telemetry showing svchost.exe creating cmd.exe and executing autoupdate.vbs as user Kmitnick | Telemetry-Tainted 7 | Telemetry showing wscript.exe launching autoupdate.vbs as user Kmitnick (tainted by previous detection by red line indicating high severity); Telemetry showing cmd.exe launching autoupdate.vbs as user Kmitnick (tainted by previous detection by red line indicating high severity) | Telemetry-Tainted 7 | Parent alert on Malicious PowerShell Command (Invoke-RunAs); Telemetry showing cmd.exe executing autoupdate.vbs through wscript.exe (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | Telemetry showing cmd.exe executed as user Kmitnick (tainted by parent PowerShell alert); Enriched event tree showing enrichment of autoupdate.vbs execution with related ATT&CK Technique (T1064 - Scripting) and Tactic (Execution) (tainted by parent PowerShell alert; tree is initially available unenriched to show the base telemetry); Enrichment showing cmd launching PowerShell via wscript.exe running autoupdate.vbs (tainted by parent PowerShell alert) | Enrichment-Tainted Telemetry-Tainted Enrichment-Delayed-Tainted 28 | General Behavior alert showing that a spawned process (cmd.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing cmd.exe executing autoupdate.vbs through wscript.exe, and the associated user context change from user Bob to user Kmitnick | Telemetry General Behavior 40 | Enrichment of cmd.exe spawning wscript.exe with Wscript Execution alert (tagged with correct ATT&CK Technique, T1059 - Command-Line Interface, and Tactic, Execution); Telemetry showing cmd.exe executing autoupdate.vbs | Enrichment Telemetry 25 | Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick; Enrichment of wscript.exe executing autoupdate.vbs with the correct ATT&CK Tactic (Execution) and Technique (Command-Line Interface) | Telemetry Enrichment 25 | Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick (tainted by parent PowerShell alerts); Parent alerts for PowerShell script with suspicious content, for malicious PowerShell cmdlet, and for PowerShell with suspicious command line, each tainting powershell.exe (each alert was generated on many PowerShell script executions throughout the day; the specific instance of this procedure is not shown in these alerts) | Telemetry-Tainted 7 | Indicator of Compromise alert identifying PowerShell Empire using the Runas functionality; Enrichment of wscript.exe executing autoupdate.vbs with a related ATT&CK Technique (Scripting); Telemetry showing cmd.exe executing autoupdate.vbs (tainted by a parent alert on wscript.exe) | Telemetry-Tainted Enrichment Indicator of Compromise 42 | Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick | Telemetry 10 | Telemetry showing cmd.exe launching autoupdate.vbs (tainted by relationship to threat story) | Telemetry-Tainted 7 |
Command-Line Interface (Execution, T1059) | 2.F.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 2.F.3 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 2.C.2 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 2.G.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 2.G.2 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 2.F.2 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 7.C.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 8.A.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 8.A.2 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 2.H.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 4.A.2 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 6.A.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 4.A.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 4.B.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Command-Line Interface (Execution, T1059) | 4.C.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
System Service Discovery
Discovery
(T1007) | 12.D.1 | Empire: 'net start' via PowerShell | Telemetry from process tree showing net.exe with command-line arguments | Telemetry 10 | Telemetry showing net.exe with command-line arguments (tainted by parent Script File Created alert) | Telemetry-Tainted 7 | Email excerpt from the OverWatch team indicating net start was part of basic reconnaissance activity (General Behavior) Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity) | Telemetry-Tainted General Behavior-Delayed 34 | General Behavior alert for net.exe executing with the correct ATT&CK Tactic (System Services Discovery) and Technique (Discovery) Process tree showing alerted net.exe with correct ATT&CK Technique (System Service Discovery) (tainted by a parent PowerShell alert) | General Behavior-Tainted Telemetry 37 | Telemetry showing net.exe with command-line arguments Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry) | Telemetry-Tainted Enrichment-Tainted-Delayed 16 | General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe) Telemetry showing powershell.exe executing net.exe with command-line arguments | Telemetry General Behavior 40 | Enrichment of net.exe with Net Start Command Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery) Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior) | Enrichment General Behavior-Delayed 42 | General Behavior alert was generated for net or sc command executed through PowerShell, tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Service 
Discovery) Telemetry showing qprocess.exe with command-line arguments (tainted by a parent alert on wscript.exe) Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Windows services were manipulated via sc.exe/net.exe | Telemetry-Tainted Enrichment General Behavior 52 | Process tree view of \"Suspicious sequence of discovery activities\" alert context with net.exe command-line arguments Telemetry showing execution sequence of powershell.exe executing net.exe with command-line arguments General Behavior alert description for \"Suspicious sequence of discovery activities\" Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing powershell.exe executing net.exe with command-line arguments (tainted by a parent alert on wscript.exe) General Behavior alert for net.exe executing as a enumeration command called by a commonly abused causality group owner (CGO, wscript.exe) (tainted by a parent alert on wscript.exe) Enrichment of net.exe executing as the execution of an enumeration command (tainted by a parent alert on wscript.exe) | Telemetry-Tainted Enrichment-Tainted General Behavior-Tainted 46 | Telemetry showing net.exe with command-line arguments | Telemetry 10 | Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter) Threat story showing initial compromise alert and powershell.exe tainting net.exe | Telemetry-Tainted 7 |
17.A.1 | Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services | Telemetry from process tree showing reg.exe with command-line arguments | Telemetry 10 | Telemetry showing powershell.exe executing reg.exe (tainted by the parent \"New Windows service created\" alert) | Telemetry-Tainted 7 | Telemetry from process tree view showing reg.exe executing with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity) | Telemetry-Tainted 7 | Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | Telemetry from event tree showing reg.exe Event tree view showing tainted powershell.exe with reg.exe child process | Telemetry-Tainted 7 | Telemetry showing reg.exe with command-line arguments | Telemetry 10 | Telemetry showing reg.exe executing with command-line arguments (tainted by parent Reg Execution alert) | Telemetry-Tainted 7 | Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Registry was queried for remote services RDP Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert) Enrichment of powershell.exe that executed reg.exe with the ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that PowerShell queried terminal services Registry | Telemetry-Tainted Enrichment Enrichment 37 | Process tree view of suspicious PowerShell command-line alert showing tainted relationship to reg.exe query Telemetry showing reg.exe query for terminal server setting | Telemetry-Tainted 7 | Telemetry showing powershell.exe executing reg with command-line arguments (tainted by a parent alert on cmd.exe) Enrichment of reg.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery). 
Enrichment of reg.exe executing with command-line arguments as the terminal server key queried by the reg utility (tainted by a parent alert on cmd.exe) | Telemetry-Tainted Enrichment-Tainted Enrichment 34 | Telemetry showing reg.exe query for terminal server setting | Telemetry 10 | Threat story graph showing telemetry of reg.exe with query for terminal server setting (tainted by prior lateral movement alert by Group ID) | Telemetry-Tainted 7 |
16.J.1 | Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4) | Telemetry from process tree showing sc.exe execution to query the AdobeUpdater service on Creeper Enrichment of sc.exe executing query services with correct ATT&CK Technique (System Service Discovery) | Telemetry Enrichment 25 | Enrichment showing powershell.exe executing sc.exe query AdobeUpdater service on Creeper (enriched with condition SC QC Reconnaissance Command, tainted by the parent \"Powershell executed remote commands\" alert) | Enrichment-Tainted-Configuration Change 9 | Email excerpt sent by OverWatch team indicating they observed Bob querying for a service (Specific Behavior) Telemetry showing sc.exe execution to query the AdobeUpdater service on Creeper process tree view (tainted from previous powershell.exe detection by red line indicating high severity) | Telemetry-Tainted Specific Behavior-Delayed 64 | Telemetry showing sc.exe executing with command-line arguments (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | Enriched event tree showing enrichment of sc.exe execution with correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts, tree is initially available unenriched to show the base telemetry) | Telemetry-Tainted Enrichment-Delayed-Tainted 16 | General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe) Telemetry showing sc.exe with command-line arguments | Telemetry General Behavior 40 | Additional details on enrichment of sc.exe with SC Execution alert Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with the correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery) | Enrichment 15 | Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe) 
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that the configuration of a system service was queried. | Telemetry-Tainted Enrichment 22 | Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert) Telemetry from CodeRed showing execution sequence of sc.exe service query for AdobeUpdater on Creeper | Telemetry-Tainted 7 | Enrichment of powershell.exe executing sc.exe as enumeration of services via the command line (tainted by a parent alert on wscript.exe) Telemetry showing powershell.exe executing sc.exe with command-line arguments (tainted by a parent alert on wscript.exe) | Telemetry-Tainted Enrichment-Tainted 19 | Telemetry showing execution of sc.exe to query the AdobeUpdater service on 10.0.0.4 (Creeper) | Telemetry 10 | Telemetry showing execution of sc.exe to query AdobeUpdater service on Creeper (tainted by relationship to threat story) | Telemetry-Tainted 7 |
2.D.2 | Cobalt Strike: 'net start' via cmd | Enrichment of net.exe with correct ATT&CK Technique (System Service Discovery) Telemetry from process tree showing net.exe with command-line arguments | Telemetry Enrichment 25 | Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert) | Telemetry-Tainted 7 | Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net start not specifically shown) Telemetry showing net with command-line arguments | Telemetry-Tainted 7 | Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) (tainted by a parent Injected Shellcode alert) Telemetry showing cmd.exe executing net with command-line arguments | Enrichment-Tainted Telemetry 22 | General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection) Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) | Telemetry-Tainted General Behavior-Configuration Change-Delayed-Tainted 28 | Telemetry showing net.exe with command-line arguments General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe) General Behavior alert for rundll32.exe launching cmd.exe (executing net) | General Behavior Telemetry General Behavior 70 | Excerpt from the Managed Defense Report with additional details about net Excerpt from the Managed Defense Report indicating net was used to enumerate current running services (Specific Behavior) Enrichment of net.exe with Net Start Command Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery) | Enrichment Specific Behavior-Delayed 72 | Process tree within trace 
detection containing cmd.exe executing the net.exe (tainted by a parent alert on Resume Viewer.exe) Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Windows service was manipulated via sc.exe/net.exe tool | Telemetry-Tainted Enrichment 22 | Telemetry showing execution sequence for net.exe with command-line arguments Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing net.exe with command-line arguments | Telemetry-Tainted 7 | Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted Enrichment-Tainted 19 | Telemetry showing net.exe with command-line arguments | Telemetry 10 | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
2.D.1 | Cobalt Strike: 'sc query' via cmd | Enrichment of sc.exe with correct ATT&CK Technique (System Service Discovery); Telemetry from process tree showing sc.exe with command-line arguments | Telemetry Enrichment 25 | Enrichment of sc.exe with condition SC Query Reconnaissance Command (tainted by the parent Script File Created alert) | Enrichment-Tainted-Configuration Change 9 | Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (sc query not specifically shown); Email excerpt from the OverWatch team indicating sc query was a reconnaissance command (General Behavior); Telemetry showing sc with command-line arguments | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing cmd.exe executing sc with command-line arguments; Enrichment of sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) (tainted by a parent Injected Shellcode alert) | Enrichment-Tainted Telemetry 22 | General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period; Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection); Telemetry showing sc.exe with command-line arguments (tainted by parent Malicious File Detection) | Telemetry-Tainted General Behavior-Configuration Change-Delayed-Tainted 28 | General Behavior alert showing that a spawned process (cmd.exe running sc) has been tagged for monitoring because its parent process has a detection (rundll32.exe) | Telemetry General Behavior 40 | Enrichment of sc.exe with SC Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery); Excerpt from the Managed Defense Report indicating sc was used to enumerate current running services (Specific Behavior); Excerpt from the Managed Defense Report with additional details about sc; Additional details from enrichment of sc.exe | Enrichment Specific Behavior-Delayed 72 | Process tree within trace detection containing cmd.exe executing the sc.exe (tainted by a parent alert on Resume Viewer.exe); Enrichment of sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via sc.exe/net.exe tool | Telemetry-Tainted Enrichment 22 | Process tree view of General Behavior alert on suspicious sequence of exploration activities showing sc.exe; Telemetry showing execution sequence for sc.exe with command-line arguments; General Behavior alert on suspicious sequence of exploration activities | Telemetry General Behavior-Delayed 37 | Telemetry showing cmd.exe executing sc with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted 7 | Telemetry showing sc.exe with command-line arguments | Telemetry 10 | Telemetry showing sc.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
12.E.1.8 | Empire: WinEnum module included enumeration of services | | None 0 | | None 0 | | None 0 | | None 0 | Interactive Shell events showing the WinEnum script and the Services function (does not count as a detection due to manual process of pulling events) | None 0 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | | None 0 | | None 0 | Telemetry of execution sequence showing Get-Service invocation | Telemetry 10 | Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery) | Enrichment 15 | | None 0 | | None 0 |
16.H.1 | Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4) | Enrichment of sc.exe executing to query services with correct ATT&CK Technique (System Service Discovery); Telemetry showing module loads from execution of sc.exe to remotely query services on Creeper (10.0.0.4); Telemetry from process tree showing sc.exe execution for the service query | Telemetry Enrichment 25 | Enrichment showing powershell.exe executing sc.exe to query services on Creeper (enriched with condition SC Query Reconnaissance Command, tainted by the parent "Powershell executed remote commands" alert) | Enrichment-Tainted-Configuration Change 9 | Telemetry from process tree showing sc.exe execution to query services on Creeper (tainted by a previous powershell.exe detection, indicated by a red line for high severity); Email excerpt sent by OverWatch team indicating they observed Bob querying for a service on Creeper (Specific Behavior) | Telemetry-Tainted Specific Behavior-Delayed 64 | Telemetry of sc.exe executing with command-line arguments (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | Enrichment of sc.exe execution to query services on Creeper with correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts, tree is initially available unenriched to show the base telemetry); Telemetry showing sc.exe execution to query services on Creeper | Telemetry-Tainted Enrichment-Delayed-Tainted 16 | General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing powershell.exe executing sc.exe with command-line arguments | Telemetry General Behavior 40 | Additional details on enrichment of sc.exe with SC Execution alert; Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with the correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery) | Enrichment 15 | Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe); Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Windows service was manipulated via sc.exe/net.exe tool | Telemetry-Tainted Enrichment 22 | Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert); Telemetry from CodeRed showing execution sequence of sc.exe service query to Creeper | Telemetry-Tainted 7 | Telemetry showing powershell.exe executing sc with command-line arguments (tainted by a parent alert on wscript.exe); Enrichment of sc.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery); General Behavior alert for the sc utility being used to act on remote services (tainted by a parent alert on wscript.exe) | Telemetry-Tainted General Behavior-Tainted Enrichment 49 | Telemetry showing execution of sc.exe to query services on 10.0.0.4 (Creeper) | Telemetry 10 | Telemetry showing execution of sc.exe to query services on Creeper (tainted by relationship to threat story) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | Detection types, score | CounterTack | Detection types, score | CrowdStrike | Detection types, score | Cybereason | Detection types, score | Endgame | Detection types, score | F-Secure | Detection types, score | FireEye | Detection types, score | McAfee | Detection types, score | Microsoft | Detection types, score | PaloAltoNetworks | Detection types, score | RSA | Detection types, score | SentinelOne | Detection types, score |
File Permissions Modification, Defense Evasion (T1222) | 17.B.1 | Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe | Enrichment of takeown.exe execution with tag "Permission modifications"; Telemetry from process tree showing takeown.exe with command-line arguments | Telemetry Enrichment-Configuration Change 22 | Telemetry showing powershell.exe executing takeown.exe (tainted by the parent "New Windows service created" alert) | Telemetry-Tainted 7 | Telemetry from process tree view showing execution of takeown.exe (tainted by a previous powershell.exe detection, indicated by a red line for high severity); Email excerpt sent by OverWatch team indicating they observed takeown.exe executed to bypass Windows logon (General Behavior) | Telemetry-Tainted General Behavior-Delayed 34 | General Behavior alert for takeown.exe performing activity related to swapping an accessibility features binary (tainted by a parent PowerShell alert) | General Behavior-Tainted Telemetry 37 | Telemetry from event tree showing takeown.exe (tainted by parent alerts on powershell.exe) | Telemetry-Tainted 7 | Telemetry showing takeown.exe with command-line arguments; Specific Behavior alert for takeown.exe changing the ownership of an accessibility feature executable; General Behavior alert showing that a spawned process (takeown) has been tagged for monitoring because its parent process has a detection (powershell.exe) | Telemetry Specific Behavior General Behavior 100 | Enrichment of takeown.exe with Takeown Execution alert | Enrichment 15 | Enrichment of takeown.exe with a suspicious indicator that the takeown command was executed to obtain ownership of a file or directory; Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert) | Telemetry-Tainted Enrichment 22 | Telemetry showing takeown.exe execution with magnify.exe in command-line arguments; Process tree view of suspicious PowerShell command-line alert showing tainted relationship to takeown.exe | Telemetry-Tainted 7 | Enrichment of takeown.exe executing with command-line arguments as changing permission or ownership of a file or folder (tainted by a parent alert on cmd.exe); Enrichment of takeown.exe executing with command-line arguments with the correct ATT&CK Technique (File Permissions Modification); Telemetry showing powershell.exe executing takeown with command-line arguments (tainted by a parent alert on cmd.exe) | Telemetry-Tainted Enrichment-Tainted Enrichment 34 | Telemetry showing takeown.exe execution with magnify.exe in command-line arguments | Telemetry 10 | Enrichment showing takeown.exe execution (tainted by prior lateral movement alert by Group ID) | Enrichment-Tainted 12 |
17.B.2 | Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe | Enrichment of icacls.exe execution with tag "Permission modifications"; Telemetry from process tree showing icacls.exe with command-line arguments | Telemetry Enrichment-Configuration Change 22 | Telemetry showing powershell.exe executing icacls.exe (tainted by the parent "New Windows service created" alert) | Telemetry-Tainted 7 | Telemetry from process tree view showing execution of icacls.exe (tainted by a previous powershell.exe detection, indicated by a red line for high severity); Email excerpt sent by OverWatch team indicating they observed icacls.exe executed to bypass Windows logon (General Behavior) | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing icacls.exe executing with command-line arguments (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | Telemetry from event tree showing icacls.exe (tainted by parent alerts on powershell.exe) | Telemetry-Tainted 7 | Telemetry showing icacls.exe with command-line arguments; Specific Behavior alert for icacls.exe changing the permissions of an accessibility feature executable; General Behavior alert showing that a spawned process (icacls) has been tagged for monitoring because its parent process has a detection (powershell.exe) | Telemetry Specific Behavior General Behavior 100 | Enrichment of icacls.exe with Icacls Execution alert | Enrichment 15 | Enrichment of icacls.exe with a suspicious indicator that full access permissions were given to certain users; Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert) | Telemetry-Tainted Enrichment 22 | Telemetry showing icacls.exe execution with magnify.exe in command-line arguments; Process tree view of suspicious PowerShell command-line alert showing tainted relationship to reg.exe query | Telemetry-Tainted 7 | Telemetry showing powershell.exe executing icacls with command-line arguments (tainted by a parent alert on cmd.exe); Enrichment of icacls.exe executing with command-line arguments with the correct ATT&CK Technique (File Permissions Modification) | Telemetry-Tainted Enrichment 22 | Telemetry showing icacls.exe execution with magnify.exe in command-line arguments | Telemetry 10 | Telemetry showing icacls.exe execution (tainted by prior lateral movement alert by Group ID) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | Detection types, score | CounterTack | Detection types, score | CrowdStrike | Detection types, score | Cybereason | Detection types, score | Endgame | Detection types, score | F-Secure | Detection types, score | FireEye | Detection types, score | McAfee | Detection types, score | Microsoft | Detection types, score | PaloAltoNetworks | Detection types, score | RSA | Detection types, score | SentinelOne | Detection types, score |
Masquerading, Defense Evasion (T1036) | 19.A.1 | Empire: File dropped to disk is a renamed copy of the WinRAR binary | Telemetry showing the filemod (file creation) event for recycler.exe; Binary metadata showing recycler.exe is WinRAR.exe based on digital signature and file version information | Telemetry 10 | | None 0 | Telemetry showing SHA256 hash of recycler.exe | Telemetry 10 | Telemetry showing recycler.exe identified as WinRAR via file metadata (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | | None 0 | | None 0 | Parent alert for PowerShell File Write showing tainting of recycler.exe telemetry; Excerpt from the Managed Defense Report of the attacker placing the WinRAR utility on the system as recycler.exe (Specific Behavior); Telemetry showing MD5 hash of recycler.exe | Telemetry-Tainted Specific Behavior-Delayed 64 | Telemetry showing the MD5/SHA256 hash value of recycler.exe | Telemetry 10 | Telemetry showing file creation of recycler.exe by powershell.exe showing hash and signer information as win.rar GmbH; Binary reputation and metadata for recycler.exe showing WinRAR information | Telemetry 10 | Telemetry showing file create/write and hash values of recycler.exe (tainted by a parent alert on wscript.exe) | Telemetry-Tainted 7 | | None 0 | Telemetry showing file write of recycler.exe with file hashes; Telemetry exported from threat story showing recycler.exe file write tainted by prior activity because it was under the same Group ID | Telemetry-Tainted 7 |
16.I.1 | Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4) | Telemetry from process tree showing sc.exe execution setting the AdobeUpdater service description; Telemetry from process tree showing sc.exe execution creating the AdobeUpdater service | Telemetry 10 | Telemetry showing powershell.exe executing sc.exe to create the AdobeUpdater service on Creeper and set its description (tainted by the parent "Powershell executed remote commands" alert) | Telemetry-Tainted 7 | Telemetry from process tree showing sc.exe execution with the AdobeUpdater service description (tainted by a previous powershell.exe detection, indicated by a red line for high severity); Telemetry showing AdobeUpdater service details with binPath pointed to cmd.exe with arguments and service description | Telemetry-Tainted 7 | Telemetry showing sc.exe executing with command-line arguments (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | Telemetry of sc.exe executions to create and set the description of a new service on Creeper (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts) | Telemetry-Tainted 7 | General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing sc.exe with command-line arguments | Telemetry General Behavior 40 | Additional details on enrichment of sc.exe with SC Execution alert; Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with a related ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery) | Enrichment 15 | Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe) | Telemetry-Tainted 7 | Telemetry showing execution sequence of sc.exe AdobeUpdater remote service creation; Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert) | Telemetry-Tainted 7 | Telemetry showing execution of sc.exe with command-line arguments (tainted by a parent alert on wscript.exe) | Telemetry-Tainted 7 | Telemetry showing execution of sc.exe to create the AdobeUpdater service and set its description | Telemetry 10 | Telemetry showing execution of sc.exe to create the AdobeUpdater service and set the description (partially shown one line above; both tainted by prior threat story) | Telemetry-Tainted 7 |
19.B.1 | Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary | Telemetry showing recycler.exe and command-line arguments with arguments indicating it is WinRAR; Specific Behavior alert for recycler.exe masquerading as a renamed WinRAR process | Telemetry Specific Behavior 70 | Enrichment showing recycler.exe creating old.rar (enriched with "Data Exfiltration Archiving", tainted by parent "Powershell executed encoded command" alerts); Telemetry showing recycler.exe with full command-line (tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts) | Enrichment-Tainted-Configuration Change Telemetry-Tainted 16 | Specific Behavior alert showing recycler.exe was identified as WinRAR (tainted by a previous powershell.exe detection, indicated by a red line for high severity); Email excerpt sent by OverWatch team indicating they observed a .vsdx file archived using the renamed RAR binary, recycler.exe (Specific Behavior); Additional alert details showing recycler.exe was signed by win.rar GmbH | Specific Behavior-Tainted Telemetry Specific Behavior-Delayed 124 | Telemetry showing recycler.exe execution (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | Telemetry showing execution of recycler.exe with command-line arguments and creation of old.rar output (tainted by Windows Script Executing PowerShell alert); Specific Behavior alert for the execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar" (tainted by Windows Script Executing PowerShell alert) | Specific Behavior-Tainted Telemetry-Tainted 64 | Telemetry showing recycler.exe metadata, which identified it as WinRAR | Telemetry 10 | Enrichment of -hp command line with Possible Encrypted RAR Archive Command alert (tagged with related ATT&CK Techniques, T1022 - Data Encrypted and T1002 - Data Compressed); Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration); General Behavior alert for Execution from Suspicious Directory; General Behavior alert for File Write To Root Of Recycle Bin; Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration); Excerpt from the Managed Defense Report indicating the attacker executed recycler.exe to create an encrypted RAR file (Specific Behavior) | General Behavior Enrichment Enrichment General Behavior Enrichment Specific Behavior-Delayed 162 | Telemetry showing the execution of recycler.exe with command-line arguments (tainted by a parent alert on cmd.exe); Telemetry showing the creation of old.rar (tainted by a parent alert on cmd.exe) | Telemetry-Tainted 7 | Telemetry showing execution of recycler.exe with command-line arguments for file encryption and compression indicating it is WinRAR; Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown) | Telemetry-Tainted 7 | Telemetry showing recycler.exe execution (tainted by a parent alert on wscript.exe); Enrichment of recycler.exe executing with command-line arguments with a related ATT&CK Technique (Masquerading) | Telemetry-Tainted Enrichment 22 | Telemetry showing execution of recycler.exe with command-line arguments indicating it is WinRAR | Telemetry 10 | Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the same Group ID; Enrichment showing the execution of recycler.exe with process name identified as "Command line RAR" | Enrichment-Tainted 12 |
Technique | Step | Procedures | CarbonBlack | Detection types, score | CounterTack | Detection types, score | CrowdStrike | Detection types, score | Cybereason | Detection types, score | Endgame | Detection types, score | F-Secure | Detection types, score | FireEye | Detection types, score | McAfee | Detection types, score | Microsoft | Detection types, score | PaloAltoNetworks | Detection types, score | RSA | Detection types, score | SentinelOne | Detection types, score |
Service Execution, Execution (T1035) | 16.L.1 | Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4) | Telemetry from process tree showing sc.exe execution to start the AdobeUpdater service on Creeper | Telemetry 10 | Telemetry showing powershell.exe executing sc.exe start AdobeUpdater service on Creeper (tainted by the parent "Powershell executed remote commands" alert); Telemetry showing AdobeUpdater service starting on Creeper (tainted by the parent "New Windows service created" alert) | Telemetry-Tainted 7 | Email excerpt sent by OverWatch team indicating they observed execution of update.vbs following the AdobeUpdater service start (Specific Behavior); Telemetry showing sc start in the process tree view (tainted by a previous powershell.exe detection, indicated by a red line for high severity) | Telemetry-Tainted Specific Behavior-Delayed 64 | Telemetry showing cmd.exe executing update.vbs; Telemetry showing sc.exe executing the service (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | Specific Behavior alert "Service Command Lateral Movement" for the start of AdobeUpdater service on Creeper tagged with correct ATT&CK Technique (T1035 - Service Execution) and Tactic (Execution); Enriched event tree showing enrichment of sc.exe execution with correct ATT&CK Technique (T1035 - Service Execution) and Tactic (Execution) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts, tree is initially available unenriched to show the base telemetry) | Telemetry-Tainted Enrichment-Delayed-Tainted Specific Behavior 76 | General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing sc.exe with command-line arguments; Specific Behavior alert for sc.exe used with parameters typical for lateral movement | Telemetry Specific Behavior General Behavior 100 | Excerpt from the Managed Defense Report showing sc.exe starting the adobeupdater service (Specific Behavior); Enrichment of sc.exe with an alert for SC Execution (tagged with related ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery) | Enrichment Specific Behavior-Delayed 72 | Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe); Enrichment of net.exe with a relevant ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Windows service was manipulated via sc.exe/net.exe tool | Telemetry-Tainted Enrichment 22 | Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert); Telemetry showing service execution on Creeper and new Empire connection to www.freegoogleadsenseinfo.com (C2 domain) (C2 alert rule for BORON domain was added by the vendor earlier in Step 11); Specific Behavior alert showing successful remote AdobeUpdater service execution attempt from CodeRed to Creeper; Telemetry from CodeRed showing execution sequence of sc.exe service start for AdobeUpdater on Creeper | Telemetry-Tainted Specific Behavior 67 | Telemetry showing powershell.exe executing sc with command-line arguments (tainted by a parent alert on wscript.exe); Enrichment of sc.exe executing with command-line arguments with the correct ATT&CK Technique (Service Execution); Telemetry showing cmd.exe executing update.vbs on 10.0.0.4 (Creeper) | Telemetry-Tainted Enrichment 22 | Telemetry showing the execution of update.vbs on 10.0.0.4 (Creeper); Telemetry showing the execution of sc.exe to start the AdobeUpdater service on 10.0.0.4 (Creeper) | Telemetry 10 | Telemetry showing execution of sc.exe to start the AdobeUpdater service on Creeper (tainted by relationship to threat story); Lateral movement alert generated by the remote service start on Creeper | Telemetry-Tainted General Behavior 37 |
Technique | Step | Procedures | CarbonBlack | Detection types, score | CounterTack | Detection types, score | CrowdStrike | Detection types, score | Cybereason | Detection types, score | Endgame | Detection types, score | F-Secure | Detection types, score | FireEye | Detection types, score | McAfee | Detection types, score | Microsoft | Detection types, score | PaloAltoNetworks | Detection types, score | RSA | Detection types, score | SentinelOne | Detection types, score |
System Owner/User Discovery, Discovery (T1033) | 2.B.1 | Cobalt Strike: 'echo' via cmd to enumerate specific environment variables | Telemetry from process tree showing echo with command-line arguments | Telemetry 10 | Telemetry showing echo with command-line arguments (tainted by the parent Script File Created alert) | Telemetry-Tainted 7 | Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (echo not specifically shown); Email excerpt from the OverWatch team indicating echo was a reconnaissance command (General Behavior); Telemetry showing echo with command-line arguments | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing cmd.exe executing echo with command-line arguments (tainted by a parent Injected Shellcode alert) | Telemetry-Tainted 7 | Telemetry showing echo with command-line arguments (tainted by parent Malicious File Detection); General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period; Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection) | Telemetry-Tainted General Behavior-Configuration Change-Delayed-Tainted 28 | General Behavior alert showing that a spawned process (cmd.exe running echo) has been tagged for monitoring because its parent process has a detection (rundll32.exe); Telemetry showing cmd.exe executing the echo command; General Behavior alert for rundll32.exe launching cmd.exe (executing the echo command) | General Behavior Telemetry General Behavior 70 | Excerpt from the Managed Defense Report with additional details about echo; Excerpt from the Managed Defense Report indicating echo was used to enumerate the current username (Specific Behavior); Telemetry showing echo with command-line arguments | Telemetry Specific Behavior-Delayed 67 | Process tree within trace detection containing cmd.exe executing the echo command (tainted by a parent alert on Resume Viewer.exe); Telemetry showing cmd.exe executing the echo command; Enrichment of echo command with a correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) and a suspicious indicator that the command tried to identify the user on the system | Telemetry-Tainted Enrichment 22 | Telemetry showing execution sequence for echo with command-line arguments; Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing echo command | Telemetry-Tainted 7 | Telemetry showing cmd.exe executing echo with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine); Enrichment of cmd.exe executing echo with the correct ATT&CK Technique (System Owner / User Discovery) | Telemetry-Tainted Enrichment 22 | Telemetry showing echo with command-line arguments | Telemetry 10 | Telemetry showing echo with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
20.B.1 | Executed 'whoami' via the cmd persistence mechanism (magnify.exe replaced by cmd.exe) through an RDP connection made to Creeper (10.0.0.4) | Enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery); Telemetry from process tree showing whoami.exe execution | Telemetry Enrichment 25 | Telemetry showing magnify.exe executing whoami.exe (tainted by the parent POS Interactive Login Event alert) | Telemetry-Tainted 7 | Telemetry from process tree showing magnify.exe child process whoami.exe (tainted by pink line indicating critical severity) | Telemetry-Tainted 7 | Specific Behavior alert for whoami.exe execution with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) (tainted by a parent Accessibility Features alert) | Specific Behavior-Tainted Telemetry 67 | Telemetry from event tree showing execution of whoami.exe (tainted by parent alert on magnify.exe); Enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery) (tainted by Windows File Name Mismatch alert, tree is initially available unenriched to show the base telemetry) | Telemetry-Tainted Enrichment-Delayed-Tainted 16 | Enrichment of whoami.exe with a tag identifying the command as enumeration; General Behavior alert showing that a spawned process (whoami) has been tagged for monitoring because its parent process has a detection (magnify.exe); Telemetry showing the execution of whoami | Telemetry Enrichment General Behavior 55 | Telemetry showing whoami.exe executing as a child process of magnify.exe (tainted by parent Accessibility Features Child Process alert); Enrichment of whoami.exe with Whoami Execution alert (tagged with correct ATT&CK Technique, T1033 - System Owner/User Discovery, and Tactic, Discovery) | Telemetry-Tainted Enrichment 22 | Telemetry showing magnify.exe (original name identified as cmd.exe) executing whoami.exe (tainted by a trace detection on magnify.exe); Specific Behavior alert that the whoami command was executed through a masqueraded tool (magnify.exe) | Telemetry-Tainted Specific Behavior 67 | Execution sequence showing whoami.exe executing from magnify.exe; Process tree view of sticky keys binary hijack alert showing tainted relationship to whoami.exe | Telemetry-Tainted 7 | Telemetry showing magnify.exe executing whoami.exe; Enrichment of whoami.exe executing as an enumeration command | Telemetry Enrichment 25 | Telemetry showing whoami.exe execution | Telemetry 10 | Enrichment of whoami command (displays logged on user information) | Enrichment 15 |
12.B.1 | Empire: 'whoami /all /fo list' via PowerShell | Telemetry from process tree showing whoami.exe with command-line arguments; Enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery) | Telemetry Enrichment 25 | Enrichment of whoami.exe with condition Whoami Reconnaissance Command (tainted by parent Script File Created alert) | Enrichment-Tainted-Configuration Change 9 | Email excerpt from the OverWatch team indicating whoami was part of basic reconnaissance activity (General Behavior); OverWatch General Behavior alert and telemetry indicating whoami.exe with command-line arguments was suspicious (tainted by a previous powershell.exe detection, indicated by a red line for high severity) | General Behavior-Delayed-Tainted Telemetry General Behavior-Delayed 61 | Enrichment of whoami.exe executing as Reconnaissance and the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) (tainted by a parent PowerShell alert); Enrichment of whoami.exe executing with labels for Reconnaissance and Accounts discovery | Enrichment-Tainted Telemetry 22 | Telemetry showing whoami.exe with command-line arguments; Enriched event tree showing enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry) | Telemetry-Tainted Enrichment-Tainted-Delayed 16 | General Behavior alert showing that a spawned process (whoami) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing powershell.exe executing whoami.exe with command-line arguments; Enrichment of powershell.exe executing whoami.exe indicating a sign of reconnaissance before privilege escalation | Enrichment Telemetry General Behavior 55 | Enrichment of whoami.exe with Whoami Execution (tagged with correct ATT&CK Technique, T1033 - System Owner/User Discovery, and Tactic, Discovery); Excerpt from the Managed Defense Report indicating whoami.exe was a reconnaissance command used (General Behavior) | Enrichment General Behavior-Delayed 42 | Telemetry showing whoami.exe with command-line arguments (tainted by a parent alert on wscript.exe); Enrichment of whoami.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Owner / User Discovery) and a suspicious indicator that the name of the logged user was discovered | Telemetry-Tainted Enrichment 22 | Telemetry showing execution sequence of powershell.exe executing whoami.exe with command-line arguments; Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process; Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process | Telemetry-Tainted 7 | Telemetry showing powershell.exe executing whoami.exe with command-line arguments (tainted by a parent alert on wscript.exe) | Telemetry-Tainted 7 | Telemetry showing whoami.exe with command-line arguments | Telemetry 10 | Telemetry showing whoami.exe with command-line arguments (the tainting Group ID is not shown but was the search parameter); Continued threat story showing initial compromise alert and powershell.exe tainting whoami.exe | Telemetry-Tainted 7 |
12.E.1.1 | Empire: WinEnum module included enumeration of user information | | None 0 | | None 0 | | None 0 | | None 0 | Interactive Shell events showing the WinEnum script and the Get-UserInfo function (does not count as a detection due to manual process of pulling events) | None 0 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | | None 0 | | None 0 | | None 0 | Indicator of Compromise alert identifying suspicious PowerShell strings as Empire UserInfo | Indicator of Compromise 20 | | None 0 | | None 0 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Standard Cryptographic Protocol (T1032) - Command and Control | 11.B.1 | Empire: Encrypted C2 channel established using HTTPS | Telemetry showing modloads and certificate check | Telemetry 10 | Telemetry showing powershell.exe making a network connection over TCP port 443 (does not count as a detection) | None 0 | Telemetry showing powershell.exe making a network connection over port 443 (does not count as a detection) | None 0 | Telemetry showing powershell.exe making outgoing connection to 192.168.0.5 tagged with SERVICE_HTTP (Hypertext Transfer Protocol Over TLS/SSL (HTTPS)) (tainted by a parent PowerShell alert) Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | Telemetry showing decoded powershell.exe command-line arguments (tainted by parent alert) Telemetry showing connection to letsencrypt.org | Telemetry-Tainted 7 | Specific Behavior alert for PowerShell downloading a significant amount of data using HTTP(S) | Specific Behavior 60 | Excerpt from the Managed Defense Report indicating Empire was configured to communicate over HTTPS (General Behavior) | General Behavior-Delayed 27 | Alert indicating that powershell.exe queried registered cryptographic provider libraries (does not count as a detection) Telemetry showing powershell.exe making a network connection over port 443 (does not count as a detection) | None 0 | Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over an encrypted channel Telemetry within alert showing decoded command-line arguments containing HTTPS | Telemetry-Tainted 7 | | None 0 | Telemetry showing network connections, including over port 443 (does not count as a detection) | None 0 | Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (does not count as a detection) | None 0 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Password Policy Discovery (T1201) - Discovery | 12.E.1.3 | Empire: WinEnum module included enumeration of password policy information | | None 0 | | None 0 | | None 0 | | None 0 | Interactive Shell events showing the WinEnum script and the Password Last Changed function (does not count as a detection due to manual process of pulling events) | None 0 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
System Network Configuration Discovery (T1016) - Discovery | 12.A.2 | Empire: 'ipconfig /all' via PowerShell | Telemetry from process tree showing ipconfig.exe with command-line arguments Enrichment of ipconfig.exe with correct ATT&CK Technique (T1049 - System Network Configuration Discovery) | Telemetry Enrichment 25 | Enrichment of ipconfig.exe with condition Ipconfig All Reconnaissance Command (tainted by parent Script File Created alert) | Enrichment-Tainted-Configuration Change 9 | Email excerpt from the OverWatch team indicating ipconfig was part of basic reconnaissance activity (General Behavior) Telemetry from process tree showing ipconfig.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity) | Telemetry-Tainted General Behavior-Delayed 34 | Enrichment of ipconfig.exe executing with correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) (tainted by a parent PowerShell alert) | Enrichment-Tainted Telemetry 22 | Telemetry showing ipconfig.exe with command-line arguments Event tree view of telemetry showing ipconfig.exe with command-line arguments (tainted by parent PowerShell alerts) | Telemetry-Tainted 7 | General Behavior alert showing that a spawned process (ipconfig) has been tagged for monitoring because its parent process has a detection (powershell.exe) Enrichment of powershell.exe executing ipconfig.exe with a tag identifying the command as enumeration Telemetry showing ipconfig.exe with command line arguments | Enrichment Telemetry General Behavior 55 | Excerpt from the Managed Defense Report indicating ipconfig.exe was a reconnaissance command used (General Behavior) Enrichment of ipconfig.exe with Ipconfig Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery) | Enrichment General Behavior-Delayed 42 | Telemetry showing ipconfig.exe with command-line arguments (tainted by a parent alert on wscript.exe) Enrichment of ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) | Telemetry-Tainted Enrichment 22 | Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process Telemetry showing execution sequence of powershell.exe executing ipconfig.exe with command-line arguments Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process | Telemetry-Tainted 7 | Enrichment of ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery) Telemetry showing powershell.exe executing ipconfig.exe with command-line arguments (tainted by a parent alert on wscript.exe) | Telemetry-Tainted Enrichment 22 | Telemetry showing ipconfig.exe with command-line arguments | Telemetry 10 | Telemetry showing ipconfig.exe with command-line arguments (tainted Group ID not shown but was the search parameter) Threat story showing initial compromise alert and powershell.exe tainting ipconfig.exe | Telemetry-Tainted 7 |
4.B.1 | Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd | Telemetry from process tree showing netsh.exe with command-line arguments Enrichment of netsh.exe with related ATT&CK technique (T1063 - Security Software Discovery) and tag for Potential Windows Firewall Rule Recon | Telemetry Enrichment 25 | Telemetry showing netsh.exe with command-line arguments (tainted by the parent "Powershell Execution Policy ByPass command ran" alert) | Telemetry-Tainted 7 | OverWatch General Behavior alert indicating netsh execution by cmd.exe was suspicious Email excerpt from the OverWatch team indicating netsh was a reconnaissance command (General Behavior) | General Behavior-Delayed Telemetry General Behavior-Delayed 64 | Enrichment of netsh.exe executing with correct ATT&CK Tactic (Discovery) and related Technique (Security Software Discovery) (tainted by a parent Injected Shellcode alert) | Enrichment-Tainted Telemetry 22 | Telemetry from event tree showing netsh with command-line arguments | Telemetry 10 | Telemetry showing netsh.exe with command-line arguments | Telemetry 10 | Enrichment of netsh.exe with Netsh Execution alert (tagged with related ATT&CK Technique, T1063 - Security Software Discovery, and correct Tactic, Discovery) Excerpt from the Managed Defense Report with additional details about netsh Excerpt from the Managed Defense Report indicating netsh was used to obtain network configuration and the configuration profile of the Windows Firewall (Specific Behavior) | Enrichment Specific Behavior-Delayed 72 | Enrichment of netsh.exe with the correct Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the netsh utility manipulated firewall rules Process tree within trace detection showing cmd.exe executing netsh.exe (tainted by a parent alert on cmd.exe) | Telemetry-Tainted Enrichment 22 | Telemetry showing execution sequence for netsh.exe with command-line arguments Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific netsh.exe command not shown) | Telemetry-Tainted 7 | Enrichment of netsh.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery) Telemetry showing cmd.exe executing netsh with command-line arguments | Telemetry Enrichment 25 | Telemetry showing netsh.exe with command-line arguments | Telemetry 10 | Telemetry showing netsh.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
12.A.1 | Empire: 'route print' via PowerShell | Telemetry from process tree showing route.exe with command-line arguments | Telemetry 10 | Enrichment of route.exe with conditions Reconnaissance Tool and Route Spawned with Reconnaissance (tainted by the parent Script File Created alert) | Enrichment-Tainted 12 | Email excerpt from the OverWatch team indicating route print was part of basic reconnaissance activity (General Behavior) Telemetry from process tree showing route.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity) | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing route.exe executing with command-line arguments (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | Telemetry showing route.exe with command-line arguments Event tree view of telemetry showing route.exe with command-line arguments (tainted by parent PowerShell alerts) | Telemetry-Tainted 7 | General Behavior alert showing that a spawned process (route) has been tagged for monitoring because its parent process has a detection (powershell.exe) Enrichment of route.exe indicating that it could be used to print the routing table as part of reconnaissance Telemetry showing route.exe with command-line arguments | Enrichment Telemetry General Behavior 55 | Excerpt from the Managed Defense Report indicating route.exe was a reconnaissance command used (General Behavior) Enrichment of route.exe with Route Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery) | Enrichment General Behavior-Delayed 42 | Telemetry showing route.exe with command-line arguments (tainted by a parent alert on wscript.exe) Enrichment of route.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that routing tables were viewed or manipulated | Telemetry-Tainted Enrichment 22 | Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process Telemetry showing execution sequence of powershell.exe executing route.exe with command-line arguments Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process | Telemetry-Tainted 7 | Telemetry showing powershell.exe executing route.exe with command-line arguments (tainted by a parent alert on wscript.exe) Enrichment of route.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery) | Telemetry-Tainted Enrichment 22 | Telemetry showing route.exe with command-line arguments | Telemetry 10 | Telemetry showing route.exe with command-line arguments (tainted Group ID not shown but was the search parameter) Continued threat story showing initial compromise alert and powershell.exe tainting route.exe Threat story showing partial tree of activity from the initial compromise alert | Telemetry-Tainted 7 |
2.A.2 | Cobalt Strike: 'arp -a' via cmd | Enrichment of arp.exe with related ATT&CK Technique (T1018 - Remote System Discovery) Telemetry from process tree showing arp.exe with command-line arguments | Telemetry Enrichment 25 | Telemetry showing arp.exe with command-line arguments (tainted by the parent Script File Created alert) | Telemetry-Tainted 7 | Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (arp not specifically shown) Telemetry showing arp with command-line arguments Email excerpt from the OverWatch team indicating arp was a reconnaissance command (General Behavior) | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing arp.exe executing within the process tree (tainted by a parent Injected Shellcode alert) Telemetry showing cmd.exe executing arp with command-line arguments Telemetry showing cmd.exe executing arp with command-line arguments | Telemetry-Tainted 7 | General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection) Telemetry showing arp.exe with command-line arguments (tainted by parent Malicious File Detection) | Telemetry-Tainted General Behavior-Configuration Change-Delayed-Tainted 28 | Enrichment of arp.exe indicating its usage can be a sign of reconnaissance General Behavior alert showing that a spawned process (cmd.exe running arp) has been tagged for monitoring because its parent process has a detection (cmd.exe) | Enrichment General Behavior 45 | Excerpt from the Managed Defense Report indicating arp.exe was used to enumerate the network configuration of Nimda (Specific Behavior) Enrichment of arp.exe with Arp Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery) Excerpt from the Managed Defense Report with additional details about arp.exe execution | Enrichment Specific Behavior-Delayed 72 | Telemetry showing cmd.exe executing arp.exe (tainted by a trace detection on Resume Viewer.exe) Enrichment of arp.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the contents of the local ARP cache table was viewed | Telemetry-Tainted Enrichment 22 | Process tree view of General Behavior alert on suspicious sequence of exploration activities showing arp.exe General Behavior alert on suspicious sequence of exploration activities Telemetry showing execution sequence for arp.exe with command-line arguments | Telemetry General Behavior-Delayed 37 | Telemetry showing cmd.exe executing arp with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Enrichment of the execution of arp.exe as possible reconnaissance (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Enrichment of arp.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery) Enrichment of the execution of arp.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted Enrichment Enrichment-Tainted 34 | Telemetry showing arp.exe with command-line arguments | Telemetry 10 | Telemetry showing arp.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
2.A.1 | Cobalt Strike: 'ipconfig /all' via cmd | Telemetry from process tree showing ipconfig.exe with command-line arguments Enrichment of ipconfig.exe with correct ATT&CK Technique (T1016 - System Network Configuration Discovery) | Telemetry Enrichment 25 | Enrichment of ipconfig.exe with condition Ipconfig All Reconnaissance Command (tainted by the parent Script File Created alert) | Enrichment-Tainted-Configuration Change 9 | Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (ipconfig not specifically shown) Telemetry showing ipconfig with command-line arguments Email excerpt from the OverWatch team indicating ipconfig was a reconnaissance command (General Behavior) | Telemetry-Tainted General Behavior-Delayed 34 | Enrichment of ipconfig.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) (tainted by a parent Injected Shellcode alert) Telemetry showing cmd.exe executing ipconfig with command-line arguments | Enrichment-Tainted Telemetry 22 | General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection) Unusual Child Processes of RunDLL32 General Behavior alert caused by ipconfig.exe (tainted by parent Malicious File Detection) Telemetry showing ipconfig.exe with command-line arguments (tainted by parent Malicious File Detection) | General Behavior-Tainted Telemetry-Tainted General Behavior-Configuration Change-Delayed-Tainted 55 | General Behavior alert for rundll32.exe launching cmd.exe (executing ipconfig) General Behavior alert showing that a spawned process (cmd.exe running ipconfig) has been tagged for monitoring because its parent process has a detection (rundll32.exe) Enrichment of ipconfig.exe with a tag identifying the command as enumeration | General Behavior Enrichment General Behavior 75 | Excerpt from the Managed Defense Report with additional details about ipconfig.exe execution Excerpt from the Managed Defense Report indicating ipconfig.exe was used to enumerate the network configuration of Nimda (Specific Behavior) Enrichment of ipconfig.exe with Ipconfig Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery) | Enrichment Specific Behavior-Delayed 72 | Telemetry showing cmd.exe executing ipconfig.exe (tainted by a trace detection on Resume Viewer.exe) Enrichment of ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the ipconfig utility displayed configuration information | Telemetry-Tainted Enrichment 22 | Process tree view of General Behavior alert on suspicious sequence of discovery techniques General Behavior alert on suspicious sequence of discovery techniques Telemetry showing execution sequence for ipconfig.exe with command-line arguments | Telemetry General Behavior-Delayed 37 | Enrichment of ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery) Enrichment of the execution of ipconfig.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Telemetry showing cmd.exe executing ipconfig with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) General Behavior alert for a commonly abused process (cmd.exe) spawning out of rundll32.exe (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted Enrichment Enrichment-Tainted General Behavior-Tainted 61 | Telemetry showing ipconfig.exe with command-line arguments | Telemetry 10 | Telemetry showing ipconfig.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
12.E.1.11 | Empire: WinEnum module included enumeration of network adapters | | None 0 | | None 0 | | None 0 | | None 0 | Interactive Shell events showing the WinEnum script and the Network Adapters function (does not count as a detection due to manual process of pulling events) | None 0 | Enrichment of powershell.exe making a WMI query with a tag identifying the command as WMI enumerating adapters Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry Enrichment 25 | | None 0 | | None 0 | Telemetry of execution sequence showing Get-NetInfo invocation | Telemetry 10 | Indicator of Compromise alert identifying suspicious PowerShell strings as Empire NetInfo | Indicator of Compromise 20 | | None 0 | Additional telemetry showing powershell.exe WMI queries for network adapter and configuration information Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
User Execution (T1204) - Execution | 1.A.1 | Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda) | Telemetry from process tree showing Resume Viewer.exe execution sequence General Behavior alert showing execution of Resume Viewer.exe as a Newly Executed Application | Telemetry General Behavior 40 | Telemetry showing Resume Viewer.exe running (tainted by the parent Script File Created alert) | Telemetry-Tainted 7 | Machine Learning General Behavior alert showing execution of Resume Viewer.exe and detection as malicious | General Behavior Telemetry 40 | General Behavior alert for explorer.exe executing Resume Viewer.exe, identified as a known malicious file General Behavior alert identifying Resume Viewer.exe as unknown malware Telemetry showing Resume Viewer.exe running as a process (tainted by parent alert on explorer.exe) | General Behavior General Behavior Telemetry-Tainted 67 | Event tree view showing Malicious File Detection General Behavior alert on Resume Viewer.exe execution Malicious File Detection General Behavior alert on Resume Viewer.exe execution and surrounding telemetry | General Behavior Telemetry-Tainted 37 | Telemetry showing the execution of Resume Viewer.exe | General Behavior Telemetry 40 | Telemetry showing Resume Viewer.exe being executed by explorer.exe General Behavior alert showing Resume Viewer.exe labeled as Malware (alert triggered after configuration change) | General Behavior-Configuration Change Telemetry 37 | Telemetry showing that Resume Viewer.exe was executed by Explorer.exe by user Debbie | Telemetry 10 | Exploit Guard audit of Resume Viewer.exe Telemetry showing execution of pdfhelper.cmd and update.dat Telemetry showing execution of decoy PDF by MicrosoftPdfReader.exe Telemetry showing Resume Viewer.exe binary and process metadata Telemetry showing Resume Viewer.exe binary reputation Telemetry showing execution of Resume Viewer.exe from explorer.exe and dropping pdfhelper.cmd and autoupdate.bat Telemetry showing write of pdfhelper.cmd Telemetry showing write of autoupdate.bat | Telemetry 10 | Telemetry showing Resume Viewer.exe running as a process | Telemetry 10 | Telemetry showing Resume Viewer.exe execution | Telemetry 10 | Telemetry from process tree showing execution of Resume Viewer.exe General Behavior alert for execution of Resume Viewer.exe as a suspicious file | Telemetry General Behavior 40 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Data from Network Shared Drive (T1039) - Collection | 18.B.1 | Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) | | None 0 | Telemetry showing PowerShell copying .vsdx file from network share to Recycle Bin (tainted by the parent "Powershell executed encoded commands" alert) | Telemetry-Tainted 7 | | None 0 | | None 0 | | None 0 | Telemetry showing the copy of the .vsdx file from the network drive to the Recycle Bin | Telemetry 10 | | None 0 | | None 0 | Execution sequence showing PowerShell Copy-Item cmdlet execution (does not count as a detection) | None 0 | Telemetry showing a file event for the .vsdx file from the network shared drive on 10.0.0.5 (Conficker) (tainted by a parent alert on wscript.exe) Specific Behavior alert for a script engine reading files from network locations (tainted by a parent alert on wscript.exe) | Telemetry-Tainted Specific Behavior-Tainted 64 | | None 0 | Exported telemetry of threat story (taints event) showing .vsdx file copy from network shared drive on Conficker | Telemetry-Tainted 7 |
9.B.1 | Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) | | None 0 | | None 0 | | None 0 | Telemetry showing a port 445 connection between Nimda (10.0.1.6) and the source of the file on Conficker (10.0.0.5) (does not count as detection) | None 0 | Telemetry showing .vsdx file creation, but no indication of network shared drive (does not count as a detection) | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | Telemetry showing a file read event for the .vsdx file from the network shared drive | Telemetry 10 | | None 0 | Telemetry showing .vsdx file access from WormShare on the network shared drive | Telemetry 10 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Process Injection (T1055) - Defense Evasion, Privilege Escalation | 3.C.1 | Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe | Telemetry showing CreateRemoteThread API call used for thread injection into cmd.exe Telemetry showing open handles and thread injection into cmd.exe Specific Behavior alert mapped to correct ATT&CK Technique (T1055 - Process Injection) | Telemetry Specific Behavior 70 | Specific Behavior alert for DLL injection detection labeled with Process Hijacking and Privilege Escalation (tainted by the parent "Powershell process created" alert) | Specific Behavior-Tainted 57 | Telemetry showing process tree view of Process Injection Specific Behavior alert and OverWatch General Behavior alert tainted by parent detections (orange line indicates medium severity) Specific Behavior Process Injection alert mapped to correct ATT&CK Technique (Process Injection) and Tactic (Defense Evasion) as well as OverWatch General Behavior alert identifying behavior as suspicious | Specific Behavior-Tainted Telemetry General Behavior-Delayed-Tainted 91 | Specific Behavior alert for powershell.exe injecting into cmd.exe Specific Behavior alert for PowerShell injection into cmd.exe mapped to ATT&CK Tactic (Defense Evasion) and Technique (Process Injection) (tainted by a parent PowerShell alert) | Specific Behavior-Tainted 57 | Specific Behavior alert for process injection into cmd.exe | Specific Behavior 60 | Specific Behavior alert for PowerShell opening a handle to a system process with access rights typical for a known PowerShell injection pattern, identified as a sign of code injection | Specific Behavior 60 | Continued excerpt from the Managed Defense Report showing the artifact evidence of a process injection from PowerShell.exe to cmd.exe Excerpt from the Managed Defense Report identifying a process injection from PowerShell.exe to cmd.exe (Specific Behavior) | Specific Behavior-Delayed 57 | Specific Behavior alert for a process injection from PowerShell into cmd.exe based on both connecting to a named pipe, tagged with the correct ATT&CK Technique (Process Injection) and Tactics (Defense Evasion, Privilege Escalation) | Specific Behavior 60 | Telemetry showing process injection activity audited by Exploit Guard Enrichment of powershell.exe injecting into cmd.exe Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and elevated powershell.exe (subsequent powershell.exe is the injecting process) Specific Behavior alert showing powershell.exe process injection | Enrichment-Tainted Specific Behavior-Delayed 69 | Specific Behavior alert for PowerShell injecting shellcode (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Specific Behavior-Tainted 57 | Telemetry showing powershell.exe creating a remote thread into cmd.exe | Telemetry 10 | Telemetry showing powershell.exe injecting into cmd.exe (Group ID tainted this event but was not shown in this view) | Telemetry-Tainted 7 |
8.D.1 | Cobalt Strike: Screen capture capability involved process injection into explorer.exe | Telemetry showing "open handle" crossproc on explorer.exe by the process | Telemetry 10 | Telemetry showing remote thread being created into explorer.exe | Telemetry 10 | Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890) | Telemetry 10 | Specific Behavior alert for Malicious code injection to explorer.exe with correct ATT&CK Tactic (Defense Evasion, Privilege Escalation) and Technique (Process Injection) Specific Behavior alert for process injection explorer.exe rolled into chain of injections | Specific Behavior 60 | Event tree showing process injection Specific Behavior alert (last alert in the view, ID 2561310) (tainted by parent Malicious File Detection and process injection alerts and labeled with the correct ATT&CK Technique, Process Injection, and Tactics, Defense Evasion and Execution) | Specific Behavior-Tainted 57 | | None 0 | | None 0 | Specific Behavior alert for code injection into explorer.exe, tagged with the correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection) Specific Behavior alert for code injection into explorer.exe (tainted by a trace detection on cmd.exe) | Specific Behavior-Tainted 57 | Enrichment of execution sequence showing cmd.exe injecting into explorer.exe (labeled "Inject to process") | Enrichment 15 | Enrichment of cmd.exe injecting into explorer.exe as code injection via CreateThread | Enrichment 15 | Floating Code module generated from DLL injection showing introspection into the module's characteristics (does not count as a detection) | None 0 | Telemetry showing powershell.exe injecting into explorer.exe (Group ID tainted this event but was not shown in this view) | Telemetry-Tainted 7 |
5.A.1 | Cobalt Strike: Credential dump capability involved process injection into lsass | Telemetry showing cross process events, specifically a handle to open thread into lsass.exe | Telemetry 10 | General Behavior alert showing DDNA Scan for svchost.exe General Behavior alert additional details on DDNA Scan for svchost.exe, including that it appears to inject code into another process General Behavior alert details on DDNA Scan for svchost.exe, including that it appears to inject code into another process | General Behavior 30 | Enrichment showing ReflectiveDllOpenLsass and ProcessHollowingDetected events | Enrichment 15 | Specific Behavior alert with correct ATT&CK Technique (Process Injection) and Tactics (Defense Evasion, Privilege Escalation) Data within alert showing loaded powerkatz.dll as floating executable code | Specific Behavior 60 | Telemetry showing process accesses into lsass.exe | Telemetry 10 | | None 0 | | None 0 | | None 0 | Alert on credential dump showing injecting svchost.exe process (process with syringe) that was used to access lsass.exe Telemetry showing svchost.exe accessing and extracting credentials from lsass.exe Specific Behavior alert for process injection into lsass.exe (inner failure message in screenshot not relevant to tested functionality) | Telemetry-Tainted Specific Behavior-Delayed 64 | A Specific Behavior alert for a suspicious handle being opened to lsass.exe, tagged with a related ATT&CK Technique (Credential Dumping) | Specific Behavior 60 | | None 0 | | None 0 |
5.A.2 | Cobalt Strike: Hash dump capability involved process injection into lsass.exe | Specific Behavior alert showing correct ATT&CK Technique (Process Injection) Alert showing correct ATT&CK Technique (Process Injection) within process tree Telemetry showing cross process events, specifically a new thread and open handle into lsass.exe | Telemetry Specific Behavior 70 | Specific Behavior alert showing process hijacking detection for lsass.exe thread create (tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts) General Behavior alert showing DDNA Scan for svchost.exe General Behavior alert details on DDNA Scan for svchost.exe, including that it appears to inject code into another process | Specific Behavior-Tainted General Behavior 87 | Enrichment showing ReflectiveDllOpenLsass, ProcessHollowingDetected, and LsassInjectedCode events | Enrichment 15 | Specific Behavior alert for svchost.exe injecting into lsass.exe, labeled as Malicious Code Injection Details of Specific Behavior alert for svchost.exe process injection into lsass.exe with correct ATT&CK Tactic (Defense Evasion, Privilege Escalation) and Technique (Process Injection) Data within alert showing loaded hashdumpx64.dll as floating executable code | Specific Behavior 60 | Telemetry showing process injection into lsass.exe (tainted by parent Process Injection alert) Specific Behavior alert mapped to the correct ATT&CK Technique (Process Injection) | Telemetry-Tainted Specific Behavior 67 | Enrichment of svchost.exe injecting a thread into lsass.exe with a tag identifying thread injection | Enrichment 15 | | None 0 | | None 0 | Alert on prior credential dump tainting svchost.exe process (process with syringe indicating process injection) that was used to access lsass.exe Telemetry showing svchost.exe accessing and extracting credentials from lsass.exe Specific Behavior alert for process injection into lsass.exe (inner failure message in screenshot not relevant to tested functionality) | Telemetry-Tainted Specific Behavior-Delayed 64 | Telemetry showing a code injection into lsass.exe (tainted by a parent process injection alert on cmd.exe) | Telemetry-Tainted 7 | | None 0 | Telemetry showing powershell.exe invoking a remote thread into lsass.exe (Group ID tainted this event but was not shown in this view) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Remote System Discovery (T1018); Discovery | 13.A.1 | Empire: 'net group "Domain Computers" /domain' via PowerShell | Enrichment of net.exe with related ATT&CK Technique (Account Discovery) Telemetry showing process tree with net.exe and command-line arguments | Telemetry Enrichment 25 | Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent Script File Created alert) | Enrichment-Tainted-Configuration Change 9 | Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted by previous powershell.exe detection by red line indicating high severity) Telemetry from process tree showing net.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity) Email excerpt from the OverWatch team indicating net group was part of additional malicious discovery activity (General Behavior) | Telemetry-Tainted Enrichment-Tainted General Behavior-Delayed 46 | General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Remote System Discovery) and Technique (Discovery) Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert) | General Behavior-Tainted Telemetry 37 | Telemetry from event tree showing net.exe with command-line arguments (tainted by parent alert) Enriched event tree showing enrichment of net.exe with related ATT&CK Technique (T1069 - Permission Groups Discovery) and correct Tactic (Discovery) (tainted by parent alert) | Telemetry-Tainted Enrichment-Delayed-Tainted 16 | General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe) Telemetry showing powershell.exe executing net.exe with command-line arguments | Telemetry General Behavior 40 | Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1018 - Remote System Discovery, and Tactic, Discovery) Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior) | Enrichment General Behavior-Delayed 42 | Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information of domain computers and controllers Telemetry showing powershell.exe executing net.exe (tainted by parent alert on wscript.exe) | Telemetry-Tainted Enrichment 22 | Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown) Telemetry showing execution of net.exe with command-line arguments | Telemetry-Tainted General Behavior-Delayed 34 | Enrichment of the execution of net.exe and net1.exe as an enumeration command (tainted by a parent alert on wscript.exe) Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe) | Telemetry-Tainted Enrichment-Tainted 19 | Telemetry showing execution of net.exe and command-line arguments | Telemetry 10 | Telemetry showing execution of net.exe and command-line arguments (tainted Group ID not shown but was the search parameter) | Telemetry-Tainted 7 |
4.A.1 | Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd | Enrichment of net.exe with related ATT&CK technique (Account Discovery) Telemetry from process tree showing net.exe with command-line arguments | Telemetry Enrichment 25 | Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent "Powershell Execution Policy ByPass command ran" alert) | Enrichment-Tainted-Configuration Change 9 | OverWatch General Behavior alert for net group Additional process tree view showing net.exe enrichment Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior) | Enrichment Telemetry General Behavior-Delayed General Behavior-Delayed 79 | Telemetry showing net.exe executing with command-line arguments General Behavior alert for net.exe executing as part of a suspicious execution chain Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert) | General Behavior-Tainted Telemetry 37 | Enriched event tree showing enrichment of net with related ATT&CK Technique (T1069 - Permission Groups Discovery) and correct Tactic (Discovery) Telemetry from event tree showing net with command-line arguments | Telemetry Enrichment-Delayed 22 | Telemetry showing net.exe with command-line arguments Enrichment of net.exe indicating that it was run with commands commonly used for reconnaissance | Enrichment Telemetry 25 | Excerpt from the Managed Defense Report indicating net group was a reconnaissance command (General Behavior) Excerpt from the Managed Defense Report with additional details about net group Enrichment of net.exe with Net Group Command Execution alert (tagged with related ATT&CK Technique, T1069 - Permission Groups Discovery, and correct Tactic, Discovery) | Enrichment General Behavior-Delayed 42 | Enrichment of net.exe with the correct Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information about domain computers and controllers Process tree within trace detection showing cmd.exe executing net.exe (tainted by a parent alert on cmd.exe) | Telemetry-Tainted Enrichment 22 | Telemetry showing execution sequence for net.exe with command-line arguments Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific net.exe command not shown) | Telemetry-Tainted 7 | Telemetry showing cmd.exe executing net with command-line arguments Enrichment of the execution of net.exe as the execution of an enumeration command using net or net1 Enrichment of the execution of net.exe as the execution of an enumeration command Enrichment of cmd.exe executing net with a related ATT&CK Technique (System Network Connections Discovery) | Telemetry Enrichment Enrichment Enrichment 55 | Telemetry showing net.exe with command-line arguments | Telemetry 10 | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
4.A.2 | Cobalt Strike: 'net group "Domain Computers" /domain' via cmd | Telemetry from process tree showing net.exe with command-line arguments Enrichment of net.exe with related ATT&CK technique (Account Discovery) | Telemetry Enrichment 25 | Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent "Powershell Execution Policy ByPass command ran" alert) | Enrichment-Tainted-Configuration Change 9 | Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) Additional process tree view showing net.exe enrichment OverWatch General Behavior alert for net group Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior) | Enrichment Telemetry General Behavior-Delayed General Behavior-Delayed 79 | Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert) Telemetry showing net.exe executing with command-line arguments General Behavior alert for net.exe executing as part of a suspicious execution chain | General Behavior-Tainted Telemetry 37 | Enriched event tree showing enrichment of net group command mapped to related ATT&CK Technique (T1069 - Permission Groups Discovery) and correct Tactic (Discovery) Telemetry from event tree showing net with command-line arguments | Telemetry Enrichment-Delayed 22 | Telemetry showing net.exe with command-line arguments Enrichment of net.exe indicating that it was run with commands commonly used for reconnaissance | Enrichment Telemetry 25 | Excerpt from the Managed Defense Report with additional details about net group Enrichment of net.exe with Net Group Command Execution alert (tagged with related ATT&CK Technique, T1069 - Permission Groups Discovery, and correct Tactic, Discovery) Excerpt from the Managed Defense Report indicating net group was a reconnaissance command (General Behavior) | Enrichment General Behavior-Delayed 42 | Enrichment of net.exe with the correct Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information about domain computers and controllers Process tree within trace detection showing cmd.exe executing net.exe (tainted by a parent alert on cmd.exe) | Telemetry-Tainted Enrichment 22 | Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific net.exe command not shown) Telemetry showing execution sequence for net.exe with command-line arguments | Telemetry-Tainted 7 | Enrichment of the execution of net.exe as the execution of an enumeration command using net or net1 Telemetry showing cmd.exe executing net with command-line arguments | Telemetry Enrichment 25 | Telemetry showing net.exe with command-line arguments | Telemetry 10 | Event tree showing net.exe (tainted by launch from process lineage previously identified as malicious) Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Standard Application Layer Protocol (T1071); Command and Control | 6.B.1 | Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com | Telemetry showing network connection over TCP port 80 to the C2 domain (could be used in conjunction with modload to determine protocol) Telemetry showing modloads with winhttp.dll loaded | Telemetry 10 | Telemetry showing outbound C2 traffic over HTTP to www.freegoogleadsense.info (C2 domain) | Telemetry 10 | | None 0 | Enrichment of rundll32.exe making an unusual network connection over the "HTTP Port" with the correct ATT&CK Tactic (Command and Control) and the Technique (Standard Application Layer Protocol) (tainted by a parent Injected Shellcode alert) Enrichment of rundll32.exe showing connection over port 80 and the amount of transmitted/received bytes (tainted by a parent Injected Shellcode alert) Enrichment of rundll32.exe showing winhttp.dll module loaded (tainted by a parent Injected Shellcode alert) | Enrichment-Tainted 12 | | None 0 | Telemetry showing rundll32 making HTTP connections | Telemetry 10 | Excerpt from the Managed Defense Report identifying C2 traffic communicating over HTTP to www.freegoogleadsenseinfo.com (C2 domain) (General Behavior) Telemetry showing HTTP GET requests to 192.168.0.4 (C2 server) | Telemetry General Behavior-Delayed 37 | Telemetry showing TCP port 80 connections to freegoogleadsenseinfo.com (C2 domain) Telemetry showing that the winhttp.dll module was loaded into the process (PID 6276) that made the network connection | Telemetry 10 | | None 0 | Telemetry showing port 80 command and control traffic as well as the loading of winhttp.dll | Telemetry 10 | | None 0 | | None 0 |
1.C.1 | Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com | | None 0 | Telemetry showing DNS queries to freegoogleadsenseinfo.com (C2 domain) from svchost.exe | Telemetry 10 | Email excerpt from the OverWatch team indicating they observed suspected command and control or data exfiltration via DNS (Specific Behavior) Telemetry showing DNS requests Specific Behavior alert showing abnormally large DNS requests (mapped to related ATT&CK Technique, Exfiltration Over Alternative Protocol, and Tactic, Exfiltration) and OverWatch General Behavior alert indicating that traffic was suspicious | Specific Behavior General Behavior-Delayed Telemetry Specific Behavior-Delayed 154 | Telemetry showing rundll32.exe making DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected Shellcode alert) Process tree showing rundll32.exe making DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected Shellcode alert) | Telemetry-Tainted 7 | Telemetry showing DNS connections Telemetry showing DNS requests from rundll32.exe (tainted by parent Malicious File Detection alert) | Telemetry-Tainted 7 | Telemetry showing rundll32 making DNS queries | Telemetry 10 | Indicator of Compromise alert for DNS lookups (tagged with correct ATT&CK Technique, T1071 - Standard Application Layer Protocol, and Tactic, Command and Control) Excerpt from the Managed Defense Report indicating command and control occurred via DNS (Specific Behavior) | Indicator of Compromise Specific Behavior-Delayed 77 | | None 0 | Telemetry showing DNS requests to the C2 domain (custom query) | Telemetry-Configuration Change 7 | | None 0 | | None 0 | Telemetry showing DNS requests to the C2 domain (tainted by relationship to threat story) | Telemetry-Tainted 7 |
14.A.1 | Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP | | None 0 | Telemetry showing port 8080 HTTP GET request to C2 domain for file wdbypass (tainted by the parent "Powershell executed encoded commands" alert) | Telemetry-Tainted 7 | Decoded PowerShell (outside of capability) showing download request over HTTP (does not count as a detection) Telemetry showing encoded PowerShell command that decodes to show HTTP traffic (does not count as a detection) | None 0 | Specific Behavior alert showing decoded PowerShell with download request of wdbypass over HTTP port 8080 Specific Behavior alert for powershell.exe mapped to the correct ATT&CK Tactic (Command and Control) and Technique (Standard Application Layer Protocol) (tainted by a parent PowerShell alert) | Specific Behavior-Tainted 57 | Telemetry showing decoded PowerShell with download request of wdbypass over port 8080 | Telemetry 10 | Telemetry showing powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass | Telemetry 10 | Enrichment of HTTP GET request with PowerShell URL Request alert (tagged with correct ATT&CK Technique, T1071 - Standard Application Layer Protocol, and Tactic, Command and Control) | Enrichment 15 | Telemetry showing encoded PowerShell command that could be decoded outside the capability (does not count as a detection) | None 0 | Telemetry showing decoded PowerShell script with download HTTP request of wdbypass over port 8080 and tainted relationship to alert on suspicious PowerShell command-line arguments | Telemetry-Tainted 7 | Telemetry showing decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability) | None 0 | Telemetry showing decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability) | None 0 | | None 0 |
11.B.1 | Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com | Telemetry showing modloads and certificate check | Telemetry 10 | Telemetry showing powershell.exe making a network connection over TCP port 443 (does not count as a detection) | None 0 | Telemetry showing powershell.exe making a network connection over port 443 (does not count as a detection) | None 0 | Telemetry showing powershell.exe making outgoing connection to 192.168.0.5 tagged with SERVICE_HTTP (Hypertext Transfer Protocol Over TLS/SSL (HTTPS)) (does not count as a detection) Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | Telemetry showing decoded powershell.exe command-line arguments (tainted by parent alert) Telemetry showing connection to letsencrypt.org | Telemetry-Tainted 7 | An alert for PowerShell downloading a significant amount of data using HTTP(S) (does not count as a detection since it was based on port) Telemetry showing a network connection over TCP port 443 to www.freegoogleadsenseinfo.com (C2 domain) | Telemetry 10 | Excerpt from the Managed Defense Report indicating Empire was configured to communicate over HTTPS (General Behavior) | General Behavior-Delayed 27 | Alert indicating that powershell.exe queried registered cryptographic provider libraries (does not count as a detection) Telemetry showing powershell.exe making a network connection over port 443 (does not count as a detection) | None 0 | Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over an encrypted channel Alert for C2 domain indicator of compromise Telemetry within alert showing decoded command-line arguments containing HTTPS | Telemetry-Tainted Indicator of Compromise-Configuration Change 24 | | None 0 | Telemetry showing network connections, including over port 443 | Telemetry 10 | Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (does not count as a detection) | None 0 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Network Share Discovery (T1135); Discovery | 12.E.1.9.2 | Empire: WinEnum module included enumeration of mapped network drives | | None 0 | | None 0 | | None 0 | | None 0 | Interactive Shell events showing the WinEnum script and the Mapped Network Drives function (does not count as a detection due to manual process of pulling events) | None 0 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | | None 0 | | None 0 | | None 0 | Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery) | Enrichment 15 | | None 0 | Additional telemetry showing powershell.exe WMI queries for logical disk information Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter) | Telemetry-Tainted 7 |
12.E.1.9.1 | Empire: WinEnum module included enumeration of available shares | | None 0 | | None 0 | | None 0 | | None 0 | Interactive Shell events showing the WinEnum script and the Available Shares function (does not count as a detection due to manual process of pulling events) | None 0 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | | None 0 | | None 0 | | None 0 | Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery) | Enrichment 15 | | None 0 | | None 0 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Data Encoding (T1132); Command and Control | 1.C.1 | Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding | | None 0 | | None 0 | Telemetry within an alert showing encoded DNS requests (tainted by parent Exfiltration alert) | Telemetry-Tainted 7 | Telemetry showing rundll32.exe making encoded DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected Shellcode alert) Process tree showing rundll32.exe making encoded DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected Shellcode alert) | Telemetry-Tainted 7 | | None 0 | Telemetry showing rundll32 making encoded DNS queries | Telemetry 10 | Telemetry showing encoded DNS requests (tainted by parent Cobalt Strike DNS Beacon alert) | Telemetry-Tainted 7 | | None 0 | | None 0 | | None 0 | | None 0 | Telemetry showing stream of DNS requests with encoded data Telemetry showing DNS query for freegoogleadsenseinfo.com (C2 domain) (tainted by relationship to threat story) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Remote Desktop Protocol (T1076); Lateral Movement | 20.A.1 | RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism | | None 0 | Telemetry showing connection to Creeper (10.0.0.4) on port 3389 | Telemetry 10 | Telemetry showing logon type 10 (remote interactive logon) for Kmitnick on Creeper | Telemetry 10 | Telemetry of connection to port 3389 on Creeper (10.0.0.4) Enrichment of RDP connection to Creeper (10.0.0.4) identified as using RDP Port and related ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port, Standard Application Layer Protocol) | Enrichment Telemetry 25 | Telemetry showing connection to Creeper (10.0.0.4) on port 3389 | Telemetry 10 | Enrichment of a Remote Desktop connection indicating a successful login to Remote Desktop Services | Enrichment 15 | Enrichment of TCP port 3389 connection with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - Remote Desktop Protocol, and Tactic, Lateral Movement) Excerpt from the Managed Defense Report indicating Remote Desktop Protocol was used to connect to Creeper (Specific Behavior) | Enrichment Specific Behavior-Delayed 72 | | None 0 | Telemetry showing svchost.exe starting terminal service session on Creeper from CodeRed (10.0.1.5) Telemetry showing Kmitnick RDP logon from CodeRed to Creeper | Telemetry 10 | Telemetry showing an inbound connection to Creeper (10.0.0.4) on port 3389 | Telemetry 10 | | None 0 | | None 0 |
6.C.1 | Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5) | Telemetry showing rdpclip.exe running Telemetry showing network connection over TCP port 3389 to 10.0.0.5 (Conficker) Enrichment of rdpclip.exe events with correct ATT&CK Technique (Remote Desktop Protocol) | Telemetry Enrichment 25 | Enrichment of outbound TCP port 3389 (RDP) connection with Lateral Movement and Remote Share Access (tainted by parent "Windows command prompt invoked" alert) Telemetry showing inbound TCP port 3389 connection to 10.0.0.5 (Conficker) | Enrichment-Tainted-Configuration Change Telemetry 19 | Telemetry showing logon type 10 (interactive remote login) as user George@shockwave on 10.0.0.5 (Conficker) Telemetry showing a network connection to 10.0.0.5 (Conficker) over TCP port 3389 Email excerpt from the OverWatch team indicating suspicious communications over 3389 (RDP) were observed (General Behavior) | Telemetry General Behavior-Delayed 37 | Telemetry showing cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) (tainted by a parent Injected Shellcode alert, listed as Owner process) Telemetry showing cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) with Remote Interactive Logon Type Telemetry showing rdpclip.exe executing on 10.0.0.5 (Conficker) | Telemetry-Tainted 7 | Telemetry showing Type 10 (interactive remote) login event by user George on Conficker Event tree view of telemetry showing port 3389 connection to 10.0.0.5 (Conficker) (tainted by parent Process Injection alert) | Telemetry-Tainted 7 | Telemetry showing rundll32.exe making network connections to 10.0.0.5 (Conficker) over port 3389 | Telemetry 10 | Enrichment of RDP connection from rundll32.exe with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - Remote Desktop Protocol, and Tactic, Lateral Movement) | Enrichment 15 | Telemetry showing a connection to 10.0.0.5 (Conficker) over TCP port 3389 Enrichment of rundll32.exe (the process that made the network connection) with the correct ATT&CK Tactic (Lateral Movement) and the Technique (Remote Desktop Protocol) | Telemetry Enrichment 25 | Graph showing movement from Debbie account to George Telemetry showing execution sequence for cmd.exe connection over RDP to 10.0.0.5 (Conficker) Telemetry showing user logon activity on 10.0.0.5 (Conficker) showing George with a logon type 10 RemoteInteractive logon event Telemetry showing execution sequence on 10.0.0.5 (Conficker) showing George logon | Telemetry 10 | Telemetry showing cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) (tainted by a parent process injection alert on cmd.exe) General Behavior alert for an unexpected process using the RDP port (tainted by a parent process injection alert on cmd.exe) | Telemetry-Tainted General Behavior-Tainted 34 | Telemetry showing cmd.exe connecting over port 3389 (RDP) to 10.0.0.5 (Conficker) | Telemetry 10 | Telemetry showing port 3389 connection (tainted by relationship to threat story shown in Group ID) | Telemetry-Tainted 7 |
10.B.1 | RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism | Enrichment of rdpclip.exe with correct ATT&CK Technique (Remote Desktop Protocol) Telemetry from process tree showing rdpclip.exe running as user Jesse | Telemetry Enrichment 25 | Enrichment of TCP port 3389 (RDP) connection to 10.0.0.5 (Conficker) with conditions Lateral Movement and Remote Share Access (tainted by the parent "Windows command prompt invoked" alert) | Enrichment-Tainted-Configuration Change 9 | Telemetry showing user logon by Jesse to Conficker with type 10 (interactive logon) Telemetry showing logged-on user activity, including the use of rdpclip.exe Email excerpt from the OverWatch team indicating suspicious communications over 3389 (RDP) were observed (General Behavior) | Telemetry General Behavior-Delayed 37 | Telemetry showing rundll32.exe process used to proxy connection over port 3389 from Nimda (10.0.1.6) to Conficker (10.0.0.5) (tainted by a parent Injected Shellcode alert) Telemetry of logon session for Jesse from Nimda (10.0.1.6) to Conficker (10.0.0.5) with Remote Interactive Logon Type Telemetry showing a TCP port 3389 connection to Conficker (10.0.0.5) | Telemetry-Tainted 7 | Telemetry showing remote connections over port 3389 to 10.0.0.5 (Conficker) Telemetry showing Type 10 (interactive) logon for Jesse | Telemetry 10 | Telemetry showing a RemoteInteractive connection over port 3389 to Conficker (10.0.0.5) | Telemetry 10 | Telemetry showing Logon Type 10 (interactive) event for Jesse logging on to Conficker Excerpt from Managed Defense Report indicating account Jesse was used to logon via Remote Desktop Protocol (Specific Behavior) Enrichment of port 3389 connection with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - Remote Desktop Protocol, and Tactic, Lateral Movement) | Enrichment Telemetry Specific Behavior-Delayed 82 | Enrichment of the rundll32.exe that made the network connection with the correct ATT&CK Tactic (Lateral Movement) and Technique (Remote Desktop Protocol) Telemetry showing a connection over port 3389 to Conficker (10.0.0.5) (tainted by parent alert on rundll32.exe) Telemetry showing a remote interactive logon for Jesse to Conficker (10.0.0.5) | Telemetry-Tainted Enrichment 22 | Telemetry showing successful port 3389 connection to Conficker (10.0.0.5) | Telemetry 10 | Enrichment of the network connection over port 3389 with the correct ATT&CK Technique (Remote Desktop Protocol) Telemetry showing a successful incoming connection to Conficker (10.0.0.5) over port 3389 | Telemetry Enrichment 25 | | None 0 | Threat group identified as malicious, including rundll32.exe (PID 184) proxying the port 3389 connection (port 3389 connection not specifically shown in this view, but it identifies the rundll32.exe process tainting the connection by Group ID) Telemetry showing connection over port 3389 to 10.0.0.5 (Conficker) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Scheduled Task (T1053); Execution, Persistence, Privilege Escalation | 10.A.2 | Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32 | Telemetry from process tree showing updater.dll executed by rundll32.exe Telemetry from process tree showing svchost.exe parent of rundll32.exe process running with "-k netsvcs -p -s Schedule" arguments | Telemetry 10 | Telemetry showing svchost.exe executing rundll32.exe (tainted by parent "Sponsor process started V2" alert) | Telemetry-Tainted 7 | Telemetry showing rundll32.exe executing updater.dll (tainted by the parent OverWatch alert) | Telemetry-Tainted 7 | Telemetry showing rundll32.exe executing update.dat (tainted by a parent Injected Shellcode alert) Parent alert for Injected shellcode into rundll32.exe | Telemetry-Tainted 7 | Telemetry showing rundll32.exe executing updater.dll (tainted by Malicious File Detection alert) Telemetry showing rundll32.exe executing updater.dll (tainted by Process Injection alert) | Telemetry-Tainted 7 | Telemetry showing rundll32 starting updater.dll, tainted by an "abnormal rundll32 launch" alert | Telemetry 10 | Excerpt from Managed Defense Report indicating the Resume Viewer Update Checker scheduled task executed updater.dll with rundll32.exe (Specific Behavior) Parent Rundll32 Execution alert that tainted updater.dll telemetry (tagged with related ATT&CK Technique, T1085 - Rundll32, and Tactic, Defense Evasion, Execution; does not include specific Scheduled Task information) Telemetry showing rundll32.exe executing updater.dll | Telemetry-Tainted Specific Behavior-Delayed 64 | Telemetry showing rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule" | Telemetry 10 | Telemetry showing execution sequence for svchost.exe parent of rundll32.exe process running with "-k netsvcs -p -s Schedule" arguments | Telemetry 10 | Telemetry showing rundll32.exe executing updater.dll Telemetry showing svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule" | Telemetry 10 | Telemetry showing rundll32.exe executing updater.dll | Telemetry 10 | Telemetry showing rundll32.exe executing updater.dll Group ID query showing both autoupdate.bat and updater.dll persistence execution | Telemetry 10 |
7.C.1 | Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll) | Specific Behavior alert mapped to correct ATT&CK Technique (T1053 - Scheduled Task) Telemetry showing process tree containing schtasks.exe and full command a task creation | Telemetry Specific Behavior 70 | Specific Behavior alert on \"Schtasks with create command\" for schtasks.exe run from cmd.exe | Specific Behavior Telemetry 70 | Email excerpt from OverWatch team indicating they observed a scheduled task establishing persistence (Specific Behavior) Telemetry showing creation of the scheduled task General Behavior alert from OverWatch indicating scheduled task creation was suspicious (tainted by previous cmd.exe detection by orange line indicating medium severity) | Telemetry General Behavior-Delayed-Tainted Specific Behavior-Delayed 91 | Telemetry showing the Resume Viewer Update Checker scheduled task Enrichment of schtasks.exe with the correct ATT&CK Tactic (Persistence) | Enrichment Telemetry 25 | Specific Behavior alert for scheduled task creation mapped to correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence) (tainted by parent Malicious File Detection alert) Enriched event tree showing enrichment of scheduled task with correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence) (tainted by parent Malicious File Detection, tree is initially available unenriched to show the base telemetry) Enrichment of scheduled task from persistence hunt | Enrichment Telemetry-Tainted Enrichment-Delayed-Tainted Specific Behavior-Tainted 88 | Telemetry showing schtasks.exe with command-line arguments scheduling a task for persistence | Telemetry 10 | Excerpt from the Managed Defense Report indicating updater.dll persisted through a scheduled task (Specific Behavior) Excerpt from the Managed Defense Report with additional details about schtask Enrichment of schtasks.exe with Scheduled Task Activity alert (tagged with correct 
ATT&CK Technique, T1053 - Scheduled Task, and Tactic, Execution, Persistence, Privilege Escalation) | Enrichment Specific Behavior-Delayed 72 | Specific Behavior alert for a task being created that runs an executable (via rundll32) under system rights at Windows logon, tagged with the correct ATT&CK Tactics (Execution, Persistence, Privilege Escalation) and Technique (Scheduled Task) Telemetry showed cmd.exe creating the "Resume Viewer Update Checker" scheduled task via schtasks.exe (tainted by a trace detection on cmd.exe) | Telemetry-Tainted Specific Behavior 67 | Telemetry showing schtasks.exe with command-line arguments scheduling a task for persistence Alert for low-reputation DLL persisting through rundll32.exe as a scheduled task | Telemetry Specific Behavior-Delayed 67 | Enrichment of schtasks.exe creating the Resume Viewer Update Checker scheduled task with the correct ATT&CK Technique (Scheduled Task) Telemetry showing schtasks.exe creating the scheduled task (tainted by a parent process injection alert on cmd.exe) Specific Behavior alert for a commonly abused host process scheduling a task (tainted by a parent process injection alert on cmd.exe) Specific Behavior alert for the creation of a new scheduled task (tainted by a parent process injection alert on cmd.exe) | Telemetry-Tainted Specific Behavior-Tainted Specific Behavior-Tainted Enrichment 136 | Telemetry showing the schtask.exe and command-line arguments | Telemetry 10 | Telemetry showing schtask.exe and associated command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | Detection (Score) | CounterTack | Detection (Score) | CrowdStrike | Detection (Score) | Cybereason | Detection (Score) | Endgame | Detection (Score) | F-Secure | Detection (Score) | FireEye | Detection (Score) | McAfee | Detection (Score) | Microsoft | Detection (Score) | PaloAltoNetworks | Detection (Score) | RSA | Detection (Score) | SentinelOne | Detection (Score) |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Data Staged (Collection; T1074) | 18.B.1 | Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (`C:\$Recycle.Bin`) on CodeRed (10.0.1.5) | Specific Behavior alert on the file write of the .vsdx file in the Recycle Bin (showing red severity score, mapped to correct ATT&CK Technique, T1074 - Data Staged); Telemetry showing creation of the .vsdx file in the Recycle Bin | Telemetry Specific Behavior 70 | Telemetry showing PowerShell copying .vsdx file from network share to Recycle Bin (tainted by the parent "Powershell executed encoded commands" alert) | Telemetry-Tainted 7 | Email excerpt sent by OverWatch team indicating they observed the .vsdx file being copied to Recycle Bin for staging (Specific Behavior); Telemetry showing the .vsdx being written into the Recycle Bin (event_SimpleName of OoxmlFileWritten) | Telemetry Specific Behavior-Delayed 67 | Telemetry of file create/write of vsdx (tainted by a parent PowerShell alert, listed as Owner process) | Telemetry-Tainted 7 | Telemetry showing the file creation of the .vsdx file in the Recycle Bin; Event tree showing creation of the .vsdx file (tainted by parent alerts on powershell.exe) | Telemetry-Tainted 7 | Telemetry showing the copy of the .vsdx file from the network drive to the Recycle Bin; Telemetry showing a file create event for the .vsdx file in the Recycle Bin | Telemetry 10 | Specific Behavior alert for File Write to Root of Recycle Bin; Additional telemetry showing file write of .vsdx with PowerShell File Write alert; Telemetry showing powershell.exe file write of .vsdx to the Recycle Bin with PowerShell File Write alert | Telemetry-Tainted Specific Behavior 67 | Specific Behavior alert for PowerShell creating a file in the Recycle Bin, tagged with the correct ATT&CK Tactic (Collection) and Technique (Data Staged); Telemetry showing file creation in the Recycle Bin (tainted by parent alert on cmd.exe) | Telemetry-Tainted Specific Behavior 67 | Execution sequence showing PowerShell Copy-Item cmdlet execution (does not count as a detection) | None 0 | Telemetry showing file read and write events for the .vsdx file from the network shared drive on 10.0.0.5 (Conficker) to the Recycle Bin (tainted by a parent alert on wscript.exe) | Telemetry-Tainted 7 | | None 0 | Exported telemetry of threat story (taints event) showing .vsdx file copy and write | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | Detection (Score) | CounterTack | Detection (Score) | CrowdStrike | Detection (Score) | Cybereason | Detection (Score) | Endgame | Detection (Score) | F-Secure | Detection (Score) | FireEye | Detection (Score) | McAfee | Detection (Score) | Microsoft | Detection (Score) | PaloAltoNetworks | Detection (Score) | RSA | Detection (Score) | SentinelOne | Detection (Score) |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Application Window Discovery (Discovery; T1010) | 8.C.1 | Cobalt Strike: Keylogging capability included residual enumeration of application windows | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Application Window Discovery (T1010) | 15.A.1 | Empire: Built-in keylogging module included residual enumeration of application windows | | None 0 | | None 0 | Telemetry showing decoded PowerShell script containing the API call GetForegroundWindow | Telemetry 10 | | None 0 | | None 0 | Telemetry showing powershell.exe executing the GetForegroundWindow method | Telemetry 10 | | None 0 | | None 0 | | None 0 | Telemetry showing decoded PowerShell script containing the API call GetForegroundWindow; Indicator of Compromise alert identifying a PowerShell Empire script logging keys pressed, time, and the active window | Telemetry Indicator of Compromise 30 | | None 0 | | None 0 |
Technique | Step | Procedures | CarbonBlack | Detection (Score) | CounterTack | Detection (Score) | CrowdStrike | Detection (Score) | Cybereason | Detection (Score) | Endgame | Detection (Score) | F-Secure | Detection (Score) | FireEye | Detection (Score) | McAfee | Detection (Score) | Microsoft | Detection (Score) | PaloAltoNetworks | Detection (Score) | RSA | Detection (Score) | SentinelOne | Detection (Score) |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts (Defense Evasion, Persistence, Privilege Escalation, Initial Access; T1078) | 16.B.1 | Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick | Telemetry showing process tree with five different net.exe logon attempts, including a success; Telemetry showing successful logon via net.exe | Telemetry 10 | Telemetry showing explorer.exe writing `\\conficker\PIPE\srvsvc` (tainted by the parent "FileExts Registry Key modified" alert); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert) | Telemetry-Tainted 7 | OverWatch General Behavior alert indicating successful net use connection by Kmitnick was suspicious (would be tainted by previous powershell.exe detection by orange line indicating medium severity in process tree view that is not shown); Telemetry from process tree showing successful net.exe connection using valid credentials of Kmitnick (tainted by previous powershell.exe detection by red line indicating high severity. The vendor noted the process tree view and severities change as detections occur.) | Telemetry-Tainted General Behavior-Delayed-Tainted 31 | Enrichment of a logon attempt via net.exe using the valid credentials of user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert) | Enrichment-Tainted Telemetry 22 | Enriched event tree showing enrichment of net.exe with related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry); Enrichment of successful net.exe connection (tainted by parent PowerShell alert) | Enrichment-Tainted Telemetry-Tainted Enrichment-Delayed-Tainted 28 | Telemetry showing a logon event for user Kmitnick on Conficker (10.0.0.5); Telemetry showing net.exe logon attempt | Telemetry 10 | Enrichment of net.exe logon attempt by Kmitnick with Net Use Command Execution alert; Telemetry showing successful logon of user Kmitnick | Enrichment Telemetry 25 | Telemetry showing a logon attempt via net.exe (tainted by a parent alert on powershell.exe); Telemetry showing a login event on Conficker (10.0.0.5) for user Kmitnick | Telemetry-Tainted 7 | Telemetry showing 10.0.1.5 (CodeRed) system accessed resources on 10.0.0.5 (Conficker); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content); Telemetry showing user Kmitnick login activity on 10.0.0.5 (Conficker); Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert) | Telemetry-Tainted 7 | Enrichment of an lsass.exe event with the correct ATT&CK Technique (Valid Accounts); Telemetry showing an event for the logon credentials being validated by the DC (tainted by a parent alert on wscript.exe); Telemetry showing a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) using valid credentials for user Kmitnick (tainted by a parent alert on wscript.exe) | Telemetry-Tainted Enrichment 22 | Telemetry showing logon attempts via net.exe using valid credentials of user Kmitnick | Telemetry 10 | Telemetry showing net.exe logon attempts, the last of which using valid credentials for user Kmitnick (tainted by relationship to threat story); Telemetry showing net.exe logon attempts and corresponding exit codes | Telemetry-Tainted 7 |
Valid Accounts (T1078) | 10.B.1 | RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse | Enrichment of rdpclip.exe with correct ATT&CK Technique (Remote Desktop Protocol); Telemetry from process tree showing rdpclip.exe running as user Jesse | Telemetry Enrichment 25 | Telemetry showing explorer.exe running as Jesse | Telemetry 10 | Telemetry showing user logon by Jesse to Conficker | Telemetry 10 | Telemetry of logon session for Jesse from Nimda (10.0.1.6) to Conficker (10.0.0.5) with Remote Interactive Logon Type | Telemetry 10 | Telemetry showing userinit.exe running as Jesse (tainted by parent "Start Folder Persistence" alert) | Telemetry-Tainted 7 | Telemetry showing a RemoteInteractive connection as Jesse over port 3389 to Conficker (10.0.0.5) | Telemetry 10 | Excerpt from Managed Defense Report indicating account Jesse was used to logon to Conficker as part of Lateral Movement (Specific Behavior); Telemetry showing Logon Type 10 (interactive) event for Jesse logging on to Conficker | Telemetry Specific Behavior-Delayed 67 | Telemetry showing a remote interactive logon for Jesse to Conficker (10.0.0.5) | Telemetry 10 | Telemetry showing local user account Jesse first and last seen logons on Conficker | Telemetry 10 | Telemetry showing userinit.exe as well as explorer.exe spawn as the user Jesse | Telemetry 10 | Telemetry showing "unregmp2.exe /FirstLogon" (associated with user logon); Telemetry showing user name "Jesse J" within Machine Properties | Telemetry 10 | Telemetry showing last logged on user identified as Jesse | Telemetry 10 |
Valid Accounts (T1078) | 16.D.1 | Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick | Telemetry showing process tree with logon using valid account credentials | Telemetry 10 | Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert) | Telemetry-Tainted 7 | Telemetry showing successful net use connection by Kmitnick in the process tree view (tainted by previous powershell.exe detection by red line indicating high severity) | Telemetry-Tainted 7 | General Behavior alert for net.exe conducting suspicious activity (tainted by a parent PowerShell alert) | General Behavior-Tainted Telemetry 37 | Enriched event tree showing enrichment of net.exe with related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry); Enrichment of successful net.exe connection (tainted by parent PowerShell alert) | Enrichment-Tainted Telemetry-Tainted Enrichment-Delayed-Tainted 28 | Telemetry showing a logon event for user Kmitnick on Creeper (10.0.0.4); Telemetry showing net.exe with command-line arguments; Enrichment of the net.exe connection using valid credentials of Kmitnick with an alert for possible lateral movement | Enrichment Telemetry 25 | Excerpt from the Managed Defense Report indicating the attacker mounting the C$ on creeper with the kmitnick account (Specific Behavior); Enrichment of net1.exe logon attempt by Kmitnick with Net Use Command Execution alert | Enrichment Specific Behavior-Delayed 72 | Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on powershell.exe) | Telemetry-Tainted 7 | Telemetry from query showing successful Kmitnick logon event for Creeper; Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert); Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by parent alert on PowerShell script with suspicious content) | Telemetry-Tainted 7 | Telemetry showing a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick (tainted by a parent alert on wscript.exe); Telemetry showing an event for a successful login by user Kmitnick (tainted by a parent alert on wscript.exe) | Telemetry-Tainted 7 | Telemetry showing logon attempts via net.exe using valid credentials of user Kmitnick | Telemetry 10 | Telemetry showing a net.exe logon attempt using valid credentials for user Kmitnick (tainted by relationship to threat story) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | Detection (Score) | CounterTack | Detection (Score) | CrowdStrike | Detection (Score) | Cybereason | Detection (Score) | Endgame | Detection (Score) | F-Secure | Detection (Score) | FireEye | Detection (Score) | McAfee | Detection (Score) | Microsoft | Detection (Score) | PaloAltoNetworks | Detection (Score) | RSA | Detection (Score) | SentinelOne | Detection (Score) |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Brute Force (Credential Access; T1110) | 16.B.1 | Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying | Telemetry showing process tree with five different net.exe logon attempts, including a success; Enrichment of the individual net.exe logon attempts, successful logons mapped to related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) | Telemetry Enrichment-Configuration Change 22 | Telemetry showing explorer.exe writing `\\conficker\PIPE\srvsvc` (tainted by the parent "FileExts Registry Key modified" alert); Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with the account Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed remote commands" alert) | Enrichment-Tainted Telemetry-Tainted 19 | Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally (General Behavior); OverWatch General Behavior alert indicating successful net use connection by Kmitnick was suspicious (would be tainted by previous powershell.exe detection by orange line indicating medium severity in process tree view that is not shown); Telemetry from process tree showing successful net.exe connection by Kmitnick (tainted by previous powershell.exe detection by red line indicating high severity. The vendor noted the process tree view and severities change as detections occur.) | Telemetry-Tainted General Behavior-Delayed-Tainted General Behavior-Delayed 58 | Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert) | Enrichment-Tainted Telemetry 22 | Enriched event tree showing enrichment of net.exe with related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry); Telemetry showing event tree with all 5 net commands associated with brute force failures and eventual success (tainted by parent PowerShell alert); Enrichment of successful net.exe connection with "Mounting Hidden Share" and Lateral Movement tags (tainted by parent PowerShell alert) | Enrichment-Tainted Telemetry-Tainted Enrichment-Delayed-Tainted 28 | Telemetry showing net.exe logon attempt | Telemetry Enrichment 25 | Enrichment of net.exe with Net Use Command Execution alert (tagged with related ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement); Telemetry showing successful logon of user Kmitnick | Enrichment Telemetry 25 | Telemetry showing a logon attempt via net.exe (tainted by a parent alert on powershell.exe); Specific Behavior alert for powershell.exe performing a potential brute force password hack via the net utility | Telemetry-Tainted Specific Behavior 67 | Specific Behavior alert for brute force attempt to remote SMB shares; Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content); Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert) | Telemetry-Tainted Specific Behavior-Delayed 64 | Telemetry showing an event for the logon credentials being validated by the DC (tainted by a parent alert on wscript.exe); Telemetry showing a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as local Kmitnick (tainted by a parent alert on wscript.exe) | Telemetry-Tainted 7 | Telemetry showing logon attempts via net.exe and command-line arguments | Telemetry 10 | Telemetry showing net.exe logon attempts (tainted by relationship to threat story); Telemetry showing net.exe logon attempts and corresponding exit codes | Telemetry-Tainted 7 |
Brute Force (T1110) | 16.A.1 | Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda | Enrichment of the individual net.exe logon attempts with tag "Credential Access using Admin Shares - Failed Attempts"; Telemetry showing process tree with four different net.exe logon attempts | Telemetry Enrichment-Configuration Change 22 | Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert); Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert); Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Bob (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert); Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Frieda (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert) | Enrichment-Tainted 12 | Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally (General Behavior); Telemetry showing net.exe logon attempts; Telemetry showing details for the logon attempt into 10.0.1.4 (Morris) showing UserLogonFlags_decimal is equal to 6 (attempt for local admin) and UserLogonFailed (no distinction between authentication failure and authorization failure); Process tree view of OverWatch General Behavior alerts indicating net.exe commands were suspicious (net.exe command details not specifically shown, tainted by previous powershell.exe detection by red line indicating high severity); Telemetry showing details for the logon attempt into 10.0.1.6 (Nimda) showing UserLogonFlags_decimal is equal to 6 (attempt for local admin) and UserLogonFailed (no distinction between authentication failure and authorization failure) | Telemetry General Behavior-Delayed-Tainted General Behavior-Delayed 61 | Enrichment of net.exe execution showing logon attempts for the user Bob with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert); Enrichment of net.exe execution showing logon attempts for the user Frieda with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert); Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert); Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert); Enrichment of net.exe execution with related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert) | Enrichment-Tainted Telemetry 22 | Enriched event tree showing enrichment of net.exe with related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry); Enrichment of each net.exe connection attempt (tainted by parent PowerShell alert) | Enrichment-Tainted Telemetry-Tainted Enrichment-Delayed-Tainted 28 | Telemetry showing net.exe logon attempts | Telemetry Enrichment 25 | Enrichment of net.exe with Net Use Command Execution alert (showing logon attempts for the user Bob; tagged with related ATT&CK Technique, T1077 - Windows Admin Share, and Tactic, Lateral Movement); Enrichment of net.exe with Net Use Command Execution alert (showing logon attempts for the user Kmitnick; tagged with related ATT&CK Technique, T1077 - Windows Admin Share, and Tactic, Lateral Movement); Enrichment of net.exe with Net Use Command Execution alert (showing logon attempts for the user Frieda; tagged with related ATT&CK Technique, T1077 - Windows Admin Share, and Tactic, Lateral Movement); Excerpt from the Managed Defense Report indicating the attacker attempted to access systems using four accounts (General Behavior); Enrichment of net.exe with Net Use Command Execution alert (showing logon attempts for the user Kmitnick; tagged with related ATT&CK Technique, T1077 - Windows Admin Share, and Tactic, Lateral Movement); Telemetry showing failed logon attempt for Kmitnick | Enrichment Telemetry-Configuration Change General Behavior-Delayed 49 | Specific Behavior alert for powershell.exe performing a potential brute force password hack via the net utility; Telemetry showing powershell.exe executing repeated logon attempts via net.exe (tainted by a parent alert on powershell.exe) | Telemetry-Tainted Specific Behavior 67 | Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content); Specific Behavior alert for brute force attempt to remote SMB shares; Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert); System access history from CodeRed to Nimda and Morris; Execution sequence showing net.exe logon failure to Morris due to WebDAV fallback authentication attempt over port 80 to the C2 server | Telemetry-Tainted Specific Behavior-Delayed 64 | General Behavior alert for a sensitive administrative shares mapping with unexpected parent; Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) as local Kmitnick (tainted by a parent alert on wscript.exe); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Frieda (tainted by a parent alert on wscript.exe); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Bob (tainted by a parent alert on wscript.exe) | Telemetry-Tainted General Behavior 37 | Telemetry showing logon attempts via net.exe and command-line arguments | Telemetry 10 | Telemetry showing net.exe logon attempts and corresponding exit codes; Telemetry showing net.exe logon attempts (tainted by relationship to threat story) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | Detection (Score) | CounterTack | Detection (Score) | CrowdStrike | Detection (Score) | Cybereason | Detection (Score) | Endgame | Detection (Score) | F-Secure | Detection (Score) | FireEye | Detection (Score) | McAfee | Detection (Score) | Microsoft | Detection (Score) | PaloAltoNetworks | Detection (Score) | RSA | Detection (Score) | SentinelOne | Detection (Score) |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Screen Capture (Collection; T1113) | 8.D.1 | Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie | Telemetry showing modloads and crossprocess events (does not count as a detection) | None 0 | Telemetry showing remote thread being created into explorer.exe (does not count as a detection); DDNA JSON output showing the process had the capability to capture screen shots (does not count as a detection; DDNA scan was manually initiated) | None 0 | Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890) (does not count as a detection) | None 0 | Alert for explorer.exe loading a Meterpreter agent (does not count as detection); Alert showing loaded screenshotx64.dll module (does not count as a detection) | None 0 | Strings output extracted from Process Injection alert, showing BitBlt and CreateCompatibleBitmap that could be associated with screen capture, but no evidence of execution (does not count as a detection) | None 0 | | None 0 | | None 0 | | None 0 | Enrichment of explorer.exe with ScreenshotTaken | Enrichment-Configuration Change 12 | Enrichment of the execution of a specific API call using screen capture and suspicious activity | Enrichment 15 | Floating Code module generated from DLL injection showing multiple jpeg components (does not count as a detection) | None 0 | | None 0 |
Technique | Step | Procedures | CarbonBlack | Detection (Score) | CounterTack | Detection (Score) | CrowdStrike | Detection (Score) | Cybereason | Detection (Score) | Endgame | Detection (Score) | F-Secure | Detection (Score) | FireEye | Detection (Score) | McAfee | Detection (Score) | Microsoft | Detection (Score) | PaloAltoNetworks | Detection (Score) | RSA | Detection (Score) | SentinelOne | Detection (Score) |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Create Account (Persistence; T1136) | 7.A.1 | Added user Jesse to Conficker (10.0.0.5) through RDP connection | Telemetry showing Registry modifications for new user Jesse; Enrichment of lsass.exe with tag "Create Accounts using GUI" | Telemetry Enrichment-Configuration Change 22 | Child event of Specific Behavior alert showing new account added to local admins group; Specific Behavior alert for "New user account created" and event showing account name was Jesse | Specific Behavior-Configuration Change 57 | Telemetry showing creation of the user Jesse with the user RID 000003E8; Telemetry showing user RID 000003E8 (corresponding to the user Jesse) added to the admin group (00000220), a well-known security identifier; Telemetry showing group membership of the user Jesse, including Remote (0000022B), Admins (00000220), and Users (00000221), which are well-known security identifiers | Telemetry 10 | Telemetry showing lsass.exe creating a Registry key for user Jesse | Telemetry 10 | | None 0 | Telemetry showing the creation of the new user Jesse | Telemetry 10 | Excerpt from the Managed Defense Report showing the creation of the user Jesse (Specific Behavior); Telemetry showing creation of user Jesse | Telemetry Specific Behavior-Delayed 67 | Telemetry showing creation of user account Jesse | Telemetry 10 | Telemetry showing creation of user account Jesse | Telemetry-Configuration Change 7 | Telemetry showing mmc.exe creating a Registry key for user Jesse; Enrichment of the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Create Account) | Telemetry Enrichment 25 | | None 0 | Telemetry showing creation of user account Jesse | Telemetry 10 |
Technique | Step | Procedures | CarbonBlack | Detection (Score) | CounterTack | Detection (Score) | CrowdStrike | Detection (Score) | Cybereason | Detection (Score) | Endgame | Detection (Score) | F-Secure | Detection (Score) | FireEye | Detection (Score) | McAfee | Detection (Score) | Microsoft | Detection (Score) | PaloAltoNetworks | Detection (Score) | RSA | Detection (Score) | SentinelOne | Detection (Score) |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
System Information Discovery (Discovery; T1082) | 2.E.2 | Cobalt Strike: 'net config workstation' via cmd | Enrichment of net.exe with correct ATT&CK Technique (System Information Discovery); Telemetry from process tree showing net.exe with command-line arguments | Telemetry Enrichment 25 | Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert) | Telemetry-Tainted 7 | Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net config not specifically shown); Email excerpt from the OverWatch team indicating net config was a reconnaissance command (General Behavior); Telemetry showing net with command-line arguments | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing cmd.exe executing net.exe with command-line arguments; Enrichment of net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) (tainted by a parent Injected Shellcode alert) | Telemetry Enrichment-Tainted 22 | General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period; Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection); Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) | Telemetry-Tainted General Behavior-Configuration Change-Delayed-Tainted 28 | General Behavior alert for rundll32.exe launching cmd.exe (executing net); Enrichment of net.exe indicating it is commonly used for reconnaissance; General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe); Telemetry showing net.exe with command-line arguments | General Behavior Enrichment Telemetry General Behavior 85 | Excerpt from the Managed Defense Report indicating net config was a reconnaissance command (General Behavior); Enrichment of net.exe with Net Config Command Execution alert (tagged with correct ATT&CK Technique, T1082 - System Information Discovery, and Tactic, Discovery); Excerpt from the Managed Defense Report with additional details about net | Enrichment General Behavior-Delayed 42 | Process tree within trace detection containing cmd.exe executing the net.exe (tainted by a parent alert on Resume Viewer.exe); Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) and a suspicious indicator that system configuration info was queried | Telemetry-Tainted Enrichment 22 | Telemetry showing execution sequence for net.exe with command-line arguments; Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing net.exe with command-line arguments | Telemetry-Tainted 7 | Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine); Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine); Enrichment of cmd.exe executing net with the correct ATT&CK Technique (System Information Discovery) | Telemetry-Tainted Enrichment Enrichment-Tainted 34 | Telemetry showing net.exe with command-line arguments | Telemetry 10 | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
System Information Discovery (T1082) | 2.E.1 | Cobalt Strike: 'systeminfo' via cmd | Telemetry from process tree showing systeminfo.exe; Enrichment of systeminfo.exe with correct ATT&CK Technique (System Information Discovery) | Telemetry Enrichment 25 | Telemetry showing systeminfo.exe (tainted by the parent Script File Created alert) | Telemetry-Tainted 7 | Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (systeminfo not specifically shown); OverWatch General Behavior alert indicating systeminfo.exe was suspicious; Email excerpt from the OverWatch team indicating systeminfo was a reconnaissance command (General Behavior); Telemetry showing systeminfo | Telemetry-Tainted General Behavior-Delayed General Behavior-Delayed 61 | Enrichment of systeminfo.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) (tainted by a parent Injected Shellcode alert); Telemetry showing cmd.exe executing systeminfo | Enrichment-Tainted Telemetry 22 | General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period; Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection); Telemetry showing systeminfo.exe (tainted by parent Malicious File Detection) | Telemetry-Tainted General Behavior-Configuration Change-Delayed-Tainted 28 | Enrichment of systeminfo.exe indicating it could be used for reconnaissance.
General Behavior alert showing that a spawned process (cmd.exe running systeminfo) has been tagged for monitoring because its parent process has a detection (rundll32.exe) | Enrichment General Behavior 45 | Enrichment of systeminfo.exe with Systeminfo Execution alert (tagged with correct ATT&CK Technique, T1082 - System Information Discovery, and Tactic, Discovery) Excerpt from the Managed Defense Report with additional details about systeminfo Excerpt from the Managed Defense Report indicating systeminfo was a reconnaissance command used to obtain system details (Specific Behavior) | Enrichment Specific Behavior-Delayed 72 | Process tree within trace detection containing cmd.exe executing the systeminfo.exe (tainted by a parent alert on Resume Viewer.exe) Enrichment of systeminfo.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) and a suspicious indicator that system configuration info was queried | Telemetry-Tainted Enrichment 22 | Telemetry showing execution sequence for systeminfo.exe Process tree view of General Behavior alert on suspicious sequence of exploration activities showing systeminfo.exe General Behavior alert on suspicious sequence of exploration activities | Telemetry General Behavior-Delayed 37 | Enrichment of cmd.exe executing systeminfo with the correct ATT&CK Technique (System Information Discovery) Enrichment of the execution of systeminfo.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Telemetry showing cmd.exe executing systeminfo with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted Enrichment Enrichment-Tainted 34 | Telemetry showing systeminfo.exe | Telemetry 10 | Telemetry showing systeminfo.exe (tainted by relationship to threat story) | Telemetry-Tainted 7 |
12.E.1.6.1 | Empire: WinEnum module included enumeration of system information | | None 0 | | None 0 | Telemetry showing the Get-Sysinfo function | Telemetry 10 | | None 0 | Interactive Shell events showing the WinEnum script and the Get-SysInfo function (does not count as a detection due to manual process of pulling events) | None 0 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | | None 0 | | None 0 | Telemetry of execution sequence showing Get-SysInfo invocation | Telemetry 10 | Indicator of Compromise alert identifying suspicious PowerShell strings as Empire SysInfo | Indicator of Compromise 20 | | None 0 | Additional telemetry showing powershell.exe WMI queries for operating system information Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter) | Telemetry-Tainted 7 |
12.E.1.6.2 | Empire: WinEnum module included enumeration of Windows update information | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | | None 0 | | None 0 | Telemetry of execution sequence showing Get-HotFix invocation | Telemetry 10 | | None 0 | | None 0 | | None 0 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
File and Directory Discovery
Discovery
(T1083) | 18.A.1 | Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5) | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | Telemetry showing powershell.exe executing the Get-ChildItem command | Telemetry 10 | | None 0 | | None 0 | Query showing .vsdx PowerShell file search script that was executed | Telemetry 10 | Telemetry showing an event with the execution of the Get-ChildItem command (tainted by a parent alert on wscript.exe) | Telemetry-Tainted 7 | | None 0 | | None 0 |
8.A.1 | Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd | Enrichment of cmd.exe with correct ATT&CK Technique (T1083 - File and Directory Discovery) Telemetry from process tree showing dir with command-line arguments | Telemetry Enrichment 25 | Telemetry showing dir with command-line arguments (tainted by the parent "Powershell process created" alert) | Telemetry-Tainted 7 | Process tree view showing cmd.exe that ran dir (dir not specifically shown, cmd.exe is second from top and tainted by previous detection by orange line indicating medium severity) Telemetry showing cmd.exe running dir with command-line arguments (search was on commands running within the past 10 minutes) | Telemetry-Tainted 7 | Enrichment of cmd.exe executing dir with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery) (tainted by a parent Injected Shellcode alert) | Enrichment-Tainted Telemetry 22 | Enriched event tree showing enrichment of dir with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery) (tainted by parent Malicious File Detection, tree is initially available unenriched to show the base telemetry) | Telemetry-Tainted Enrichment-Tainted-Delayed 16 | Enrichment of cmd.exe executing the dir command indicating that the parameter was a directory listing of a network drive associated with potential reconnaissance. 
General Behavior alert showing that a spawned process (cmd.exe running dir) has been tagged for monitoring because its parent process has a detection (rundll32.exe) General Behavior alert for rundll32.exe launching cmd.exe (executing dir) | General Behavior Enrichment General Behavior 75 | Enrichment of cmd.exe executing dir with Dir Command alert (tagged with correct ATT&CK Technique, T1083 - File and Directory Discovery, and Tactic, Discovery) | Enrichment 15 | Telemetry showing cmd.exe executing the dir command (tainted by a trace detection on cmd.exe) Enrichment of cmd.exe executing the dir command with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery) | Telemetry-Tainted Enrichment 22 | Telemetry showing execution sequence of cmd.exe executing dir with command-line arguments Process tree view of rundll32.exe "Unexpected behavior from process run with no command-line arguments" alert that tainted dir (dir command not shown) | Telemetry-Tainted 7 | Enrichment of cmd.exe executing dir with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery) Telemetry showed cmd.exe executing dir with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Enrichment of cmd executing dir with command-line arguments as the execution of the dir command on a network location (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted Enrichment-Tainted Enrichment 34 | Telemetry showing cmd.exe executing dir with command-line arguments | Telemetry 10 | Telemetry showing cmd.exe executing dir with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
8.A.2 | Cobalt Strike: 'tree "C:\Users\debbie"' via cmd | Enrichment of tree.com with correct ATT&CK Technique (T1083 - File and Directory Discovery) Telemetry from process tree showing tree.com with command-line arguments | Telemetry Enrichment 25 | Telemetry showing tree with command-line arguments (tainted by the parent "Powershell process created" alert) | Telemetry-Tainted 7 | Additional details for OverWatch General Behavior alert indicating tree.com was suspicious (tainted by previous detection by orange line indicating medium severity) OverWatch General Behavior alert indicating tree.com was suspicious (tainted by previous detection by orange line indicating medium severity) Telemetry showing cmd.exe running tree with command-line arguments (search was on commands running within the past 10 minutes) Email excerpt from the OverWatch team indicating tree was a reconnaissance command (General Behavior) | Telemetry-Tainted General Behavior-Delayed-Tainted General Behavior-Delayed 58 | Enrichment of cmd.exe executing tree with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery) (tainted by a parent Injected Shellcode alert) | Enrichment-Tainted Telemetry 22 | Enriched event tree showing enrichment of tree with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery) (tainted by parent Malicious File Detection, tree is initially available unenriched to show the base telemetry) | Telemetry-Tainted Enrichment-Tainted-Delayed 16 | General Behavior alert showing that a spawned process (cmd.exe running tree) has been tagged for monitoring because its parent process has a detection (rundll32.exe) Enrichment of tree.exe with a tag identifying the command as enumeration General Behavior alert for rundll32.exe launching cmd.exe (executing tree) | General Behavior Enrichment General Behavior 75 | Enrichment of cmd.exe executing tree with Tree Command Execution alert (tagged with correct ATT&CK 
Technique, T1083 - File and Directory Discovery and Tactic, Discovery) Excerpt from the Managed Defense Report identifying a directory listing of Debbie's profile directory (Specific Behavior) Excerpt from Managed Defense Report showing additional details about tree | Enrichment Specific Behavior-Delayed 72 | Telemetry showing cmd.exe executing tree.exe (tainted by a trace detection on cmd.exe) Enrichment of tree.exe with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery) | Telemetry-Tainted Enrichment 22 | Telemetry showing execution sequence of cmd.exe executing tree.com with command-line arguments Process tree view of rundll32.exe "Unexpected behavior from process run with no command-line arguments" alert that tainted tree (tree command not shown) | Telemetry-Tainted 7 | Enrichment of cmd.exe executing tree with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery) Telemetry showed cmd.exe executing tree with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted Enrichment 22 | Telemetry showing cmd.exe executing tree with command-line arguments | Telemetry 10 | Telemetry showing cmd.exe executing tree with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
12.E.1.4.2 | Empire: WinEnum module included enumeration of interesting files | | None 0 | | None 0 | | None 0 | | None 0 | Interactive Shell events showing the WinEnum script and the Interesting Files function (does not count as a detection due to manual process of pulling events) | None 0 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | | None 0 | | None 0 | | None 0 | Enrichment of powershell.exe executing with command-line arguments as suspicious and the correct ATT&CK Technique (File and Directory Discovery) | Enrichment 15 | | None 0 | | None 0 |
12.E.1.4.1 | Empire: WinEnum module included enumeration of recently opened files | | None 0 | | None 0 | | None 0 | | None 0 | Interactive Shell events showing the WinEnum script and the Last 5 files opened function (does not count as a detection due to manual process of pulling events) | None 0 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | | None 0 | | None 0 | | None 0 | Enrichment of powershell.exe executing with command-line arguments as suspicious and the correct ATT&CK Technique (File and Directory Discovery) | Enrichment 15 | | None 0 | | None 0 |
9.A.1 | Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5) | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
16.K.1 | Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4) | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | Telemetry showing powershell.exe executing the type command with command-line arguments | Telemetry 10 | | None 0 | | None 0 | | None 0 | Telemetry showing a file read event for update.vbs (tainted by a parent alert on wscript.exe) | Telemetry-Tainted 7 | | None 0 | | Telemetry 10 |
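The columns above score four distinct things for the Discovery procedures, and it helps to see them as code. Telemetry is a process-creation record with its command line. Enrichment is a tag that maps that command line to an ATT&CK technique. "Tainted" means the event is only surfaced because an ancestor carried an alert (the rundll32.exe "no command-line arguments" alert that tainted dir and tree in Microsoft's column is the model used here). A General Behavior alert for an enumeration command sequence, as in the Endgame and Microsoft columns, fires when several discovery commands land in a short window. The Python below is an added example, not code from the MITRE evaluation or from any vendor; the regex mapping rules, the host name WS01, the pids and the timestamps are assumptions constructed for it, and the records mimic Sysmon process-creation fields. It goes slightly beyond this table by also mapping net user (T1087) and reg query (T1012), which appear in other rows of the page.

```python
"""Added example, not from the ATT&CK Evaluations page or any vendor: score process-creation
telemetry the way the tables above do. Enrichment maps a command line to a Discovery technique,
taint marks every descendant of an alerted parent, and a General Behavior style alert fires on
a burst of enumeration commands. Records, host, pids and times are constructed (Sysmon-like)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed mapping rules; vendor enrichment logic is proprietary and not on the page.
TECHNIQUE_RULES = [
    ("T1082", re.compile(r"(?<!\w)systeminfo(?:\.exe)?(?=\s|$)", re.I)),
    ("T1082", re.compile(r"(?<!\w)net1?(?:\.exe)?\s+config\s+workstation(?=\s|$)", re.I)),
    ("T1083", re.compile(r"(?<!\w)dir(?=\s|$)", re.I)),  # cmd builtin, visible only on cmd.exe
    ("T1083", re.compile(r"(?<!\w)tree(?:\.com)?(?=\s|$)", re.I)),
    ("T1083", re.compile(r"(?<!\w)(?:Get-ChildItem|gci)(?=\s|$)", re.I)),
    ("T1087", re.compile(r"(?<!\w)net1?(?:\.exe)?\s+user(?=\s|$)", re.I)),
    ("T1012", re.compile(r"(?<!\w)reg(?:\.exe)?\s+query(?=\s|$)", re.I)),
]

def ev(ts, pid, ppid, image, cmdline, host="WS01"):
    return {"ts": ts, "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline, "host": host}

# Constructed sample: rundll32.exe with no arguments spawning cmd.exe /C <command>, as in the
# Cobalt Strike rows above, plus an unrelated interactive lusrmgr.msc session that must stay clean.
EVENTS = [
    ev("2019-10-21T14:02:00", 4100, 3200, r"C:\Windows\System32\rundll32.exe", "rundll32.exe"),
    ev("2019-10-21T14:02:09", 4120, 4100, r"C:\Windows\System32\cmd.exe", "cmd.exe /C systeminfo"),
    ev("2019-10-21T14:02:09", 4121, 4120, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ev("2019-10-21T14:02:20", 4130, 4100, r"C:\Windows\System32\cmd.exe", "cmd.exe /C net config workstation"),
    ev("2019-10-21T14:02:20", 4131, 4130, r"C:\Windows\System32\net.exe", "net config workstation"),
    ev("2019-10-21T14:02:21", 4132, 4131, r"C:\Windows\System32\net1.exe", r"C:\Windows\system32\net1 config workstation"),
    ev("2019-10-21T14:02:45", 4140, 4100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /C dir /s /b "\\conficker\wormshare"'),
    ev("2019-10-21T14:03:10", 4150, 4100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /C tree "C:\Users\debbie"'),
    ev("2019-10-21T14:03:10", 4151, 4150, r"C:\Windows\System32\tree.com", r'tree "C:\Users\debbie"'),
    ev("2019-10-21T14:05:30", 5201, 5100, r"C:\Windows\System32\mmc.exe",
       r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\lusrmgr.msc"'),
]

def basename(path):
    return path.rsplit("\\", 1)[-1]

def classify(cmdline):
    """Enrichment: sorted, de-duplicated technique IDs whose rule matches the command line."""
    return sorted({tid for tid, rx in TECHNIQUE_RULES if rx.search(cmdline)})

def is_suspicious_parent(event):
    """Toy stand-in for a parent alert: rundll32.exe started with no command-line arguments."""
    return basename(event["image"]).lower() == "rundll32.exe" and len(event["cmdline"].split()) == 1

def tainted_pids(events, alerted_pids):
    """Taint: every process reachable through child edges from an alerted pid."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    tainted, stack = set(), list(alerted_pids)
    while stack:
        new = [c for c in children[stack.pop()] if c not in tainted]
        tainted.update(new)
        stack.extend(new)
    return tainted

def discovery_commands(events):
    """Classified events with wrapper hops collapsed (cmd.exe /C x -> x.exe, net.exe -> net1.exe):
    a child whose parent already carries the same technique is the same typed command."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for e in events:
        techs = classify(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if techs and not (parent and set(techs) & set(classify(parent["cmdline"]))):
            out.append(e)
    return out

def enumeration_bursts(events, min_commands=3, window_seconds=120):
    """Behaviour alert: >= min_commands distinct discovery commands on one host inside the
    window. Greedy sliding window over time-sorted commands, one alert per burst."""
    by_host = defaultdict(list)
    for e in sorted(discovery_commands(events), key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    bursts = []
    for host, cmds in by_host.items():
        times = [datetime.fromisoformat(e["ts"]) for e in cmds]
        i = 0
        while i < len(cmds):
            j = i
            while j < len(cmds) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= min_commands:
                bursts.append({"host": host, "pids": [e["pid"] for e in cmds[i:j]]})
                i = j
            else:
                i += 1
    return bursts

def triage(events):
    """One row per event carrying all three signals, plus the burst alerts."""
    alerted = {e["pid"] for e in events if is_suspicious_parent(e)}
    tainted = tainted_pids(events, alerted)
    rows = [{"pid": e["pid"], "image": basename(e["image"]), "techniques": classify(e["cmdline"]),
             "alerted": e["pid"] in alerted, "tainted": e["pid"] in tainted} for e in events]
    return rows, enumeration_bursts(events)

if __name__ == "__main__":
    rows, bursts = triage(EVENTS)
    for r in rows:
        status = "ALERT" if r["alerted"] else "tainted" if r["tainted"] else "clean"
        print(f'{r["pid"]:>5} {r["image"]:<16} {status:<8} {",".join(r["techniques"]) or "-"}')
    print("enumeration bursts:", bursts)
```

Collapsing the cmd.exe /C wrapper and the net.exe to net1.exe hop matters: without it one typed command is counted two or three times and the sequence threshold trips on noise. Conversely, a tag alone ("net.exe is commonly used for reconnaissance") is what the table scores as Enrichment; it only becomes a behaviour alert once the sequence rule or a parent alert ties the commands together, which is why the lusrmgr.msc row stays clean here even though it is also account enumeration.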
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Credentials in Files
Credential Access
(T1081) | 15.B.1 | Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5) | | None 0 | | None 0 | Telemetry showing decoded PowerShell script containing the function Get-Keystrokes Excerpt from email sent by OverWatch team indicating keylogging activity occurred (Specific Behavior) | Telemetry Specific Behavior-Delayed 67 | | None 0 | | None 0 | Telemetry showing powershell.exe executing the Get-Content cmdlet on IT_tasks.txt | Telemetry 10 | | None 0 | | None 0 | Telemetry showing "Get-Content" cmdlet (does not count as a detection) | None 0 | Telemetry showing a file read event for IT_tasks.txt | Telemetry 10 | | None 0 | | None 0 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
PowerShell
Execution
(T1086) | 13.C.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
16.A.1 | | | Not tested 0 | | Not tested 0 | | Not tested 0 | | None 0 | | Not tested 0 | | None 0 | | None 0 | | None 0 | | Not tested 0 | | None 0 | | Not tested 0 | | Not tested 0 |
12.F.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
17.B.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
17.B.2 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
12.F.2 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
17.C.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
12.G.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
12.G.2 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
12.D.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
16.D.1 | | | Not tested 0 | | Not tested 0 | | Not tested 0 | | None 0 | | Not tested 0 | | None 0 | | None 0 | | None 0 | | Not tested 0 | | None 0 | | Not tested 0 | | Not tested 0 |
18.A.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
12.E.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
12.C.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
12.B.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
18.B.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
16.E.1 | | | Not tested 0 | | Not tested 0 | | Not tested 0 | | None 0 | | Not tested 0 | | None 0 | | None 0 | | None 0 | | Not tested 0 | | None 0 | | Not tested 0 | | Not tested 0 |
17.A.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
16.K.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
11.A.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
16.H.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
12.A.2 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
19.D.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
19.D.2 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
12.A.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
16.G.1 | | | Not tested 0 | | Not tested 0 | | Not tested 0 | | None 0 | | Not tested 0 | | None 0 | | None 0 | | None 0 | | Not tested 0 | | None 0 | | Not tested 0 | | Not tested 0 |
16.I.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
16.J.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
16.B.1 | | | Not tested 0 | | Not tested 0 | | Not tested 0 | | None 0 | | Not tested 0 | | None 0 | | None 0 | | None 0 | | Not tested 0 | | None 0 | | Not tested 0 | | Not tested 0 |
15.B.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
13.B.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
13.B.2 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
13.A.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
16.C.1 | | | Not tested 0 | | Not tested 0 | | Not tested 0 | | None 0 | | Not tested 0 | | None 0 | | None 0 | | None 0 | | Not tested 0 | | None 0 | | Not tested 0 | | Not tested 0 |
16.L.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Account Discovery
Discovery
(T1087) | 2.G.2 | Cobalt Strike: 'net user george /domain' via cmd | Telemetry from process tree showing net.exe with command-line arguments Enrichment of net.exe with correct ATT&CK Technique (Account Discovery) | Telemetry Enrichment 25 | Enrichment of net.exe with conditions Reconnaissance Tool and Net User Reconnaissance Command (tainted by the parent Script File Created alert) | Enrichment-Tainted-Configuration Change 9 | Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net user not specifically shown) Telemetry showing net with command-line arguments Email excerpt from the OverWatch team indicating net user was a reconnaissance command (General Behavior) | Telemetry-Tainted General Behavior-Delayed 34 | Process tree showing enriched net.exe executing with the correct ATT&CK Technique (Account Discovery) (tainted by a parent Injected Shellcode alert) Telemetry showing net executing with command-line arguments Enrichment of net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery) | Telemetry Enrichment-Tainted 22 | General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection) Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) | Telemetry-Tainted General Behavior-Configuration Change-Delayed-Tainted 28 | Enrichment of net.exe with a tag identifying the command as enumeration General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (cmd.exe) | Enrichment General Behavior 45 | Excerpt from the Managed Defense Report indicating net user was a reconnaissance command (General Behavior) Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 
- Account Discovery, and Tactic, Discovery) Excerpt from the Managed Defense Report with additional details about net | Enrichment General Behavior-Delayed 42 | Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that information of users/groups was obtained Process tree within trace detection containing cmd.exe executing the net.exe (tainted by a parent alert on Resume Viewer.exe) | Telemetry-Tainted Enrichment 22 | Telemetry showing discovery of George permissions by Debbie from Nimda at the domain controller General Behavior alert on suspicious sequence of exploration activities Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments Telemetry showing execution sequence for net.exe with command-line arguments | Telemetry General Behavior-Delayed 37 | Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Enrichment of net1.exe executing with the correct ATT&CK Technique (Account Discovery) Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted Enrichment Enrichment-Tainted 34 | Telemetry showing net.exe with command-line arguments | Telemetry 10 | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
12.G.1 | Empire: 'net user' via PowerShell | Telemetry from process tree showing net.exe with command-line arguments Enrichment of net.exe with related ATT&CK Technique (T1069 - Permission Groups Discovery) | Telemetry Enrichment 25 | Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert) | Enrichment-Tainted 12 | Email excerpt from the OverWatch team indicating net user was part of additional malicious discovery activity (General Behavior) Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity) | Telemetry-Tainted General Behavior-Delayed 34 | Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert) General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery) | General Behavior-Tainted Telemetry 37 | Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts) Telemetry from event tree showing net.exe with command-line arguments (tainted by parent PowerShell alert) | Telemetry-Tainted Enrichment-Tainted-Delayed 16 | General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe) Telemetry showing powershell.exe executing net.exe with command-line arguments | General Behavior Telemetry 40 | Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used to capture information about local users (General Behavior) Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery) | Enrichment General Behavior-Delayed 42 | Telemetry showing powershell.exe executing net.exe (tainted by a 
parent alert on wscript.exe) Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that the net utility was used to obtain information of user groups | Telemetry-Tainted Enrichment 22 | Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown) | Telemetry-Tainted General Behavior-Delayed 34 | Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery) Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe) | Telemetry-Tainted Enrichment 22 | Telemetry showing net.exe with command-line arguments | Telemetry 10 | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) Continued threat story showing related processes Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter) | Telemetry-Tainted 7 |
12.G.2 | Empire: 'net user /domain' via PowerShell | Telemetry from process tree showing net.exe with command-line arguments Enrichment of net.exe with related ATT&CK Technique (T1069 - Permission Groups Discovery) | Telemetry Enrichment 25 | Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert) | Enrichment-Tainted 12 | Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity) Email excerpt from the OverWatch team indicating net user was part of additional malicious discovery activity (General Behavior) | Telemetry-Tainted General Behavior-Delayed 34 | Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert) General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery) | General Behavior-Tainted Telemetry 37 | Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry) | Telemetry-Tainted Enrichment-Tainted-Delayed 16 | General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe) Telemetry showing powershell.exe executing net.exe with command-line arguments | General Behavior Telemetry 40 | Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior) Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery) | Enrichment General Behavior-Delayed 42 | Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on wscript.exe) Enrichment of net.exe with the correct ATT&CK 
Tactic (Discovery). | Telemetry-Tainted Enrichment 22 | Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown) Specific Behavior alert showing domain user enumeration from Bob on CodeRed against Domain Controller on Creeper Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments | Telemetry-Tainted General Behavior-Delayed Specific Behavior-Delayed 91 | Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe) Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery) | Telemetry-Tainted Enrichment 22 | Telemetry showing net.exe with command-line arguments | Telemetry 10 | Threat story showing initial compromise alert and powershell.exe tainting net.exe Continued threat story showing initial compromise alert and powershell.exe tainting net.exe Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter) | Telemetry-Tainted 7 |
7.A.1 | Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information | Telemetry showing mmc.exe running lusrmgr.msc | Telemetry 10 | Telemetry showing mmc.exe running lusrmgr.msc (tainted by the parent "LSA Registry Key modified" alert) | Telemetry-Tainted 7 | Telemetry showing mmc.exe running lusrmgr.msc | Telemetry 10 | Telemetry showing lusrmgr.msc running from mmc.exe | Telemetry 10 | Telemetry showing mmc.exe running lusrmgr.msc | Telemetry 10 | Telemetry showing mmc.exe running lusrmgr.msc | Telemetry 10 | Telemetry showing mmc.exe running lusrmgr.msc | Telemetry 10 | Telemetry showing lusrmgr.msc running from mmc.exe | Telemetry 10 | Telemetry showing mmc.exe running lusrmgr.msc | Telemetry 10 | Telemetry showing lusrmgr.msc running from mmc.exe Enrichment of mmc.exe as reconnaissance via the MMC utility with local users and groups view | Telemetry Enrichment 25 | | None 0 | | None 0 |
2.G.1 | Cobalt Strike: 'net user /domain' via cmd | Enrichment of net.exe with correct ATT&CK Technique (Account Discovery) Telemetry from process tree showing net.exe with command-line arguments | Telemetry Enrichment 25 | Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert) | Enrichment-Tainted 12 | Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net user not specifically shown) Telemetry showing net with command-line arguments | Telemetry-Tainted 7 | Process tree showing enriched net.exe executing with the correct ATT&CK Technique (Account Discovery) (tainted by a parent Injected Shellcode alert) Enrichment of net.exe executing with the correct ATT&CK Technique (Account Discovery) and Tactic (Discovery) Telemetry showing net executing with command-line arguments | Telemetry Enrichment-Tainted 22 | General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection) Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) | Telemetry-Tainted General Behavior-Configuration Change-Delayed-Tainted 28 | Enrichment of net.exe with a tag identifying the command as enumeration General Behavior alert for rundll32.exe launching cmd.exe (executing net) | General Behavior Enrichment 45 | Excerpt from the Managed Defense Report indicating net user was a reconnaissance command (General Behavior) Excerpt from the Managed Defense Report with additional details about net Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery) | Enrichment General Behavior-Delayed 42 | Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that information of users/groups was obtained Process tree within trace detection containing cmd.exe executing the net.exe (tainted by a parent alert on Resume Viewer.exe) | Telemetry-Tainted Enrichment 22 | General Behavior alert on suspicious sequence of exploration activities Telemetry showing execution sequence for net.exe with command-line arguments Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments | Telemetry General Behavior-Delayed 37 | Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted Enrichment-Tainted 19 | Telemetry showing net.exe with command-line arguments | Telemetry 10 | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Rundll32
Defense Evasion, Execution
(T1085) | 1.A.1 | Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32 | Telemetry from process tree showing Resume Viewer.exe execution sequence with rundll32.exe Enrichment of rundll32.exe execution with correct ATT&CK Technique (T1085, corresponding to Rundll32) | Telemetry Enrichment 25 | Telemetry showing cmd.exe launched rundll32.exe (tainted by the Script File Created alert) | Telemetry-Tainted 7 | Specific Behavior alert showing rundll32 execution (mapped to correct ATT&CK Technique, Rundll32, and Tactic, Defense Evasion. Green arrow indicates injection.) OverWatch General Behavior alert indicating rundll32 execution was suspicious | Specific Behavior General Behavior-Delayed Telemetry 97 | Specific Behavior alert for rundll32.exe, identified as a compromised legitimate process, injecting shellcode into rundll32.exe, tagged with the correct ATT&CK Tactic (Defense Evasion) and a related Technique (Process Injection) Telemetry within the rundll32.exe injection alert showing command-line arguments of rundll32.exe running update.dat (tainted by parent alert on explorer.exe) Specific Behavior alert for rundll32.exe launching a module from a temporary folder and injecting shellcode into a victim process (tainted by parent alert on explorer.exe) | Specific Behavior-Tainted Telemetry-Tainted Specific Behavior-Tainted 121 | Specific Behavior alert for RunDLL32 with Suspicious DLL Location and surrounding telemetry (tagged with correct ATT&CK Technique, T1085 - Rundll32 and Tactics, Defense Evasion, Execution; tainted by parent Malicious File Detection alert) Telemetry showing rundll32.exe running update.dat execution event Event tree view showing the Malicious File Detection alert tainting rundll32.exe telemetry | Telemetry-Tainted Specific Behavior-Tainted 64 | Telemetry showing rundll32.exe executing update.dat | General Behavior Specific Behavior Telemetry 100 | Excerpt from the Managed Defense Report indicating rundll32.exe was used for execution (Specific Behavior) Enrichment of rundll32.exe execution (tagged with correct ATT&CK Technique, T1085 - Rundll32, and Tactics, Defense Evasion, Execution) | Enrichment Specific Behavior-Delayed 72 | Telemetry showing cmd.exe executing update.dat via rundll32.exe Process tree within trace detection showing rundll32.exe executing (tainted by a parent alert on Resume Viewer.exe) Specific Behavior alerts based on suspicious indicators that a "Loaded non-DLL and non-CPL file with specified parameters via rundll32." The alerts were tagged with the correct ATT&CK Tactic (Defense Evasion, Execution) and Technique (Rundll32) | Telemetry-Tainted Specific Behavior 67 | Telemetry showing rundll32.exe process injection sequence General Behavior alert on low-reputation DLL load by signed executable | Telemetry General Behavior-Delayed 37 | Specific Behavior alerts for rundll32 tagged with the correct ATT&CK Technique (Rundll32) (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Telemetry showing rundll32.exe executing update.dat (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Additional details of General Behavior alert for rundll32.exe executing update.dat General Behavior alert for rundll32.exe executing update.dat, identified as a suspicious DLL and malware (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted Specific Behavior-Tainted General Behavior-Tainted 91 | Telemetry showing execution of Resume Viewer.exe | Telemetry 10 | Telemetry from process tree showing rundll32.exe (tainted by relationship to threat story) | Telemetry-Tainted 7 |
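The rundll32 detections in the row above rest on two properties visible in the command line: the module handed to rundll32 has an extension other than .dll or .cpl (McAfee's "Loaded non-DLL and non-CPL file" indicator, update.dat here) and it lives in a directory a standard user can write to (Endgame's "Suspicious DLL Location", Cybereason's "module from a temporary folder"). The following Python is an added example of that check; it is not code from MITRE or from any evaluated product. The command lines, the paths and the list of user-writable directories are constructed for illustration.

```python
"""Added example: parse a rundll32 command line and flag the conditions the
evaluated products alerted on (non-DLL/CPL module, user-writable path,
no entry point). Paths below are constructed for illustration."""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

ALLOWED_EXT = {".dll", ".cpl"}
# Directories a standard user can write to; a module loaded from here is worth an alert.
USER_WRITABLE_HINTS = (
    "\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\",
    "\\windows\\temp\\", "\\downloads\\",
)
# Matches 'rundll32', 'rundll32.exe' or a quoted/unquoted full path to it as the image.
_IMAGE_RE = re.compile(r'\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?(?=\s|$)\s*(.*)$', re.IGNORECASE)


def _first_token(s: str) -> Tuple[str, str]:
    """Return (token, remainder); a token may be a quoted path containing spaces."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:])
    m = re.match(r"\S+", s)
    return (m.group(0), s[m.end():]) if m else ("", "")


def parse_rundll32(cmdline: str) -> Optional[Dict[str, str]]:
    """Split 'rundll32[.exe] <module>[,<entry>] [args]' into its parts; None if
    the command line is not a rundll32 invocation."""
    m = _IMAGE_RE.match(cmdline)
    if not m:
        return None
    module, tail = _first_token(m.group(1))
    entry = ""
    if "," in module:                       # unquoted form: module,Entry
        module, _, entry = module.partition(",")
    elif tail.lstrip().startswith(","):     # quoted form: "module",Entry
        entry, _, tail = tail.lstrip()[1:].partition(" ")
    return {"module": module, "entry": entry, "args": tail.strip()}


def assess_rundll32(cmdline: str) -> Dict[str, object]:
    """Return the parsed parts plus a list of findings (empty when nothing is suspicious)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return {"rundll32": False, "findings": []}
    findings: List[str] = []
    module = parsed["module"]
    ext = ntpath.splitext(module)[1].lower()
    if ext not in ALLOWED_EXT:
        findings.append(f"non-DLL/CPL module loaded: {ntpath.basename(module)}")
    if any(h in ntpath.normpath(module).lower() for h in USER_WRITABLE_HINTS):
        findings.append("module loaded from a user-writable location")
    if not parsed["entry"]:
        findings.append("no entry point named (DllMain still runs on load)")
    return {"rundll32": True, "module": module, "entry": parsed["entry"],
            "args": parsed["args"], "findings": findings}


# Constructed sample command lines; the first mirrors step 1.A.1 (update.dat via rundll32).
SAMPLE_COMMAND_LINES = [
    r"rundll32.exe C:\Users\Public\update.dat,Start",
    r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\shell32.dll",Control_RunDLL',
    r"rundll32.exe C:\Windows\System32\desk.cpl,InstallScreenSaver",
    r"rundll32 C:\ProgramData\helper.dll",
    r"cmd.exe /c tasklist /v",
]


def run_sample() -> List[Dict[str, object]]:
    return [assess_rundll32(c) for c in SAMPLE_COMMAND_LINES]


if __name__ == "__main__":
    for cmd, res in zip(SAMPLE_COMMAND_LINES, run_sample()):
        status = "; ".join(res["findings"]) if res["rundll32"] else "not rundll32"
        print(f"{cmd}\n    -> {status or 'no findings'}")
```

The extension check is the cheap, high-precision signal; the path check is what separates a renamed payload in a temp folder from a vendor's legitimately odd control-panel applet, so in production the directory list should be derived from the fleet rather than hard-coded as it is here.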
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
System Network Connections Discovery
Discovery
(T1049) | 12.E.1.12 | Empire: WinEnum module included enumeration of established network connections | Telemetry from process tree showing netstat.exe with command-line arguments Enrichment of netstat.exe with correct ATT&CK Technique (System Network Connections Discovery) | Telemetry Enrichment 25 | | None 0 | Telemetry from process tree showing netstat.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity) | Telemetry-Tainted 7 | Enriched alert for netstat.exe labeled with Reconnaissance and the correct ATT&CK Technique (System Network Connections Discovery) (tainted by a parent PowerShell alert) | Enrichment-Tainted Telemetry 22 | Event tree showing telemetry of netstat subprocess associated with WinEnum (tainted by parent PowerShell alerts) Interactive Shell events showing the WinEnum script and the Netstat Established Connections and Processes function (does not count as a detection due to manual process of pulling events) Enriched event tree showing enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry) | Telemetry-Tainted Enrichment-Tainted-Delayed 16 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | Enrichment of netstat.exe with Netstat Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery) Excerpt from the Managed Defense Report indicating netstat.exe was a reconnaissance command used (General Behavior) | Enrichment General Behavior-Delayed 42 | Telemetry showing powershell.exe executing netstat.exe (tainted by a parent alert on wscript.exe) | Telemetry-Tainted 7 | Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing netstat.exe with command-line arguments Telemetry of execution sequence showing Get-NetInfo invocation Telemetry of execution sequence showing powershell.exe executing netstat.exe with command-line arguments Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process | Telemetry-Tainted General Behavior-Delayed 34 | Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Network Connections Discovery) | Enrichment 15 | Telemetry showing netstat.exe with command-line arguments | Telemetry 10 | Telemetry showing netstat.exe with command-line arguments (tainted Group ID not shown but was the search parameter) | Telemetry-Tainted 7 |
13.B.1 | Empire: 'net use' via PowerShell | Enrichment of net.exe with related ATT&CK Technique (Account Discovery) | Enrichment Telemetry 25 | Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert) | Telemetry-Tainted 7 | Email excerpt from the OverWatch team indicating net use was part of additional malicious discovery activity (General Behavior) Telemetry from process tree showing net.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity) | Telemetry-Tainted General Behavior-Delayed 34 | Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert) General Behavior alert for net.exe executing with the correct ATT&CK Technique (System Network Connections Discovery) and Tactic (Discovery) | General Behavior-Tainted Telemetry 37 | Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery), related ATT&CK Technique (Remote System Discovery), and correct Tactic (Discovery) (tainted by parent alert, tree is initially available unenriched to show the base telemetry) Specific Behavior alert for Discovery via network file share enumeration (tainted by parent alert) | Specific Behavior-Tainted Telemetry-Tainted Enrichment-Delayed-Tainted 73 | General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe) Telemetry showing powershell.exe executing net.exe with command-line arguments | Telemetry General Behavior 40 | Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior) Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery) | Enrichment General Behavior-Delayed 42 | Telemetry showing powershell.exe executing net.exe (tainted by parent alert on wscript.exe) | Telemetry-Tainted 7 | Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown) Telemetry showing execution of net.exe with command-line arguments Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe) | Telemetry-Tainted 7 | Telemetry showing execution of net.exe and command-line arguments | Telemetry 10 | Telemetry showing execution of net.exe and command-line arguments (tainted Group ID not shown but was the search parameter) | Telemetry-Tainted 7 |
13.B.2 | Empire: 'netstat -ano' via PowerShell | Telemetry showing process tree with netstat.exe and command-line arguments Enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery) | Telemetry Enrichment 25 | Telemetry showing netstat.exe with command-line arguments (tainted by the parent Script File Created alert) | Telemetry-Tainted 7 | Telemetry from process tree showing netstat.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity) Email excerpt from the OverWatch team indicating netstat was part of additional malicious discovery activity (General Behavior) | Telemetry-Tainted General Behavior-Delayed 34 | Enrichment showing netstat.exe executing as Reconnaissance and the correct ATT&CK Technique (System Network Connections Discovery) (tainted by a parent PowerShell alert) | Enrichment-Tainted Telemetry 22 | Enriched event tree showing enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery) (tainted by parent alert, tree is initially available unenriched to show the base telemetry) | Telemetry-Tainted Enrichment-Delayed-Tainted 16 | General Behavior alert showing that a spawned process (netstat) has been tagged for monitoring because its parent process has a detection (powershell.exe) Telemetry showing powershell.exe executing netstat.exe with command-line arguments | Telemetry General Behavior 40 | Excerpt from the Managed Defense Report indicating netstat.exe was a reconnaissance command used (General Behavior) Enrichment of netstat.exe with Netstat Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery) | Enrichment General Behavior-Delayed 42 | Enrichment of netstat.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Connections Discovery) and a suspicious indicator that the network protocol statistics were gathered Telemetry showing powershell.exe executing netstat.exe (tainted by parent alert on wscript.exe) | Telemetry-Tainted Enrichment 22 | Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific netstat.exe instance not shown) Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing netstat.exe with command-line arguments Telemetry showing execution of netstat.exe (tainted by parent PowerShell malicious cmdlet alert) | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing powershell.exe executing netstat with command-line arguments (tainted by a parent alert on wscript.exe) | Telemetry-Tainted 7 | | None 0 | Telemetry showing execution of netstat.exe and command-line arguments (tainted Group ID not shown but was the search parameter) | Telemetry-Tainted 7 |
4.C.1 | Cobalt Strike: 'netstat -ano' via cmd | Telemetry from process tree showing netstat.exe with command-line arguments Enrichment of netstat.exe with correct ATT&CK Technique (System Network Connections Discovery) | Telemetry Enrichment 25 | Telemetry showing netstat.exe with command-line arguments (tainted by the parent "Powershell Execution Policy ByPass command ran" alert) | Telemetry-Tainted 7 | OverWatch General Behavior alert indicating netstat execution by cmd.exe was suspicious Email excerpt from the OverWatch team indicating netstat was a reconnaissance command (General Behavior) | General Behavior-Delayed Telemetry General Behavior-Delayed 64 | Enrichment of netstat.exe executing labeled as Reconnaissance and mapped to the correct ATT&CK Technique (System Network Connections Discovery) (tainted by a parent Injected Shellcode alert) Telemetry showing cmd.exe executing netstat with command-line arguments | Enrichment-Tainted Telemetry 22 | Additional UI view of telemetry (showing the netstat command in this instance) Enriched event tree showing enrichment of netstat with correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery) Telemetry from event tree showing netstat with command-line arguments | Telemetry Enrichment-Delayed 22 | Enrichment of netstat.exe with a tag identifying the command as enumeration | Enrichment 15 | Enrichment of netstat.exe with Netstat Execution alert (tagged with the correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery) Excerpt from the Managed Defense Report with additional details about netstat Excerpt from the Managed Defense Report indicating netstat was used to enumerate active and listening network ports (Specific Behavior) | Enrichment Specific Behavior-Delayed 72 | Enrichment of netstat.exe with the correct Tactic (Discovery) and Technique (System Network Connections Discovery) and a suspicious indicator that network statistics and TCP/IP connections were gathered Process tree within trace detection showing cmd.exe executing netstat.exe (tainted by a parent alert on cmd.exe) | Telemetry-Tainted Enrichment 22 | Telemetry showing execution sequence for netstat.exe with command-line arguments Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific netstat.exe command not shown) | Telemetry-Tainted 7 | Enrichment of netstat.exe executing with the correct ATT&CK Technique (System Network Connections Discovery) Telemetry showing cmd.exe executing netstat with command-line arguments | Telemetry Enrichment 25 | Telemetry showing netstat.exe with command-line arguments | Telemetry 10 | Telemetry showing netstat.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Bypass User Account Control
Defense Evasion, Privilege Escalation
(T1088) | 3.A.1 | Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level | | None 0 | Relationships view of alert showing svchost.exe spawning powershell.exe tree (including encoded PowerShell). Red dots indicate malicious behavior and orange indicate suspicious behavior (based on impact value) (does not count as a detection) Alert for PowerShell process creation (does not count as a detection) | None 0 | Telemetry showing process integrity level change for Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High) | Telemetry 10 | Telemetry showing powershell.exe running as high integrity as user Debbie (tainted by a parent PowerShell alert) Telemetry showing powershell.exe running as medium integrity as user Debbie | Telemetry-Tainted 7 | Telemetry showing authentication (logon) ID mismatch between parent and child processes | Telemetry 10 | Enrichment of an unelevated svchost.exe spawning an elevated powershell.exe process with a tag indicating a possible UAC Bypass. | Enrichment 15 | Telemetry showing execution of powershell.exe running as SYSTEM with token login ID 0xfcf5fd Telemetry showing group membership of token logon ID 0xfcf5fd, associated with user Debbie, which includes S-1-16-12288 (High Mandatory Level) | Telemetry-Configuration Change 7 | Specific Behavior alert for a possible UAC bypass, tagged with the correct ATT&CK Technique (Bypass User Account Control) and Tactics (Defense Evasion, Privilege Escalation) | Specific Behavior 60 | Telemetry showing powershell.exe running as high integrity as SYSTEM Telemetry showing rundll32.exe running as medium integrity as user Debbie Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and elevated powershell.exe | Telemetry-Tainted 7 | Telemetry showing process integrity level change from parent rundll32.exe (medium) to child powershell.exe (high), both running as user Debbie | Telemetry 10 | Alert for powershell.exe execution with encoded command-line arguments (does not count as a detection) | None 0 | | Telemetry 10 |
14.A.1 | Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level | | None 0 | Alert for encoded PowerShell (does not count as a detection) | None 0 | Telemetry showing the Invoke-BypassUACTokenManipulation function Email excerpt from the OverWatch team indicating obfuscated PowerShell invoked UAC bypass (Specific Behavior) Telemetry showing integrity level change through query for powershell.exe processes of high integrity (12288/0x3000) that were created by medium integrity processes (8192/0x2000) | Telemetry Specific Behavior-Delayed 67 | Telemetry showing powershell.exe executing with medium process integrity (tainted by a parent PowerShell alert) Telemetry showing powershell.exe executing with high process integrity (tainted by a parent PowerShell alert) Parent alert generated for malicious use of PowerShell | Telemetry-Tainted 7 | Telemetry showing authentication (logon) ID mismatch between parent and child processes Telemetry showing svchost.exe seclogon event for token login id 0x9b6855 (10184789), used by the spawned powershell.exe | Telemetry 10 | Telemetry showing an elevated PowerShell being spawned under the context of user Bob from an unelevated parent process General Behavior alert for a possible PowerShell privilege escalation based on the elevation of a child process from a non-elevated parent | General Behavior Telemetry 40 | Telemetry showing execution of powershell.exe running as SYSTEM with token login ID 0x10530b3 Telemetry showing group membership of token logon ID 0x10530b3 associated with user Bob, which includes S-1-16-12288 (High Mandatory Level) | Telemetry-Configuration Change 7 | Specific Behavior alert for a possible UAC bypass. Telemetry showing an integrity level change for powershell.exe | Telemetry Specific Behavior 70 | Parent alert for "Suspicious sequence of exploration activities" showing powershell.exe process tainting this event Telemetry showing medium integrity powershell.exe process executing Invoke-BypassUACTokenManipulation as user Bob Telemetry showing high integrity powershell.exe process as Bob Telemetry showing high integrity powershell.exe process as SYSTEM | Telemetry-Tainted 7 | Telemetry showing powershell.exe running as high integrity level (12288) Indicator of Compromise alert identifying a PowerShell Empire script performing the bypass UAC attack. Telemetry showing powershell.exe running as medium integrity level (8192) | Telemetry Indicator of Compromise 30 | | None 0 | Telemetry showing process integrity level change from medium to high (tainted by relationship to threat story but Group ID not shown in this view) | Telemetry-Tainted 7 |
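The two UAC bypass rows above are surfaced almost entirely from process-creation telemetry: the child's mandatory label (S-1-16-12288, High, 12288/0x3000) is higher than its parent's (S-1-16-8192, Medium, 8192/0x2000), and the child's token logon ID differs from the parent's. The following Python is an added example of that logic; it is not code from MITRE or from any evaluated product. The events, PIDs, logon IDs and session numbers are constructed, and the consent.exe correlation used to separate a prompted elevation from a silent one is an assumption of this example rather than a vendor rule. A legitimate prompted elevation also produces a parent/child integrity jump and a logon ID change, which is why the jump alone is treated here as telemetry and not as a verdict.

```python
"""Added example: flag a child process created at a higher integrity level than
its parent, the signal the evaluated products surfaced for the UAC bypass
steps. Users, PIDs, logon IDs and timestamps are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Mandatory label RIDs, as shown in the telemetry on this page (S-1-16-<rid>).
INTEGRITY_NAMES = {0x1000: "Low", 0x2000: "Medium", 0x3000: "High", 0x4000: "System"}


def integrity_rid(sid: str) -> int:
    """Extract the RID from a mandatory-label SID such as S-1-16-12288."""
    if not sid.startswith("S-1-16-"):
        raise ValueError(f"not a mandatory-label SID: {sid}")
    return int(sid.rsplit("-", 1)[1])


@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str
    user: str
    integrity_sid: str
    logon_id: int       # token authentication (logon) ID
    session: int        # terminal-services session the process runs in


def detect_integrity_elevation(events: List[ProcEvent],
                               consent_window: timedelta = timedelta(seconds=30)) -> List[dict]:
    """One finding per child whose integrity level exceeds its parent's.
    Severity is 'telemetry' when consent.exe ran in the same session shortly
    before (a prompted elevation) and 'alert' otherwise. The consent.exe
    correlation is a heuristic assumption of this example, not a vendor rule."""
    by_pid = {e.pid: e for e in events}
    consent_seen: Dict[int, List[datetime]] = defaultdict(list)
    findings = []
    for child in sorted(events, key=lambda e: e.ts):
        if child.image.lower() == "consent.exe":
            consent_seen[child.session].append(child.ts)
            continue
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        p_rid, c_rid = integrity_rid(parent.integrity_sid), integrity_rid(child.integrity_sid)
        if c_rid <= p_rid:
            continue
        reasons = [f"integrity {INTEGRITY_NAMES.get(p_rid, p_rid)} ({p_rid}/{p_rid:#x}) -> "
                   f"{INTEGRITY_NAMES.get(c_rid, c_rid)} ({c_rid}/{c_rid:#x})"]
        if child.logon_id != parent.logon_id:
            reasons.append(f"logon ID mismatch parent {parent.logon_id:#x} / child {child.logon_id:#x}")
        if child.user.lower() != parent.user.lower():
            reasons.append(f"user changed {parent.user} -> {child.user}")
        prompted = any(timedelta(0) <= child.ts - t <= consent_window
                       for t in consent_seen[child.session])
        if not prompted:
            reasons.append("no consent.exe in this session before the elevation")
        findings.append({
            "pid": child.pid, "image": child.image, "parent_image": parent.image,
            "user": child.user, "severity": "telemetry" if prompted else "alert",
            "reasons": reasons,
        })
    return findings


T0 = datetime(2018, 10, 20, 15, 0, 0)
S = timedelta(seconds=1)
# Constructed sample: rundll32.exe (Medium) spawns powershell.exe (High) for user
# Debbie with no prompt; later explorer.exe spawns mmc.exe (High) after consent.exe.
SAMPLE_EVENTS = [
    ProcEvent(T0,          3100, 3000, "rundll32.exe",   "Debbie", "S-1-16-8192",  0x4B2F1,  1),
    ProcEvent(T0 + 2 * S,  3200, 3100, "powershell.exe", "Debbie", "S-1-16-12288", 0xFCF5FD, 1),
    ProcEvent(T0 + 60 * S, 2000, 1500, "explorer.exe",   "Debbie", "S-1-16-8192",  0x4B2F1,  1),
    ProcEvent(T0 + 65 * S, 4000, 880,  "consent.exe",    "SYSTEM", "S-1-16-16384", 0x3E7,    1),
    ProcEvent(T0 + 70 * S, 4100, 2000, "mmc.exe",        "Debbie", "S-1-16-12288", 0xFCF5FD, 1),
    ProcEvent(T0 + 80 * S, 4200, 2000, "notepad.exe",    "Debbie", "S-1-16-8192",  0x4B2F1,  1),
]


def run_sample() -> List[dict]:
    return detect_integrity_elevation(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f'{f["severity"].upper():<9} {f["parent_image"]} -> {f["image"]} ({f["user"]})')
        for r in f["reasons"]:
            print("          -", r)
```

The integrity and logon ID fields correspond to what the products above read from the process token (Sysmon's IntegrityLevel and LogonId, or the 4688 event's token fields); the session field is what makes the consent.exe correlation possible at all, since consent.exe runs as SYSTEM and cannot be matched on the user name.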
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Process Discovery
Discovery
(T1057) | 2.C.1 | Cobalt Strike: 'ps' (Process status) via Win32 APIs | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Enrichment-Tainted 12 | | None 0 | | None 0 |
2.C.2 | Cobalt Strike: 'tasklist /v' via cmd | Telemetry from process tree showing tasklist.exe with command-line arguments Enrichment of tasklist.exe with correct ATT&CK Technique (T1057 - Process Discovery) | Telemetry Enrichment 25 | Telemetry showing tasklist.exe with command-line arguments (tainted by the parent Script File Created alert) | Telemetry-Tainted 7 | Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (tasklist not specifically shown) Email excerpt from the OverWatch team indicating tasklist was a reconnaissance command (General Behavior) Telemetry showing tasklist with command-line arguments | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing tasklist.exe executing within the process tree (tainted by a parent Injected Shellcode alert) Telemetry showing cmd.exe executing tasklist with command-line arguments | Telemetry-Tainted 7 | General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period Telemetry showing tasklist.exe with command-line arguments (tainted by parent Malicious File Detection) Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection) | Telemetry-Tainted General Behavior-Configuration Change-Delayed-Tainted 28 | General Behavior alert showing that a spawned process (cmd.exe running tasklist) has been tagged for monitoring because its parent process has a detection (cmd.exe) General Behavior alert for rundll32.exe launching cmd.exe (executing tasklist) Telemetry showing tasklist.exe with command-line arguments | General Behavior Telemetry General Behavior 70 | Enrichment of tasklist.exe with Tasklist Execution alert (tagged with correct ATT&CK Technique, T1057 - Process Discovery, and Tactic, Discovery) Excerpt from the Managed Defense Report indicating tasklist was used to enumerate current running processes (Specific Behavior) Excerpt from the Managed Defense Report with additional details about tasklist | Enrichment Specific Behavior-Delayed 72 | Process tree within trace detection containing cmd.exe executing tasklist.exe (tainted by a parent alert on Resume Viewer.exe) Enrichment of tasklist.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Service Discovery) and a suspicious indicator that the process discovered running Windows services and/or processes | Telemetry-Tainted Enrichment 22 | Process tree view of General Behavior alert on suspicious sequence of exploration activities showing tasklist.exe Telemetry showing execution sequence for tasklist.exe with command-line arguments General Behavior alert on suspicious sequence of exploration activities | Telemetry General Behavior-Delayed 37 | Enrichment of the execution of tasklist.exe as the enumeration of running processes via the command line (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Enrichment of tasklist.exe executing with a related ATT&CK Technique (System Information Discovery) Telemetry showing cmd.exe executing tasklist with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted Enrichment Enrichment-Tainted 34 | Telemetry showing tasklist.exe with command-line arguments Additional telemetry showing tasklist.exe with command-line arguments | Telemetry 10 | Telemetry showing tasklist.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
3.B.1 | Cobalt Strike: 'ps' (Process status) via Win32 APIs | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Enrichment-Tainted 12 | | None 0 | | None 0 |
8.B.1 | Cobalt Strike: 'ps' (Process status) via Win32 APIs | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Enrichment-Tainted 12 | | None 0 | | None 0 |
12.C.1 | Empire: 'qprocess *' via PowerShell | Telemetry from process tree showing qprocess.exe with command-line arguments Enrichment of qprocess.exe with correct ATT&CK Technique (Process Discovery) | Telemetry Enrichment 25 | Telemetry showing qprocess.exe with command-line arguments (tainted by parent Script File Created alert) | Telemetry-Tainted 7 | Email excerpt from the OverWatch team indicating qprocess was part of basic reconnaissance activity (General Behavior) OverWatch General Behavior alert and telemetry indicating qprocess.exe with command-line arguments was suspicious (tainted from previous powershell.exe detection by red line indicating high severity) | General Behavior-Delayed-Tainted Telemetry General Behavior-Delayed 61 | Enrichment of qprocess.exe executing with correct ATT&CK Technique (Process Discovery) and Tactic (Discovery) (tainted by a parent PowerShell alert) Enrichment of qprocess.exe executing with labels for Reconnaissance and Local process discovery | Enrichment-Tainted Telemetry 22 | Event tree view of telemetry showing qprocess.exe with command-line arguments (tainted by parent PowerShell alerts) | Telemetry-Tainted 7 | Telemetry showing powershell.exe executing qprocess.exe with command-line arguments Enrichment of qprocess.exe as listing running processes and possibly a sign of reconnaissance General Behavior alert showing that a spawned process (qprocess) has been tagged for monitoring because its parent process has a detection (powershell.exe) | Enrichment Telemetry General Behavior 55 | Enrichment of qprocess.exe with Qprocess Execution alert (tagged with correct ATT&CK Technique, T1057 - Process Discovery, and Tactic, Discovery) Excerpt from the Managed Defense Report indicating qprocess.exe was a reconnaissance command used (General Behavior) | Enrichment General Behavior-Delayed 42 | Enrichment of qprocess.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that software running on a system was queried Telemetry showing qprocess.exe with command-line arguments (tainted by a parent alert on wscript.exe) Enrichment of qprocess.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (Process Discovery) and a suspicious indicator that QPROCESS was used to check active processes | Telemetry-Tainted Enrichment Enrichment 37 | Telemetry showing execution sequence of powershell.exe executing qprocess.exe with command-line arguments Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process | Telemetry-Tainted 7 | Enrichment of execution of qprocess.exe as the enumeration of running processes via the command line (tainted by a parent alert on wscript.exe) Enrichment of qprocess.exe executing with a related ATT&CK Technique (System Service Discovery) Telemetry showing powershell.exe executing qprocess.exe with command-line arguments (tainted by a parent alert on wscript.exe) | Telemetry-Tainted Enrichment-Tainted Enrichment 34 | Telemetry showing qprocess.exe with command-line arguments | Telemetry 10 | Telemetry showing qprocess.exe with command-line arguments (tainted Group ID not shown but was the search parameter) Threat story showing initial compromise alert and powershell.exe tainting qprocess.exe | Telemetry-Tainted 7 |
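Across the Account Discovery (12.G.2, 2.G.1), System Network Connections Discovery (12.E.1.12, 13.B.1, 13.B.2, 4.C.1) and Process Discovery (2.C.2, 12.C.1) rows above, the products that scored above bare telemetry did two things: they enriched each command (net user, net use, netstat, tasklist, qprocess, reg query) with its ATT&CK technique, and they either tainted it through an already-alerted parent process or raised a sequence alert of the kind Endgame calls "Enumeration Command Sequences" and Microsoft calls "Suspicious sequence of exploration activities". The following Python is an added example implementing both, serving all three sections; it is not code from MITRE or from any evaluated product. The events, PIDs, timestamps and the three-commands-in-two-minutes threshold are constructed for illustration.

```python
"""Added example: tag discovery commands with ATT&CK techniques and raise a
sequence alert when one parent runs several of them in a short window.
Events, PIDs and timestamps below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str      # executable basename, e.g. "net.exe"
    cmdline: str


# (image, first argument) -> technique ID and name as used on this page.
# An empty first argument matches any invocation of that image.
DISCOVERY_RULES: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("net.exe", "user"):  ("T1087", "Account Discovery"),
    ("net.exe", "group"): ("T1069", "Permission Groups Discovery"),
    ("net.exe", "use"):   ("T1049", "System Network Connections Discovery"),
    ("netstat.exe", ""):  ("T1049", "System Network Connections Discovery"),
    ("tasklist.exe", ""): ("T1057", "Process Discovery"),
    ("qprocess.exe", ""): ("T1057", "Process Discovery"),
    ("reg.exe", "query"): ("T1012", "Query Registry"),
}


def classify(ev: ProcEvent) -> Optional[Tuple[str, str]]:
    """Map one process-creation event to a discovery technique, or None."""
    tokens = ev.cmdline.split()
    first_arg = tokens[1].lower() if len(tokens) > 1 else ""
    image = ev.image.lower()
    return DISCOVERY_RULES.get((image, first_arg)) or DISCOVERY_RULES.get((image, ""))


def detect_enumeration_sequences(
    events: List[ProcEvent],
    alerted_pids: Set[int],
    threshold: int = 3,
    window: timedelta = timedelta(minutes=2),
) -> Dict[str, list]:
    """Return per-command enrichments (with a 'tainted' flag when the parent
    already carries an alert) and one sequence alert per parent that ran at
    least `threshold` discovery commands inside `window`."""
    enrichments = []
    per_parent: Dict[int, List[ProcEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        hit = classify(ev)
        if hit is None:
            continue
        enrichments.append({
            "pid": ev.pid, "image": ev.image, "technique": hit[0],
            "name": hit[1], "tainted": ev.ppid in alerted_pids,
        })
        per_parent[ev.ppid].append(ev)

    sequences = []
    for ppid, evs in per_parent.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this parent's children
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                sequences.append({
                    "ppid": ppid,
                    "commands": [e.image for e in evs[start:end + 1]],
                    "span_seconds": (evs[end].ts - evs[start].ts).total_seconds(),
                })
                break                         # one alert per parent
    return {"enrichments": enrichments, "sequences": sequences}


T0 = datetime(2018, 10, 20, 14, 0, 0)
# Constructed sample: an already-alerted powershell.exe (pid 4120) runs four
# discovery commands; an unrelated cmd.exe (pid 5000) runs a single tasklist.
SAMPLE_EVENTS = [
    ProcEvent(T0, 4120, 3000, "powershell.exe", "powershell.exe -nop -w hidden -enc ..."),
    ProcEvent(T0 + timedelta(seconds=5), 4201, 4120, "net.exe", "net user /domain"),
    ProcEvent(T0 + timedelta(seconds=40), 4202, 4120, "netstat.exe", "netstat -ano"),
    ProcEvent(T0 + timedelta(seconds=70), 4203, 4120, "qprocess.exe", "qprocess *"),
    ProcEvent(T0 + timedelta(seconds=90), 4204, 4120, "reg.exe",
              r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"'),
    ProcEvent(T0 + timedelta(seconds=10), 6001, 900, "notepad.exe", "notepad.exe"),
    ProcEvent(T0 + timedelta(seconds=300), 5101, 5000, "tasklist.exe", "tasklist /v"),
]
ALERTED_PIDS = {4120}   # a prior alert on the PowerShell parent taints its children


def run_sample() -> Dict[str, list]:
    return detect_enumeration_sequences(SAMPLE_EVENTS, ALERTED_PIDS)


if __name__ == "__main__":
    result = run_sample()
    for e in result["enrichments"]:
        print(f'{e["image"]:<13} {e["technique"]} {e["name"]}{"  [tainted]" if e["tainted"] else ""}')
    for s in result["sequences"]:
        print(f'SEQUENCE ALERT parent {s["ppid"]}: {", ".join(s["commands"])} in {s["span_seconds"]:.0f}s')
```

Two practical notes: net.exe hands most subcommands to net1.exe, so a production rule should match net1.exe with the same first-argument table, and the sequence alert keys on the direct parent only, which is what makes it cheap but also what an adversary defeats by running each command from a fresh cmd.exe; the taint flag, keyed on an earlier alert, is the complementary signal the products above relied on.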
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Data Encrypted (T1022); Tactic: Exfiltration | 19.B.1 | Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file | Telemetry showing recycler.exe and command-line arguments with encryption password; Enrichment of recycler.exe with correct ATT&CK Technique (T1022 - Data Encrypted) | Telemetry, Enrichment (25) | Enrichment showing recycler.exe creating old.rar (enriched with "Data Exfiltration Archiving", tainted by parent "Powershell executed encoded command" alerts); Telemetry showing recycler.exe with full command-line (tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts) | Enrichment-Tainted-Configuration Change, Telemetry-Tainted (16) | Specific Behavior alert showing use of -hp flags within command-line (mapped to related ATT&CK Technique, Data Compressed, and correct Tactic, Exfiltration; tainted by previous powershell.exe detection by red line indicating high severity); Email excerpt sent by OverWatch team indicating they observed a .vsdx file archived using the renamed RAR binary, recycler.exe (Specific Behavior) | Specific Behavior-Tainted, Telemetry, Specific Behavior-Delayed (124) | Telemetry showing recycler.exe execution (tainted by a parent PowerShell alert) | Telemetry-Tainted (7) | Enriched event tree showing enrichment of recycler.exe and creation of old.rar output with correct ATT&CK Technique (T1022 - Data Encrypted) and Tactic (Exfiltration) (tainted by Windows Script Executing PowerShell alert, tree is initially available unenriched to show the base telemetry); Specific Behavior alert for the execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar" (tainted by Windows Script Executing PowerShell alert) | Specific Behavior-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted (73) | General Behavior alert showing that a spawned process (recycler) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing recycler.exe execution | Telemetry, General Behavior (40) | Enrichment of -hp command line with Possible Encrypted RAR Archive Command alert (tagged with correct ATT&CK Technique, T1022 - Data Encrypted); Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration); General Behavior alert for Execution from Suspicious Directory; General Behavior alert for File Write To Root Of Recycle Bin; Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration); Excerpt from the Managed Defense Report indicating the attacker executed recycler.exe to create an encrypted RAR file (Specific Behavior) | General Behavior, Enrichment, Enrichment, General Behavior, Enrichment, Specific Behavior-Delayed (162) | Telemetry showing the execution of recycler.exe with command-line arguments (tainted by a parent alert on cmd.exe); Telemetry showing the creation of old.rar (tainted by a parent alert on cmd.exe) | Telemetry-Tainted (7) | Telemetry showing execution of recycler.exe with command-line arguments for file encryption and compression; Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown) | Telemetry-Tainted (7) | Telemetry showing recycler.exe execution (tainted by a parent alert on wscript.exe) | Telemetry-Tainted (7) | Telemetry showing execution of recycler.exe with command-line arguments | Telemetry (10) | Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the same Group ID; Telemetry showing the execution of recycler.exe | Telemetry-Tainted (7) |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Input Capture (T1056); Tactics: Collection, Credential Access | 8.C.1 | Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie | | None (0) | Command-Line Interface view for host Nimda kicking off DDNA Scan for PID 11252 (does not count as a detection); DDNA JSON output from PID 11252 showing process capabilities (does not count as a detection); Telemetry showing remote thread being created into explorer.exe (does not count as a detection) | None (0) | Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890) (does not count as a detection) | None (0) | Alert for Chain of Injections for powershell.exe injecting into cmd.exe (does not count as a detection); Alert showing loaded keyloggerx64.dll module (does not count as a detection); Alert showing keyloggerx64.dll module loaded into explorer.exe, including memory address and size (does not count as a detection); Alert for Chain of Injections showing powershell.exe injecting into explorer.exe (does not count as a detection) | None (0) | Event tree showing a Process Injection alert from which strings were pulled (does not count as a detection); Strings output extracted from Process Injection alert, showing key definitions typically associated with a keylogger, but no evidence of execution (does not count as a detection) | None (0) | | None (0) | | None (0) | Alert that cmd.exe obtained a handle to the memory thread and injected code into explorer.exe (does not count as a detection) | None (0) | Telemetry showing explorer.exe reading user keystrokes; Specific Behavior alert for "Possible keylogging activity" against explorer.exe; Execution sequence showing cmd.exe injecting into explorer.exe (does not count as a detection) | Telemetry-Configuration Change, Specific Behavior-Delayed (64) | Telemetry showing code injection into explorer.exe (does not count as a detection); Telemetry showing hook injection from explorer.exe (does not count as a detection); Enrichment of the execution of a specific API call as keylogging and suspicious activity | Enrichment (15) | Floating Code module output showing keylogger key definitions (does not count as a detection); Floating Code module output showing keylogger aggressor script (does not count as a detection) | None (0) | Telemetry showing GetAsyncKeyStateApi (Group ID tainted the event but was not shown in this view); Telemetry showing process injection into explorer.exe (does not count as a detection) | Telemetry-Tainted (7) |
15.A.1 | Empire: Built-in keylogging module executed to capture keystrokes of user Bob | Telemetry showing modloads associated with keylogger; Enrichment of data with tag "PowerShell Input Capture -keylogger" | Telemetry, Enrichment (25) | | None (0) | Excerpt from email sent by OverWatch team indicating IT_tasks.txt was retrieved as a file of interest (General Behavior); Telemetry showing FsPostOpen event for IT_tasks.txt; Telemetry showing file read event for IT_tasks.txt | Telemetry, General Behavior-Delayed (37) | Indicator of Compromise alert for Malicious Command Get-Keystrokes; Telemetry showing modloads associated with a keylogger | Indicator of Compromise, Telemetry (30) | Telemetry showing PowerShell Script Block logging with execution of Get-KeyStrokes (does not count as a detection) | None (0) | Telemetry showing powershell.exe executing the GetAsyncKeyState method; Enrichment of powershell.exe with a tag indicating .NET keylogging | Telemetry, Enrichment (25) | PowerShell activity during the time of the keylogging (does not count as a detection) | None (0) | | None (0) | Telemetry showing execution of Get-Keystrokes cmdlet; Telemetry showing keylogger events; Specific Behavior alert for keylogging activity from powershell.exe; Parent alert showing process tree view showing tainted relationship (specific instance of this technique not shown in the alert) | Telemetry-Tainted, Specific Behavior-Delayed (64) | Indicator of Compromise alert identifying a PowerShell Empire script logging keys pressed, time, and the active window; Enrichment of the execution of a specific API call as keylogging and suspicious activity | Enrichment, Indicator of Compromise (35) | | None (0) | Enrichment of use of GetAsyncKeyStateApi tagged as a keylogger (tainted by relationship to threat story but Group ID not shown in this view) | Enrichment-Tainted (12) |
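The two keylogging rows above show what separated a detection from "does not count": several vendors saw the injection into explorer.exe or the keylogger strings in memory, but only the ones that saw the GetAsyncKeyState calls (or a keyboard hook) coming out of the target process got credit. The following is an added example, not any vendor's logic or the evaluation's own code, of correlating those two signals over constructed API-call telemetry: a remote-thread injection record is kept per target process, GetAsyncKeyState call rate is measured per process, and a keylogger verdict is raised at higher confidence when the polling process is one that was injected into. The event shape, the 100 calls/s threshold and the 50-call minimum are assumptions chosen for the example.

```python
from collections import defaultdict

RATE_THRESHOLD = 100.0   # assumption: calls/sec; polling keyloggers sweep the key range every few ms
MIN_CALLS = 50           # assumption: ignore processes that only touch the API a handful of times
WH_KEYBOARD_LL = 13      # idHook value for a low-level keyboard hook
INJECTION_APIS = ("CreateRemoteThread", "QueueUserAPC", "SetThreadContext")


def _poll(pid, image, start, count, interval):
    """Constructed GetAsyncKeyState call records at a fixed interval (seconds). Not real telemetry."""
    return [{"t": start + i * interval, "pid": pid, "image": image, "api": "GetAsyncKeyState"}
            for i in range(count)]


# Constructed sample: cmd.exe injects into explorer.exe, which then sweeps keys every 5 ms;
# a PowerShell process polls on its own; notepad.exe touches the API occasionally; a screen
# capture tool installs a legitimate low-level keyboard hook.
EVENTS = (
    [{"t": 1.0, "pid": 5000, "image": "cmd.exe", "api": "CreateRemoteThread",
      "target_pid": 2100, "target_image": "explorer.exe"}]
    + _poll(2100, "explorer.exe", 2.0, 400, 0.005)
    + _poll(7000, "powershell.exe", 2.0, 300, 0.010)
    + _poll(3000, "notepad.exe", 2.0, 5, 0.400)
    + [{"t": 3.0, "pid": 3100, "image": "snippingtool.exe", "api": "SetWindowsHookEx",
        "id_hook": WH_KEYBOARD_LL}]
)


def _finding(pid, images, kind, injected_by, **extra):
    inj = injected_by.get(pid)
    return {"pid": pid, "image": images[pid], "kind": kind, "technique_id": "T1056",
            "injected_by": inj, "confidence": "high" if inj else "medium", **extra}


def detect(events=EVENTS, rate_threshold=RATE_THRESHOLD, min_calls=MIN_CALLS):
    """Return keylogging findings; each carries the injecting process when the poller was a target."""
    injected_by = {}             # target pid -> (injecting pid, injecting image)
    polls = defaultdict(list)    # pid -> timestamps of GetAsyncKeyState calls
    hooks = {}                   # pid -> time a WH_KEYBOARD_LL hook was set
    images = {}
    for e in sorted(events, key=lambda ev: ev["t"]):
        images[e["pid"]] = e["image"]
        if e["api"] in INJECTION_APIS:
            injected_by[e["target_pid"]] = (e["pid"], e["image"])
            images[e["target_pid"]] = e["target_image"]
        elif e["api"] == "GetAsyncKeyState":
            polls[e["pid"]].append(e["t"])
        elif e["api"] == "SetWindowsHookEx" and e.get("id_hook") == WH_KEYBOARD_LL:
            hooks[e["pid"]] = e["t"]

    findings = []
    for pid, times in polls.items():
        span = times[-1] - times[0]
        if len(times) < min_calls or span <= 0:
            continue
        rate = len(times) / span
        if rate >= rate_threshold:
            findings.append(_finding(pid, images, "polling keylogger (GetAsyncKeyState)",
                                     injected_by, calls_per_sec=round(rate, 1)))
    for pid in hooks:
        findings.append(_finding(pid, images, "low-level keyboard hook (WH_KEYBOARD_LL)", injected_by))
    return findings


if __name__ == "__main__":
    for f in detect():
        print(f)
```

The injection record alone is the "does not count" evidence from the table; the call-rate measurement is what turns it into a keylogging detection, and carrying the injecting process forward is what lets the finding name cmd.exe rather than explorer.exe as the actor.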
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Multiband Communication (T1026); Tactic: Command and Control | 6.B.1 | Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS | Telemetry showing network connection over UDP port 53; Telemetry showing network connection over TCP port 80 | Telemetry (10) | Telemetry showing DNS queries to freegoogleadsenseinfo.com (C2 domain) from svchost.exe; Telemetry showing outbound traffic to 192.168.0.4 (C2 server) over TCP port 80 (tainted by the parent "Sponsor Process Established Network Connection" alert) | Telemetry-Tainted (7) | Telemetry showing TCP port 80 connection to 192.168.0.4 (C2 server); Telemetry within an alert showing abnormally large DNS requests occurred (tainted by parent Exfiltration alert) | Telemetry-Tainted (7) | Telemetry showing the same rundll32.exe opening a connection over port 80 while making DNS queries to freegoogleadsenseinfo.com (C2 domain) (tainted by a parent Injected Shellcode alert, listed as Owner process) | Telemetry-Tainted (7) | Telemetry showing DNS connections; Telemetry showing port 80 traffic (tainted by parent Malicious File Detection alert) | Telemetry-Tainted (7) | Telemetry showing rundll32.exe making DNS queries; Telemetry showing rundll32.exe making network connections over port 80 to 192.168.0.4 (C2 server) | Telemetry (10) | Excerpt from the Managed Defense Report identifying C2 traffic communicating over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) in addition to the ongoing DNS C2 (Specific Behavior); Telemetry showing DNS requests (field name dnsLookupEvents/Generated) and HTTP requests (field name urlMonitorEvents/Generated) | Telemetry, Specific Behavior-Delayed (67) | | None (0) | Telemetry showing execution sequence for rundll32.exe opening port 80 network connection; Incident graph from "Unexpected process behavior" alert (resulting from rundll32.exe) showing tainted network connection; Telemetry showing DNS traffic to C2 domain | Telemetry-Tainted (7) | Telemetry showing ports 80 and 53 command and control traffic | Telemetry (10) | | None (0) | Telemetry showing port 80 connection to 192.168.0.4 (C2 server); Telemetry showing DNS query to C2 domain (tainted by relationship to threat story shown in Group ID) | Telemetry-Tainted (7) |
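Every vendor in the 6.B.1 row produced telemetry for the two channels separately; none of them correlated the DNS and HTTP traffic into a single multiband finding, and only CrowdStrike remarked on the abnormally large DNS requests. The following added example (written for this page, not taken from any vendor or from the evaluation) shows that correlation over constructed per-process network events: DNS queries are grouped by process and registrable domain, a domain is marked anomalous when the query names are oversized or fan out across many distinct subdomains (the DNS-channel signature), and a multiband verdict is raised only when the same process also talks HTTP on port 80. The event shape, the 60-character name limit, the 5-subdomain threshold and the two-label domain heuristic are assumptions; a production rule would use the public suffix list.

```python
import hashlib
import math
from collections import defaultdict

C2_DOMAIN = "freegoogleadsenseinfo.com"  # the C2 domain named in the table
MAX_QNAME = 60                            # assumption: legitimate lookups rarely exceed this
MIN_SUBDOMAINS = 5                        # assumption: fan-out beyond this looks like encoded data
HTTP_PORTS = (80, 8080)


def _tunnel_qname(i):
    """Constructed DNS-channel query name: one hex-encoded chunk as a subdomain of the C2 domain."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest() + "." + C2_DOMAIN


# Constructed sample telemetry, not evaluation data: rundll32.exe uses both channels,
# chrome.exe makes one ordinary lookup plus an HTTP request, svchost.exe only queries AD records.
EVENTS = (
    [{"pid": 4412, "image": "rundll32.exe", "kind": "dns", "qname": _tunnel_qname(i)} for i in range(6)]
    + [
        {"pid": 4412, "image": "rundll32.exe", "kind": "tcp", "dst": "192.168.0.4", "port": 80},
        {"pid": 4412, "image": "rundll32.exe", "kind": "tcp", "dst": "192.168.0.4", "port": 80},
        {"pid": 1000, "image": "chrome.exe", "kind": "dns", "qname": "www.example.com"},
        {"pid": 1000, "image": "chrome.exe", "kind": "tcp", "dst": "93.184.216.34", "port": 80},
        {"pid": 2000, "image": "svchost.exe", "kind": "dns", "qname": "_ldap._tcp.dc._msdcs.corp.local"},
    ]
)


def shannon_entropy(s):
    """Bits per character; encoded payloads in labels score well above dictionary words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def registered_domain(qname):
    # Assumption: two-label registrable domain. Use the public suffix list in real deployments.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(events=EVENTS, max_qname=MAX_QNAME, min_subdomains=MIN_SUBDOMAINS):
    """Return one multiband finding per (process, domain) that shows a DNS channel plus HTTP."""
    dns = defaultdict(lambda: defaultdict(set))   # pid -> registrable domain -> query names
    http = defaultdict(set)                        # pid -> "ip:port" destinations on HTTP ports
    images = {}
    for e in events:
        images[e["pid"]] = e["image"]
        if e["kind"] == "dns":
            dns[e["pid"]][registered_domain(e["qname"])].add(e["qname"])
        elif e["kind"] == "tcp" and e["port"] in HTTP_PORTS:
            http[e["pid"]].add(f'{e["dst"]}:{e["port"]}')

    findings = []
    for pid, domains in dns.items():
        for domain, names in domains.items():
            longest = max(names, key=len)
            oversized = len(longest) > max_qname
            fanout = len(names) >= min_subdomains
            if not (oversized or fanout) or pid not in http:
                continue  # ordinary lookups, or a DNS-only oddity: not multiband
            subdomain = longest[: -(len(domain) + 1)] if len(longest) > len(domain) + 1 else ""
            findings.append({
                "pid": pid, "image": images[pid], "technique_id": "T1026",
                "technique": "Multiband Communication", "tactic": "Command and Control",
                "domain": domain, "distinct_subdomains": len(names), "oversized": oversized,
                "longest_qname_len": len(longest),
                "subdomain_entropy": round(shannon_entropy(subdomain), 2),
                "http": sorted(http[pid]),
            })
    return findings


if __name__ == "__main__":
    for f in analyze():
        print(f)
```

Keying both channels on the owning process is the part most of the table's telemetry already supports (the rundll32.exe process is named on both sides in several entries); the rule only joins what the sensors recorded separately.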
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Windows Admin Shares (T1077); Tactic: Lateral Movement | 16.B.1 | Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5) | Telemetry showing process tree with five different net.exe logon attempts targeting ADMIN$; Specific Behavior alerts for a successful logon mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) | Telemetry, Specific Behavior (70) | Telemetry showing explorer.exe writing \\conficker\PIPE\srvsvc (tainted by the parent "FileExts Registry Key modified" alert); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert) | Telemetry-Tainted (7) | Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally to access network resources (General Behavior); OverWatch General Behavior alert indicating successful net use connection to ADMIN$ was suspicious (would be tainted by previous powershell.exe detection by orange line indicating medium severity in process tree view that is not shown); Telemetry from process tree showing successful net use connection to ADMIN$ (tainted by previous powershell.exe detection by red line indicating high severity; the vendor noted the process tree view and severities change as detections occur) | Telemetry-Tainted, General Behavior-Delayed-Tainted, General Behavior-Delayed (58) | Specific Behavior alert of net.exe execution with correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert) | Specific Behavior-Tainted, Telemetry (67) | Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry); Specific Behavior alert for Mounting Hidden Shares for the successful net.exe connection attempt (tainted by parent PowerShell alert) | Specific Behavior-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted (73) | Specific Behavior alerts for net.exe connecting to a remote administrative share; General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing a net use logon attempt to ADMIN$ shares | Telemetry, Specific Behavior, General Behavior (100) | Enrichment of net.exe logon attempt to ADMIN$ with Net Use Command Execution alert (tagged with the correct ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement); Excerpt from the Managed Defense Report indicating the attacker accessed Conficker by mounting the ADMIN$ share (Specific Behavior) | Enrichment, Specific Behavior-Delayed (72) | Telemetry showing a logon attempt via net.exe (tainted by a parent alert on powershell.exe); Specific Behavior alert for the net utility executed to authenticate to a remote admin share with valid accounts, tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) | Telemetry-Tainted, Specific Behavior (67) | Specific Behavior alert for brute force attempt to remote SMB shares; Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content); Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert) | Telemetry-Tainted, Specific Behavior-Delayed (64) | Telemetry showing a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as local user Kmitnick (tainted by a parent alert on wscript.exe) | Telemetry-Tainted (7) | Telemetry showing logon attempt targeting ADMIN$ via net.exe and command-line arguments | Telemetry (10) | Telemetry showing a net.exe logon attempt targeting ADMIN$ (tainted by relationship to threat story); Telemetry showing net.exe logon attempts and corresponding exit codes | Telemetry-Tainted (7) |
16.D.1 | Empire: Successful authentication targeted the C$ admin share on Creeper (10.0.0.4) | Specific Behavior alerts for a successful logon mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement); Telemetry showing process tree with successful net.exe logon targeting C$ | Telemetry, Specific Behavior (70) | Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert) | Telemetry-Tainted (7) | Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally to access network resources (General Behavior); Telemetry showing process tree containing successful net use connection to C$ (tainted by previous powershell.exe detection by red line indicating high severity) | Telemetry-Tainted, General Behavior-Delayed (34) | Process tree showing alerted net.exe execution (tainted by a parent PowerShell alert); Specific Behavior alert of net.exe execution with correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert) | Specific Behavior-Tainted, Telemetry (67) | Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry); Specific Behavior alert for Mounting Hidden Shares for the successful net.exe connection attempt tagged with correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert) | Specific Behavior-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted (73) | General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing net.exe with command-line arguments | Telemetry, General Behavior (40) | Excerpt from the Managed Defense Report indicating the attacker mounted C$ on Creeper with the Kmitnick account (Specific Behavior); Enrichment of net1.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement) | Enrichment, Specific Behavior-Delayed (72) | Specific Behavior alert for the net utility removing a shared connection via PowerShell, mapped to the ATT&CK Tactic (Defense Evasion) and Technique (Network Share Connection Removal); Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on powershell.exe) | Telemetry-Tainted, Specific Behavior (67) | Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert); Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by parent alert on PowerShell script with suspicious content) | Telemetry-Tainted (7) | Telemetry showing a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick (tainted by a parent alert on wscript.exe) | Telemetry-Tainted (7) | Telemetry showing logon attempt targeting C$ via net.exe and command-line arguments | Telemetry (10) | Telemetry showing a net.exe logon attempt targeting C$ (tainted by relationship to threat story) | Telemetry-Tainted (7) |
16.A.1 | Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6) | Specific Behavior alerts for the four different net.exe logon attempts; Telemetry showing process tree with four different net.exe logon attempts targeting ADMIN$ | Telemetry, Specific Behavior (70) | Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert); Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert); Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Bob (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert); Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Frieda (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert) | Enrichment-Tainted (12) | Telemetry showing net use logon attempts to ADMIN$ shares; Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally to access network resources (General Behavior); Process tree view of OverWatch General Behavior alerts indicating net.exe commands were suspicious (net.exe command details not specifically shown, tainted by previous powershell.exe detection by red line indicating high severity) | Telemetry, General Behavior-Delayed-Tainted, General Behavior-Delayed (61) | Enrichment of net.exe execution showing logon attempts for the user Bob with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert); Enrichment of net.exe execution showing logon attempts for the user Frieda with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert); Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert); Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert); Enrichment of net.exe execution with related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert) | Specific Behavior-Tainted, Telemetry (67) | Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry); Specific Behavior alert for Mounting Hidden Shares, associated with each net.exe connection attempt (tainted by parent PowerShell alert) | Specific Behavior-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted (73) | Specific Behavior alerts for net.exe connecting to a remote administrative share; Telemetry showing net use logon attempts to ADMIN$ shares; General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe) | Telemetry, Specific Behavior, General Behavior (100) | Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Bob; Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Kmitnick; Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Frieda; Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Kmitnick | Enrichment (15) | Telemetry showing powershell.exe executing repeated logon attempts targeting ADMIN$ via net.exe (tainted by a parent alert on powershell.exe) | Telemetry-Tainted (7) | Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content); Specific Behavior alert for brute force attempt to remote SMB shares; Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert); Execution sequence showing net.exe logon failure to Morris due to WebDAV fallback authentication attempt over port 80 to the C2 server | Telemetry-Tainted, Specific Behavior-Delayed (64) | Specific Behavior alert for a net.exe logon attempt to ADMIN$ tagged with the correct ATT&CK Technique (Windows Admin Shares); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) as local user Kmitnick (tainted by a parent alert on wscript.exe); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Frieda (tainted by a parent alert on wscript.exe); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Bob (tainted by a parent alert on wscript.exe) | Telemetry-Tainted, Specific Behavior (67) | Telemetry showing logon attempts targeting ADMIN$ via net.exe and command-line arguments | Telemetry (10) | Telemetry showing net.exe logon attempts targeting ADMIN$ and corresponding exit codes; Telemetry showing net.exe logon attempts targeting ADMIN$ (tainted by relationship to threat story) | Telemetry-Tainted (7) |
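Across the three T1077 rows the sensors mostly recorded each net.exe execution on its own; Microsoft's "brute force attempt to remote SMB shares" alert and SentinelOne's exit-code telemetry are the only hints that the spray in 16.A.1 and the successful mounts in 16.B.1 and 16.D.1 are different phases of one activity. The following added example (written for this page; it is not a vendor's rule or the evaluation's code) runs that distinction over constructed net.exe process events: the command line is parsed for target, share and /user:, attempts from one source host are kept in a sliding window, a spray is raised when distinct accounts in the window cross a threshold, and a lateral-movement finding is raised for each successful (exit code 0) mount of an administrative share. The event shape, the 5-minute window, the 3-account threshold, the sample host names and the passwords are all constructed for the example; the password is redacted before it reaches the finding, because command-line telemetry of net use carries it in clear text.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumption: spray attempts from one source cluster within minutes
SPRAY_USERS = 3                 # assumption: 3+ distinct accounts from one source in WINDOW = spray

# Constructed net.exe process events: (UTC time, source host, command line, exit code).
# Exit code 0 = share mapped; non-zero = logon failed. Not real evaluation telemetry.
EVENTS = [
    ("2019-02-20T14:01:05", "CodeRed", r"net use \\10.0.1.4\ADMIN$ /user:Kmitnick Spring2019", 2),
    ("2019-02-20T14:01:09", "CodeRed", r"net use \\10.0.1.6\ADMIN$ /user:Kmitnick Spring2019", 2),
    ("2019-02-20T14:01:14", "CodeRed", r"net use \\10.0.1.6\ADMIN$ /user:Bob Spring2019", 2),
    ("2019-02-20T14:01:19", "CodeRed", r"net use \\10.0.1.6\ADMIN$ /user:Frieda Spring2019", 2),
    ("2019-02-20T14:12:40", "CodeRed", r"net use \\10.0.0.5\ADMIN$ /user:Kmitnick P@ssw0rd!", 0),
    ("2019-02-20T14:20:02", "CodeRed", r"net use \\10.0.0.4\C$ /user:Kmitnick P@ssw0rd!", 0),
    ("2019-02-20T14:25:00", "Helpdesk01", r"net use \\fileserv\Public hunter2 /user:CORP\alice", 0),
]

UNC_RE = re.compile(r"(?i)^net1?(?:\.exe)?\s+use\s+\\\\(?P<target>[^\\\s]+)\\(?P<share>\S+)")


def parse_net_use(cmdline):
    """Extract target, share and user from a 'net use' command line and redact the password.
    Returns None for other net subcommands."""
    m = UNC_RE.match(cmdline)
    if not m:
        return None
    tokens = cmdline.split()
    user = next((t[6:] for t in tokens if t.lower().startswith("/user:")), None)
    # net.exe accepts the password either before or after /user:, so take the first
    # positional token after the UNC path that is not a /switch.
    unc_idx = next(i for i, t in enumerate(tokens) if t.startswith("\\\\"))
    password = next((t for t in tokens[unc_idx + 1:] if not t.startswith("/")), None)
    redacted = cmdline.replace(password, "<redacted>") if password else cmdline
    return {"target": m["target"], "share": m["share"], "user": user,
            "admin_share": m["share"].endswith("$"), "redacted": redacted}


def detect(events=EVENTS, window=WINDOW, spray_users=SPRAY_USERS):
    """Return spray (T1110) and admin-share mount (T1077) findings in time order."""
    findings = []
    recent = defaultdict(deque)   # source host -> (time, parsed) attempts inside the window
    last_spray = {}               # source host -> time of last spray finding (suppress repeats)
    for ts, source, cmdline, rc in sorted(events):
        parsed = parse_net_use(cmdline)
        if not parsed:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[source]
        q.append((t, parsed))
        while q and t - q[0][0] > window:
            q.popleft()
        users = {p["user"] for _, p in q if p["user"]}
        targets = {p["target"] for _, p in q}
        if len(users) >= spray_users and (source not in last_spray or t - last_spray[source] > window):
            last_spray[source] = t
            findings.append({"kind": "password spray via net use", "technique_id": "T1110",
                             "technique": "Brute Force", "source": source, "time": ts,
                             "users": sorted(users), "targets": sorted(targets)})
        if rc == 0 and parsed["admin_share"]:
            findings.append({"kind": "admin share mounted", "technique_id": "T1077",
                             "technique": "Windows Admin Shares", "tactic": "Lateral Movement",
                             "source": source, "time": ts, "target": parsed["target"],
                             "share": parsed["share"], "user": parsed["user"],
                             "command": parsed["redacted"]})
    return findings


if __name__ == "__main__":
    for f in detect():
        print(f)
```

The Microsoft entry in 16.A.1 records a caveat the rule should not hide: a failed net use to Morris fell back to WebDAV over port 80, so a failed mount can show up as outbound HTTP rather than SMB, and a detection keyed only on port 445 traffic would miss the attempt while the process event above still catches it.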
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Clipboard Data (T1115); Tactic: Collection | 12.E.1.5 | Empire: WinEnum module included enumeration of clipboard contents | | None (0) | | None (0) | OverWatch alert indicating encoded PowerShell was suspicious (does not count as a detection); Decoding (outside the capability) of encoded PowerShell command to show Windows.Clipboard details (does not count as a detection); Telemetry showing encoded PowerShell, which decodes to show Windows.Clipboard details (does not count as a detection) | None (0) | Telemetry of the PowerShell function to gather clipboard data (tainted by a parent PowerShell alert) | Telemetry-Tainted (7) | Interactive Shell events showing the WinEnum script and Clipboard Contents function (does not count as part of detection due to manual process of pulling events); Telemetry showing decoded PowerShell displaying Windows.Clipboard as part of WinEnum (the PowerShell process was tainted by parent PowerShell alerts) | Telemetry-Tainted (7) | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function; Indicator of Compromise alert for PowerShell Empire accessing the clipboard | Telemetry, Indicator of Compromise (30) | Excerpt from the Managed Defense Report indicating the attacker executed the Windows Clipboard capability of Empire (Indicator of Compromise); Decoding (outside the capability) of encoded PowerShell command to show Windows.Clipboard details (does not count as a detection); PowerShell Execution alert containing encoded PowerShell command (does not count as a detection) | Indicator of Compromise-Delayed (17) | Telemetry showing execution of an encoded PowerShell command (does not count as a detection) | None (0) | | None (0) | Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Clipboard Data) | Enrichment (15) | | None (0) | | None (0) |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
New Service (T1050); Tactics: Persistence, Privilege Escalation | 16.I.1 | Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4) | Specific Behavior alert on sc.exe executing to create the AdobeUpdater service mapped to ATT&CK; Telemetry from process tree showing sc.exe execution creating the AdobeUpdater service | Telemetry, Specific Behavior (70) | Telemetry showing powershell.exe executing sc.exe to create the AdobeUpdater service on Creeper and set its description (tainted by the parent "Powershell executed remote commands" alert); Specific Behavior alert for "New Windows service created" and additional alert for "Windows Service Registry Key modified" | Telemetry-Tainted, Specific Behavior-Configuration Change (64) | Telemetry from process tree showing sc.exe execution to create the AdobeUpdater service (tainted from previous powershell.exe detection by red line indicating high severity); Email excerpt sent by OverWatch team indicating they observed a newly created file (AdobeUpdater service in registry) to establish persistence (General Behavior); Telemetry showing AdobeUpdater service details with binPath pointed to cmd.exe with arguments and service description | Telemetry-Tainted, General Behavior-Delayed (34) | Specific Behavior alert for unconventional new service with correct ATT&CK Technique (New Service) and Tactics (Persistence, Privilege Escalation) (tainted by a parent PowerShell alert) | Specific Behavior-Tainted, Telemetry (67) | Enriched event tree showing enrichment of sc.exe execution with correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts, tree is initially available unenriched to show the base telemetry); Specific Behavior alert for new service AdobeUpdater creation on Creeper tagged with correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence) | Telemetry-Tainted, Enrichment-Delayed-Tainted, Specific Behavior (76) | General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing sc.exe with command-line arguments; Specific Behavior alert for sc.exe used with parameters typical for lateral movement | Telemetry, Specific Behavior, General Behavior (100) | Excerpt from the Managed Defense Report indicating sc.exe was used to create a new service (Specific Behavior); Additional details on enrichment of sc.exe with SC Execution alert; Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with correct ATT&CK Technique, T1050 - New Service, and Tactic, Discovery) | Enrichment, Specific Behavior-Delayed (72) | Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe); Telemetry showing that a new service was added; Enrichment of net.exe with a relevant ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via the sc.exe/net.exe tool | Telemetry-Tainted, Enrichment (22) | Specific Behavior alert on suspicious service registration on Creeper; Telemetry showing AdobeUpdater service registry information that was changed on Creeper; Telemetry from CodeRed showing execution sequence of sc.exe AdobeUpdater remote service creation; Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert) | Telemetry-Tainted, Specific Behavior (67) | Enrichment of sc.exe executing with the correct ATT&CK Technique (New Service); Telemetry showing execution of sc.exe to create a new AdobeUpdater service (tainted by a parent alert on wscript.exe); Telemetry showing the creation of Registry keys associated with the AdobeUpdater service; Specific Behavior alert for a new service created via the command line (tainted by a parent alert on wscript.exe) | Telemetry-Tainted, Specific Behavior-Tainted, Enrichment (79) | Telemetry showing execution of sc.exe to create the AdobeUpdater service | Telemetry (10) | Telemetry showing execution of sc.exe to create the AdobeUpdater service (tainted by prior threat story) | Telemetry-Tainted (7) |
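Two scoring concepts recur through the discovery, archiving, clipboard and service rows above: "tainted" telemetry (a child process is only surfaced because an ancestor already carries an alert) and "enrichment" (a command line is labelled with the ATT&CK technique it corresponds to). The following added example, written for this page rather than taken from any vendor or from the evaluation's own tooling, implements both over constructed process-creation events: taint is propagated down the process tree from processes that already have an alert, command lines are matched against technique rules for qprocess (T1057), reg query (T1012), net group (T1069), sc create (T1050) and clipboard access (T1115), the -EncodedCommand payload is decoded before matching (the step several vendors in the 12.E.1.5 row had to do "outside the capability"), and the archiver command line is classified by its argument grammar rather than the image name, which is what catches the renamed RAR binary (recycler.exe) and separates -hp header encryption (T1022) from plain archiving (T1002). All event data, alert names and rule thresholds are assumptions constructed for the example.

```python
import base64
import re

# ---- constructed sample telemetry (not evaluation data) --------------------------------------
ENCODED = base64.b64encode("[Windows.Clipboard]::GetText()".encode("utf-16-le")).decode()

EVENTS = [  # (pid, ppid, image, command line)
    (100, 1,   "wscript.exe",    r"wscript.exe C:\Users\bob\AppData\Local\Temp\update.vbs"),
    (200, 100, "powershell.exe", "powershell.exe -NoP -W Hidden -enc " + ENCODED),
    (300, 200, "qprocess.exe",   "qprocess *"),
    (301, 200, "net.exe",        'net group "Domain Admins" /domain'),
    (302, 200, "reg.exe",        r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
    (303, 200, "recycler.exe",   r"recycler.exe a -hpSecret123 C:\$Recycle.Bin\old.rar C:\Users\bob\Documents\plan.vsdx"),
    (304, 200, "sc.exe",         r'sc \\creeper create AdobeUpdater binPath= "cmd.exe /c whoami"'),
    (400, 1,   "explorer.exe",   "explorer.exe"),
    (401, 400, "net.exe",        'net group "Domain Admins" /domain'),  # same command, no alerted ancestor
]

# Alerts a sensor already raised on specific processes (constructed names).
ALERTS = {100: "Windows Script Executing PowerShell", 200: "PowerShell executed encoded command"}

# (image regex, command-line regex, technique id, technique, tactic); matched against the raw
# command line plus any decoded -EncodedCommand payload.
RULES = [
    (r"qprocess\.exe",   r".*",                           "T1057", "Process Discovery",           "Discovery"),
    (r"reg\.exe",        r"^reg\s+query\b",               "T1012", "Query Registry",              "Discovery"),
    (r"net1?\.exe",      r"^net1?\s+group\b",             "T1069", "Permission Groups Discovery", "Discovery"),
    (r"sc\.exe",         r"^sc\s+(\\\\\S+\s+)?create\b",  "T1050", "New Service",                 "Persistence"),
    (r"powershell\.exe", r"(?i)Windows\.Clipboard|Get-Clipboard", "T1115", "Clipboard Data",      "Collection"),
]

# Covers -e, -ec, -enc and -EncodedCommand; PowerShell also accepts other unambiguous prefixes.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or '' if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def taint_chain(pid, parent, alerts):
    """Alerted ancestors of pid, nearest first, as (ancestor pid, alert name)."""
    chain, seen, cur = [], set(), parent.get(pid)
    while cur is not None and cur not in seen:
        seen.add(cur)
        if cur in alerts:
            chain.append((cur, alerts[cur]))
        cur = parent.get(cur)
    return chain


def classify_archiver(image, cmdline):
    """Classify an archiver 'a' (add) command by its arguments, independent of the image name."""
    m = re.match(r"^\S+\s+a\s+(?P<args>.*)$", cmdline)
    if not m:
        return None
    args = m.group("args")
    header_encrypted = re.search(r"(?:^|\s)-hp\S*", args) is not None   # -hp: names and data
    data_encrypted = re.search(r"(?:^|\s)-p\S+", args) is not None      # -p: data only
    encrypted = header_encrypted or data_encrypted
    return {"technique_id": "T1022" if encrypted else "T1002",
            "technique": "Data Encrypted" if encrypted else "Data Compressed",
            "tactic": "Exfiltration",
            "renamed_binary": image.lower() not in ("rar.exe", "winrar.exe"),
            "archive_in_recycle_bin": re.search(r"(?i)\\\$Recycle\.Bin\\[^\\\s]+\.rar", args) is not None}


def enrich(events=EVENTS, alerts=ALERTS):
    """Return one finding per matched rule, each carrying the taint chain of the process."""
    parent = {pid: ppid for pid, ppid, _, _ in events}
    findings = []
    for pid, _ppid, image, cmdline in events:
        text = cmdline + " " + decode_encoded_powershell(cmdline)
        hits = [{"technique_id": tid, "technique": name, "tactic": tactic}
                for img_re, cmd_re, tid, name, tactic in RULES
                if re.search(img_re, image, re.I) and re.search(cmd_re, text)]
        archive = classify_archiver(image, cmdline)
        if archive:
            hits.append(archive)
        for h in hits:
            h.update(pid=pid, image=image, tainted_by=taint_chain(pid, parent, alerts))
            findings.append(h)
    return findings


if __name__ == "__main__":
    for f in enrich():
        print(f)
```

The pair of net group events is the point of the example: the same command line gets the same T1069 enrichment whether it runs under the alerted PowerShell or under explorer.exe, but only the former carries a taint chain, which is the difference between a "Telemetry-Tainted" and an untainted "Telemetry" result in the table.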
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Permission Groups Discovery / Discovery (T1069) | 12.E.1.2 | Empire: WinEnum module included enumeration of AD group memberships | | None 0 | Telemetry showing powershell.exe execution and connection to the domain controller 10.0.0.4 (Creeper) (does not count as a detection) | None 0 | | None 0 | | None 0 | Interactive Shell events showing the WinEnum script and the AD Group Memberships function (does not count as a detection due to manual process of pulling events) | None 0 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | Telemetry showing loading of System.DirectoryServices.AccountManagement assembly (does not count as a detection) | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
12.F.1 | Empire: 'net group "Domain Admins" /domain' via PowerShell | Telemetry from process tree showing net.exe with command-line arguments Enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery) | Telemetry Enrichment 25 | Enrichment of net.exe with conditions Net Domain Admins Reconnaissance Command and Net Group Reconnaissance Command (tainted by the parent Script File Created alert) | Enrichment-Tainted-Configuration Change 9 | Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity) Email excerpt from the OverWatch team indicating net group was part of additional malicious discovery activity (General Behavior) Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted from previous powershell.exe detection by red line indicating high severity) | Telemetry-Tainted Enrichment-Tainted General Behavior-Delayed 46 | Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert) General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery) | General Behavior-Tainted Telemetry 37 | Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry) Enrichment on net group by Enumeration of Administrator Accounts alert (mapped to correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery) | Telemetry-Tainted Enrichment-Tainted-Delayed Enrichment-Tainted 28 | Telemetry showing powershell.exe executing net.exe with command-line arguments General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe) | General Behavior Telemetry 40 | Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior) Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery) | Enrichment General Behavior-Delayed 42 | Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permissions Group Discovery) and a suspicious indicator that the net utility was used to obtain information of user groups Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on wscript.exe) Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permissions Group Discovery) and a suspicious indicator that the net utility was used to obtain information of domain admins | Telemetry-Tainted Enrichment Enrichment 37 | Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown) | Telemetry-Tainted General Behavior-Delayed 34 | Enrichment of the execution of net.exe and net1.exe as an enumeration command (tainted by a parent alert on wscript.exe) Enrichment of the execution of net.exe and net1.exe as the possible enumeration of administrator groups (tainted by a parent alert on wscript.exe) Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe) Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery) | Telemetry-Tainted Enrichment-Tainted Enrichment-Tainted Enrichment 46 | Telemetry showing net.exe with command-line arguments | Telemetry 10 | Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter) | Telemetry-Tainted 7 |
12.F.2 | Empire: 'net localgroup administrators' via PowerShell | Enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery) Telemetry from process tree showing net.exe with command-line arguments | Telemetry Enrichment 25 | Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert) | Enrichment-Tainted-Configuration Change 9 | Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity) Email excerpt from the OverWatch team indicating net localgroup was part of additional malicious discovery activity (General Behavior) | Telemetry-Tainted General Behavior-Delayed 34 | Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert) General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery) | General Behavior-Tainted Telemetry 37 | Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry). The tree also shows Enumeration of Administrator Accounts alert. | Telemetry-Tainted Enrichment-Tainted-Delayed Enrichment-Tainted 28 | General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe) Telemetry showing powershell.exe executing net.exe with command-line arguments | General Behavior Telemetry 40 | Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior) Enrichment of net.exe with command-line arguments (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery) | Enrichment General Behavior-Delayed 42 | Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on wscript.exe) Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permissions Group Discovery) and a suspicious indicator that the net utility was used to obtain information of user groups | Telemetry-Tainted Enrichment 22 | Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown) | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe) Enrichment of the execution of net.exe and net1.exe as the possible enumeration of administrator groups (tainted by a parent alert on wscript.exe) Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery) | Telemetry-Tainted Enrichment-Tainted Enrichment 34 | Telemetry showing net.exe with command-line arguments | Telemetry 10 | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
2.F.1 | Cobalt Strike: 'net localgroup administrators' via cmd | Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery) Enrichment of net.exe with tag Administrator Enumeration Telemetry from process tree showing net.exe with command-line arguments | Telemetry Enrichment 25 | Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert) | Enrichment-Tainted-Configuration Change 9 | Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net localgroup not specifically shown) OverWatch General Behavior alert for net localgroup Telemetry showing net with command-line arguments Email excerpt from the OverWatch team indicating net localgroup was a reconnaissance command (General Behavior) | Telemetry-Tainted General Behavior-Delayed General Behavior-Delayed 61 | Telemetry showing cmd.exe executing net with command-line arguments Process tree showing enriched net.exe executing (tainted by a parent Injected Shellcode alert) Enrichment of net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery) | Telemetry Enrichment-Tainted 22 | Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period Enrichment of net.exe execution with command-line arguments with Enumeration of Administrator Accounts alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery; tainted by parent Malicious File Detection) Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection) | Telemetry-Tainted Enrichment-Tainted General Behavior-Configuration Change-Delayed-Tainted 40 | Telemetry showing net.exe with command-line arguments General Behavior alert for rundll32.exe launching cmd.exe (executing net) General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe) Enrichment of net.exe indicating it is commonly used for reconnaissance | General Behavior Enrichment Telemetry General Behavior 85 | Excerpt from the Managed Defense Report indicating the attacker enumerated members of the local administrators group (Specific Behavior) Excerpt from the Managed Defense Report with additional details about net Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery) | Enrichment Specific Behavior-Delayed 72 | Process tree within trace detection containing cmd.exe executing the net.exe (tainted by a parent alert on Resume Viewer.exe) Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that information of users/groups was obtained | Telemetry-Tainted Enrichment 22 | General Behavior alert on suspicious sequence of exploration activities Telemetry showing execution sequence for net.exe with command-line arguments Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments | Telemetry General Behavior-Delayed 37 | Enrichment of net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery) | Enrichment 15 | Telemetry showing net.exe with command-line arguments | Telemetry 10 | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
2.F.3 | Cobalt Strike: 'net group "Domain Admins" /domain' via cmd | Telemetry from process tree showing net.exe with command-line arguments Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery) Enrichment of net.exe with tag Administrator Enumeration | Telemetry Enrichment 25 | Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert) | Enrichment-Tainted-Configuration Change 9 | Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted by orange line for medium severity from previous detection) Process tree showing all cmd.exe children under rundll32.exe (including net group) as tainted by orange line for medium severity Telemetry showing net with command-line arguments Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior) | Enrichment-Tainted Telemetry-Tainted General Behavior-Delayed 46 | General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery) Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert) Telemetry showing cmd.exe executing net with command-line arguments | Telemetry General Behavior-Tainted 37 | General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection) Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) Enrichment of net.exe execution with command-line arguments with Enumeration of Administrator Accounts alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery; tainted by parent Malicious File Detection) | Telemetry-Tainted Enrichment-Tainted General Behavior-Configuration Change-Delayed-Tainted 40 | Enrichment of net.exe indicating it is commonly used for reconnaissance Telemetry showing net.exe with command-line arguments General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe) | Enrichment Telemetry General Behavior 55 | Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery) Excerpt from the Managed Defense Report indicating the attacker enumerated the Domain Administrators group (Specific Behavior) Excerpt from the Managed Defense Report with additional details about net | Enrichment Specific Behavior-Delayed 72 | Enrichment of net group with a correct ATT&CK Tactic (Discovery) and Technique (Permission Group Discovery) and a suspicious indicator that a net utility was used to gather information of user groups Process tree within trace detection containing cmd.exe executing the net.exe (tainted by a parent alert on Resume Viewer.exe) | Telemetry-Tainted Enrichment 22 | Telemetry showing domain admins group discovery by Nimda at the domain controller Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments Telemetry showing execution sequence for net.exe with command-line arguments General Behavior alert on suspicious sequence of exploration activities | Telemetry General Behavior-Delayed 37 | Enrichment of the execution of net1.exe as the possible enumeration of administrator groups (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Enrichment of the execution of net.exe as the execution of an enumeration command using net or net1 (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Enrichment of the execution of net.exe as the possible enumeration of administrator groups (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted Enrichment-Tainted Enrichment-Tainted 31 | Event enrichment from IIOC module "Enumerates domain administrators" Telemetry showing net.exe with command-line arguments | Telemetry Enrichment 25 | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
2.F.2 | Cobalt Strike: 'net localgroup administrators /domain' via cmd | Telemetry from process tree showing net.exe with command-line arguments Enrichment of net.exe with tag Administrator Enumeration Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery) | Telemetry Enrichment 25 | Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert) | Enrichment-Tainted-Configuration Change 9 | Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net localgroup not specifically shown) Telemetry showing net with command-line arguments Email excerpt from the OverWatch team indicating net localgroup was a reconnaissance command (General Behavior) | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing cmd.exe executing net with command-line arguments Process tree showing enriched net.exe executing (tainted by a parent Injected Shellcode alert) Enrichment of net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery) | Telemetry Enrichment-Tainted 22 | General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) Enrichment of net.exe execution with command-line arguments with Enumeration of Administrator Accounts alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery; tainted by parent Malicious File Detection) Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection) | Telemetry-Tainted Enrichment-Tainted General Behavior-Configuration Change-Delayed-Tainted 40 | General Behavior alert for rundll32.exe launching cmd.exe (executing net) Enrichment of net.exe indicating it is commonly used for reconnaissance Telemetry showing net.exe with command-line arguments General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (cmd.exe) | General Behavior Enrichment Telemetry General Behavior 85 | Excerpt from the Managed Defense Report indicating the attacker enumerated members of the local administrators group (Specific Behavior) Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery) Excerpt from the Managed Defense Report with additional details about net | Enrichment Specific Behavior-Delayed 72 | Process tree within trace detection containing cmd.exe executing the net.exe (tainted by a parent alert on Resume Viewer.exe) Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that information of users/groups was obtained | Telemetry-Tainted Enrichment 22 | General Behavior alert on suspicious sequence of exploration activities Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments Telemetry showing execution sequence for net.exe with command-line arguments | Telemetry General Behavior-Delayed 37 | Enrichment of net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery) | Enrichment 15 | Telemetry showing net.exe with command-line arguments | Telemetry 10 | Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Network Share Connection Removal / Defense Evasion (T1126) | 16.C.1 | Empire: 'net use /delete' via PowerShell | Telemetry showing process tree with net.exe and command-line arguments Specific Behavior alerts for removing connected network share | Telemetry Specific Behavior 70 | Telemetry showing net.exe and command-line arguments (tainted by the parent "Powershell executed remote commands" alert) | Telemetry-Tainted 7 | Excerpt from email sent by OverWatch team indicating they observed ADMIN$ artifact removed (General Behavior) Telemetry from process tree showing net.exe executing with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity) | Telemetry-Tainted General Behavior-Delayed 34 | General Behavior alert for net.exe conducting suspicious activity (tainted by a parent PowerShell alert) | General Behavior-Tainted Telemetry 37 | Telemetry showing event tree containing net.exe and command-line argument (tainted by parent PowerShell alert) | Telemetry-Tainted 7 | General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe) Telemetry showing powershell.exe executing net.exe with command-line arguments | Telemetry General Behavior 40 | Telemetry showed net.exe executing with command-line arguments. Excerpt from the Managed Defense Report indicating the attacker unmounted the share from CodeRed (Specific Behavior) | Telemetry Specific Behavior-Delayed 67 | Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on powershell.exe) Specific Behavior alert for the net utility removing a shared connection via PowerShell, tagged to the correct ATT&CK Tactic (Defense Evasion) and Technique (Network Share Connection Removal) | Telemetry-Tainted Specific Behavior 67 | Telemetry showing net.exe with command-line arguments (tainted by parent alert on PowerShell script with suspicious content) Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert) | Telemetry-Tainted 7 | Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Connection Removal) Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe) | Telemetry-Tainted Enrichment 22 | Telemetry showing net.exe execution and command-line arguments | Telemetry 10 | Telemetry showing net.exe and command-line arguments (tainted by relationship to threat story) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
File Deletion / Defense Evasion (T1107) | 19.D.1 | Empire: 'del C:\"$"Recycle.bin\old.rar' | Telemetry showing filemod (file modification) deletion of old.rar | Telemetry 10 | Telemetry showing powershell.exe deleting old.rar (tainted by the parent "PowerShell executed encoded commands" alert) | Telemetry-Tainted 7 | Email excerpt sent by OverWatch team indicating they observed old.rar being deleted (Specific Behavior) Telemetry showing deletion of old.rar | Telemetry Specific Behavior-Delayed 67 | Telemetry showing a deletion event for old.rar via powershell.exe (tainted by a parent PowerShell alert, listed as Owner process) | Telemetry-Tainted 7 | | None 0 | Telemetry showing the deletion of old.rar | Telemetry 10 | | None 0 | | None 0 | Telemetry showing PowerShell executing the Remove-Item cmdlet (does not count as a detection) | None 0 | Telemetry showing the file delete event for old.rar (tainted by a parent alert on wscript.exe) | Telemetry-Tainted 7 | Master file table on 10.0.1.5 (CodeRed) shows old.rar listed under deleted files (does not count as a detection) | None 0 | Telemetry exported from threat story showing the deletion of old.rar was tainted by prior activity because it was under the same Group ID | Telemetry-Tainted 7 |
19.D.2 | Empire: 'del recycler.exe' | Telemetry showing filemod (file modification) deletion of recycler.exe | Telemetry 10 | Telemetry showing powershell.exe deleting recycler.exe (tainted by the parent "PowerShell executed encoded commands" alert) | Telemetry-Tainted 7 | Email excerpt sent by OverWatch team indicating they observed recycler.exe being deleted (Specific Behavior) Telemetry showing deletion of recycler.exe | Telemetry Specific Behavior-Delayed 67 | Telemetry showing a deletion event for recycler.exe via powershell.exe (tainted by a parent PowerShell alert, listed as Owner process) | Telemetry-Tainted 7 | Telemetry showing file deletion of recycler.exe | Telemetry 10 | Telemetry showing the deletion of recycler.exe | Telemetry 10 | | None 0 | Telemetry showing file deletion event for recycler.exe (tainted by a parent alert on cmd.exe) Enrichment of PowerShell deleting recycler.exe with the correct ATT&CK Tactic (Defense Evasion) and Technique (File Deletion) and a suspicious indicator that an executable file was deleted from the system root folder | Telemetry-Tainted Enrichment 22 | | None 0 | Telemetry showing the file delete event for recycler.exe (tainted by a parent alert on wscript.exe) | Telemetry-Tainted 7 | | None 0 | Telemetry exported from threat story showing the deletion of recycler.exe was tainted by prior activity because it was under the same Group ID | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Execution through API / Execution (T1106) | 8.C.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
3.B.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
8.B.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
9.B.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
8.D.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
9.A.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
2.C.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
12.E.1 | | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 | | None 0 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Remote File Copy / Command and Control, Lateral Movement (T1105) | 19.A.1 | Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5) | Telemetry showing filemod (file modification) creation of recycler.exe | Telemetry 10 | Telemetry showing creation of recycler.exe (tainted by "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts) and powershell.exe behavior contributing to "Policy Dropper Behavior" alert General Behavior alert for "Policy Dropper Behavior" based on three correlated events | General Behavior-Configuration Change Telemetry-Tainted 34 | Telemetry showing network connection from 192.168.0.5 (C2 server) used by powershell.exe to transfer recycler.exe (parent powershell.exe tainted by previous wscript.exe detection by red line indicating high severity) Telemetry showing file write of recycler.exe (parent powershell.exe tainted by previous wscript.exe detection by red line indicating high severity) | Telemetry-Tainted 7 | Telemetry showing file create/write of recycler.exe (tainted by a parent PowerShell alert, listed as Owner process) | Telemetry-Tainted 7 | Telemetry showing file creation of recycler.exe by powershell.exe (tainted by parent PowerShell alerts) | Telemetry-Tainted 7 | Telemetry showing the creation of recycler.exe | Telemetry 10 | Enrichment of powershell.exe writing recycler.exe with PowerShell File Write alert (tagged with correct ATT&CK Technique, T1105 - Remote File Copy and Tactics, Command and Control, Lateral Movement) Excerpt from the Managed Defense Report indicating the attacker placed recycler.exe on the system (Specific Behavior) Continued enrichment of powershell.exe writing recycler.exe with PowerShell File Write alert | Enrichment Specific Behavior-Delayed 72 | Telemetry showing file creation event for recycler.exe | Telemetry 10 | Telemetry showing file creation of recycler.exe by powershell.exe showing hash and signer information as win.rar GmbH Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown) | Telemetry-Tainted 7 | General Behavior alert for executables created to disk by the Windows scripting engine (tainted by a parent alert on wscript.exe) General Behavior alert for PowerShell dropping an executable file to disk (tainted by a parent alert on wscript.exe) Telemetry showing the file create and write events for recycler.exe (tainted by a parent alert on wscript.exe) | Telemetry-Tainted General Behavior-Tainted General Behavior-Tainted 61 | Telemetry showing file write of recycler.exe | Telemetry 10 | Telemetry showing file write of recycler.exe Telemetry exported from threat story showing recycler.exe file write tainted by prior activity because it was under the same Group ID | Telemetry-Tainted 7 |
7.B.1 | Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6) | Telemetry showing updater.dll written to disk | Telemetry 10 | Telemetry showing creation of updater.dll (tainted by the parent "Powershell process created" alert) | Telemetry-Tainted 7 | Additional telemetry showing file write for updater.dll Telemetry showing file write for updater.dll (tainted by the parent "unexpected process" alert) | Telemetry-Tainted 7 | Telemetry showing the file write of updater.dll (tainted by a parent alert on cmd.exe, listed as Owner Process) Parent alert for updater.dll being detected as known malware | Telemetry-Tainted 7 | Telemetry showing creation of updater.dll (tainted by parent Malicious File Detection alert) | Telemetry-Tainted 7 | Enrichment of the creation of updater.dll identifying that a command prompt modified an unknown DLL | Enrichment 15 | Telemetry showing updater.dll file write (tainted by parent AV signature alert) Enrichment of updater.dll file write by cmd.exe with alert for CMD File Write (tagged with correct ATT&CK Technique, T1105 - Remote File Copy, and related ATT&CK Technique, T1059 - Command-Line Interface, and Tactic, Execution) | Enrichment Telemetry-Tainted 22 | Specific Behavior alert for a new PE file created in the Windows system (System32) folder Specific Behavior alert for a new dynamic library file created in the Windows system (System32) folder | Specific Behavior Specific Behavior 120 | Telemetry showing file write of updater.dll | Telemetry 10 | Telemetry showed the file create event for updater.dll Specific Behavior alert for a script engine creating/writing a DLL in the system32 folder (tainted by a parent process injection alert on cmd.exe) Specific Behavior alert for a Windows scripting engine creating an executable on disk | Telemetry Specific Behavior-Tainted Specific Behavior 127 | Telemetry showing file write event of updater.dll | Telemetry 10 | Telemetry showing file write of updater.dll (tainted by relationship to threat story) | Telemetry-Tainted 7 |
16.E.1 | Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5) | Telemetry showing creation and write to autoupdate.vbs | Telemetry 10 | Telemetry showing powershell.exe creating autoupdate.vbs (tainted by parent "Powershell executed remote commands" alerts) | Telemetry-Tainted 7 | Excerpt from email sent by OverWatch team indicating they observed autoupdate.vbs written (General Behavior) Telemetry showing File Write and New Script Write for autoupdate.vbs within powershell.exe (tainted by previous detection by orange line indicating medium severity) | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing file write of autoupdate.vbs (tainted by a parent PowerShell alert, listed as Owner process) | Telemetry-Tainted 7 | Telemetry showing creation of autoupdate.vbs (tainted by parent PowerShell alert) | Telemetry-Tainted 7 | Telemetry showing the creation of autoupdate.vbs | Telemetry 10 | Additional details on enrichment of powershell.exe writing autoupdate.vbs with PowerShell File Write alert Enrichment of powershell.exe writing autoupdate.vbs with PowerShell File Write alert (tagged with correct ATT&CK Technique, T1105 - Remote File Copy, and Tactics, Command and Control and Lateral Movement) | Enrichment 15 | Telemetry showing the creation of autoupdate.vbs Enrichment of powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Remote File Copy) and a suspicious indicator that a file was copied to a remote computer via PowerShell | Telemetry Enrichment 25 | Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert) Telemetry showing autoupdate.vbs creation (tainted by parent alert on PowerShell script with suspicious content) | Telemetry-Tainted 7 | Telemetry showing file create and write events for autoupdate.vbs | Telemetry 10 | Telemetry showing file write of autoupdate.vbs | Telemetry 10 | Telemetry showing creation and writes to autoupdate.vbs Telemetry showing file event for autoupdate.vbs (tainted by relationship to threat story but Group ID not shown in this view) | Telemetry-Tainted 7 |
14.A.1 | Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk | | Telemetry 10 | Telemetry showing port 8080 HTTP GET request to C2 domain for file wdbypass (tainted by the parent "Powershell executed encoded commands" alert) | Telemetry-Tainted 7 | Email excerpt from the OverWatch team indicating PowerShell retrieved the file wdbypass (Specific Behavior) | Specific Behavior-Delayed 57 | Specific Behavior alert showing decoded PowerShell with download request of wdbypass over HTTP port 8080 Specific Behavior alert for Download & execute of the wdbypass file | Specific Behavior-Tainted 57 | Telemetry showing decoded PowerShell with download request of wdbypass over port 8080 | Telemetry 10 | Telemetry showing powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass Specific Behavior alert for PowerShell downloading a significant amount of data using HTTP(S) | Telemetry Specific Behavior 70 | Enrichment of HTTP GET request for wdbypass with PowerShell URL Request alert (tagged with correct ATT&CK Technique, T1105 - Remote File Copy, and Tactic, Command and Control) | Enrichment 15 | Telemetry showing encoded PowerShell command that could be decoded outside the capability (does not count as a detection) | None 0 | Telemetry showing decoded PowerShell script with download HTTP request of wdbypass over port 8080 and tainted relationship to alert on suspicious PowerShell command-line arguments Telemetry showing network connection to 192.168.0.5 (C2 server) over port 8080 | Telemetry-Tainted 7 | Telemetry showing decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability) | None 0 | Telemetry showing decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability) | None 0 | | None 0 |
16.G.1 | Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4) | Telemetry showing remote creation and write to update.vbs | Telemetry 10 | Enrichment of powershell.exe creating update.vbs (tainted by parent "Powershell executed remote commands" alerts) | Enrichment-Tainted-Configuration Change 9 | Telemetry showing update.vbs with event_name NewScriptWritten indicating a write to C$ | Telemetry 10 | Telemetry of file events for write of update.vbs to Creeper (10.0.0.4) (tainted by a parent PowerShell alert, listed as Owner process) | Telemetry-Tainted 7 | | Telemetry 10 | Telemetry showing the creation of update.vbs | Telemetry 10 | Enrichment of powershell.exe writing update.vbs with File Write to Network Share alert Excerpt from the Managed Defense Report of the write of the autoupdate.vbs script (Specific Behavior) | Enrichment Specific Behavior-Delayed 72 | Enrichment of powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Remote File Copy) and a suspicious indicator that a file was copied to a remote computer via PowerShell Telemetry showing the creation of update.vbs | Telemetry Enrichment 25 | Telemetry showing file creation of update.vbs on 10.0.0.4 (Creeper) Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert) Telemetry showing remote creation of update.vbs on 10.0.0.4 (Creeper) from 10.0.1.5 (CodeRed) | Telemetry-Tainted 7 | Specific Behavior alert for a script being modified/moved to a remote location (tainted by a parent alert on wscript.exe) Telemetry showed file create and write events for update.vbs | Telemetry Specific Behavior-Tainted 67 | | None 0 | Telemetry showing create file event of update.vbs on 10.0.0.4 (Creeper) (tainted by relationship to threat story but Group ID not shown in this view) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Access Token Manipulation
Defense Evasion, Privilege Escalation
(T1134) | 3.A.1 | Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token | Telemetry showing svchost.exe activity related to token manipulation Telemetry showing svchost.exe command line arguments, specifically seclogon | Telemetry 10 | Relationships view of alert showing svchost.exe spawning powershell.exe tree (including encoded PowerShell). Red dots indicate malicious behavior and orange indicate suspicious behavior (based off impact value) (does not count as a detection) Alert for PowerShell process creation (does not count as a detection) | None 0 | | None 0 | Alert for malicious code injection into PowerShell (does not count as a detection) Telemetry showing the bypassuactoken.x64.dll was loaded (does not count as a detection) | None 0 | Telemetry showing powershell.exe spawned with token authentication id 100243447 Telemetry showing svchost.exe seclogon event for token login id 0x5f997f7 (100243447) | Telemetry 10 | Telemetry showing logon event for user Debbie with an elevated token Telemetry showing svchost.exe executed with the seclogon command-line argument | Telemetry 10 | Telemetry showing svchost.exe seclogon event for token login ID 0xfcf5fd Telemetry showing group membership of token logon ID 0xfcf5fd, which includes S-1-16-12288 (High Mandatory Level) | Telemetry-Configuration Change 7 | Telemetry showing a New Credentials logon event for user Debbie Telemetry showing svchost.exe, with the seclogon command-line argument | Telemetry-Delayed 7 | Telemetry showing svchost.exe execution with seclogon command-line argument then subsequent powershell.exe Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and elevated powershell.exe | Telemetry-Tainted 7 | Telemetry showing logon event with an elevated token and new logon ID Telemetry showing svchost.exe executed with the seclogon command-line argument | Telemetry 10 | | None 0 | | None 0 |
5.B.1 | Cobalt Strike: Built-in token theft capability executed to change user context to George | Telemetry showing parent cmd.exe process running under user context Debbie Telemetry showing child cmd.exe process running under user context George | Telemetry 10 | | None 0 | Telemetry showing children of the compromised process (PID 21898821890) first running as Debbie, then as George | Telemetry 10 | Telemetry within the process tree showing cmd.exe associated with users Debbie and George (tainted by a parent alert on explorer.exe) | Telemetry-Tainted 7 | Telemetry showing the cmd.exe that spawned as user George from rundll32.exe running as user Debbie (tainted by parent Privilege Escalation alert) Specific Behavior alert on Privilege Escalation showing a process spawning (cmd.exe) with different tokens than the parent (rundll32.exe) (mapped to the correct ATT&CK Technique, T1134 - Access Token Manipulation, and Tactics, Privilege Escalation and Defense Evasion) | Specific Behavior Telemetry-Tainted 67 | Telemetry showing a cmd.exe associated with user Debbie spawn a cmd.exe associated with user George, indicating user context change via token manipulation | Telemetry 10 | Telemetry showing the user George executing reg.exe with command-line arguments during Step 6 Telemetry showing the user Debbie executing net.exe with command-line arguments during Step 4 | Telemetry 10 | Telemetry showing a change in user execution context from Debbie to George between processes | Telemetry 10 | Alert for suspicious process injection showing tainted association via a process tree containing subsequent cmd.exe processes (inner failure message in screenshot not relevant to tested functionality) Telemetry showing resulting cmd.exe running as user George Telemetry showing svchost.exe invocation with seclogon flag subsequently running cmd.exe as SYSTEM | Telemetry-Tainted 7 | Telemetry showing a cmd.exe associated with user Debbie spawn a cmd.exe associated with user George, indicating user context change via token manipulation (tainted by a parent process injection alert on cmd.exe) | Telemetry-Tainted 7 | | None 0 | | None 0 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Scripting
Defense Evasion, Execution
(T1064) | 1.A.1 | Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd) | Telemetry from process tree showing cmd.exe running the pdfhelper.cmd script Enrichment of cmd.exe executing pdfhelper.cmd with correct ATT&CK Technique (T1064 - Scripting) | Telemetry Enrichment 25 | Telemetry showing cmd.exe running pdfhelper.cmd (tainted by the Script File Created alert) | Telemetry-Tainted 7 | Telemetry showing pdfhelper.cmd execution OverWatch General Behavior alert indicating pdfhelper.cmd execution was suspicious | General Behavior-Delayed Telemetry 37 | Telemetry showing cmd.exe launching pdfhelper.cmd (tainted by parent alert on explorer.exe) | Telemetry-Tainted 7 | Telemetry showing pdfhelper.cmd spawned as a child process of Resume Viewer.exe (tainted by parent Malicious File Detection alert) Telemetry showing cmd.exe process creation and execution of pdfhelper.cmd (tainted by parent Malicious File Detection alert) | Telemetry-Tainted 7 | Telemetry showing the execution of pdfhelper.cmd | General Behavior Telemetry 40 | Telemetry showing the child cmd.exe process running the pdfhelper.cmd script | Telemetry 10 | Process tree within trace detection containing cmd.exe executing pdfhelper.cmd (tainted by a parent alert on Resume Viewer.exe) Telemetry showing pdfhelper.cmd execution | Telemetry-Tainted 7 | Telemetry within the process tree showing the child cmd.exe process running the script pdfhelper.cmd | Telemetry 10 | Specific Behavior alert for execution of Windows script engine tagged with the correct ATT&CK Technique (Scripting) Telemetry showing cmd.exe launching pdfhelper.cmd | Telemetry Specific Behavior 70 | Telemetry showing Resume Viewer.exe execution (does not count as a detection) | None 0 | Telemetry from process tree showing the child cmd.exe process running the script pdfhelper.cmd (tainted by relationship to threat story) | Telemetry-Tainted 7 |
11.A.1 | Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed) | Enrichment of wscript.exe and powershell.exe with correct ATT&CK Techniques (T1063 - Scripting, T1086 - Powershell) Specific Behavior alerts for Powershell scripting Telemetry showing process tree of script execution | Enrichment Telemetry Specific Behavior Specific Behavior 145 | Telemetry showing powershell.exe creation from wscript.exe (tainted by the parent Script File Created alert) Telemetry showing script execution (tainted by the parent Script File Created alert) | Telemetry-Tainted 7 | Email excerpt from the OverWatch team indicating a malicious script was run (Specific Behavior) General Behavior alert from OverWatch for wscript.exe executing launcher.vbs was suspicious Specific Behavior alert for PowerShell sharing characteristics with known exploit kits | Specific Behavior General Behavior-Delayed Telemetry Specific Behavior-Delayed 154 | Specific Behavior alert for powershell.exe, labeled with Command and Control and Malicious use of PowerShell Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert) Telemetry showing wscript.exe executing autoupdate.vbs (tainted by a parent PowerShell alert) Specific Behavior alert tagged as obfuscated PowerShell payload and downloader mapped to the correct ATT&CK Tactic (Execution) and Technique (PowerShell) | Specific Behavior Telemetry-Tainted 67 | Specific Behavior alert for powershell.exe also showing telemetry for script execution (mapped to related ATT&CK Technique, T1086 - PowerShell, and correct Tactic, Execution) Specific Behavior alert for wscript.exe launching powershell.exe (mapped to the correct ATT&CK Technique, T1064 - Scripting, and Tactic, Execution) | Specific Behavior Telemetry-Tainted Specific Behavior 127 | Specific Behavior alert for PowerShell executing a long, encoded command Telemetry showing wscript.exe executing autoupdate.vbs and subsequently powershell.exe Enrichment of wscript.exe executing powershell.exe with a tag indicating that wscript executed code | Telemetry Enrichment Specific Behavior 85 | Indicator of Compromise alert for EMPIRE RAT (tagged with related ATT&CK Technique, T1086 - PowerShell) Enrichment of wscript.exe with Wscript Execution alert (tagged with correct ATT&CK Technique, T1064 - Scripting, and Tactic, Execution) Additional details on Specific Behavior alert for Suspicious PowerShell Usage Specific Behavior alert for Suspicious PowerShell Usage showing powershell.exe execution (tagged with related ATT&CK Technique, T1086 - PowerShell, and correct Tactic, Execution) | Specific Behavior Enrichment Indicator of Compromise 95 | Specific Behavior alerts and enrichments for wscript.exe and powershell.exe Telemetry showing wscript.exe (executing autoupdate.vbs) then spawning powershell.exe (tainted by a parent alert on wscript.exe) | Telemetry-Tainted Specific Behavior Specific Behavior Enrichment Enrichment Specific Behavior Specific Behavior 277 | Process tree of alert showing malicious PowerShell cmdlets related to Empire Telemetry showing PowerShell script metadata and decoded command-line arguments Specific Behavior alert for "Suspicious PowerShell command-line" Specific Behavior alert for "PowerShell script with suspicious content" detected through Antimalware Scan Interface extracted content Specific Behavior alert for PowerShell script with malicious cmdlets Telemetry showing execution of autoupdate.vbs script Telemetry showing execution of wscript.exe Telemetry showing execution of PowerShell cmdlets from wscript.exe | Telemetry Specific Behavior Specific Behavior-Delayed Specific Behavior 187 | Specific Behavior alert for execution of the Windows script engine tagged with the correct ATT&CK Technique (Scripting) Telemetry showing powershell.exe running with command-line arguments (tainted by a parent alert on wscript.exe) Telemetry showing wscript.exe executing autoupdate.vbs (tainted by a parent alert on wscript.exe) Specific Behavior alert for suspicious PowerShell activity Specific Behavior alert for PowerShell (execution) tagged with a related Technique (PowerShell) Specific Behavior alert for PowerShell execution with base64 encoded commands Indicator of Compromise alert identifying PowerShell Empire Indicator of Compromise alerts for suspicious PowerShell strings | Specific Behavior Specific Behavior Specific Behavior Indicator of Compromise Indicator of Compromise Specific Behavior Telemetry-Tainted 287 | Telemetry showing the autoupdate.vbs script executed by wscript.exe | Telemetry 10 | General Behavior alert for execution of autoupdate.vbs listed as an active threat Telemetry showing wscript.exe and powershell.exe | Telemetry General Behavior 40 |
12.E.1 | Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques | Telemetry showing dynamically loaded libraries (modloads) that may indicate PowerShell functionality Telemetry showing powershell.exe execution | Telemetry 10 | Telemetry showing powershell.exe execution and connection to the domain controller 10.0.0.4 (Creeper) | Telemetry 10 | Telemetry showing the temp write of the ps1 script Email excerpt from OverWatch team indicating they observed an unidentified PowerShell script running (Specific Behavior) OverWatch Specific Behavior alert indicating the PowerShell script was malicious | Telemetry Specific Behavior-Delayed Specific Behavior-Delayed 124 | Specific Behavior alert for Malicious use of PowerShell (tainted by a parent PowerShell alert) Telemetry showing the temp write of the psm1 script module (tainted by a parent PowerShell alert) Specific Behavior alert for a PowerShell Malicious command, identified as the Invoke-WinEnum function | Specific Behavior-Tainted Telemetry-Tainted 64 | Specific Behavior alert for "PowerShell with Unusual Arguments" (tagged with correct ATT&CK Technique, T1086 - PowerShell, and Tactic, Execution; tainted by parent PowerShell alerts) Telemetry pulled by Interactive Shell showing the contents of the WinEnum script (does not count as a detection) Telemetry showing powershell.exe execution (ID 2397532) (tainted by parent PowerShell alerts) | Specific Behavior-Tainted Telemetry-Tainted 64 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | Enrichment of powershell.exe with PowerShell Execution alert (tagged with related ATT&CK Technique T1086 - PowerShell) Excerpt from the Managed Defense Report indicating a PowerShell command was run from Empire (Specific Behavior) | Enrichment Specific Behavior-Delayed 72 | Telemetry showing the PowerShell script (.ps1) being written to the temp folder | Telemetry 10 | Additional telemetry showing powershell.exe execution sequence resulting from WinEnum Telemetry showing powershell.exe execution sequence resulting from WinEnum Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process Specific Behavior alert for "A malicious PowerShell Cmdlet was invoked on the machine" Process tree under alert "A malicious PowerShell Cmdlet was invoked on the machine" showing Invoke-Empire and Invoke-WinEnum | Telemetry-Tainted Specific Behavior 67 | Telemetry showing powershell.exe executing with command-line arguments as well as PowerShell module (.psm) and script (.ps1) files being written to disk (tainted by a parent alert on wscript.exe) Specific Behavior alert for PowerShell execution with base64 encoded commands (tainted by a parent alert on wscript.exe) Indicator of Compromise alert identifying suspicious PowerShell strings as Empire WinEnum | Telemetry-Tainted Specific Behavior-Tainted Indicator of Compromise 84 | Telemetry showing a PowerShell script written to disk | Telemetry 10 | Telemetry showing encoded PowerShell script (tainted Group ID not shown but was the search parameter) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Credential Dumping
Credential Access
(T1003) | 5.A.1 | Cobalt Strike: Built-in Mimikatz credential dump capability executed | Specific Behavior alert showing correct ATT&CK Technique (Credential Dumping) Telemetry showing cross process events, specifically a handle to open thread into lsass.exe | Telemetry Specific Behavior 70 | Alert showing DDNA Scan for svchost.exe (does not count as a detection) Alert showing additional DDNA Scan details for svchost.exe, including that it appears to inject code into another process (does not count as a detection) Alert showing DDNA Scan details for svchost.exe, including that it appears to inject code into another process (does not count as a detection) | None 0 | Specific Behavior alert for Credential Dumping and OverWatch General Behavior alert (tainted by previous detection by orange line indicating medium severity) | Specific Behavior-Tainted Telemetry General Behavior-Delayed-Tainted 91 | Specific Behavior alert with correct ATT&CK Tactic (Credential Access) and related Technique (Process Injection) with details about svchost.exe accessing lsass | Specific Behavior 60 | Specific Behavior alert mapped to the correct ATT&CK Technique (Credential Dumping) | Specific Behavior 60 | | None 0 | | None 0 | | None 0 | Alert for suspicious process injection showing tainted association via a process tree containing svchost.exe (inner failure message in screenshot not relevant to tested functionality) Specific Behavior alert description for sensitive credential memory read Enrichment showing Exploit Guard audit of svchost.exe extracting credentials from lsass.exe Process tree for sensitive credential memory read alert | Enrichment-Tainted Specific Behavior-Delayed 69 | A Specific Behavior alert for a suspicious handle being opened to lsass.exe to dump password, tagged with the correct ATT&CK Technique (Credential Dumping) | Specific Behavior 60 | | None 0 | | None 0 |
5.A.2 | Cobalt Strike: Built-in hash dump capability executed | Telemetry showing cross process events, specifically a handle to open thread into lsass.exe | Telemetry 10 | Telemetry showing thread create to lsass.exe (tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts) | Telemetry-Tainted 7 | Process tree view of Specific Behavior alerts for Credential Dumping and OverWatch General Behavior alert (tainted by previous detection by orange line indicating medium severity) Two Specific Behavior alerts for Credential Dumping (mapped to correct ATT&CK Technique, Credential Dumping, and Tactic, Credential Access) and General Behavior OverWatch alert | Specific Behavior-Tainted Specific Behavior-Tainted Telemetry General Behavior-Delayed-Tainted 148 | Parent alert for svchost.exe injecting into lsass.exe, labeled as Malicious Code Injection Telemetry showing svchost.exe process injection into lsass.exe (tainted by a parent injection alert) Telemetry within alert showing loaded hashdumpx64.dll as floating executable code | Telemetry-Tainted 7 | Specific Behavior alert mapped to the correct ATT&CK Technique (Credential Dumping) | Specific Behavior 60 | Enrichment of svchost.exe injecting a thread into lsass.exe with a tag identifying credential dumping | Enrichment 15 | | None 0 | | None 0 | Alert for process injection into lsass.exe tainting this event (inner failure message in screenshot not relevant to tested functionality) Enrichment showing Exploit Guard audit of svchost.exe extracting credentials from lsass.exe | Enrichment-Tainted 12 | Specific Behavior alert for svchost dumping credentials via the Registry tagged with the correct ATT&CK Technique (Credential Dumping) Telemetry showing a code injection into lsass.exe (tainted by a parent process injection alert on cmd.exe) | Telemetry-Tainted Specific Behavior 67 | | None 0 | | None 0 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Exfiltration Over Command and Control Channel
Exfiltration
(T1041) | 9.B.1 | Cobalt Strike: Download capability exfiltrated data through existing C2 channel | | None 0 | | None 0 | | None 0 | Telemetry showing a port 445 connection between Nimda (10.0.1.6) and the source of the file on Conficker (10.0.0.5) (does not count as detection) | None 0 | | None 0 | | None 0 | DNS requests to freegoogleadsenseinfo.com (C2 domain) (does not count as a detection) | None 0 | | None 0 | | None 0 | Port 53 network traffic to/from freegoogleadsenseinfo.com (C2 domain) (does not count as a detection) | None 0 | | None 0 | | None 0 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Registry Run Keys / Startup Folder
Persistence
(T1060) | 10.A.1 | Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32 | Telemetry from process tree showing cmd.exe executing autoupdate.bat from Startup folder | Telemetry 10 | Telemetry showing cmd.exe starting rundll32.exe Telemetry showing explorer.exe creating cmd.exe and executing .bat from startup | Telemetry 10 | Telemetry showing cmd.exe running autoupdate.bat from Startup folder | Telemetry 10 | Parent alert for Injected shellcode into rundll32.exe Telemetry showing rundll32.exe executing autoupdate.bat from the Startup folder (tainted by a parent Injected Shellcode alert) | Telemetry-Tainted 7 | Telemetry showing rundll32.exe executing update.dat (tainted by parent "RunDLL32 with Suspicious DLL Location" alert) | Telemetry-Tainted 7 | Telemetry showing cmd.exe executing autoupdate.bat from the Startup folder Specific Behavior alert for a batch file automatically being started from the Startup folder | Specific Behavior Telemetry 70 | Enrichment of cmd.exe executing from Startup with Process Execution Startup alert (tagged with correct ATT&CK Technique, T1060 - Registry Run Keys / Startup Folder and Tactic, Persistence) Telemetry showing cmd.exe executing autoupdate.bat from Startup folder Telemetry showing rundll32.exe executing update.dat (tainted by parent Rundll32 Execution alert) Additional details of rundll32.exe telemetry Excerpt from the Managed Defense Report indicating autoupdate.bat persisted due to its presence in startup (Specific Behavior) | Enrichment Telemetry Telemetry-Tainted Specific Behavior-Delayed 89 | Telemetry showing cmd.exe executing autoupdate.bat then update.dat via rundll32.exe | Telemetry 10 | Telemetry showing Startup folder execution sequence for autoupdate.bat on user logon | Telemetry 10 | Telemetry showing cmd.exe executing autoupdate.bat from the Startup folder | Telemetry 10 | Telemetry showing the execution of autoupdate.bat from the Startup Folder | Telemetry 10 | Group ID query showing both autoupdate.bat and updater.dll persistence execution Telemetry showing execution of autoupdate.bat from the Startup folder | Telemetry 10 |
1.B.1 | Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder | Telemetry showing filemods indicating update.bat was written to the Startup folder Enrichment of cmd.exe with correct ATT&CK Technique (T1060 - Registry Run Keys/Start Folder) | Telemetry Enrichment 25 | Telemetry showing autoupdate.bat created in Startup folder | Telemetry 10 | Telemetry showing Registry modification related to Startup Folder | Telemetry 10 | Process tree showing the cmd.exe associated with the autoupdate.bat file event (tainted by parent alert on explorer.exe) Telemetry showing rename file event for autoupdate.bat | Telemetry-Tainted 7 | "Detected Persistence - Start Folder Persistence" Specific Behavior alert related to autoupdate.bat (tagged with correct ATT&CK Technique, T1060 - Registry Run Keys / Start Folder, and Tactic, Persistence; tainted by cmd.exe generating the alert) Telemetry showing autoupdate.bat written to the Start Menu (tainted by parent Malicious File Detection alert) | Telemetry-Tainted Specific Behavior-Tainted 64 | Telemetry showing the autoupdate.bat within the Startup folder | Telemetry 10 | Telemetry showing autoupdate.bat file written to the Startup folder Enrichment of autoupdate.bat being written to Startup with Persistence category Additional details on enrichment of autoupdate.dat Excerpt from the Managed Defense Report indicating the backdoor persisted via autoupdate.bat being written to the Startup directory (Specific Behavior) | Telemetry Enrichment Specific Behavior-Delayed 82 | Specific Behavior alert for "An exe/bat/lnk/dll file has been copied or renamed in the Windows Startup Folder" for persistence based on pdfhelper.cmd, tagged with the correct ATT&CK Tactic (Persistence) and Technique (Registry Run Keys / Start Folder) | Specific Behavior 60 | Telemetry showing write of autoupdate.bat to startup folder | Telemetry 10 | Enrichment of a file being created in the Startup folder tagged with the correct ATT&CK Technique (Registry Run Keys / Start Folder) (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Telemetry showing autoupdate.bat being moved to the user Debbie's Startup folder (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted Enrichment-Tainted-Configuration Change 16 | Telemetry showing cmd.exe "rename to executable" event for autoupdate.bat in Startup folder | Telemetry 10 | Telemetry showing autoupdate.bat write to the Startup folder (tainted by relationship to threat story) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Graphical User Interface
Execution
(T1061) | 7.A.1 | Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection | Telemetry showing mmc.exe running lusrmgr.msc | Telemetry 10 | Telemetry showing mmc.exe process executing lusrmgr.msc (tainted by the parent "LSA Registry Key modified" alert) | Telemetry-Tainted 7 | Telemetry showing mmc.exe running lusrmgr.msc | Telemetry 10 | Telemetry showing lusrmgr.msc running from mmc.exe | Telemetry 10 | Telemetry showing mmc.exe running lusrmgr.msc | Telemetry 10 | Telemetry showing mmc.exe running lusrmgr.msc | Telemetry 10 | Telemetry showing mmc.exe spawning lusrmgr.exe | Telemetry 10 | Telemetry showing mmc.exe running lusrmgr.msc | Telemetry 10 | Telemetry showing mmc.exe running lusrmgr.msc | Telemetry 10 | Enrichment of the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Graphical User Interface) Telemetry showing lusrmgr.msc running from mmc.exe | Telemetry Enrichment 25 | | None 0 | | None 0 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Exfiltration Over Alternative Protocol
Exfiltration
(T1048) | 19.C.1 | Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel | Enrichment of ftp.exe with correct ATT&CK Technique (Exfil Over Alternate Protocol) Telemetry from process tree showing execution of ftp.exe with command-line arguments | Telemetry Enrichment 25 | Telemetry showing powershell.exe executing ftp.exe (tainted by the parent "Powershell executed encoded commands" alert) Telemetry showing outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21 (tainted by the parent "PowerShell executed encoded commands" alert) | Telemetry-Tainted 7 | Email excerpt sent by OverWatch team indicating they observed the collected files being exfiltrated via FTP (Specific Behavior) OverWatch General Behavior alert indicating ftp.exe executing with ftp.txt was suspicious (tainted by previous powershell.exe detection by red line indicating high severity) | General Behavior-Delayed-Tainted Telemetry Specific Behavior-Delayed 91 | Enrichment of ftp.exe execution with related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol) (tainted by a parent PowerShell alert) Enrichment of ftp.exe execution in process tree with related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol) (tainted by a parent PowerShell alert) Continuation of enrichment of ftp.exe execution in process tree showing command-line arguments Continuation of enrichment of ftp.exe execution showing total number of bytes transmitted | Enrichment-Tainted Telemetry 22 | Telemetry showing the ftp.exe with command-line arguments including ftp.txt and subsequent connection to 192.168.0.4 (C2 server) on port 21 | Telemetry-Tainted 7 | A Specific Behavior alert for the execution of ftp.exe with a command file option by an unusual parent process that could be used for exfiltration Telemetry showing ftp.exe with ftp.txt as an argument as well as an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21 | Specific Behavior Telemetry 70 | Enrichment of ftp.exe executing the ftp.txt file with FTP Utility Execution alert (tagged with the correct ATT&CK Software, S0095 - FTP) Excerpt from the Managed Defense Report showing the writing of FTP commands to ftp.txt and the subsequent execution of the ftp.txt file (Specific Behavior) Enrichment of TCP port 21 connection to 192.168.0.4 (C2 server) (tagged with correct ATT&CK Technique, T1048 - Exfiltration Over Alternative Protocol, and Tactic, Exfiltration) Enrichment of ftp.exe executing ftp.txt based on the use of the -s argument with FTP Utility Execution alert | Enrichment Enrichment Enrichment Specific Behavior-Delayed 102 | Enrichment of powershell.exe executing ftp.exe with the correct ATT&CK Tactic (Exfiltration) and Technique (Exfiltration over Alternative Protocol) and a suspicious indicator that a connection was made to a remote server via the ftp protocol Telemetry showing cmd.exe executing ftp.exe, which made an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21 (tainted by a trace detection on cmd.exe) | Telemetry-Tainted Enrichment 22 | Telemetry showing powershell.exe running ftp.exe and the subsequent connection to 192.168.0.4 (C2 server) on port 21 Telemetry showing powershell.exe running ftp.exe and the subsequent connection to 192.168.0.4 (C2 server) on port 20 Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown) | Telemetry-Tainted 7 | Telemetry showing ftp.exe execution (tainted by a parent alert on wscript.exe) Enrichment of ftp.exe as the execution of a CLI file transfer/copy utility (tainted by a parent alert on wscript.exe) Telemetry showing an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21 (tainted by a parent alert on wscript.exe) | Telemetry-Tainted Enrichment-Tainted 19 | Telemetry showing the execution of ftp.exe | Telemetry 10 | Telemetry showing the execution of ftp.exe with ftp.txt associated to prior lateral movement threat story by Group ID | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Security Software Discovery
Discovery
(T1063) | 12.E.1.10.2 | Empire: WinEnum module included enumeration of firewall rules | | None 0 | | None 0 | | None 0 | | None 0 | Interactive Shell events showing the WinEnum script and the Firewall Rules function (does not count as a detection due to manual process of pulling events) | None 0 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | | None 0 | | None 0 | | None 0 | Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Security Software Discovery) | Enrichment 15 | | None 0 | | None 0 |
12.E.1.10.1 | Empire: WinEnum module included enumeration of AV solutions | | None 0 | | None 0 | | None 0 | | None 0 | Interactive Shell events showing the WinEnum script and the AV Solution function (does not count as a detection due to manual process of pulling events) | None 0 | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function | Telemetry 10 | | None 0 | | None 0 | | None 0 | Telemetry showing an event log for the WMI query of the system AV products | Telemetry 10 | | None 0 | Telemetry showing powershell.exe WMI queries for antivirus product information (tainted by relationship to threat story) Enrichment of powershell.exe with action "attempted to find other installed security software" (tainted Group ID not shown but was the search parameter) | Enrichment-Tainted Telemetry-Tainted 19 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Data Compressed
Exfiltration
(T1002) | 19.B.1 | Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file | Enrichment of recycler.exe with correct ATT&CK Technique (T1002 - Data Compressed) Process tree with telemetry showing recycler.exe and command-line arguments Telemetry showing filemod (file modification) creation of old.rar output of recycler.exe | Telemetry Enrichment 25 | Enrichment showing recycler.exe creating old.rar (enriched with "Data Exfiltration Archiving", tainted by parent "Powershell executed encoded command" alerts) Telemetry showing recycler.exe with full command-line (tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts) | Enrichment-Tainted-Configuration Change Telemetry-Tainted 16 | Specific Behavior alert on RAR archive written (mapped to correct ATT&CK Technique, Data Compressed, and Tactic, Exfiltration; tainted by previous powershell.exe detection by red line indicating high severity) Email excerpt sent by OverWatch team indicating they observed a .vsdx file archived using the renamed RAR binary, recycler.exe (Specific Behavior) Additional details of recycler.exe from the alert showing it was signed by win.rar GmbH | Specific Behavior-Tainted Telemetry Specific Behavior-Delayed 124 | Telemetry showing recycler.exe execution (tainted by a parent PowerShell alert) | Telemetry-Tainted 7 | Enriched event tree showing enrichment of recycler.exe and creation of old.rar output with related ATT&CK Technique (T1022 - Data Encrypted) and Tactic (Exfiltration) (tainted by Windows Script Executing PowerShell alert, tree is initially available unenriched to show the base telemetry) Specific Behavior alert for the execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar" (tainted by Windows Script Executing PowerShell alert) | Specific Behavior-Tainted Telemetry-Tainted Enrichment-Delayed-Tainted 73 | General Behavior alert showing that a spawned process (recycler) has been tagged for monitoring because its parent process has a detection (powershell.exe) Telemetry showing the creation of old.rar as the output of recycler.exe running Telemetry showing recycler.exe execution | Telemetry General Behavior 40 | Enrichment of -hp command line with Possible Encrypted RAR Archive Command alert (tagged with correct ATT&CK Technique, T1002 - Data Compressed) Enrichment of RAR file write with RAR Archive Created alert (tagged with correct ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration) General Behavior alert for Execution from Suspicious Directory General Behavior alert for File Write To Root Of Recycle Bin Enrichment of RAR file write with RAR Archive Created alert (tagged with correct ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration) Excerpt from the Managed Defense Report indicating the attacker executed recycler.exe to create an encrypted RAR file (Specific Behavior) | General Behavior Enrichment Enrichment General Behavior Enrichment Specific Behavior-Delayed 162 | Telemetry showing the execution of recycler.exe with command-line arguments (tainted by a parent alert on cmd.exe) Telemetry showing the creation of old.rar (tainted by a parent alert on cmd.exe) | Telemetry-Tainted 7 | Telemetry showing execution of recycler.exe with command-line arguments for file encryption and compression Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown) | Telemetry-Tainted 7 | Telemetry showing recycler.exe execution (tainted by a parent alert on wscript.exe) | Telemetry-Tainted 7 | Telemetry showing execution of recycler.exe with command-line arguments | Telemetry 10 | Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the same Group ID Telemetry showing the execution of recycler.exe | Telemetry-Tainted 7 |
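Worked detection logic for the 19.B.1 and 19.C.1 rows above, added here as an example and not taken from the evaluation or from any vendor's product: rules that flag a password-protected RAR archive built by a renamed archiver (the -hp option is recognised on the command line, not the image name) and ftp.exe driven by a -s: command file from a script host, plus a computation of the page's "tainted" notion (an alert whose process sits under an earlier alert in the process tree). The events, process IDs, paths and rule names are constructed for the example; T1086 is the PowerShell technique ID in the ATT&CK version this evaluation used.

```python
"""Detection rules for the 19.B.1 / 19.C.1 exfiltration chain, run over
constructed endpoint telemetry (not evaluation data)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    kind: str          # "process" (start), "file" (write) or "network" (connect)
    pid: int
    ppid: int
    image: str         # image of the acting process
    cmdline: str = ""
    path: str = ""     # file events: path written
    dst_ip: str = ""   # network events
    dst_port: int = 0


Alert = Tuple[int, str, str, bool]   # (pid, ATT&CK ID, description, tainted)

SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_PS = re.compile(r"\s-e(nc|ncodedcommand)?\s", re.IGNORECASE)
RAR_PASSWORD = re.compile(r"(^|\s)-hp", re.IGNORECASE)   # -hp: encrypt data and headers
FTP_SCRIPT = re.compile(r"(^|\s)-s:", re.IGNORECASE)     # ftp.exe command-file option


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_encoded_powershell(ev, procs, alerted):
    if ev.kind == "process" and basename(ev.image) == "powershell.exe" and ENCODED_PS.search(ev.cmdline):
        return "T1086", "powershell.exe launched with an encoded command"


def rule_rar_encrypted(ev, procs, alerted):
    # The archiver is identified by its command line, not its (renamed) image name.
    if ev.kind == "process" and RAR_PASSWORD.search(ev.cmdline) and ".rar" in ev.cmdline.lower():
        return "T1002", f"password-protected RAR archive created by {basename(ev.image)}"


def rule_rar_written(ev, procs, alerted):
    if ev.kind == "file" and ev.path.lower().endswith(".rar"):
        return "T1002", f"RAR archive written: {ev.path}"


def rule_ftp_script(ev, procs, alerted):
    if ev.kind == "process" and basename(ev.image) == "ftp.exe" and FTP_SCRIPT.search(ev.cmdline):
        parent = procs.get(ev.ppid)
        if parent and basename(parent.image) in SCRIPT_HOSTS:
            return "T1048", f"ftp.exe -s: command file launched by {basename(parent.image)}"


def rule_ftp_network(ev, procs, alerted):
    # Only fires for an ftp.exe an earlier rule already flagged, so an
    # interactive ftp session started from explorer.exe stays quiet.
    if ev.kind == "network" and basename(ev.image) == "ftp.exe" and ev.dst_port == 21 and ev.pid in alerted:
        return "T1048", f"outbound FTP from flagged ftp.exe to {ev.dst_ip}:21"


RULES = [rule_encoded_powershell, rule_rar_encrypted, rule_rar_written, rule_ftp_script, rule_ftp_network]


def has_alerted_ancestor(pid: int, procs: Dict[int, Event], alerted: Set[int]) -> bool:
    """True when an ancestor of pid already carries an alert: the page's
    'tainted' case, where child telemetry is reached through a parent alert."""
    seen = set()
    proc = procs.get(pid)
    while proc is not None and proc.ppid not in seen:
        if proc.ppid in alerted:
            return True
        seen.add(proc.ppid)
        proc = procs.get(proc.ppid)
    return False


def detect(events: List[Event]) -> List[Alert]:
    procs: Dict[int, Event] = {}
    alerted: Set[int] = set()
    alerts: List[Alert] = []
    for ev in events:
        if ev.kind == "process":
            procs[ev.pid] = ev
        for rule in RULES:
            hit = rule(ev, procs, alerted)
            if hit:
                technique, desc = hit
                alerts.append((ev.pid, technique, desc, has_alerted_ancestor(ev.pid, procs, alerted)))
                alerted.add(ev.pid)
    return alerts


# Constructed telemetry modelled on steps 19.B.1 / 19.C.1 (not evaluation data).
EVENTS = [
    Event("process", 100, 1, "wscript.exe", "wscript.exe //e:jscript update.txt"),
    Event("process", 200, 100, "powershell.exe", "powershell -NoP -sta -w 1 -enc SQBFAFgAIAAo..."),
    Event("process", 300, 200, r"C:\$Recycle.Bin\recycler.exe",
          r'recycler.exe a -hpPASSWORD old.rar "C:\Users\Debbie\Documents\Design.vsdx"'),
    Event("file", 300, 200, r"C:\$Recycle.Bin\recycler.exe", path=r"C:\$Recycle.Bin\old.rar"),
    Event("process", 400, 200, "cmd.exe", "cmd /c echo open 192.168.0.4 >> ftp.txt"),
    Event("process", 500, 200, "ftp.exe", "ftp -s:ftp.txt"),
    Event("network", 500, 200, "ftp.exe", dst_ip="192.168.0.4", dst_port=21),
    Event("process", 600, 1, "explorer.exe", "explorer.exe"),
    Event("process", 700, 600, "ftp.exe", "ftp files.corp.example"),   # interactive, benign
    Event("network", 700, 600, "ftp.exe", dst_ip="10.0.0.9", dst_port=21),
]

if __name__ == "__main__":
    for pid, technique, desc, tainted in detect(EVENTS):
        print(f"pid {pid:>4} {technique} {desc}{' (tainted)' if tainted else ''}")
```

Run against the constructed stream, the encoded PowerShell alert is the only untainted one; the archive, the ftp.exe -s: launch and its port 21 connection are all reached under it, which is the distinction the score columns draw between Telemetry and Telemetry-Tainted.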
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Commonly Used Port
Command and Control
(T1043) | 6.B.1 | Cobalt Strike: C2 channel modified to use port 80 | Telemetry showing network connection over port 80 to 192.168.0.4 (C2 server) Enrichment of rundll32.exe TCP port 80 network connections with correct ATT&CK Technique (T1043 - Commonly Used Port) | Telemetry Enrichment 25 | Telemetry showing outbound traffic to 192.168.0.4 (C2 server) over TCP port 80 (tainted by parent "Sponsor Process Established Network Connection" alert) | Telemetry-Tainted 7 | Telemetry showing TCP port 80 connection to 192.168.0.4 (C2 server) | Telemetry 10 | Telemetry showing rundll32.exe opening a connection over port 80 (tainted by a parent Injected Shellcode alert, listed as Owner process) Enrichment of rundll32.exe making a connection over the "HTTP Port" with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port) (tainted by a parent Injected Shellcode alert) | Enrichment-Tainted Telemetry-Tainted 19 | Telemetry showing a TCP port 80 connection from rundll32.exe Telemetry showing port 80 traffic (tainted by the parent Malicious File Detection alert) | Telemetry-Tainted 7 | Telemetry showing network connections over port 80 to 192.168.0.4 (C2 server) | Telemetry 10 | Excerpt from the Managed Defense Report identifying C2 traffic communicating over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) (General Behavior) Telemetry showing port 80 connections to 192.168.0.4 (C2 server) | Telemetry General Behavior-Delayed 37 | Telemetry showing TCP port 80 connections to freegoogleadsenseinfo.com (C2 domain) Enrichment of rundll32.exe (the process that made the network connection) with the correct ATT&CK Tactic (Command and Control) and the Technique (Commonly Used Port) | Telemetry Enrichment 25 | Telemetry showing execution sequence for rundll32.exe opening network connection Incident graph from "Unexpected process behavior" alert (resulting from rundll32.exe) showing tainted network connection | Telemetry-Tainted 7 | Telemetry showing port 80 command and control traffic | Telemetry 10 | Telemetry showing TCP port 80 connections to freegoogleadsenseinfo.com (C2 domain) | Telemetry 10 | Telemetry showing port 80 connection to 192.168.0.4 (C2 server) (tainted by relationship to rundll32 parent process linked by Group ID but not shown in this view) | Telemetry-Tainted 7 |
1.C.1 | Cobalt Strike: C2 channel established using port 53 | Telemetry showing network connection over UDP port 53 | Telemetry 10 | | None 0 | OverWatch alert showing suspicious DNS traffic (does not count as a detection) | None 0 | Telemetry showing port 53 command and control traffic | Telemetry 10 | | None 0 | | None 0 | Telemetry showing port 53 command and control traffic Excerpt from the Managed Defense Report indicating command and control occurred over UDP port 53 (Specific Behavior) | Telemetry Specific Behavior-Delayed 67 | | None 0 | Telemetry showing DNS requests to the C2 domain (custom query) (does not count as a detection) | None 0 | Specific Behavior alert for a scripting engine (rundll32.exe) making a network connection over DNS ports (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) Telemetry showing port 53 command and control traffic (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted Specific Behavior-Tainted 64 | | None 0 | | None 0 |
14.A.1 | Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080 | Telemetry showing network connection to 192.168.0.5 (C2 server) over TCP port 8080 | Telemetry 10 | Telemetry showing port 8080 HTTP GET request to C2 domain for file wdbypass (tainted by the parent "Powershell executed encoded commands" alert) | Telemetry-Tainted 7 | Telemetry showing IEX connection to 192.168.0.5 (C2 server) on TCP port 8080 | Telemetry 10 | Specific Behavior alert showing decoded PowerShell with download request of wdbypass over HTTP port 8080 Specific Behavior alert for powershell.exe mapped to the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port) (tainted by a parent PowerShell alert) | Specific Behavior-Tainted Telemetry 67 | Telemetry showing decoded PowerShell with download request of wdbypass over port 8080 General Behavior alert for Command and Control associated with network traffic from PowerShell over TCP port 8080 | General Behavior Telemetry 40 | Telemetry showing powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass | Telemetry 10 | Telemetry showing TCP port 8080 connection to freegoogleadsenseinfo.com (C2 domain) (tainted by parent PowerShell URL Request alert) Excerpt from the Managed Defense Report indicating Empire communicated over port 8080 (General Behavior) Additional excerpt from the Managed Defense Report indicating Empire was configured to communicate over port 8080 (General Behavior) | Telemetry-Tainted General Behavior-Delayed 34 | Telemetry showing a network connection to 192.168.0.5 (C2 server) over TCP port 8080 | Telemetry 10 | Telemetry showing decoded PowerShell script with download HTTP request of wdbypass over port 8080 and tainted relationship to alert on suspicious PowerShell command-line arguments Telemetry showing network connection to 192.168.0.5 (C2 server) over port 8080 | Telemetry-Tainted 7 | Telemetry showing an outgoing network connection to www.freegoogleadsenseinfo.com (C2 domain) over port 8080 | Telemetry 10 | Telemetry of decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability) Telemetry showing network connection to 192.168.0.5 (C2 server) over port 8080 | Telemetry 10 | Telemetry showing network connections over port 8080 in the filter (tainted by relationship to threat story but Group ID not shown in this view) | Telemetry-Tainted 7 |
11.B.1 | Empire: C2 channel established using port 443 | Enrichment of backgroundtaskhost.exe and powershell.exe with correct ATT&CK Technique (T1043 - Commonly Used Port) Telemetry showing network connections, including over TCP port 443 | Enrichment Telemetry 25 | Telemetry showing powershell.exe making a network connection over TCP port 443 | Telemetry 10 | Telemetry showing powershell.exe making a network connection over port 443 (tainted by parent powershell.exe high severity alert indicated by red icon) | Telemetry-Tainted 7 | Enrichment of powershell.exe making a connection over a "HTTP Port", tagged with the correct ATT&CK Technique (Commonly Used Port) and Tactic (Command and Control) (tainted by a parent PowerShell alert) Telemetry showing powershell.exe making outgoing connection to 192.168.0.5 (C2 Server) over TCP port 443 (tainted by a parent PowerShell alert) Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert) | Enrichment-Tainted Telemetry-Tainted 19 | Telemetry showing decoded powershell.exe command-line arguments (tainted by parent alert) Telemetry showing powershell.exe making connections over port 443 (tainted by parent alert) Specific Behavior alert for "PowerShell Making Network Connections" (mapped to correct ATT&CK Tactic, Command and Control) Event tree view of Specific Behavior alert for "Command and Control PowerShell Network" (tainted by parent alert) | Telemetry-Tainted Specific Behavior-Tainted 64 | Telemetry showing a network connection over TCP port 443 to www.freegoogleadsenseinfo.com (C2 domain) | Telemetry 10 | Excerpt from the Managed Defense Report indicating Empire communicated over port 443 (General Behavior) Telemetry showing powershell.exe communicating over TCP port 443 (tainted by parent PowerShell Network Connection alert) Additional excerpt from the Managed Defense Report indicating Empire was configured to communicate over port 443 (General Behavior) | Telemetry-Tainted General Behavior-Delayed 34 | Enrichment of powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port) and a suspicious indicator that powershell.exe accessed a known TCP port Telemetry showing port 443 network connections to www.freegoogleadsenseinfo.com (C2 domain) (tainted by a parent alert on wscript.exe) | Telemetry-Tainted Specific Behavior Enrichment 82 | Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) Telemetry showing powershell.exe communicating over TCP port 443 Telemetry within alert showing decoded command-line arguments containing port 443 and tainted relationship to the powershell.exe process | Telemetry-Tainted 7 | Enrichment of the port 443 network connection with the correct ATT&CK Technique (Commonly Used Port) (tainted by a parent alert on wscript.exe) Telemetry showing port 443 network connections to www.freegoogleadsenseinfo.com (C2 domain) (tainted by a parent alert on wscript.exe) General Behavior alerts for PowerShell making network connections to the internet as well as Wscript connecting to an external network (tainted by a parent alert on wscript.exe) | Telemetry-Tainted Enrichment-Tainted General Behavior-Tainted 46 | Telemetry showing network connections, including over port 443 (does not count as a detection) | None 0 | Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (Group ID tainted the event but was not shown in this view) | Telemetry-Tainted 7 |
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
Accessibility Features
Persistence, Privilege Escalation
(T1015) | 17.C.1 | Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe | Specific Behavior alert on powershell.exe when it replaced magnify.exe (mapped to correct ATT&CK Technique, T1015 - Accessibility Features) Telemetry showing creation and file write replacing magnify.exe in the system directory | Telemetry Specific Behavior 70 | Telemetry showing copy of cmd.exe to magnify.exe in the system directory (tainted by the parent "New Windows service created" alert) Enrichment showing powershell.exe creating and writing magnify.exe (enriched with condition "Creation of Sticky Keys File", tainted by the parent "New Windows service created" alert) | Enrichment-Tainted-Configuration Change Telemetry-Tainted 16 | Additional view of telemetry showing the magnify.exe file write Telemetry showing file write of magnify.exe by powershell.exe (tainted by parent powershell.exe high severity alert indicated by red icon) | Telemetry-Tainted 7 | Telemetry showing creation and write events for magnify.exe (tainted by a parent PowerShell alert, listed as Owner process) | Telemetry-Tainted 7 | Enriched event tree showing enrichment of magnify.exe overwrite with correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence) (tainted by parent alerts on powershell.exe, tree is initially available unenriched to show the base telemetry) Specific Behavior alert on overwrite of magnify.exe named "Persistence-Accessibility Features" tagged with correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence) (tainted by parent alerts on powershell.exe) | Specific Behavior Telemetry-Tainted Enrichment-Delayed-Tainted 76 | Telemetry showing powershell.exe overwriting magnify.exe with cmd.exe via the copy command Specific Behavior alert for the modification of an accessibility features binary known to be used for privilege escalation | Specific Behavior Telemetry Enrichment 85 | Specific Behavior alert on overwrite of magnify.exe for Suspicious Accessibility Features Replacement (BACKDOOR) (tagged with correct ATT&CK Technique, T1015 - Accessibility Features, and Tactic, Persistence) Excerpt from the Managed Defense Report indicating the attacker overwrote magnifier.exe (Specific Behavior) Specific Behavior alert on overwrite of the magnify.exe for Accessibility Feature File Write (tagged with correct ATT&CK Technique, T1015 - Accessibility Features, and Tactic, Persistence) | Specific Behavior Specific Behavior Specific Behavior-Delayed 177 | Telemetry showing a file modification event for Magnifier.exe A General Behavior alert for powershell.exe altering the attributes of an executable file under the Windows system folder | Telemetry General Behavior 40 | Telemetry showing overwrite of magnify.exe Binary metadata and reputation information showing magnify.exe is cmd.exe due to names observed and common hash Specific Behavior alert on sticky keys binary hijack for persistence when magnify.exe was overwritten | Telemetry Specific Behavior 70 | Telemetry showing change in the hash of magnify.exe Telemetry showing file write events overwriting magnify.exe in the system directory (tainted by a parent alert on cmd.exe) | Telemetry-Tainted 7 | Magnify.exe hash matches cmd.exe (top two hashes in Tracking pane, file names and full hash values cut off) Telemetry showing file write to magnify.exe in the system directory | Telemetry 10 | Telemetry showing file copy and write events of cmd.exe to overwrite magnify.exe with matching hash values (tainted by prior lateral movement threat story; Group ID not shown in this view) | Telemetry-Tainted 7 |
20.A.1 | magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4) | Three alerts (one Specific Behavior and two General Behavior alerts) from execution of magnify.exe showing red severity scores Process tree telemetry showing magnify.exe execution | Telemetry Specific Behavior General Behavior General Behavior 130 | Telemetry showing magnify.exe (tainted by the parent POS Interactive Login Event alert) | Telemetry-Tainted 7 | Email excerpt from the OverWatch team indicating they observed a Windows logon bypass (General Behavior) File details of magnify.exe in Accessibility Features Specific Behavior alert identifying it as cmd.exe by hash and common name Specific Behavior alert showing magnify.exe executing from utilman.exe (mapped to correct ATT&CK Technique, Accessibility Features, and Tactic, Persistence; pink indicates critical severity) | Specific Behavior Telemetry General Behavior-Delayed 97 | Specific Behavior alert for magnify.exe, in process tree, masquerading as a Windows accessibility feature, mapped to the correct ATT&CK Tactic (Persistence) and Technique (Accessibility Features) Specific Behavior alert for magnify.exe masquerading as a Windows accessibility feature, mapped to the correct ATT&CK Tactic (Persistence) and Technique (Accessibility Features) | Specific Behavior Telemetry 70 | Specific Behavior alert on Windows File Name Mismatch showing magnify.exe was renamed from cmd.exe and tagged with correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution) Enrichment of magnify.exe with correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution) (tainted by Windows File Name Mismatch alert, tree is initially available unenriched to show the base telemetry) | Specific Behavior Telemetry-Tainted Enrichment-Delayed-Tainted 76 | Enrichment of utilman.exe executing magnify.exe with a tag indicating that magnify was a persistent backdoor General Behavior alert for magnify.exe executing as a process with a renamed executable Telemetry showing magnify.exe executing from utilman.exe | Telemetry General Behavior Enrichment 55 | General Behavior alert for RENAMED CMD.EXE Excerpt from the Managed Defense Report indicating the attacker replaced the magnifier.exe accessibility feature to launch a privileged command shell (Specific Behavior) Specific Behavior alert for Accessibility Features Child Process due to magnify.exe spawning whoami.exe (tagged with the correct ATT&CK Technique, T1015 - Accessibility Features, and Tactics, Persistence, Privilege Escalation) Continued details for General Behavior alert for RENAMED CMD.EXE | General Behavior Specific Behavior Specific Behavior-Delayed 147 | Telemetry showing magnify.exe (original name identified as cmd.exe) executing from utilman.exe (tainted by a trace detection on magnify.exe) Specific Behavior alert for the command prompt tool executed by masquerading as an accessibility tool, tagged with the correct ATT&CK Tactics (Persistence, Privilege Escalation) and Technique (Accessibility Features) | Telemetry-Tainted Specific Behavior 67 | Telemetry showing sequence of magnify.exe executing from utilman.exe Specific Behavior alert on sticky keys binary hijack of magnify.exe | Telemetry Specific Behavior 70 | Telemetry showing magnify.exe executing from utilman.exe | Telemetry 10 | Telemetry showing magnify.exe execution | Telemetry 10 | Telemetry showing magnify.exe execution (identified as Windows Command Processor) | Telemetry 10 |
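Worked detection logic for the 17.C.1 and 20.A.1 rows above, added here as an example and not taken from the evaluation or from any vendor's product. It implements the three signals the columns describe: an accessibility binary under System32 written by something other than TrustedInstaller, a file or process named like an accessibility binary whose hash or PE OriginalFilename says it is really cmd.exe (the "file name mismatch" and "hash matches cmd.exe" findings), and an accessibility binary spawning a shell or recon tool such as whoami.exe. The binary contents, hashes, process IDs and events are constructed; a real deployment would take the baseline hashes from the golden image rather than from inline byte strings.

```python
"""Detections for the Accessibility Features backdoor (17.C.1 / 20.A.1):
magnify.exe overwritten with cmd.exe, later launched via utilman.exe from the
logon screen and used to run whoami.exe.  All telemetry here is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                 "narrator.exe", "displayswitch.exe", "atbroker.exe"}
SHELL_OR_RECON = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "tasklist.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Constructed stand-ins for the real binaries; production baselines come from
# known-good hashes of the deployed image, not from strings like these.
FAKE_CMD = b"MZ constructed cmd.exe contents"
FAKE_MAGNIFY = b"MZ constructed magnify.exe contents"
FAKE_UTILMAN = b"MZ constructed utilman.exe contents"
BASELINE: Dict[str, str] = {"cmd.exe": digest(FAKE_CMD),
                            "magnify.exe": digest(FAKE_MAGNIFY),
                            "utilman.exe": digest(FAKE_UTILMAN)}
HASH_TO_NAME = {h: n for n, h in BASELINE.items()}


@dataclass
class Event:
    kind: str                    # "file" (write) or "process" (start)
    pid: int
    ppid: int
    image: str                   # writer for file events, started image for process events
    path: str = ""               # file events: path written
    sha256: str = ""             # hash of the written file / started image
    original_filename: str = ""  # PE version-info OriginalFilename, when available


Alert = Tuple[int, str, str]     # (pid, ATT&CK ID, description)


def rule_accessibility_write(ev: Event, procs: Dict[int, Event]) -> Optional[Alert]:
    if (ev.kind == "file" and ev.path.lower().startswith(SYSTEM32)
            and basename(ev.path) in ACCESSIBILITY
            and basename(ev.image) != "trustedinstaller.exe"):
        return ev.pid, "T1015", f"{basename(ev.image)} wrote {basename(ev.path)} in System32"
    return None


def rule_masquerade(ev: Event, procs: Dict[int, Event]) -> Optional[Alert]:
    """Name says accessibility binary, contents say something else."""
    name = basename(ev.path if ev.kind == "file" else ev.image)
    if name not in ACCESSIBILITY:
        return None
    known = HASH_TO_NAME.get(ev.sha256)
    if known and known != name:
        return ev.pid, "T1015", f"{name} has the hash of {known}"
    if ev.original_filename and ev.original_filename.lower() != name:
        return ev.pid, "T1015", f"{name} carries OriginalFilename {ev.original_filename}"
    return None


def rule_accessibility_child(ev: Event, procs: Dict[int, Event]) -> Optional[Alert]:
    parent = procs.get(ev.ppid)
    if (ev.kind == "process" and parent is not None
            and basename(parent.image) in ACCESSIBILITY
            and basename(ev.image) in SHELL_OR_RECON):
        return ev.pid, "T1015", f"{basename(parent.image)} spawned {basename(ev.image)}"
    return None


RULES = [rule_accessibility_write, rule_masquerade, rule_accessibility_child]


def detect(events: List[Event]) -> List[Alert]:
    procs: Dict[int, Event] = {}
    alerts: List[Alert] = []
    for ev in events:
        if ev.kind == "process":
            procs[ev.pid] = ev
        for rule in RULES:
            hit = rule(ev, procs)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed telemetry: the overwrite (17.C.1), then the logon-screen launch (20.A.1).
EVENTS = [
    Event("process", 300, 200, "powershell.exe", original_filename="PowerShell.EXE"),
    Event("file", 300, 200, "powershell.exe", path=SYSTEM32 + "magnify.exe", sha256=BASELINE["cmd.exe"]),
    Event("process", 10, 5, SYSTEM32 + "utilman.exe", sha256=BASELINE["utilman.exe"], original_filename="utilman.exe"),
    Event("process", 20, 10, SYSTEM32 + "magnify.exe", sha256=BASELINE["cmd.exe"], original_filename="Cmd.Exe"),
    Event("process", 30, 20, SYSTEM32 + "whoami.exe", original_filename="whoami.exe"),
    Event("process", 40, 10, SYSTEM32 + "magnify.exe", sha256=BASELINE["magnify.exe"], original_filename="MAGNIFY.EXE"),  # genuine Magnifier
]

if __name__ == "__main__":
    for pid, technique, desc in detect(EVENTS):
        print(f"pid {pid:>4} {technique} {desc}")
```

The genuine Magnifier launch (pid 40) produces nothing because both its hash and its OriginalFilename agree with its name; the hash rule fires twice on the backdoor, once at the write and once at execution, which mirrors the rows where the same product scores both the file event and the later process event.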
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | PaloAltoNetworks | RSA | SentinelOne |
TOTAL SCORE | 2810 | 1173 | 4467 | 2648 | 2971 | 4240 | 5262 | 2913 | 2601 | 3611 | 775 | 862 |