Saturday, February 23, 2019

MITRE evaluated EDR, continued

Earlier we already tried to compare the capabilities of various solutions on the basis of the MITRE evaluation, but the other day further results were published, for FireEye and Cybereason. Each vendor, of course, announced right after the test (one, two) that it is the best, which only strengthened the urge to return to the topic.

As noted before, one can play with the points awarded per detection type endlessly, so I left the scoring logic as is, especially since the points may not matter that much compared with the ability to see, in a single line so to speak, which kinds of detections each solution produces for a specific implementation of a specific technique (== procedure).

In the previous table I missed being able to see the interface screenshots with the corresponding detection right away, and I never got around to adding them. This time I did, and in my opinion the table turned out more convenient.
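To make the scoring that the post keeps "as is" explicit, here is an added Python example (not the author's script from git): the weights are reconstructed from the score column of the table below (Telemetry = 10, Enrichment = 15, Indicator of Compromise = 20, General Behavior = 30, Specific Behavior = 60, minus 3 points per Tainted/Delayed/Configuration Change modifier) and are an assumption, the vendor cells are copied from the 13.C.1 row, and the `independent` flag is my own addition for spotting detections that did not depend on a parent alert.

```python
"""Reconstructed scoring of MITRE ATT&CK evaluation detection categories.

The weights are inferred from the score column of the comparison table on this page
(Telemetry = 10, Telemetry + Enrichment = 25, Enrichment + Specific Behavior-Delayed = 72, ...).
They are an assumption made for this example, not the author's published script.
"""
from __future__ import annotations

from dataclasses import dataclass

# Base weight per detection category (assumed; inferred from the table's totals).
BASE_WEIGHTS: dict[str, int] = {
    "None": 0,
    "Telemetry": 10,
    "Enrichment": 15,
    "Indicator of Compromise": 20,
    "General Behavior": 30,
    "Specific Behavior": 60,
}

# Every modifier appended with "-" costs 3 points: Telemetry-Tainted = 7,
# Enrichment-Delayed-Tainted = 9, General Behavior-Configuration Change-Delayed-Tainted = 21.
MODIFIERS = {"Tainted", "Delayed", "Configuration Change"}
MODIFIER_PENALTY = 3

# Categories where the product itself raised an alert on the procedure,
# rather than merely recording (Telemetry) or annotating (Enrichment) it.
ALERTING = {"Indicator of Compromise", "General Behavior", "Specific Behavior"}


@dataclass(frozen=True)
class Detection:
    category: str
    modifiers: tuple[str, ...]

    @property
    def score(self) -> int:
        return max(0, BASE_WEIGHTS[self.category] - MODIFIER_PENALTY * len(self.modifiers))

    @property
    def independent(self) -> bool:
        """True if the detection neither relied on a parent alert (Tainted) nor arrived Delayed."""
        return self.category != "None" and not ({"Tainted", "Delayed"} & set(self.modifiers))


def parse_detection(label: str) -> Detection:
    """Split a table label such as 'General Behavior-Delayed-Tainted' into category and modifiers.

    Modifier order varies in the table ('Enrichment-Tainted-Delayed' vs 'Enrichment-Delayed-Tainted'),
    so the modifiers are sorted and validated against the known vocabulary.
    """
    parts = [p.strip() for p in label.split("-")]
    category, mods = parts[0], parts[1:]
    if category not in BASE_WEIGHTS:
        raise ValueError(f"unknown detection category {category!r} in {label!r}")
    unknown = [m for m in mods if m not in MODIFIERS]
    if unknown:
        raise ValueError(f"unknown modifier(s) {unknown} in {label!r}")
    return Detection(category, tuple(sorted(mods)))


def cell_score(labels: list[str]) -> int:
    """Score one vendor cell: the sum of its individual detection scores."""
    return sum(parse_detection(label).score for label in labels)


def summarize_cell(labels: list[str]) -> dict:
    """Score plus the 'one-line view' the post cares about: which kinds of detections, and how solid."""
    dets = [parse_detection(label) for label in labels]
    return {
        "score": sum(d.score for d in dets),
        "categories": sorted({d.category for d in dets if d.category != "None"}),
        "alerted": any(d.category in ALERTING for d in dets),
        "independent": any(d.independent for d in dets),
    }


def compare_procedure(cells: dict[str, list[str]]) -> list[tuple[str, dict]]:
    """Per-vendor summaries for one procedure, highest score first, vendor name as tie-breaker."""
    rows = [(vendor, summarize_cell(labels)) for vendor, labels in cells.items()]
    return sorted(rows, key=lambda r: (-r[1]["score"], r[0]))


# Constructed from the 13.C.1 row of the table on this page
# (Empire: 'reg query' via PowerShell to enumerate a specific Registry key).
STEP_13_C_1 = {
    "Carbon Black": ["Telemetry", "Enrichment"],
    "CounterTack": ["Telemetry-Tainted"],
    "CrowdStrike": ["Telemetry-Tainted", "General Behavior-Delayed-Tainted", "General Behavior-Delayed"],
    "Cybereason": ["Telemetry-Tainted"],
    "Endgame": ["Telemetry-Tainted", "Enrichment-Delayed-Tainted"],
    "FireEye": ["Enrichment", "General Behavior-Delayed"],
    "Microsoft": ["Telemetry-Tainted"],
    "Palo Alto Networks": ["Telemetry-Tainted", "Enrichment"],
    "RSA": ["Telemetry"],
    "SentinelOne": ["Telemetry-Tainted"],
}

if __name__ == "__main__":
    for vendor, info in compare_procedure(STEP_13_C_1):
        flags = ("alert" if info["alerted"] else "no alert",
                 "independent" if info["independent"] else "tainted/delayed only")
        cats = ", ".join(info["categories"]) or "None"
        print(f"{vendor:<20} {info['score']:>3}  {cats:<40} {' / '.join(flags)}")
```

Running it reproduces the table's 13.C.1 scores (CrowdStrike 58, FireEye 42, Carbon Black 25, ...) while also showing that only Carbon Black, FireEye, Palo Alto Networks and RSA had a detection that did not hinge on a parent alert.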

As a reminder, the small script that generates this comparison table from the MR results of the evaluation is available on git. The table itself is there too, in the file out.html, where it is much more convenient to view (here in the post it looks rather unattractive).

Curiously, this round of tests added new procedures that were not checked for the previous vendors; in the table these are highlighted in purple with the note Not tested.




Table columns: Technique | Step | Procedures | Carbon Black | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | Palo Alto Networks | RSA | SentinelOne. Each vendor entry below gives the detection categories assigned, the score in parentheses, and the captions of the corresponding screenshots.

Query Registry (Discovery, T1012)

12.E.1.7  Empire: WinEnum module included enumeration of system information via a Registry query
  Carbon Black: None (0)
  CounterTack: None (0)
  CrowdStrike: Telemetry (10)
    - Telemetry showing the Get-Sysinfo function
  Cybereason: None (0)
  Endgame: None (0)
    - Interactive Shell events showing the WinEnum script and the Get-SysInfo function (does not count as a detection due to manual process of pulling events)
  FireEye: None (0)
  Microsoft: None (0)
  Palo Alto Networks: Enrichment-Tainted, Indicator of Compromise (32)
    - Indicator of Compromise alert identifying suspicious PowerShell strings as Empire SysInfo
    - Enrichment of the enumeration of system information via a Registry query as suspicious (tainted by a parent alert on wscript.exe)
  RSA: None (0)
  SentinelOne: None (0)

13.C.1  Empire: 'reg query' via PowerShell to enumerate a specific Registry key
  Carbon Black: Telemetry, Enrichment (25)
    - Telemetry showing process tree with reg.exe and command-line arguments
    - Enrichment of reg.exe event with correct ATT&CK Technique (Query Registry)
  CounterTack: Telemetry-Tainted (7)
    - Telemetry showing reg.exe with command-line arguments (tainted by the parent Script File Created alert)
  CrowdStrike: Telemetry-Tainted, General Behavior-Delayed-Tainted, General Behavior-Delayed (58)
    - Telemetry from process tree showing reg.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
    - OverWatch General Behavior alert indicating reg query was suspicious (tainted by previous powershell.exe detection by orange line indicating medium severity)
    - OverWatch General Behavior alert indicating reg query was suspicious
    - Email excerpt from the OverWatch team indicating reg query was part of additional malicious discovery activity (General Behavior)
  Cybereason: Telemetry-Tainted (7)
    - Telemetry showing reg.exe with command-line arguments (tainted by a parent PowerShell alert)
  Endgame: Telemetry-Tainted, Enrichment-Delayed-Tainted (16)
    - Enriched event tree showing enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery) (tainted by parent alert, tree is initially available unenriched to show the base telemetry)
  FireEye: Enrichment, General Behavior-Delayed (42)
    - Excerpt from the Managed Defense Report indicating reg.exe was a reconnaissance command used (General Behavior)
    - Enrichment of reg.exe with Reg Execution alert (tagged with ATT&CK Technique T1018 - Query Registry, and Tactic, Discovery)
  Microsoft: Telemetry-Tainted (7)
    - Telemetry showing execution of reg.exe and command-line arguments
    - Process tree view of suspicious sequence of exploration activities alert showing tainted relationship to reg.exe
  Palo Alto Networks: Telemetry-Tainted, Enrichment (22)
    - Telemetry showing powershell.exe executing reg with command-line arguments (tainted by a parent alert on wscript.exe)
    - Enrichment of reg.exe executing with command-line arguments with the correct ATT&CK Technique (Query Registry)
  RSA: Telemetry (10)
    - Telemetry showing execution of reg.exe and command-line arguments
  SentinelOne: Telemetry-Tainted (7)
    - Telemetry showing execution of reg.exe and command-line arguments (tainted Group ID not shown but was the search parameter)

2.H.1  Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
  Carbon Black: Telemetry, Enrichment (25)
    - Telemetry from process tree showing reg.exe with command-line arguments
    - Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry)
  CounterTack: Telemetry-Tainted (7)
    - Telemetry showing reg.exe with command-line arguments (tainted by the parent Script File Created alert)
  CrowdStrike: Telemetry-Tainted, General Behavior-Delayed (34)
    - Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (reg query not specifically shown)
    - Telemetry showing reg with command-line arguments
    - Email excerpt from the OverWatch team indicating reg query was a reconnaissance command (General Behavior)
  Cybereason: Telemetry-Tainted (7)
    - Telemetry showing cmd.exe executing reg with command-line arguments
    - Telemetry within a process tree showing reg.exe executing with command-line arguments (tainted by a parent Injected Shellcode alert)
  Endgame: Telemetry-Tainted, General Behavior-Configuration Change-Delayed-Tainted (28)
    - General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period
    - Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
    - Telemetry showing reg.exe with command-line arguments (tainted by parent Malicious File Detection)
  FireEye: Enrichment, Specific Behavior-Delayed (72)
    - Excerpt from the Managed Defense Report indicating the attacker queried a registry key that contains system policy configurations (Specific Behavior)
    - Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery)
    - Excerpt from the Managed Defense Report with additional details about reg
  Microsoft: Telemetry-Tainted (7)
    - Process tree view of General Behavior alert on suspicious sequence of discovery techniques (showing tainted reg.exe query command)
    - Telemetry showing execution sequence for reg.exe with command-line arguments
  Palo Alto Networks: Telemetry-Tainted, Enrichment (22)
    - Enrichment of reg.exe executing with the correct ATT&CK Technique (Query Registry)
    - Telemetry showing cmd.exe executing reg with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
  RSA: Telemetry (10)
    - Telemetry showing reg.exe with command-line arguments
  SentinelOne: Telemetry-Tainted (7)
    - Telemetry showing reg.exe with command-line arguments (tainted by relationship to threat story)

17.A.1  Empire: 'reg query' via PowerShell to enumerate a specific Registry key
  Carbon Black: Telemetry, Enrichment (25)
    - Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry)
    - Telemetry from process tree showing reg.exe with command-line arguments
  CounterTack: Telemetry-Tainted (7)
    - Telemetry showing powershell.exe executing reg.exe (tainted by the parent "New Windows service created" alert)
  CrowdStrike: Telemetry-Tainted (7)
    - Telemetry from process tree view showing reg.exe executing with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
  Cybereason: Telemetry-Tainted (7)
    - Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert)
  Endgame: Telemetry-Tainted, Enrichment-Delayed-Tainted (16)
    - Enriched event tree showing enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts, tree is initially available unenriched to show the base telemetry)
    - Event tree view showing tainted powershell.exe with reg.exe child process
  FireEye: Enrichment (15)
    - Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery)
  Microsoft: Telemetry-Tainted (7)
    - Process tree view of suspicious PowerShell command-line alert showing tainted relationship to reg.exe query
    - Telemetry showing reg.exe executing with command-line arguments
  Palo Alto Networks: Telemetry-Tainted, Enrichment-Tainted, Enrichment (34)
    - Telemetry showing powershell.exe executing reg with command-line arguments to check if terminal services were enabled (tainted by a parent alert on cmd.exe)
    - Enrichment of reg.exe executing with command-line arguments with a related ATT&CK Technique (System Service Discovery)
    - Enrichment of reg.exe executing with command-line arguments as the terminal server key queried by the reg utility (tainted by a parent alert on cmd.exe)
  RSA: Telemetry (10)
    - Telemetry showing reg.exe execution
  SentinelOne: Telemetry-Tainted (7)
    - Threat story graph showing telemetry of reg.exe executing (tainted by prior lateral movement alert by Group ID)

6.A.1  Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
  Carbon Black: Telemetry, Enrichment (25)
    - Telemetry from process tree showing reg.exe with command-line arguments
    - Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry)
  CounterTack: Telemetry-Tainted (7)
    - Telemetry showing PIPEs created (tainted by the parent "Powershell process created" alert)
    - Telemetry showing reg.exe with command-line arguments (tainted by the parent "Powershell process created" alert)
  CrowdStrike: Telemetry-Tainted, General Behavior-Delayed-Tainted (31)
    - Telemetry showing reg with command-line arguments
    - OverWatch General Behavior alert identifying reg query as suspicious as well as reg.exe process (tainted by previous detection by orange line indicating medium severity)
  Cybereason: Telemetry-Tainted (7)
    - Telemetry showing reg.exe executing with command-line arguments (tainted by a parent Injected Shellcode alert)
  Endgame: Telemetry-Tainted (7)
    - Telemetry showing reg with command-line arguments
    - Event tree view of telemetry showing reg with command-line arguments (tainted by parent Process Injection alert)
  FireEye: Enrichment, Specific Behavior-Delayed (72)
    - Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery)
    - File Write To Named Pipe alert for write to remote named pipe from reg.exe
    - Additional details on named pipe alert
    - Excerpt from the Managed Defense Report with additional details about reg query
    - Excerpt from Managed Defense Report of the reg command executing a remote registry query (Specific Behavior)
  Microsoft: Telemetry-Tainted (7)
    - Process tree view of suspicious process injection alert on lsass.exe showing tainted relationship to reg.exe (inner failure message in screenshot not relevant to tested functionality)
    - Telemetry showing execution sequence for reg.exe with command-line arguments
  Palo Alto Networks: Telemetry-Tainted, Enrichment-Tainted, Enrichment (34)
    - Enrichment of the execution of reg.exe as querying a remote key (tainted by a parent process injection alert on cmd.exe)
    - Enrichment of reg.exe executing with the correct ATT&CK Technique (Query Registry)
    - Telemetry showing cmd.exe executing reg with command-line arguments (tainted by a parent process injection alert on cmd.exe)
  RSA: Telemetry (10)
    - Telemetry showing reg.exe with command-line arguments
  SentinelOne: Telemetry-Tainted (7)
    - Telemetry showing cmd.exe executing reg with command-line arguments (tainted by relationship to rundll32 parent process linked by Group ID but not shown in this view)
Command-Line Interface (Execution, T1059)

2.B.1  (no procedure text): None (0) for all ten vendors
2.A.2  (no procedure text): None (0) for all ten vendors
2.D.2  (no procedure text): None (0) for all ten vendors
2.D.1  (no procedure text): None (0) for all ten vendors
2.A.1  (no procedure text): None (0) for all ten vendors
2.E.2  (no procedure text): None (0) for all ten vendors
2.E.1  (no procedure text): None (0) for all ten vendors

16.F.1  Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
  Carbon Black: Telemetry, Enrichment (25)
    - Telemetry showing process tree with cmd.exe and initial powershell.exe running as user Bob
    - Enrichment of cmd.exe event with correct ATT&CK Technique (T1059 - Command-Line Interface)
    - Telemetry showing process tree with cmd.exe and final powershell.exe running as user Kmitnick
  CounterTack: Telemetry-Tainted (7)
    - Telemetry showing wscript.exe execute autoupdate.vbs and resulting powershell.exe (tainted by the parent "Powershell executed remote commands" alert)
    - Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick (tainted by the parent "Powershell executed remote commands" alert)
    - Telemetry showing svchost.exe creating cmd.exe and executing autoupdate.vbs as user Kmitnick
  CrowdStrike: Telemetry-Tainted (7)
    - Telemetry showing wscript.exe launching autoupdate.vbs as user Kmitnick (tainted by previous detection by red line indicating high severity)
    - Telemetry showing cmd.exe launching autoupdate.vbs as user Kmitnick (tainted by previous detection by red line indicating high severity)
  Cybereason: Telemetry-Tainted (7)
    - Parent alert on Malicious PowerShell Command (Invoke-RunAs)
    - Telemetry showing cmd.exe executing autoupdate.vbs through wscript.exe (tainted by a parent PowerShell alert)
  Endgame: Enrichment-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted (28)
    - Telemetry showing cmd.exe executed as user Kmitnick (tainted by parent PowerShell alert)
    - Enriched event tree showing enrichment of autoupdate.vbs execution with related ATT&CK Technique (T1064 - Scripting) and Tactic (Execution) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry)
    - Enrichment showing cmd launching PowerShell via wscript.exe running autoupdate.vbs (tainted by parent PowerShell alert)
  FireEye: Enrichment, Telemetry (25)
    - Enrichment of cmd.exe spawning wscript.exe with Wscript Execution alert (tagged with correct ATT&CK Technique, T1059 - Command-Line Interface, and Tactic, Execution)
    - Telemetry showing cmd.exe executing autoupdate.vbs
  Microsoft: Telemetry-Tainted (7)
    - Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick (tainted by parent PowerShell alerts)
    - Parent alert for PowerShell script with suspicious content tainting powershell.exe (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
    - Parent alert for malicious PowerShell cmdlet tainting powershell.exe (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
    - Parent alert for PowerShell with suspicious command-line tainting powershell.exe (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
  Palo Alto Networks: Telemetry-Tainted, Enrichment, Indicator of Compromise (42)
    - Indicator of Compromise Alert identifying PowerShell Empire using the Runas functionality
    - Enrichment of wscript.exe executing autoupdate.vbs with a related ATT&CK Technique (Scripting)
    - Telemetry showing cmd.exe executing autoupdate.vbs (tainted by a parent alert on wscript.exe)
  RSA: Telemetry (10)
    - Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick
  SentinelOne: Telemetry-Tainted (7)
    - Telemetry showing cmd.exe launching autoupdate.vbs (tainted by relationship to threat story)

2.F.1  (no procedure text): None (0) for all ten vendors
2.F.3  (no procedure text): None (0) for all ten vendors
2.C.2  (no procedure text): None (0) for all ten vendors
2.G.1  (no procedure text): None (0) for all ten vendors
2.G.2  (no procedure text): None (0) for all ten vendors
2.F.2  (no procedure text): None (0) for all ten vendors
7.C.1  (no procedure text): None (0) for all ten vendors
8.A.1  (no procedure text): None (0) for all ten vendors
8.A.2  (no procedure text): None (0) for all ten vendors
2.H.1  (no procedure text): None (0) for all ten vendors
4.A.2  (no procedure text): None (0) for all ten vendors
6.A.1  (no procedure text): None (0) for all ten vendors
4.A.1  (no procedure text): None (0) for all ten vendors
4.B.1  (no procedure text): None (0) for all ten vendors
4.C.1  (no procedure text): None (0) for all ten vendors
System Service Discovery (Discovery, T1007)

12.D.1  Empire: 'net start' via PowerShell
  Carbon Black: Telemetry (10)
    - Telemetry from process tree showing net.exe with command-line arguments
  CounterTack: Telemetry-Tainted (7)
    - Telemetry showing net.exe with command-line arguments (tainted by parent Script File Created alert)
  CrowdStrike: Telemetry-Tainted, General Behavior-Delayed (34)
    - Email excerpt from the OverWatch team indicating net start was part of basic reconnaissance activity (General Behavior)
    - Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
  Cybereason: General Behavior-Tainted, Telemetry (37)
    - General Behavior alert for net.exe executing with the correct ATT&CK Tactic (System Services Discovery) and Technique (Discovery)
    - Process tree showing alerted net.exe with correct ATT&CK Technique (System Service Discovery) (tainted by a parent PowerShell alert)
  Endgame: Telemetry-Tainted, Enrichment-Tainted-Delayed (16)
    - Telemetry showing net.exe with command-line arguments
    - Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry)
  FireEye: Enrichment, General Behavior-Delayed (42)
    - Enrichment of net.exe with Net Start Command Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
    - Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
  Microsoft: Telemetry-Tainted, General Behavior-Delayed (34)
    - Process tree view of "Suspicious sequence of discovery activities" alert context with net.exe command-line arguments
    - Telemetry showing execution sequence of powershell.exe executing net.exe with command-line arguments
    - General Behavior alert description for "Suspicious sequence of discovery activities"
    - Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process
  Palo Alto Networks: Telemetry-Tainted, Enrichment-Tainted, General Behavior-Tainted (46)
    - Telemetry showing powershell.exe executing net.exe with command-line arguments (tainted by a parent alert on wscript.exe)
    - General Behavior alert for net.exe executing as an enumeration command called by a commonly abused causality group owner (CGO, wscript.exe) (tainted by a parent alert on wscript.exe)
    - Enrichment of net.exe executing as the execution of an enumeration command (tainted by a parent alert on wscript.exe)
  RSA: Telemetry (10)
    - Telemetry showing net.exe with command-line arguments
  SentinelOne: Telemetry-Tainted (7)
    - Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
    - Threat story showing initial compromise alert and powershell.exe tainting net.exe

17.A.1  Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
  Carbon Black: Telemetry (10)
    - Telemetry from process tree showing reg.exe with command-line arguments
  CounterTack: Telemetry-Tainted (7)
    - Telemetry showing powershell.exe executing reg.exe (tainted by the parent "New Windows service created" alert)
  CrowdStrike: Telemetry-Tainted (7)
    - Telemetry from process tree view showing reg.exe executing with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
  Cybereason: Telemetry-Tainted (7)
    - Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert)
  Endgame: Telemetry-Tainted (7)
    - Telemetry from event tree showing reg.exe
    - Event tree view showing tainted powershell.exe with reg.exe child process
  FireEye: Telemetry-Tainted (7)
    - Telemetry showing reg.exe executing with command-line arguments (tainted by parent Reg Execution alert)
  Microsoft: Telemetry-Tainted (7)
    - Process tree view of suspicious PowerShell command-line alert showing tainted relationship to reg.exe query
    - Telemetry showing reg.exe query for terminal server setting
  Palo Alto Networks: Telemetry-Tainted, Enrichment-Tainted, Enrichment (34)
    - Telemetry showing powershell.exe executing reg with command-line arguments (tainted by a parent alert on cmd.exe)
    - Enrichment of reg.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery)
    - Enrichment of reg.exe executing with command-line arguments as the terminal server key queried by the reg utility (tainted by a parent alert on cmd.exe)
  RSA: Telemetry (10)
    - Telemetry showing reg.exe query for terminal server setting
  SentinelOne: Telemetry-Tainted (7)
    - Threat story graph showing telemetry of reg.exe with query for terminal server setting (tainted by prior lateral movement alert by Group ID)

16.J.1  Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
  Carbon Black: Telemetry, Enrichment (25)
    - Telemetry from process tree showing sc.exe execution to query the AdobeUpdater service on Creeper
    - Enrichment of sc.exe executing query services with correct ATT&CK Technique (System Service Discovery)
  CounterTack: Enrichment-Tainted-Configuration Change (9)
    - Enrichment showing powershell.exe executing sc.exe query AdobeUpdater service on Creeper (enriched with condition SC QC Reconnaissance Command, tainted by the parent "Powershell executed remote commands" alert)
  CrowdStrike: Telemetry-Tainted, Specific Behavior-Delayed (64)
    - Email excerpt sent by OverWatch team indicating they observed Bob querying for a service (Specific Behavior)
    - Telemetry showing sc.exe execution to query the AdobeUpdater service on Creeper process tree view (tainted from previous powershell.exe detection by red line indicating high severity)
  Cybereason: Telemetry-Tainted (7)
    - Telemetry showing sc.exe executing with command-line arguments (tainted by a parent PowerShell alert)
  Endgame: Telemetry-Tainted, Enrichment-Delayed-Tainted (16)
    - Enriched event tree showing enrichment of sc.exe execution with correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts, tree is initially available unenriched to show the base telemetry)
  FireEye: Enrichment (15)
    - Additional details on enrichment of sc.exe with SC Execution alert
    - Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with the correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
  Microsoft: Telemetry-Tainted (7)
    - Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
    - Telemetry from CodeRed showing execution sequence of sc.exe service query for AdobeUpdater on Creeper
  Palo Alto Networks: Telemetry-Tainted, Enrichment-Tainted (19)
    - Enrichment of powershell.exe executing sc.exe as enumeration of services via the command line (tainted by a parent alert on wscript.exe)
    - Telemetry showing powershell.exe executing sc.exe with command-line arguments (tainted by a parent alert on wscript.exe)
  RSA: Telemetry (10)
    - Telemetry showing execution of sc.exe to query the AdobeUpdater service on 10.0.0.4 (Creeper)
  SentinelOne: Telemetry-Tainted (7)
    - Telemetry showing execution of sc.exe to query AdobeUpdater service on Creeper (tainted by relationship to threat story)

2.D.2  Cobalt Strike: 'net start' via cmd
  Carbon Black: Telemetry, Enrichment (25)
    - Enrichment of net.exe with correct ATT&CK Technique (System Service Discovery)
    - Telemetry from process tree showing net.exe with command-line arguments
  CounterTack: Telemetry-Tainted (7)
    - Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert)
  CrowdStrike: Telemetry-Tainted (7)
    - Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net start not specifically shown)
    - Telemetry showing net with command-line arguments
  Cybereason: Enrichment-Tainted, Telemetry (22)
    - Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) (tainted by a parent Injected Shellcode alert)
    - Telemetry showing cmd.exe executing net with command-line arguments
  Endgame: Telemetry-Tainted, General Behavior-Configuration Change-Delayed-Tainted (28)
    - General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period
    - Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
    - Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)
  FireEye: Enrichment, Specific Behavior-Delayed (72)
    - Excerpt from the Managed Defense Report with additional details about net
    - Excerpt from the Managed Defense Report indicating net was used to enumerate current running services (Specific Behavior)
    - Enrichment of net.exe with Net Start Command Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
  Microsoft: Telemetry-Tainted (7)
    - Telemetry showing execution sequence for net.exe with command-line arguments
    - Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing net.exe with command-line arguments
  Palo Alto Networks: Telemetry-Tainted, Enrichment-Tainted (19)
    - Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
    - Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
  RSA: Telemetry (10)
    - Telemetry showing net.exe with command-line arguments
  SentinelOne: Telemetry-Tainted (7)
    - Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

2.D.1  Cobalt Strike: 'sc query' via cmd
  Carbon Black: Telemetry, Enrichment (25)
    - Enrichment of sc.exe with correct ATT&CK Technique (System Service Discovery)
    - Telemetry from process tree showing sc.exe with command-line arguments
  CounterTack: Enrichment-Tainted-Configuration Change (9)
    - Enrichment of sc.exe with condition SC Query Reconnaissance Command (tainted by the parent Script File Created alert)
  CrowdStrike: Telemetry-Tainted, General Behavior-Delayed (34)
    - Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (sc query not specifically shown)
    - Email excerpt from the OverWatch team indicating sc query was a reconnaissance command (General Behavior)
    - Telemetry showing sc with command-line arguments
  Cybereason: Enrichment-Tainted, Telemetry (22)
    - Telemetry showing cmd.exe executing sc with command-line arguments
    - Enrichment of sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) (tainted by a parent Injected Shellcode alert)
  Endgame: Telemetry-Tainted, General Behavior-Configuration Change-Delayed-Tainted (28)
    - General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period
    - Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
    - Telemetry showing sc.exe with command-line arguments (tainted by parent Malicious File Detection)
  FireEye: Enrichment, Specific Behavior-Delayed (72)
    - Enrichment of sc.exe with SC Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
    - Excerpt from the Managed Defense Report indicating sc was used to enumerate current running services (Specific Behavior)
    - Excerpt from the Managed Defense Report with additional details about sc
    - Additional details from enrichment of sc.exe
  Microsoft: Telemetry, General Behavior-Delayed (37)
    - Process tree view of General Behavior alert on suspicious sequence of exploration activities showing sc.exe
    - Telemetry showing execution sequence for sc.exe with command-line arguments
    - General Behavior alert on suspicious sequence of exploration activities
  Palo Alto Networks: Telemetry-Tainted (7)
    - Telemetry showing cmd.exe executing sc with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
  RSA: Telemetry (10)
    - Telemetry showing sc.exe with command-line arguments
  SentinelOne: Telemetry-Tainted (7)
    - Telemetry showing sc.exe with command-line arguments (tainted by relationship to threat story)

12.E.1.8  Empire: WinEnum module included enumeration of services
  Carbon Black: None (0)
  CounterTack: None (0)
  CrowdStrike: None (0)
  Cybereason: None (0)
  Endgame: None (0)
    - Interactive Shell events showing the WinEnum script and the Services function (does not count as a detection due to manual process of pulling events)
  FireEye: None (0)
  Microsoft: Telemetry (10)
    - Telemetry of execution sequence showing Get-Service invocation
  Palo Alto Networks: Enrichment (15)
    - Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery)
  RSA: None (0)
  SentinelOne: None (0)

16.H.1  Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
  Carbon Black: Telemetry, Enrichment (25)
    - Enrichment of sc.exe executing to query services with correct ATT&CK Technique (System Service Discovery)
    - Telemetry showing module loads from execution of sc.exe to remotely query services on Creeper (10.0.0.4)
    - Telemetry from process tree showing sc.exe execution for the service query
  CounterTack: Enrichment-Tainted-Configuration Change (9)
    - Enrichment showing powershell.exe executing sc.exe to query services on Creeper (enriched with condition SC Query Reconnaissance Command, tainted by the parent "Powershell executed remote commands" alert)
  CrowdStrike: Telemetry-Tainted, Specific Behavior-Delayed (64)
    - Telemetry from process tree showing sc.exe execution to query services on Creeper (tainted from previous powershell.exe detection by red line indicating high severity)
    - Email excerpt sent by OverWatch team indicating they observed Bob querying for a service on Creeper (Specific Behavior)
  Cybereason: Telemetry-Tainted (7)
    - Telemetry of sc.exe executing with command-line arguments (tainted by a parent PowerShell alert)
  Endgame: Telemetry-Tainted, Enrichment-Delayed-Tainted (16)
    - Enrichment of sc.exe execution to query services on Creeper with correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts, tree is initially available unenriched to show the base telemetry)
    - Telemetry showing sc.exe execution to query services on Creeper
  FireEye: Enrichment (15)
    - Additional details on enrichment of sc.exe with SC Execution alert
    - Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with the correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
  Microsoft: Telemetry-Tainted (7)
    - Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
    - Telemetry from CodeRed showing execution sequence of sc.exe service query to Creeper
  Palo Alto Networks: Telemetry-Tainted, General Behavior-Tainted, Enrichment (49)
    - Telemetry showing powershell.exe executing sc with command-line arguments (tainted by a parent alert on wscript.exe)
    - Enrichment of sc.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery)
    - General Behavior alert for the sc utility being used to perform actions on remote services (tainted by a parent alert on wscript.exe)
  RSA: Telemetry (10)
    - Telemetry showing execution of sc.exe to query services on 10.0.0.4 (Creeper)
  SentinelOne: Telemetry-Tainted (7)
    - Telemetry showing execution of sc.exe to query services on Creeper (tainted by relationship to threat story)
Columns: Technique, Step, Procedures, then one cell per vendor in the order CarbonBlack, CounterTack, CrowdStrike, Cybereason, Endgame, FireEye, Microsoft, PaloAltoNetworks, RSA, SentinelOne

Technique: File Permissions Modification (Defense Evasion, T1222)

Step 17.B.1. Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe

CarbonBlack: Telemetry, Enrichment-Configuration Change (score 22)
- Enrichment of takeown.exe execution with tag "Permission modifications"
- Telemetry from process tree showing takeown.exe with command-line arguments

CounterTack: Telemetry-Tainted (score 7)
- Telemetry showing powershell.exe executing takeown.exe (tainted by the parent "New Windows service created" alert)

CrowdStrike: Telemetry-Tainted, General Behavior-Delayed (score 34)
- Telemetry from process tree view showing execution of takeown.exe (tainted by previous powershell.exe detection by red line indicating high severity)
- Email excerpt sent by OverWatch team indicating they observed takeown.exe executed to bypass Windows logon (General Behavior)

Cybereason: General Behavior-Tainted, Telemetry (score 37)
- General Behavior alert for takeown.exe performing activity related to swapping an accessibility features binary (tainted by a parent PowerShell alert)

Endgame: Telemetry-Tainted (score 7)
- Telemetry from event tree showing takeown.exe (tainted by parent alerts on powershell.exe)

FireEye: Enrichment (score 15)
- Enrichment of takeown.exe with Takeown Execution alert

Microsoft: Telemetry-Tainted (score 7)
- Telemetry showing takeown.exe execution with magnify.exe in command-line arguments
- Process tree view of suspicious PowerShell command-line alert showing tainted relationship to takeown.exe

PaloAltoNetworks: Telemetry-Tainted, Enrichment-Tainted, Enrichment (score 34)
- Enrichment of takeown.exe executing with command-line arguments as changing permission or ownership of a file or folder (tainted by a parent alert on cmd.exe)
- Enrichment of takeown.exe executing with command-line arguments with the correct ATT&CK Technique (File Permissions Modification)
- Telemetry showing powershell.exe executing takeown with command-line arguments (tainted by a parent alert on cmd.exe)

RSA: Telemetry (score 10)
- Telemetry showing takeown.exe execution with magnify.exe in command-line arguments

SentinelOne: Enrichment-Tainted (score 12)
- Enrichment showing takeown.exe execution (tainted by prior lateral movement alert by Group ID)

Step 17.B.2. Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe

CarbonBlack: Telemetry, Enrichment-Configuration Change (score 22)
- Enrichment of icacls.exe execution with tag "Permission modifications"
- Telemetry from process tree showing icacls.exe with command-line arguments

CounterTack: Telemetry-Tainted (score 7)
- Telemetry showing powershell.exe executing icacls.exe (tainted by the parent "New Windows service created" alert)

CrowdStrike: Telemetry-Tainted, General Behavior-Delayed (score 34)
- Telemetry from process tree view showing execution of icacls.exe (tainted by previous powershell.exe detection by red line indicating high severity)
- Email excerpt sent by OverWatch team indicating they observed icacls.exe executed to bypass Windows logon (General Behavior)

Cybereason: Telemetry-Tainted (score 7)
- Telemetry showing icacls.exe executing with command-line arguments (tainted by a parent PowerShell alert)

Endgame: Telemetry-Tainted (score 7)
- Telemetry from event tree showing icacls.exe (tainted by parent alerts on powershell.exe)

FireEye: Enrichment (score 15)
- Enrichment of icacls.exe with Icacls Execution alert

Microsoft: Telemetry-Tainted (score 7)
- Telemetry showing icacls.exe execution with magnify.exe in command-line arguments
- Process tree view of suspicious PowerShell command-line alert showing tainted relationship to reg.exe query

PaloAltoNetworks: Telemetry-Tainted, Enrichment (score 22)
- Telemetry showing powershell.exe executing icacls with command-line arguments (tainted by a parent alert on cmd.exe)
- Enrichment of icacls.exe executing with command-line arguments with the correct ATT&CK Technique (File Permissions Modification)

RSA: Telemetry (score 10)
- Telemetry showing icacls.exe execution with magnify.exe in command-line arguments

SentinelOne: Telemetry-Tainted (score 7)
- Telemetry showing icacls.exe execution (tainted by prior lateral movement alert by Group ID)
Technique: Masquerading (Defense Evasion, T1036)

Step 19.A.1. Empire: File dropped to disk is a renamed copy of the WinRAR binary

CarbonBlack: Telemetry (score 10)
- Telemetry showing filemod creation of recycler.exe
- Binary metadata showing recycler.exe is WinRAR.exe based on digital signature and file version information

CounterTack: None (score 0)

CrowdStrike: Telemetry (score 10)
- Telemetry showing SHA256 hash of recycler.exe

Cybereason: Telemetry-Tainted (score 7)
- Telemetry showing recycler.exe identified as WinRAR via file metadata (tainted by a parent PowerShell alert)

Endgame: None (score 0)

FireEye: Telemetry-Tainted, Specific Behavior-Delayed (score 64)
- Parent alert for PowerShell File Write showing tainting of recycler.exe telemetry
- Excerpt from the Managed Defense Report of the attacker placing the WinRAR utility on the system as recycler.exe (Specific Behavior)
- Telemetry showing MD5 hash of recycler.exe

Microsoft: Telemetry (score 10)
- Telemetry showing file creation of recycler.exe by powershell.exe showing hash and signer information as win.rar GmbH
- Binary reputation and metadata for recycler.exe showing WinRAR information

PaloAltoNetworks: Telemetry-Tainted (score 7)
- Telemetry showing file create/write and hash values of recycler.exe (tainted by a parent alert on wscript.exe)

RSA: None (score 0)

SentinelOne: Telemetry-Tainted (score 7)
- Telemetry showing file write of recycler.exe with file hashes
- Telemetry exported from threat story showing recycler.exe file write tainted by prior activity because it was under the same Group ID

Step 16.I.1. Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)

CarbonBlack: Telemetry (score 10)
- Telemetry from process tree showing sc.exe execution setting the AdobeUpdater service description
- Telemetry from process tree showing sc.exe execution creating the AdobeUpdater service

CounterTack: Telemetry-Tainted (score 7)
- Telemetry showing powershell.exe executing sc.exe to create the AdobeUpdater service on Creeper and set its description (tainted by the parent "Powershell executed remote commands" alert)

CrowdStrike: Telemetry-Tainted (score 7)
- Telemetry from process tree showing sc.exe execution with the AdobeUpdater service description (tainted from previous powershell.exe detection by red line indicating high severity)
- Telemetry showing AdobeUpdater service details with binPath pointed to cmd.exe with arguments and service description

Cybereason: Telemetry-Tainted (score 7)
- Telemetry showing sc.exe executing with command-line arguments (tainted by a parent PowerShell alert)

Endgame: Telemetry-Tainted (score 7)
- Telemetry of sc.exe executions to create and set the description of a new service on Creeper (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts)

FireEye: Enrichment (score 15)
- Additional details on enrichment of sc.exe with SC Execution alert
- Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with related correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)

Microsoft: Telemetry-Tainted (score 7)
- Telemetry showing execution sequence of sc.exe AdobeUpdater remote service creation
- Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)

PaloAltoNetworks: Telemetry-Tainted (score 7)
- Telemetry showed execution of sc.exe with command-line arguments (tainted by a parent alert on wscript.exe)

RSA: Telemetry (score 10)
- Telemetry showing execution of sc.exe to create the AdobeUpdater service and set its description

SentinelOne: Telemetry-Tainted (score 7)
- Telemetry showing execution of sc.exe to create the AdobeUpdater service and set the description (partially shown one line above; both tainted by prior threat story)

Step 19.B.1. Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary

CarbonBlack: Telemetry, Specific Behavior (score 70)
- Telemetry showing recycler.exe and command-line arguments with arguments indicating it is WinRAR
- Specific Behavior alert for recycler.exe masquerading as a renamed WinRAR process

CounterTack: Enrichment-Tainted-Configuration Change, Telemetry-Tainted (score 16)
- Enrichment showing recycler.exe creating old.rar (enriched with "Data Exfiltration Archiving", tainted by parent "Powershell executed encoded command" alerts)
- Telemetry showing recycler.exe with full command-line (tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts)

CrowdStrike: Specific Behavior-Tainted, Telemetry, Specific Behavior-Delayed (score 124)
- Specific Behavior alert showing recycler.exe was identified as WinRAR (tainted by previous powershell.exe detection by red line indicating high severity)
- Email excerpt sent by OverWatch team indicating they observed a .vsdx file archived using the renamed RAR binary, recycler.exe (Specific Behavior)
- Additional alert details showing recycler.exe was signed by win.rar GmbH

Cybereason: Telemetry-Tainted (score 7)
- Telemetry showing recycler.exe execution (tainted by a parent PowerShell alert)

Endgame: Specific Behavior-Tainted, Telemetry-Tainted (score 64)
- Telemetry showing execution of recycler.exe with command-line arguments and creation of old.rar output (tainted by Windows Script Executing PowerShell alert)
- Specific Behavior alert for the execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar" (tainted by Windows Script Executing PowerShell alert)

FireEye: General Behavior, Enrichment, Enrichment, General Behavior, Enrichment, Specific Behavior-Delayed (score 162)
- Enrichment of -hp command line with Possible Encrypted RAR Archive Command alert (tagged with related ATT&CK Techniques, T1022 - Data Encrypted and T1002 - Data Compressed)
- Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration)
- General Behavior alert for Execution from Suspicious Directory
- General Behavior alert for File Write To Root Of Recycle Bin
- Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration)
- Excerpt from the Managed Defense Report indicating the attacker executed recycler.exe to create an encrypted RAR file (Specific Behavior)

Microsoft: Telemetry-Tainted (score 7)
- Telemetry showing execution of recycler.exe with command-line arguments for file encryption and compression indicating it is WinRAR
- Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown)

PaloAltoNetworks: Telemetry-Tainted, Enrichment (score 22)
- Telemetry showing recycler.exe execution (tainted by a parent alert on wscript.exe)
- Enrichment of recycler.exe executing with command-line arguments with a related ATT&CK Technique (Masquerading)

RSA: Telemetry (score 10)
- Telemetry showing execution of recycler.exe with command-line arguments indicating it is WinRAR

SentinelOne: Enrichment-Tainted (score 12)
- Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the same Group ID
- Enrichment showing the execution of recycler.exe with process name identified as "Command line RAR"
Technique: Service Execution (Execution, T1035)

Step 16.L.1. Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)

CarbonBlack: Telemetry (score 10)
- Telemetry from process tree showing sc.exe execution to start the AdobeUpdater service on Creeper

CounterTack: Telemetry-Tainted (score 7)
- Telemetry showing powershell.exe executing sc.exe start AdobeUpdater service on Creeper (tainted by the parent "Powershell executed remote commands" alert)
- Telemetry showing AdobeUpdater service starting on Creeper (tainted by the parent "New Windows service created" alert)

CrowdStrike: Telemetry-Tainted, Specific Behavior-Delayed (score 64)
- Email excerpt sent by OverWatch team indicating they observed execution of update.vbs following the AdobeUpdater service start (Specific Behavior)
- Telemetry showing sc start in the process tree view (tainted from previous powershell.exe detection by red line indicating high severity)

Cybereason: Telemetry-Tainted (score 7)
- Telemetry showing cmd.exe executing update.vbs
- Telemetry showing sc.exe executing the service (tainted by a parent PowerShell alert)

Endgame: Telemetry-Tainted, Enrichment-Delayed-Tainted, Specific Behavior (score 76)
- Specific Behavior alert "Service Command Lateral Movement" for the start of AdobeUpdater service on Creeper tagged with correct ATT&CK Technique (T1035 - Service Execution) and Tactic (Execution)
- Enriched event tree showing enrichment of sc.exe execution with correct ATT&CK Technique (T1035 - Service Execution) and Tactic (Execution) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts, tree is initially available unenriched to show the base telemetry)

FireEye: Enrichment, Specific Behavior-Delayed (score 72)
- Excerpt from the Managed Defense Report showing sc.exe starting the adobeupdater service (Specific Behavior)
- Enrichment of sc.exe with an alert for SC Execution (tagged with related ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)

Microsoft: Telemetry-Tainted, Specific Behavior (score 67)
- Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
- Telemetry showing service execution on Creeper and new Empire connection to www.freegoogleadsenseinfo.com (C2 domain) (C2 alert rule for BORON domain was added by the vendor earlier in Step 11)
- Specific Behavior alert showing successful remote AdobeUpdater service execution attempt from CodeRed to Creeper
- Telemetry from CodeRed showing execution sequence of sc.exe service start for AdobeUpdater on Creeper

PaloAltoNetworks: Telemetry-Tainted, Enrichment (score 22)
- Telemetry showing powershell.exe executing sc with command-line arguments (tainted by a parent alert on wscript.exe)
- Enrichment of sc.exe executing with command-line arguments with the correct ATT&CK Technique (Service Execution)
- Telemetry showing cmd.exe executing update.vbs on 10.0.0.4 (Creeper)

RSA: Telemetry (score 10)
- Telemetry showing the execution of update.vbs on 10.0.0.4 (Creeper)
- Telemetry showing the execution of sc.exe to start the AdobeUpdater service on 10.0.0.4 (Creeper)

SentinelOne: Telemetry-Tainted, General Behavior (score 37)
- Telemetry showing execution of sc.exe to start the AdobeUpdater service on Creeper (tainted by relationship to threat story)
- Lateral movement alert generated by the remote service start on Creeper
Technique: System Owner/User Discovery (Discovery, T1033)

Step 2.B.1. Cobalt Strike: 'echo' via cmd to enumerate specific environment variables

CarbonBlack: Telemetry (score 10)
- Telemetry from process tree showing echo with command-line arguments

CounterTack: Telemetry-Tainted (score 7)
- Telemetry showing echo with command-line arguments (tainted by the parent Script File Created alert)

CrowdStrike: Telemetry-Tainted, General Behavior-Delayed (score 34)
- Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (echo not specifically shown)
- Email excerpt from the OverWatch team indicating echo was a reconnaissance command (General Behavior)
- Telemetry showing echo with command-line arguments

Cybereason: Telemetry-Tainted (score 7)
- Telemetry showing cmd.exe executing echo with command-line arguments (tainted by a parent Injected Shellcode alert)

Endgame: Telemetry-Tainted, General Behavior-Configuration Change-Delayed-Tainted (score 28)
- Telemetry showing echo with command-line arguments (tainted by parent Malicious File Detection)
- General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period
- Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

FireEye: Telemetry, Specific Behavior-Delayed (score 67)
- Excerpt from the Managed Defense Report with additional details about echo
- Excerpt from the Managed Defense Report indicating echo was used to enumerate the current username (Specific Behavior)
- Telemetry showing echo with command-line arguments

Microsoft: Telemetry-Tainted (score 7)
- Telemetry showing execution sequence for echo with command-line arguments
- Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing echo command

PaloAltoNetworks: Telemetry-Tainted, Enrichment (score 22)
- Telemetry showing cmd.exe executing echo with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
- Enrichment of cmd.exe executing echo with the correct ATT&CK Technique (System Owner / User Discovery)

RSA: Telemetry (score 10)
- Telemetry showing echo with command-line arguments

SentinelOne: Telemetry-Tainted (score 7)
- Telemetry showing echo with command-line arguments (tainted by relationship to threat story)

Step 20.B.1. Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)

CarbonBlack: Telemetry, Enrichment (score 25)
- Enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery)
- Telemetry from process tree with telemetry showing whoami.exe execution

CounterTack: Telemetry-Tainted (score 7)
- Telemetry showing magnify.exe executing whoami.exe (tainted by the parent POS Interactive Login Event alert)

CrowdStrike: Telemetry-Tainted (score 7)
- Telemetry from process tree showing magnify.exe child process whoami.exe (tainted by pink line indicating critical severity)

Cybereason: Specific Behavior-Tainted, Telemetry (score 67)
- Specific Behavior alert for whoami.exe execution with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) (tainted by a parent Accessibility Features alert)

Endgame: Telemetry-Tainted, Enrichment-Delayed-Tainted (score 16)
- Telemetry from event tree showing execution of whoami.exe (tainted by parent alert on magnify.exe)
- Enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery) (tainted by Windows File Name Mismatch alert, tree is initially available unenriched to show the base telemetry)

FireEye: Telemetry-Tainted, Enrichment (score 22)
- Telemetry showing whoami.exe executing as a child process of magnify.exe (tainted by parent Accessibility Features Child Process alert)
- Enrichment of whoami.exe with Whoami Execution alert (tagged with correct ATT&CK Technique, T1033 - System Owner/User Discovery, and Tactic, Discovery)

Microsoft: Telemetry-Tainted (score 7)
- Execution sequence showing whoami.exe executing from magnify.exe
- Process tree view of sticky keys binary hijack alert showing tainted relationship to whoami.exe

PaloAltoNetworks: Telemetry, Enrichment (score 25)
- Telemetry showing magnify.exe executing whoami.exe
- Enrichment of whoami.exe executing as an enumeration command

RSA: Telemetry (score 10)
- Telemetry showing whoami.exe execution

SentinelOne: Enrichment (score 15)
- Enrichment of whoami command (displays logged on user information)

Step 12.B.1. Empire: 'whoami /all /fo list' via PowerShell

CarbonBlack: Telemetry, Enrichment (score 25)
- Telemetry from process tree showing whoami.exe with command-line arguments
- Enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery)

CounterTack: Enrichment-Tainted-Configuration Change (score 9)
- Enrichment of whoami.exe with condition Whoami Reconnaissance Command (tainted by parent Script File Created alert)

CrowdStrike: General Behavior-Delayed-Tainted, Telemetry, General Behavior-Delayed (score 61)
- Email excerpt from the OverWatch team indicating whoami was part of basic reconnaissance activity (General Behavior)
- OverWatch General Behavior alert and telemetry indicating whoami.exe with command-line arguments was suspicious (tainted from previous powershell.exe detection by red line indicating high severity)

Cybereason: Enrichment-Tainted, Telemetry (score 22)
- Enrichment of whoami.exe executing as Reconnaissance and the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) (tainted by a parent PowerShell alert)
- Enrichment of whoami.exe executing with labels for Reconnaissance and Accounts discovery

Endgame: Telemetry-Tainted, Enrichment-Tainted-Delayed (score 16)
- Telemetry showing whoami.exe with command-line arguments
- Enriched event tree showing enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry)

FireEye: Enrichment, General Behavior-Delayed (score 42)
- Enrichment of whoami.exe with Whoami Execution (tagged with correct ATT&CK Technique, T1033 - System Owner/User Discovery, and Tactic, Discovery)
- Excerpt from the Managed Defense Report indicating whoami.exe was a reconnaissance command used (General Behavior)

Microsoft: Telemetry-Tainted (score 7)
- Telemetry showing execution sequence of powershell.exe executing whoami.exe with command-line arguments
- Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process
- Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process

PaloAltoNetworks: Telemetry-Tainted (score 7)
- Telemetry showing powershell.exe executing whoami.exe with command-line arguments (tainted by a parent alert on wscript.exe)

RSA: Telemetry (score 10)
- Telemetry showing whoami.exe with command-line arguments

SentinelOne: Telemetry-Tainted (score 7)
- Telemetry showing whoami.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
- Continued threat story showing initial compromise alert and powershell.exe tainting whoami.exe

Step 12.E.1.1. Empire: WinEnum module included enumeration of user information

CarbonBlack: None (score 0)

CounterTack: None (score 0)

CrowdStrike: None (score 0)

Cybereason: None (score 0)

Endgame: None (score 0)
- Interactive Shell events showing the WinEnum script and the Get-UserInfo function (does not count as a detection due to manual process of pulling events)

FireEye: None (score 0)

Microsoft: None (score 0)

PaloAltoNetworks: Indicator of Compromise (score 20)
- Indicator of Compromise alert identifying suspicious PowerShell strings as Empire UserInfo

RSA: None (score 0)

SentinelOne: None (score 0)
Technique: Standard Cryptographic Protocol (Command and Control, T1032)

Step 11.B.1. Empire: Encrypted C2 channel established using HTTPS

CarbonBlack: Telemetry (score 10)
- Telemetry showing modloads and certificate check

CounterTack: None (score 0)
- Telemetry showing powershell.exe making a network connection over TCP port 443 (does not count as a detection)

CrowdStrike: None (score 0)
- Telemetry showing powershell.exe making a network connection over port 443 (does not count as a detection)

Cybereason: Telemetry-Tainted (score 7)
- Telemetry showing powershell.exe making outgoing connection to 192.168.0.5 tagged with SERVICE_HTTP (Hypertext Transfer Protocol Over TLS/SSL (HTTPS)) (tainted by a parent PowerShell alert)
- Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert)

Endgame: Telemetry-Tainted (score 7)
- Telemetry showing decoded powershell.exe command-line arguments (tainted by parent alert)
- Telemetry showing connection to letsencrypt.org

FireEye: General Behavior-Delayed (score 27)
- Excerpt from the Managed Defense Report indicating Empire was configured to communicate over HTTPS (General Behavior)

Microsoft: Telemetry-Tainted (score 7)
- Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over an encrypted channel
- Telemetry within alert showing decoded command-line arguments containing HTTPS

PaloAltoNetworks: None (score 0)

RSA: None (score 0)
- Telemetry showing network connections, including over port 443 (does not count as a detection)

SentinelOne: None (score 0)
- Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (does not count as a detection)
Technique: Password Policy Discovery (Discovery, T1201)

Step 12.E.1.3. Empire: WinEnum module included enumeration of password policy information

CarbonBlack: None (score 0)

CounterTack: None (score 0)

CrowdStrike: None (score 0)

Cybereason: None (score 0)

Endgame: None (score 0)
- Interactive Shell events showing the WinEnum script and the Password Last Changed function (does not count as a detection due to manual process of pulling events)

FireEye: None (score 0)

Microsoft: None (score 0)

PaloAltoNetworks: None (score 0)

RSA: None (score 0)

SentinelOne: None (score 0)
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeCybereasonEndgameFireEyeMicrosoftPaloAltoNetworksRSASentinelOne
System Network Configuration Discovery

Discovery

(T1016)
12.A.2Empire: 'ipconfig /all' via PowerShell

Telemetry from process tree showing ipconfig.exe with command-line arguments

Enrichment of ipconfig.exe with correct ATT&CK Technique (T1049 - System Network Configuration Discovery)

Telemetry

Enrichment

25

Enrichment of ipconfig.exe with condition Ipconfig All Reconnaissance Command (tainted by parent Script File Created alert)

Enrichment-Tainted-Configuration Change

9

Email excerpt from the OverWatch team indicating ipconfig was part of basic reconnaissance activity (General Behavior)

Telemetry from process tree showing ipconfig.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)

Telemetry-Tainted

General Behavior-Delayed

34

Enrichment of ipconfig.exe executing with correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) (tainted by a parent PowerShell alert)

Enrichment-Tainted

Telemetry

22

Telemetry showing ipconfig.exe with command-line arguments

Event tree view of telemetry showing ipconfig.exe with command-line arguments (tainted by parent PowerShell alerts)

Telemetry-Tainted

7

Excerpt from the Managed Defense Report indicating ipconfig.exe was a reconnaissance command used (General Behavior)

Enrichment of ipconfig.exe with Ipconfig Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)

Enrichment

General Behavior-Delayed

42

Process tree view of \"Suspicious sequence of exploration activities\" alert showing tainted powershell.exe process

Telemetry showing execution sequence of powershell.exe executing ipconfig.exe with command-line arguments

Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process

Telemetry-Tainted

7

Enrichment of ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)

Telemetry showing powershell.exe executing ipconfig.exe with command-line arguments (tainted by a parent alert on wscript.exe)

Telemetry-Tainted

Enrichment

22

Telemetry showing ipconfig.exe with command-line arguments

Telemetry

10

Telemetry showing ipconfig.exe with command-line arguments (tainted Group ID not shown but was the search parameter)

Threat story showing initial compromise alert and powershell.exe tainting ipconfig.exe

Telemetry-Tainted

7
4.B.1Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd

Telemetry from process tree showing netsh.exe with command-line arguments

Enrichment of netsh.exe with related ATT&CK technique (T1063 - Security Software Discovery) and tag for Potential Windows Firewall Rule Recon

Telemetry

Enrichment

25

Telemetry showing netsh.exe with command-line arguments (tainted by the parent \"Powershell Execution Policy ByPass command ran\" alert)

Telemetry-Tainted

7

OverWatch General Behavior alert indicating netsh execution by cmd.exe was suspicious

Email excerpt from the OverWatch team indicating netsh was a reconnaissance command (General Behavior)

General Behavior-Delayed

Telemetry

General Behavior-Delayed

64

Enrichment of netsh.exe executing with correct ATT&CK Tactic (Discovery) and related Technique (Security Software Discovery) (tainted by a parent Injected Shellcode alert)

Enrichment-Tainted

Telemetry

22

Telemetry from event tree showing netsh with command-line arguments

Telemetry

10

Enrichment of netsh.exe with Netsh Execution alert (tagged with related ATT&CK Technique, T1063 - Security Software Discovery, and correct Tactic, Discovery)

Excerpt from the Managed Defense Report with additional details about netsh

Excerpt from the Managed Defense Report indicating netsh was used to obtain network configuration and the configuration profile of the Windows Firewall (Specific Behavior)

Enrichment

Specific Behavior-Delayed

72

Telemetry showing execution sequence for netsh.exe with command-line arguments

Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific netsh.exe command not shown)

Telemetry-Tainted

7

Enrichment of netsh.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)

Telemetry showing cmd.exe executing netsh with command-line arguments

Telemetry

Enrichment

25

Telemetry showing netsh.exe with command-line arguments

Telemetry

10

Telemetry showing netsh.exe with command-line arguments (tainted by relationship to threat story)

Telemetry-Tainted

7
12.A.1Empire: 'route print' via PowerShell

Telemetry from process tree showing route.exe with command-line arguments

Telemetry

10

CounterTack (score 12): Enrichment-Tainted
Enrichment of route.exe with conditions Reconnaissance Tool and Route Spawned with Reconnaissance (tainted by the parent Script File Created alert)

CrowdStrike (score 34): Telemetry-Tainted, General Behavior-Delayed
Email excerpt from the OverWatch team indicating route print was part of basic reconnaissance activity (General Behavior)
Telemetry from process tree showing route.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)

Cybereason (score 7): Telemetry-Tainted
Telemetry showing route.exe executing with command-line arguments (tainted by a parent PowerShell alert)

Endgame (score 7): Telemetry-Tainted
Telemetry showing route.exe with command-line arguments
Event tree view of telemetry showing route.exe with command-line arguments (tainted by parent PowerShell alerts)

FireEye (score 42): Enrichment, General Behavior-Delayed
Excerpt from the Managed Defense Report indicating route.exe was a reconnaissance command used (General Behavior)
Enrichment of route.exe with Route Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)

Microsoft (score 7): Telemetry-Tainted
Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process
Telemetry showing execution sequence of powershell.exe executing route.exe with command-line arguments
Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process

PaloAltoNetworks (score 22): Telemetry-Tainted, Enrichment
Telemetry showing powershell.exe executing route.exe with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of route.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)

RSA (score 10): Telemetry
Telemetry showing route.exe with command-line arguments

SentinelOne (score 7): Telemetry-Tainted
Telemetry showing route.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
Continued threat story showing initial compromise alert and powershell.exe tainting route.exe
Threat story showing partial tree of activity from the initial compromise alert

2.A.2 Cobalt Strike: 'arp -a' via cmd

CarbonBlack (score 25): Telemetry, Enrichment
Enrichment of arp.exe with related ATT&CK Technique (T1018 - Remote System Discovery)
Telemetry from process tree showing arp.exe with command-line arguments

CounterTack (score 7): Telemetry-Tainted
Telemetry showing arp.exe with command-line arguments (tainted by the parent Script File Created alert)

CrowdStrike (score 34): Telemetry-Tainted, General Behavior-Delayed
Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (arp not specifically shown)
Telemetry showing arp with command-line arguments
Email excerpt from the OverWatch team indicating arp was a reconnaissance command (General Behavior)

Cybereason (score 7): Telemetry-Tainted
Telemetry showing arp.exe executing within the process tree (tainted by a parent Injected Shellcode alert)
Telemetry showing cmd.exe executing arp with command-line arguments

Endgame (score 28): Telemetry-Tainted, General Behavior-Configuration Change-Delayed-Tainted
General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
Telemetry showing arp.exe with command-line arguments (tainted by parent Malicious File Detection)

FireEye (score 72): Enrichment, Specific Behavior-Delayed
Excerpt from the Managed Defense Report indicating arp.exe was used to enumerate the network configuration of Nimda (Specific Behavior)
Enrichment of arp.exe with Arp Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report with additional details about arp.exe execution

Microsoft (score 37): Telemetry, General Behavior-Delayed
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing arp.exe
General Behavior alert on suspicious sequence of exploration activities
Telemetry showing execution sequence for arp.exe with command-line arguments

PaloAltoNetworks (score 34): Telemetry-Tainted, Enrichment, Enrichment-Tainted
Telemetry showing cmd.exe executing arp with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Enrichment of the execution of arp.exe as possible reconnaissance (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Enrichment of arp.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)
Enrichment of the execution of arp.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA (score 10): Telemetry
Telemetry showing arp.exe with command-line arguments

SentinelOne (score 7): Telemetry-Tainted
Telemetry showing arp.exe with command-line arguments (tainted by relationship to threat story)

2.A.1 Cobalt Strike: 'ipconfig /all' via cmd

CarbonBlack (score 25): Telemetry, Enrichment
Telemetry from process tree showing ipconfig.exe with command-line arguments
Enrichment of ipconfig.exe with correct ATT&CK Technique (T1016 - System Network Configuration Discovery)

CounterTack (score 9): Enrichment-Tainted-Configuration Change
Enrichment of ipconfig.exe with condition Ipconfig All Reconnaissance Command (tainted by the parent Script File Created alert)

CrowdStrike (score 34): Telemetry-Tainted, General Behavior-Delayed
Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (ipconfig not specifically shown)
Telemetry showing ipconfig with command-line arguments
Email excerpt from the OverWatch team indicating ipconfig was a reconnaissance command (General Behavior)

Cybereason (score 22): Enrichment-Tainted, Telemetry
Enrichment of ipconfig.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) (tainted by a parent Injected Shellcode alert)
Telemetry showing cmd.exe executing ipconfig with command-line arguments

Endgame (score 55): General Behavior-Tainted, Telemetry-Tainted, General Behavior-Configuration Change-Delayed-Tainted
General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
Unusual Child Processes of RunDLL32 General Behavior alert caused by ipconfig.exe (tainted by parent Malicious File Detection)
Telemetry showing ipconfig.exe with command-line arguments (tainted by parent Malicious File Detection)

FireEye (score 72): Enrichment, Specific Behavior-Delayed
Excerpt from the Managed Defense Report with additional details about ipconfig.exe execution
Excerpt from the Managed Defense Report indicating ipconfig.exe was used to enumerate the network configuration of Nimda (Specific Behavior)
Enrichment of ipconfig.exe with Ipconfig Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)

Microsoft (score 37): Telemetry, General Behavior-Delayed
Process tree view of General Behavior alert on suspicious sequence of discovery techniques
General Behavior alert on suspicious sequence of discovery techniques
Telemetry showing execution sequence for ipconfig.exe with command-line arguments

PaloAltoNetworks (score 61): Telemetry-Tainted, Enrichment, Enrichment-Tainted, General Behavior-Tainted
Enrichment of ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)
Enrichment of the execution of ipconfig.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Telemetry showing cmd.exe executing ipconfig with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
General Behavior alert for a commonly abused process (cmd.exe) spawning out of rundll32.exe (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA (score 10): Telemetry
Telemetry showing ipconfig.exe with command-line arguments

SentinelOne (score 7): Telemetry-Tainted
Telemetry showing ipconfig.exe with command-line arguments (tainted by relationship to threat story)

12.E.1.11 Empire: WinEnum module included enumeration of network adapters

CarbonBlack (score 0): None

CounterTack (score 0): None

CrowdStrike (score 0): None

Cybereason (score 0): None

Endgame (score 0): None
Interactive Shell events showing the WinEnum script and the Network Adapters function (does not count as a detection due to manual process of pulling events)

FireEye (score 0): None

Microsoft (score 10): Telemetry
Telemetry of execution sequence showing Get-NetInfo invocation

PaloAltoNetworks (score 20): Indicator of Compromise
Indicator of Compromise alert identifying suspicious PowerShell strings as Empire NetInfo

RSA (score 0): None

SentinelOne (score 7): Telemetry-Tainted
Additional telemetry showing powershell.exe WMI queries for network adapter and configuration information
Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter)

Technique: User Execution (T1204), Tactic: Execution

1.A.1 Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)

CarbonBlack (score 40): Telemetry, General Behavior
Telemetry from process tree showing Resume Viewer.exe execution sequence
General Behavior alert showing execution of Resume Viewer.exe as a Newly Executed Application

CounterTack (score 7): Telemetry-Tainted
Telemetry showing Resume Viewer.exe running (tainted by the parent Script File Created alert)

CrowdStrike (score 40): General Behavior, Telemetry
Machine Learning General Behavior alert showing execution of Resume Viewer.exe and detection as malicious

Cybereason (score 67): General Behavior, General Behavior, Telemetry-Tainted
General Behavior alert for explorer.exe executing Resume Viewer.exe, identified as a known malicious file
General Behavior alert identifying Resume Viewer.exe as unknown malware
Telemetry showing Resume Viewer.exe running as a process (tainted by parent alert on explorer.exe)

Endgame (score 37): General Behavior, Telemetry-Tainted
Event tree view showing Malicious File Detection General Behavior alert on Resume Viewer.exe execution
Malicious File Detection General Behavior alert on Resume Viewer.exe execution and surrounding telemetry

FireEye (score 37): General Behavior-Configuration Change, Telemetry
Telemetry showing Resume Viewer.exe being executed by explorer.exe
General Behavior alert showing Resume Viewer.exe labeled as Malware (alert triggered after configuration change)

Microsoft (score 10): Telemetry
Exploit Guard audit of Resume Viewer.exe
Telemetry showing execution of pdfhelper.cmd and update.dat
Telemetry showing execution of decoy PDF by MicrosoftPdfReader.exe
Telemetry showing Resume Viewer.exe binary and process metadata
Telemetry showing Resume Viewer.exe binary reputation
Telemetry showing execution of Resume Viewer.exe from explorer.exe and dropping pdfhelper.cmd and autoupdate.bat
Telemetry showing write of pdfhelper.cmd
Telemetry showing write of autoupdate.bat

PaloAltoNetworks (score 10): Telemetry
Telemetry showing Resume Viewer.exe running as a process

RSA (score 10): Telemetry
Telemetry showing Resume Viewer.exe execution

SentinelOne (score 40): Telemetry, General Behavior
Telemetry from process tree showing execution of Resume Viewer.exe
General Behavior alert for execution of Resume Viewer.exe as a suspicious file

Technique: Data from Network Shared Drive (T1039), Tactic: Collection

18.B.1 Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

CarbonBlack (score 0): None

CounterTack (score 7): Telemetry-Tainted
Telemetry showing PowerShell copying .vsdx file from network share to Recycle Bin (tainted by the parent "Powershell executed encoded commands" alert)

CrowdStrike (score 0): None

Cybereason (score 0): None

Endgame (score 0): None

FireEye (score 0): None

Microsoft (score 0): None
Execution sequence showing PowerShell Copy-Item cmdlet execution (does not count as a detection)

PaloAltoNetworks (score 64): Telemetry-Tainted, Specific Behavior-Tainted
Telemetry showing a file event for the .vsdx file from the network shared drive on 10.0.0.5 (Conficker) (tainted by a parent alert on wscript.exe)
Specific Behavior alert for a script engine reading files from network locations (tainted by a parent alert on wscript.exe)

RSA (score 0): None

SentinelOne (score 7): Telemetry-Tainted
Exported telemetry of threat story (taints event) showing .vsdx file copy from network shared drive on Conficker

9.B.1 Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

CarbonBlack (score 0): None

CounterTack (score 0): None

CrowdStrike (score 0): None

Cybereason (score 0): None
Telemetry showing a port 445 connection between Nimda (10.0.1.6) and the source of the file on Conficker (10.0.0.5) (does not count as detection)

Endgame (score 0): None
Telemetry showing .vsdx file creation, but no indication of network shared drive (does not count as a detection)

FireEye (score 0): None

Microsoft (score 0): None

PaloAltoNetworks (score 10): Telemetry
Telemetry showing a file read event for the .vsdx file from the network shared drive

RSA (score 0): None

SentinelOne (score 10): Telemetry
Telemetry showing .vsdx file access from WormShare on the network shared drive

Technique: Process Injection (T1055), Tactics: Defense Evasion, Privilege Escalation

3.C.1 Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe

CarbonBlack (score 70): Telemetry, Specific Behavior
Telemetry showing CreateRemoteThread API call used for thread injection into cmd.exe
Telemetry showing open handles and thread injection into cmd.exe
Specific Behavior alert mapped to correct ATT&CK Technique (T1055 - Process Injection)

CounterTack (score 57): Specific Behavior-Tainted
Specific Behavior alert for DLL injection detection labeled with Process Hijacking and Privilege Escalation (tainted by the parent "Powershell process created" alert)

CrowdStrike (score 91): Specific Behavior-Tainted, Telemetry, General Behavior-Delayed-Tainted
Telemetry showing process tree view of Process Injection Specific Behavior alert and OverWatch General Behavior alert tainted by parent detections (orange line indicates medium severity)
Specific Behavior Process Injection alert mapped to correct ATT&CK Technique (Process Injection) and Tactic (Defense Evasion) as well as OverWatch General Behavior alert identifying behavior as suspicious

Cybereason (score 57): Specific Behavior-Tainted
Specific Behavior alert for powershell.exe injecting into cmd.exe
Specific Behavior alert for PowerShell injection into cmd.exe mapped to ATT&CK Tactic (Defense Evasion) and Technique (Process Injection) (tainted by a parent PowerShell alert)

Endgame (score 60): Specific Behavior
Specific Behavior alert for process injection into cmd.exe

FireEye (score 57): Specific Behavior-Delayed
Continued excerpt from the Managed Defense Report showing the artifact evidence of a process injection from PowerShell.exe to cmd.exe
Excerpt from the Managed Defense Report identifying a process injection from PowerShell.exe to cmd.exe (Specific Behavior)

Microsoft (score 69): Enrichment-Tainted, Specific Behavior-Delayed
Telemetry showing process injection activity audited by Exploit Guard
Enrichment of powershell.exe injecting into cmd.exe
Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and elevated powershell.exe (subsequent powershell.exe is the injecting process)
Specific Behavior alert showing powershell.exe process injection

PaloAltoNetworks (score 57): Specific Behavior-Tainted
Specific Behavior alert for PowerShell injecting shellcode (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

RSA (score 10): Telemetry
Telemetry showing powershell.exe creating a remote thread into cmd.exe

SentinelOne (score 7): Telemetry-Tainted
Telemetry showing powershell.exe injecting into cmd.exe (Group ID tainted this event but was not shown in this view)

8.D.1 Cobalt Strike: Screen capture capability involved process injection into explorer.exe

CarbonBlack (score 10): Telemetry
Telemetry showing "open handle" crossproc on explorer.exe by the process

CounterTack (score 10): Telemetry
Telemetry showing remote thread being created into explorer.exe

CrowdStrike (score 10): Telemetry
Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890)

Cybereason (score 60): Specific Behavior
Specific Behavior alert for Malicious code injection to explorer.exe with correct ATT&CK Tactic (Defense Evasion, Privilege Escalation) and Technique (Process Injection)
Specific Behavior alert for process injection explorer.exe rolled into chain of injections

Endgame (score 57): Specific Behavior-Tainted
Event tree showing process injection Specific Behavior alert (last alert in the view, ID 2561310) (tainted by parent Malicious File Detection and process injection alerts and labeled with the correct ATT&CK Technique, Process Injection, and Tactics, Defense Evasion and Execution)

FireEye (score 0): None

Microsoft (score 15): Enrichment
Enrichment of execution sequence showing cmd.exe injecting into explorer.exe (labeled "Inject to process")

PaloAltoNetworks (score 15): Enrichment
Enrichment of cmd.exe injecting into explorer.exe as code injection via CreateThread

RSA (score 0): None
Floating Code module generated from DLL injection showing introspection into the module's characteristics (does not count as a detection)

SentinelOne (score 7): Telemetry-Tainted
Telemetry showing powershell.exe injecting into explorer.exe (Group ID tainted this event but was not shown in this view)

5.A.1 Cobalt Strike: Credential dump capability involved process injection into lsass

CarbonBlack (score 10): Telemetry
Telemetry showing cross process events, specifically a handle to open thread into lsass.exe

CounterTack (score 30): General Behavior
General Behavior alert showing DDNA Scan for svchost.exe
General Behavior alert additional details on DDNA Scan for svchost.exe, including that it appears to inject code into another process
General Behavior alert details on DDNA Scan for svchost.exe, including that it appears to inject code into another process

CrowdStrike (score 15): Enrichment
Enrichment showing ReflectiveDllOpenLsass and ProcessHollowingDetected events

Cybereason (score 60): Specific Behavior
Specific Behavior alert with correct ATT&CK Technique (Process Injection) and Tactics (Defense Evasion, Privilege Escalation)
Data within alert showing loaded powerkatz.dll as floating executable code

Endgame (score 10): Telemetry
Telemetry showing process accesses into lsass.exe

FireEye (score 0): None

Microsoft (score 64): Telemetry-Tainted, Specific Behavior-Delayed
Alert on credential dump showing injecting svchost.exe process (process with syringe) that was used to access lsass.exe
Telemetry showing svchost.exe accessing and extracting credentials from lsass.exe
Specific Behavior alert for process injection into lsass.exe (inner failure message in screenshot not relevant to tested functionality)

PaloAltoNetworks (score 60): Specific Behavior
A Specific Behavior alert for a suspicious handle being opened to lsass.exe, tagged with a related ATT&CK Technique (Credential Dumping)

RSA (score 0): None

SentinelOne (score 0): None

5.A.2 Cobalt Strike: Hash dump capability involved process injection into lsass.exe

CarbonBlack (score 70): Telemetry, Specific Behavior
Specific Behavior alert showing correct ATT&CK Technique (Process Injection)
Alert showing correct ATT&CK Technique (Process Injection) within process tree
Telemetry showing cross process events, specifically a new thread and open handle into lsass.exe

CounterTack (score 87): Specific Behavior-Tainted, General Behavior
Specific Behavior alert showing process hijacking detection for lsass.exe thread create (tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts)
General Behavior alert showing DDNA Scan for svchost.exe
General Behavior alert details on DDNA Scan for svchost.exe, including that it appears to inject code into another process

CrowdStrike (score 15): Enrichment
Enrichment showing ReflectiveDllOpenLsass, ProcessHollowingDetected, and LsassInjectedCode events

Cybereason (score 60): Specific Behavior
Specific Behavior alert for svchost.exe injecting into lsass.exe, labeled as Malicious Code Injection
Details of Specific Behavior alert for svchost.exe process injection into lsass.exe with correct ATT&CK Tactic (Defense Evasion, Privilege Escalation) and Technique (Process Injection)
Data within alert showing loaded hashdumpx64.dll as floating executable code

Endgame (score 67): Telemetry-Tainted, Specific Behavior
Telemetry showing process injection into lsass.exe (tainted by parent Process Injection alert)
Specific Behavior alert mapped to the correct ATT&CK Technique (Process Injection)

FireEye (score 0): None

Microsoft (score 64): Telemetry-Tainted, Specific Behavior-Delayed
Alert on prior credential dump tainting svchost.exe process (process with syringe indicating process injection) that was used to access lsass.exe
Telemetry showing svchost.exe accessing and extracting credentials from lsass.exe
Specific Behavior alert for process injection into lsass.exe (inner failure message in screenshot not relevant to tested functionality)

PaloAltoNetworks (score 7): Telemetry-Tainted
Telemetry showing a code injection into lsass.exe (tainted by a parent process injection alert on cmd.exe)

RSA (score 0): None

SentinelOne (score 7): Telemetry-Tainted
Telemetry showing powershell.exe invoking a remote thread into lsass.exe (Group ID tainted this event but was not shown in this view)

Technique: Remote System Discovery (T1018), Tactic: Discovery

13.A.1 Empire: 'net group "Domain Computers" /domain' via PowerShell

CarbonBlack (score 25): Telemetry, Enrichment
Enrichment of net.exe with related ATT&CK Technique (Account Discovery)
Telemetry showing process tree with net.exe and command-line arguments

CounterTack (score 9): Enrichment-Tainted-Configuration Change
Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent Script File Created alert)

CrowdStrike (score 46): Telemetry-Tainted, Enrichment-Tainted, General Behavior-Delayed
Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted by previous powershell.exe detection by red line indicating high severity)
Telemetry from process tree showing net.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating net group was part of additional malicious discovery activity (General Behavior)

Cybereason (score 37): General Behavior-Tainted, Telemetry
General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery)
Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)

Endgame (score 16): Telemetry-Tainted, Enrichment-Delayed-Tainted
Telemetry from event tree showing net.exe with command-line arguments (tainted by parent alert)
Enriched event tree showing enrichment of net.exe with related ATT&CK Technique (T1069 - Permission Groups Discovery) and correct Tactic (Discovery) (tainted by parent alert)

FireEye (score 42): Enrichment, General Behavior-Delayed
Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1018 - Remote System Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)

Microsoft (score 34): Telemetry-Tainted, General Behavior-Delayed
Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments
Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)
Telemetry showing execution of net.exe with command-line arguments

PaloAltoNetworks (score 19): Telemetry-Tainted, Enrichment-Tainted
Enrichment of the execution of net.exe and net1.exe as an enumeration command (tainted by a parent alert on wscript.exe)
Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)

RSA (score 10): Telemetry
Telemetry showing execution of net.exe and command-line arguments

SentinelOne (score 7): Telemetry-Tainted
Telemetry showing execution of net.exe and command-line arguments (tainted Group ID not shown but was the search parameter)

4.A.1 Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd

CarbonBlack (score 25): Telemetry, Enrichment
Enrichment of net.exe with related ATT&CK technique (Account Discovery)
Telemetry from process tree showing net.exe with command-line arguments

CounterTack (score 9): Enrichment-Tainted-Configuration Change
Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)

CrowdStrike (score 79): Enrichment, Telemetry, General Behavior-Delayed, General Behavior-Delayed
OverWatch General Behavior alert for net group
Additional process tree view showing net.exe enrichment
Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery)
Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior)

Cybereason (score 37): General Behavior-Tainted, Telemetry
Telemetry showing net.exe executing with command-line arguments
General Behavior alert for net.exe executing as part of a suspicious execution chain
Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert)

Endgame (score 22): Telemetry, Enrichment-Delayed
Enriched event tree showing enrichment of net with related ATT&CK Technique (T1069 - Permission Groups Discovery) and correct Tactic (Discovery)
Telemetry from event tree showing net with command-line arguments

FireEye (score 42): Enrichment, General Behavior-Delayed
Excerpt from the Managed Defense Report indicating net group was a reconnaissance command (General Behavior)
Excerpt from the Managed Defense Report with additional details about net group
Enrichment of net.exe with Net Group Command Execution alert (tagged with related ATT&CK Technique, T1069 - Permission Groups Discovery, and correct Tactic, Discovery)

Microsoft (score 7): Telemetry-Tainted
Telemetry showing execution sequence for net.exe with command-line arguments
Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific net.exe command not shown)

PaloAltoNetworks (score 55): Telemetry, Enrichment, Enrichment, Enrichment
Telemetry showing cmd.exe executing net with command-line arguments
Enrichment of the execution of net.exe as the execution of an enumeration command using net or net1
Enrichment of the execution of net.exe as the execution of an enumeration command
Enrichment of cmd.exe executing net with a related ATT&CK Technique (System Network Connections Discovery)

RSA (score 10): Telemetry
Telemetry showing net.exe with command-line arguments

SentinelOne (score 7): Telemetry-Tainted
Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

4.A.2 Cobalt Strike: 'net group "Domain Computers" /domain' via cmd

CarbonBlack (score 25): Telemetry, Enrichment
Telemetry from process tree showing net.exe with command-line arguments
Enrichment of net.exe with related ATT&CK technique (Account Discovery)

CounterTack (score 9): Enrichment-Tainted-Configuration Change
Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)

CrowdStrike (score 79): Enrichment, Telemetry, General Behavior-Delayed, General Behavior-Delayed
Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery)
Additional process tree view showing net.exe enrichment
OverWatch General Behavior alert for net group
Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior)

Cybereason (score 37): General Behavior-Tainted, Telemetry
Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert)
Telemetry showing net.exe executing with command-line arguments
General Behavior alert for net.exe executing as part of a suspicious execution chain

Endgame (score 22): Telemetry, Enrichment-Delayed
Enriched event tree showing enrichment of net group command mapped to related ATT&CK Technique (T1069 - Permission Groups Discovery) and correct Tactic (Discovery)
Telemetry from event tree showing net with command-line arguments

FireEye (score 42): Enrichment, General Behavior-Delayed
Excerpt from the Managed Defense Report with additional details about net group
Enrichment of net.exe with Net Group Command Execution alert (tagged with related ATT&CK Technique, T1069 - Permission Groups Discovery, and correct Tactic, Discovery)
Excerpt from the Managed Defense Report indicating net group was a reconnaissance command (General Behavior)

Microsoft (score 7): Telemetry-Tainted
Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific net.exe command not shown)
Telemetry showing execution sequence for net.exe with command-line arguments

PaloAltoNetworks (score 25): Telemetry, Enrichment
Enrichment of the execution of net.exe as the execution of an enumeration command using net or net1
Telemetry showing cmd.exe executing net with command-line arguments

RSA (score 10): Telemetry
Telemetry showing net.exe with command-line arguments

SentinelOne (score 7): Telemetry-Tainted
Event tree showing net.exe (tainted by launch from process lineage previously identified as malicious)
Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Technique: Standard Application Layer Protocol (T1071), Tactic: Command and Control

6.B.1 Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com

CarbonBlack (score 10): Telemetry
Telemetry showing network connection over TCP port 80 to the C2 domain (could be used in conjunction with modload to determine protocol)
Telemetry showing modloads showing winhttp.dll loaded

CounterTack (score 10): Telemetry
Telemetry showing outbound C2 traffic over HTTP to www.freegoogleadsense.info (C2 domain)

CrowdStrike (score 0): None

Cybereason (score 12): Enrichment-Tainted
Enrichment of rundll32.exe making an unusual network connection over the "HTTP Port" with the correct ATT&CK Tactic (Command and Control) and the Technique (Standard Application Layer Protocol) (tainted by a parent Injected Shellcode alert)
Enrichment of rundll32.exe showing connection over port 80 and the amount of transmitted/received bytes (tainted by a parent Injected Shellcode alert)
Enrichment of rundll32.exe showing winhttp.dll module loaded (tainted by a parent Injected Shellcode alert)

Endgame (score 0): None

FireEye (score 37): Telemetry, General Behavior-Delayed
Excerpt from the Managed Defense Report identifying C2 traffic communicating over HTTP to www.freegoogleadsenseinfo.com (C2 domain) (General Behavior)
Telemetry showing HTTP GET requests to 192.168.0.4 (C2 server)

Microsoft (score 0): None

PaloAltoNetworks (score 10): Telemetry
Telemetry showing port 80 command and control traffic as well as the loading of winhttp.dll

RSA (score 0): None

SentinelOne (score 0): None

1.C.1 Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com

CarbonBlack (score 0): None

CounterTack (score 10): Telemetry
Telemetry showing DNS queries to freegoogleadsenseinfo.com (C2 domain) from svchost.exe

CrowdStrike (score 154): Specific Behavior, General Behavior-Delayed, Telemetry, Specific Behavior-Delayed
Email excerpt from the OverWatch team indicating they observed suspected command and control or data exfiltration via DNS (Specific Behavior)
Telemetry showing DNS requests
Specific Behavior alert showing abnormally large DNS requests (mapped to related ATT&CK Technique, Exfiltration Over Alternative Protocol, and Tactic, Exfiltration) and OverWatch General Behavior alert indicating that traffic was suspicious

Cybereason (score 7): Telemetry-Tainted
Telemetry showing rundll32.exe making DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected Shellcode alert)
Process tree showing rundll32.exe making DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected Shellcode alert)

Endgame (score 7): Telemetry-Tainted
Telemetry showing DNS connections
Telemetry showing DNS requests from rundll32.exe (tainted by parent Malicious File Detection alert)

FireEye (score 77): Indicator of Compromise, Specific Behavior-Delayed
Indicator of Compromise alert for DNS lookups (tagged with correct ATT&CK Technique, T1071 - Standard Application Layer Protocol, and Tactic, Command and Control)
Excerpt from the Managed Defense Report indicating command and control occurred via DNS (Specific Behavior)

Microsoft (score 7): Telemetry-Configuration Change
Telemetry showing DNS requests to the C2 domain (custom query)

PaloAltoNetworks (score 0): None

RSA (score 0): None

SentinelOne (score 7): Telemetry-Tainted
Telemetry showing DNS requests to the C2 domain (tainted by relationship to threat story)

14.A.1 Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP

CarbonBlack (score 0): None

CounterTack (score 7): Telemetry-Tainted
Telemetry showing port 8080 HTTP GET request to C2 domain for file wdbypass (tainted by the parent "Powershell executed encoded commands" alert)

CrowdStrike (score 0): None
Decoded PowerShell (outside of capability) showing download request over HTTP (does not count as a detection)
Telemetry showing encoded PowerShell command that decodes to show HTTP traffic (does not count as a detection)

Cybereason (score 57): Specific Behavior-Tainted
Specific Behavior alert showing decoded PowerShell with download request of wdbypass over HTTP port 8080
Specific Behavior alert for powershell.exe mapped to the correct ATT&CK Tactic (Command and Control) and Technique (Standard Application Layer Protocol) (tainted by a parent PowerShell alert)

Endgame (score 10): Telemetry
Telemetry showing decoded PowerShell with download request of wdbypass over port 8080

FireEye (score 15): Enrichment
Enrichment of HTTP GET request with PowerShell URL Request alert (tagged with correct ATT&CK Technique, T1071 - Standard Application Layer Protocol, and Tactic, Command and Control)

Microsoft (score 7): Telemetry-Tainted
Telemetry showing decoded PowerShell script with download HTTP request of wdbypass over port 8080 and tainted relationship to alert on suspicious PowerShell command-line arguments

PaloAltoNetworks (score 0): None
Telemetry showing decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability)

RSA (score 0): None
Telemetry showing decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability)

SentinelOne (score 0): None

11.B.1  Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com
  Carbon Black: Telemetry (10)
    Telemetry showing modloads and certificate check
  CounterTack: None (0)
    Telemetry showing powershell.exe making a network connection over TCP port 443 (does not count as a detection)
  CrowdStrike: None (0)
    Telemetry showing powershell.exe making a network connection over port 443 (does not count as a detection)
  Cybereason: Telemetry-Tainted (7)
    Telemetry showing powershell.exe making outgoing connection to 192.168.0.5 tagged with SERVICE_HTTP (Hypertext Transfer Protocol Over TLS/SSL (HTTPS)) (does not count as a detection)
    Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert)
  Endgame: Telemetry-Tainted (7)
    Telemetry showing decoded powershell.exe command-line arguments (tainted by parent alert)
    Telemetry showing connection to letsencrypt.org
  FireEye: General Behavior-Delayed (27)
    Excerpt from the Managed Defense Report indicating Empire was configured to communicate over HTTPS (General Behavior)
  Microsoft: Telemetry-Tainted, Indicator of Compromise-Configuration Change (24)
    Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over an encrypted channel
    Alert for C2 domain indicator of compromise
    Telemetry within alert showing decoded command-line arguments containing HTTPS
  Palo Alto Networks: None (0)
  RSA: Telemetry (10)
    Telemetry showing network connections, including over port 443
  SentinelOne: None (0)
    Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (does not count as a detection)

Technique: Network Share Discovery (T1135); Tactic: Discovery

12.E.1.9.2  Empire: WinEnum module included enumeration of mapped network drives
  Carbon Black: None (0)
  CounterTack: None (0)
  CrowdStrike: None (0)
  Cybereason: None (0)
  Endgame: None (0)
    Interactive Shell events showing the WinEnum script and the Mapped Network Drives function (does not count as a detection due to manual process of pulling events)
  FireEye: None (0)
  Microsoft: None (0)
  Palo Alto Networks: Enrichment (15)
    Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery)
  RSA: None (0)
  SentinelOne: Telemetry-Tainted (7)
    Additional telemetry showing powershell.exe WMI queries for logical disk information
    Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter)

12.E.1.9.1  Empire: WinEnum module included enumeration of available shares
  Carbon Black: None (0)
  CounterTack: None (0)
  CrowdStrike: None (0)
  Cybereason: None (0)
  Endgame: None (0)
    Interactive Shell events showing the WinEnum script and the Available Shares function (does not count as a detection due to manual process of pulling events)
  FireEye: None (0)
  Microsoft: None (0)
  Palo Alto Networks: Enrichment (15)
    Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery)
  RSA: None (0)
  SentinelOne: None (0)

Technique: Data Encoding (T1132); Tactic: Command and Control

1.C.1  Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding
  Carbon Black: None (0)
  CounterTack: None (0)
  CrowdStrike: Telemetry-Tainted (7)
    Telemetry within an alert showing encoded DNS requests (tainted by parent Exfiltration alert)
  Cybereason: Telemetry-Tainted (7)
    Telemetry showing rundll32.exe making encoded DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected Shellcode alert)
    Process tree showing rundll32.exe making encoded DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected Shellcode alert)
  Endgame: None (0)
  FireEye: Telemetry-Tainted (7)
    Telemetry showing encoded DNS requests (tainted by parent Cobalt Strike DNS Beacon alert)
  Microsoft: None (0)
  Palo Alto Networks: None (0)
  RSA: None (0)
  SentinelOne: Telemetry-Tainted (7)
    Telemetry showing stream of DNS requests with encoded data
    Telemetry showing DNS query for freegoogleadsenseinfo.com (C2 domain) (tainted by relationship to threat story)

Technique: Remote Desktop Protocol (T1076); Tactic: Lateral Movement

20.A.1  RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism
  Carbon Black: None (0)
  CounterTack: Telemetry (10)
    Telemetry showing connection to Creeper (10.0.0.4) on port 3389
  CrowdStrike: Telemetry (10)
    Telemetry showing logon type 10 (remote interactive logon) for Kmitnick on Creeper
  Cybereason: Enrichment, Telemetry (25)
    Telemetry of connection to port 3389 on Creeper (10.0.0.4)
    Enrichment of RDP connection to Creeper (10.0.0.4) identified as using RDP Port and related ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port, Standard Application Layer Protocol)
  Endgame: Telemetry (10)
    Telemetry showing connection to Creeper (10.0.0.4) on port 3389
  FireEye: Enrichment, Specific Behavior-Delayed (72)
    Enrichment of TCP port 3389 connection with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - Remote Desktop Protocol, and Tactic, Lateral Movement)
    Excerpt from the Managed Defense Report indicating Remote Desktop Protocol was used to connect to Creeper (Specific Behavior)
  Microsoft: Telemetry (10)
    Telemetry showing svchost.exe starting terminal service session on Creeper from CodeRed (10.0.1.5)
    Telemetry showing Kmitnick RDP logon from CodeRed to Creeper
  Palo Alto Networks: Telemetry (10)
    Telemetry showing an inbound connection to Creeper (10.0.0.4) on port 3389
  RSA: None (0)
  SentinelOne: None (0)

6.C.1  Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
  Carbon Black: Telemetry, Enrichment (25)
    Telemetry showing rdpclip.exe running
    Telemetry showing network connection over TCP port 3389 to 10.0.0.5 (Conficker)
    Enrichment of rdpclip.exe events with correct ATT&CK Technique (Remote Desktop Protocol)
  CounterTack: Enrichment-Tainted-Configuration Change, Telemetry (19)
    Enrichment of outbound TCP port 3389 (RDP) connection with Lateral Movement and Remote Share Access (tainted by parent "Windows command prompt invoked" alert)
    Telemetry showing inbound TCP port 3389 connection to 10.0.0.5 (Conficker)
  CrowdStrike: Telemetry, General Behavior-Delayed (37)
    Telemetry showing logon type 10 (interactive remote login) as user George@shockwave on 10.0.0.5 (Conficker)
    Telemetry showing a network connection to 10.0.0.5 (Conficker) over TCP port 3389
    Email excerpt from the OverWatch team indicating suspicious communications over 3389 (RDP) were observed (General Behavior)
  Cybereason: Telemetry-Tainted (7)
    Telemetry showing cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) (tainted by a parent Injected Shellcode alert, listed as Owner process)
    Telemetry showing cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) with Remote Interactive Logon Type
    Telemetry showing rdpclip.exe executing on 10.0.0.5 (Conficker)
  Endgame: Telemetry-Tainted (7)
    Telemetry showing Type 10 (interactive remote) login event by user George on Conficker
    Event tree view of telemetry showing port 3389 connection to 10.0.0.5 (Conficker) (tainted by parent Process Injection alert)
  FireEye: Enrichment (15)
    Enrichment of RDP connection from rundll32.exe with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - Remote Desktop Protocol, and Tactic, Lateral Movement)
  Microsoft: Telemetry (10)
    Graph showing movement from Debbie account to George
    Telemetry showing execution sequence for cmd.exe connection over RDP to 10.0.0.5 (Conficker)
    Telemetry showing user logon activity on 10.0.0.5 (Conficker) showing George with a logon type 10 RemoteInteractive logon event
    Telemetry showing execution sequence on 10.0.0.5 (Conficker) showing George logon
  Palo Alto Networks: Telemetry-Tainted, General Behavior-Tainted (34)
    Telemetry showed cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) (tainted by a parent process injection alert on cmd.exe)
    General Behavior alert for an unexpected process using the RDP port (tainted by a parent process injection alert on cmd.exe)
  RSA: Telemetry (10)
    Telemetry showing cmd.exe connecting over port 3389 (RDP) to 10.0.0.5 (Conficker)
  SentinelOne: Telemetry-Tainted (7)
    Telemetry showing port 3389 connection (tainted by relationship to threat story shown in Group ID)

10.B.1  RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism
  Carbon Black: Telemetry, Enrichment (25)
    Enrichment of rdpclip.exe with correct ATT&CK Technique (Remote Desktop Protocol)
    Telemetry from process tree showing rdpclip.exe running as user Jesse
  CounterTack: Enrichment-Tainted-Configuration Change (9)
    Enrichment of TCP port 3389 (RDP) connection to 10.0.0.5 (Conficker) with conditions Lateral Movement and Remote Share Access (tainted by the parent "Windows command prompt invoked" alert)
  CrowdStrike: Telemetry, General Behavior-Delayed (37)
    Telemetry showing user logon by Jesse to Conficker with type 10 (interactive logon)
    Telemetry showing logged-on user activity, including the use of rdpclip.exe
    Email excerpt from the OverWatch team indicating suspicious communications over 3389 (RDP) were observed (General Behavior)
  Cybereason: Telemetry-Tainted (7)
    Telemetry showing rundll32.exe process used to proxy connection over port 3389 from Nimda (10.0.1.6) to Conficker (10.0.0.5) (tainted by a parent Injected Shellcode alert)
    Telemetry of logon session for Jesse from Nimda (10.0.1.6) to Conficker (10.0.0.5) with Remote Interactive Logon Type
    Telemetry showing a TCP port 3389 connection to Conficker (10.0.0.5)
  Endgame: Telemetry (10)
    Telemetry showing remote connections over port 3389 to 10.0.0.5 (Conficker)
    Telemetry showing Type 10 (interactive) logon for Jesse
  FireEye: Enrichment, Telemetry, Specific Behavior-Delayed (82)
    Telemetry showing Logon Type 10 (interactive) event for Jesse logging on to Conficker
    Excerpt from Managed Defense Report indicating account Jesse was used to logon via Remote Desktop Protocol (Specific Behavior)
    Enrichment of port 3389 connection with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - Remote Desktop Protocol, and Tactic, Lateral Movement)
  Microsoft: Telemetry (10)
    Telemetry showing successful port 3389 connection to Conficker (10.0.0.5)
  Palo Alto Networks: Telemetry, Enrichment (25)
    Enrichment of the network connection over port 3389 with the correct ATT&CK Technique (Remote Desktop Protocol)
    Telemetry showed a successful incoming connection to Conficker (10.0.0.5) over port 3389
  RSA: None (0)
  SentinelOne: Telemetry-Tainted (7)
    Threat group identified as malicious, including rundll32.exe (PID 184) proxying the port 3389 connection (port 3389 connection not specifically shown in this view, but it identifies the rundll32.exe process tainting the connection by Group ID)
    Telemetry showing connection over port 3389 to 10.0.0.5 (Conficker)

Technique: Scheduled Task (T1053); Tactics: Execution, Persistence, Privilege Escalation

10.A.2  Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
  Carbon Black: Telemetry (10)
    Telemetry from process tree showing updater.dll executed by rundll32.exe
    Telemetry from process tree showing svchost.exe parent of rundll32.exe process running with "-k netsvcs -p -s Schedule" arguments
  CounterTack: Telemetry-Tainted (7)
    Telemetry showing svchost.exe executing rundll32.exe (tainted by parent "Sponsor process started V2" alert)
  CrowdStrike: Telemetry-Tainted (7)
    Telemetry showing rundll32.exe executing updater.dll (tainted by the parent OverWatch alert)
  Cybereason: Telemetry-Tainted (7)
    Telemetry showing rundll32.exe executing update.dat (tainted by a parent Injected Shellcode alert)
    Parent alert for Injected shellcode into rundll32.exe
  Endgame: Telemetry-Tainted (7)
    Telemetry showing rundll32.exe executing updater.dll (tainted by Malicious File Detection alert)
    Telemetry showing rundll32.exe executing updater.dll (tainted by Process Injection alert)
  FireEye: Telemetry-Tainted, Specific Behavior-Delayed (64)
    Excerpt from Managed Defense Report indicating the Resume Viewer Update Checker scheduled task executed updater.dll with rundll32.exe (Specific Behavior)
    Parent Rundll32 Execution alert that tainted updater.dll telemetry (tagged with related ATT&CK Technique, T1085 - Rundll32, and Tactic, Defense Evasion, Execution; does not include specific Scheduled Task information)
    Telemetry showing rundll32.exe executing updater.dll
  Microsoft: Telemetry (10)
    Telemetry showing execution sequence for svchost.exe parent of rundll32.exe process running with "-k netsvcs -p -s Schedule" arguments
  Palo Alto Networks: Telemetry (10)
    Telemetry showing rundll32.exe executing updater.dll
    Telemetry showing svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule"
  RSA: Telemetry (10)
    Telemetry showing rundll32.exe executing updater.dll
  SentinelOne: Telemetry (10)
    Telemetry showing rundll32.exe executing updater.dll
    Group ID query showing both autoupdate.bat and updater.dll persistence execution

7.C.1  Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)
  Carbon Black: Telemetry, Specific Behavior (70)
    Specific Behavior alert mapped to correct ATT&CK Technique (T1053 - Scheduled Task)
    Telemetry showing process tree containing schtasks.exe and the full task creation command
  CounterTack: Specific Behavior, Telemetry (70)
    Specific Behavior alert on "Schtasks with create command" for schtasks.exe run from cmd.exe
  CrowdStrike: Telemetry, General Behavior-Delayed-Tainted, Specific Behavior-Delayed (91)
    Email excerpt from OverWatch team indicating they observed a scheduled task establishing persistence (Specific Behavior)
    Telemetry showing creation of the scheduled task
    General Behavior alert from OverWatch indicating scheduled task creation was suspicious (tainted by previous cmd.exe detection by orange line indicating medium severity)
  Cybereason: Enrichment, Telemetry (25)
    Telemetry showing the Resume Viewer Update Checker scheduled task
    Enrichment of schtasks.exe with the correct ATT&CK Tactic (Persistence)
  Endgame: Enrichment, Telemetry-Tainted, Enrichment-Delayed-Tainted, Specific Behavior-Tainted (88)
    Specific Behavior alert for scheduled task creation mapped to correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence) (tainted by parent Malicious File Detection alert)
    Enriched event tree showing enrichment of scheduled task with correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence) (tainted by parent Malicious File Detection, tree is initially available unenriched to show the base telemetry)
    Enrichment of scheduled task from persistence hunt
  FireEye: Enrichment, Specific Behavior-Delayed (72)
    Excerpt from the Managed Defense Report indicating updater.dll persisted through a scheduled task (Specific Behavior)
    Excerpt from the Managed Defense Report with additional details about the scheduled task
    Enrichment of schtasks.exe with Scheduled Task Activity alert (tagged with correct ATT&CK Technique, T1053 - Scheduled Task, and Tactic, Execution, Persistence, Privilege Escalation)
  Microsoft: Telemetry, Specific Behavior-Delayed (67)
    Telemetry showing schtasks.exe with command-line arguments scheduling a task for persistence
    Alert for low-reputation DLL persisting through rundll32.exe as a scheduled task
  Palo Alto Networks: Telemetry-Tainted, Specific Behavior-Tainted, Specific Behavior-Tainted, Enrichment (136)
    Enrichment of schtasks.exe creating the Resume Viewer Update Checker scheduled task with the correct ATT&CK Technique (Scheduled Task)
    Telemetry showing schtasks.exe creating the scheduled task (tainted by a parent process injection alert on cmd.exe)
    Specific Behavior alert for a commonly abused host process scheduling a task (tainted by a parent process injection alert on cmd.exe)
    Specific Behavior alert for the creation of a new scheduled task (tainted by a parent process injection alert on cmd.exe)
  RSA: Telemetry (10)
    Telemetry showing schtasks.exe and its command-line arguments
  SentinelOne: Telemetry-Tainted (7)
    Telemetry showing schtasks.exe and associated command-line arguments (tainted by relationship to threat story)

Technique: Data Staged (T1074); Tactic: Collection

18.B.1  Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
  Carbon Black: Telemetry, Specific Behavior (70)
    Specific Behavior alert on the file write of the .vsdx file in the Recycle Bin (showing red severity score, mapped to correct ATT&CK Technique, T1074 - Data Staged)
    Telemetry showing creation of the .vsdx file in the Recycle Bin
  CounterTack: Telemetry-Tainted (7)
    Telemetry showing PowerShell copying .vsdx file from network share to Recycle Bin (tainted by the parent "Powershell executed encoded commands" alert)
  CrowdStrike: Telemetry, Specific Behavior-Delayed (67)
    Email excerpt sent by OverWatch team indicating they observed the .vsdx file being copied to Recycle Bin for staging (Specific Behavior)
    Telemetry showing the .vsdx being written into the Recycle Bin (event_SimpleName of OoxmlFileWritten)
  Cybereason: Telemetry-Tainted (7)
    Telemetry of file create/write of vsdx (tainted by a parent PowerShell alert, listed as Owner process)
  Endgame: Telemetry-Tainted (7)
    Telemetry showing the file creation of the .vsdx file in the Recycle Bin
    Event tree showing creation of the .vsdx file (tainted by parent alerts on powershell.exe)
  FireEye: Telemetry-Tainted, Specific Behavior (67)
    Specific Behavior alert for File Write to Root of Recycle Bin
    Additional telemetry showing file write of .vsdx with PowerShell File Write alert
    Telemetry showing powershell.exe file write of .vsdx to the Recycle Bin with PowerShell File Write alert
  Microsoft: None (0)
    Execution sequence showing PowerShell Copy-Item cmdlet execution (does not count as a detection)
  Palo Alto Networks: Telemetry-Tainted (7)
    Telemetry showing file read and write events for the .vsdx file from the network shared drive on 10.0.0.5 (Conficker) to the Recycle Bin (tainted by a parent alert on wscript.exe)
  RSA: None (0)
  SentinelOne: Telemetry-Tainted (7)
    Exported telemetry of threat story (taints event) showing .vsdx file copy and write

Technique: Application Window Discovery (T1010); Tactic: Discovery

8.C.1  Cobalt Strike: Keylogging capability included residual enumeration of application windows
  Carbon Black: None (0)
  CounterTack: None (0)
  CrowdStrike: None (0)
  Cybereason: None (0)
  Endgame: None (0)
  FireEye: None (0)
  Microsoft: None (0)
  Palo Alto Networks: None (0)
  RSA: None (0)
  SentinelOne: None (0)

15.A.1  Empire: Built-in keylogging module included residual enumeration of application windows
  Carbon Black: None (0)
  CounterTack: None (0)
  CrowdStrike: Telemetry (10)
    Telemetry showing decoded PowerShell script containing the API call GetForegroundWindow
  Cybereason: None (0)
  Endgame: None (0)
  FireEye: None (0)
  Microsoft: None (0)
  Palo Alto Networks: Telemetry, Indicator of Compromise (30)
    Telemetry showing decoded PowerShell script containing the API call GetForegroundWindow
    Indicator of Compromise alert identifying a PowerShell Empire script logging keys pressed, time, and the active window
  RSA: None (0)
  SentinelOne: None (0)

Technique: Valid Accounts (T1078); Tactics: Defense Evasion, Persistence, Privilege Escalation, Initial Access

16.B.1  Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
  Carbon Black: Telemetry (10)
    Telemetry showing process tree with five different net.exe logon attempts, including a success
    Telemetry showing successful logon via net.exe
  CounterTack: Telemetry-Tainted (7)
    Telemetry showing explorer.exe writing \\conficker\PIPE\srvsvc (tainted by the parent "FileExts Registry Key modified" alert)
    Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert)
  CrowdStrike: Telemetry-Tainted, General Behavior-Delayed-Tainted (31)
    OverWatch General Behavior alert indicating successful net use connection by Kmitnick was suspicious (would be tainted by previous powershell.exe detection by orange line indicating medium severity in process tree view that is not shown)
    Telemetry from process tree showing successful net.exe connection using valid credentials of Kmitnick (tainted by previous powershell.exe detection by red line indicating high severity; the vendor noted the process tree view and severities change as detections occur)
  Cybereason: Enrichment-Tainted, Telemetry (22)
    Enrichment of a logon attempt via net.exe using the valid credentials of user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
  Endgame: Enrichment-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted (28)
    Enriched event tree showing enrichment of net.exe with related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry)
    Enrichment of successful net.exe connection (tainted by parent PowerShell alert)
  FireEye: Enrichment, Telemetry (25)
    Enrichment of net.exe logon attempt by Kmitnick with Net Use Command Execution alert
    Telemetry showing successful logon of user Kmitnick
  Microsoft: Telemetry-Tainted (7)
    Telemetry showing 10.0.1.5 (CodeRed) system accessed resources on 10.0.0.5 (Conficker)
    Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
    Telemetry showing user Kmitnick login activity on 10.0.0.5 (Conficker)
    Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
  Palo Alto Networks: Telemetry-Tainted, Enrichment (22)
    Enrichment of an lsass.exe event with the correct ATT&CK Technique (Valid Accounts)
    Telemetry showing an event for the logon credentials being validated by the DC (tainted by a parent alert on wscript.exe)
    Telemetry showing a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) using valid credentials for user Kmitnick (tainted by a parent alert on wscript.exe)
  RSA: Telemetry (10)
    Telemetry showing logon attempts via net.exe using valid credentials of user Kmitnick
  SentinelOne: Telemetry-Tainted (7)
    Telemetry showing net.exe logon attempts, the last of which using valid credentials for user Kmitnick (tainted by relationship to threat story)
    Telemetry showing net.exe logon attempts and corresponding exit codes

10.B.1  RDP connection to Conficker (10.0.0.5) authenticated using previously added user Jesse
  Carbon Black: Telemetry, Enrichment (25)
    Enrichment of rdpclip.exe with correct ATT&CK Technique (Remote Desktop Protocol)
    Telemetry from process tree showing rdpclip.exe running as user Jesse
  CounterTack: Telemetry (10)
    Telemetry showing explorer.exe running as Jesse
  CrowdStrike: Telemetry (10)
    Telemetry showing user logon by Jesse to Conficker
  Cybereason: Telemetry (10)
    Telemetry of logon session for Jesse from Nimda (10.0.1.6) to Conficker (10.0.0.5) with Remote Interactive Logon Type
  Endgame: Telemetry-Tainted (7)
    Telemetry showing userinit.exe running as Jesse (tainted by parent "Start Folder Persistence" alert)
  FireEye: Telemetry, Specific Behavior-Delayed (67)
    Excerpt from Managed Defense Report indicating account Jesse was used to logon to Conficker as part of Lateral Movement (Specific Behavior)
    Telemetry showing Logon Type 10 (interactive) event for Jesse logging on to Conficker
  Microsoft: Telemetry (10)
    Telemetry showing local user account Jesse first and last seen logons on Conficker
  Palo Alto Networks: Telemetry (10)
    Telemetry showing userinit.exe as well as explorer.exe spawn as the user Jesse
  RSA: Telemetry (10)
    Telemetry showing "unregmp2.exe /FirstLogon" (associated with user logon)
    Telemetry showing user name "Jesse J" within Machine Properties
  SentinelOne: Telemetry (10)
    Telemetry showing last logged on user identified as Jesse

16.D.1  Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
  Carbon Black: Telemetry (10)
    Telemetry showing process tree with logon using valid account credentials
  CounterTack: Telemetry-Tainted (7)
    Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert)
  CrowdStrike: Telemetry-Tainted (7)
    Telemetry showing successful net use connection by Kmitnick in the process tree view (tainted by previous powershell.exe detection by red line indicating high severity)
  Cybereason: General Behavior-Tainted, Telemetry (37)
    General Behavior alert for net.exe conducting suspicious activity (tainted by a parent PowerShell alert)
  Endgame: Enrichment-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted (28)
    Enriched event tree showing enrichment of net.exe with related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry)
    Enrichment of successful net.exe connection (tainted by parent PowerShell alert)
  FireEye: Enrichment, Specific Behavior-Delayed (72)
    Excerpt from the Managed Defense Report indicating the attacker mounting the C$ share on Creeper with the Kmitnick account (Specific Behavior)
    Enrichment of net1.exe logon attempt by Kmitnick with Net Use Command Execution alert
  Microsoft: Telemetry-Tainted (7)
    Telemetry from query showing successful Kmitnick logon event for Creeper
    Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
    Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
  Palo Alto Networks: Telemetry-Tainted (7)
    Telemetry showing a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick (tainted by a parent alert on wscript.exe)
    Telemetry showing an event for a successful login by user Kmitnick (tainted by a parent alert on wscript.exe)
  RSA: Telemetry (10)
    Telemetry showing logon attempts via net.exe using valid credentials of user Kmitnick
  SentinelOne: Telemetry-Tainted (7)
    Telemetry showing a net.exe logon attempt using valid credentials for user Kmitnick (tainted by relationship to threat story)

Technique: Brute Force (T1110); Tactic: Credential Access

16.B.1  Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying
  Carbon Black: Telemetry, Enrichment-Configuration Change (22)
    Telemetry showing process tree with five different net.exe logon attempts, including a success
    Enrichment of the individual net.exe logon attempts, successful logons mapped to related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement)
  CounterTack: Enrichment-Tainted, Telemetry-Tainted (19)
    Telemetry showing explorer.exe writing \\conficker\PIPE\srvsvc (tainted by the parent "FileExts Registry Key modified" alert)
    Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with the account Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed remote commands" alert)
  CrowdStrike: Telemetry-Tainted, General Behavior-Delayed-Tainted, General Behavior-Delayed (58)
    Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally (General Behavior)
    OverWatch General Behavior alert indicating successful net use connection by Kmitnick was suspicious (would be tainted by previous powershell.exe detection by orange line indicating medium severity in process tree view that is not shown)
    Telemetry from process tree showing successful net.exe connection by Kmitnick (tainted by previous powershell.exe detection by red line indicating high severity; the vendor noted the process tree view and severities change as detections occur)
  Cybereason: Enrichment-Tainted, Telemetry (22)
    Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
  Endgame: Enrichment-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted (28)
    Enriched event tree showing enrichment of net.exe with related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry)
    Telemetry showing event tree with all 5 net commands associated with brute force failures and eventual success (tainted by parent PowerShell alert)
    Enrichment of successful net.exe connection with "Mounting Hidden Share" and Lateral Movement tags (tainted by parent PowerShell alert)
  FireEye: Enrichment, Telemetry (25)
    Enrichment of net.exe with Net Use Command Execution alert (tagged with related ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
    Telemetry showing successful logon of user Kmitnick
  Microsoft: Telemetry-Tainted, Specific Behavior-Delayed (64)
    Specific Behavior alert for brute force attempt to remote SMB shares
    Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
    Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
  Palo Alto Networks: Telemetry-Tainted (7)
    Telemetry showing an event for the logon credentials being validated by the DC (tainted by a parent alert on wscript.exe)
    Telemetry showing a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as local Kmitnick (tainted by a parent alert on wscript.exe)
  RSA: Telemetry (10)
    Telemetry showing logon attempts via net.exe and command-line arguments
  SentinelOne: Telemetry-Tainted (7)
    Telemetry showing net.exe logon attempts (tainted by relationship to threat story)
    Telemetry showing net.exe logon attempts and corresponding exit codes

16.A.1Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda

Enrichment of the individual net.exe logon attempts with tag \"Credential Access using Admin Shares - Failed Attempts\"

Telemetry showing process tree with four different net.exe logon attempts

Telemetry

Enrichment-Configuration Change

22

Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (enriched with condition \"Net User Reconnaissance Command\", tainted by the parent \"Powershell executed encoded commands\" alert)

Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (enriched with condition \"Net User Reconnaissance Command\", tainted by the parent \"Powershell executed encoded commands\" alert)

Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Bob (enriched with condition \"Net User Reconnaissance Command\", tainted by the parent \"Powershell executed encoded commands\" alert)

Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Frieda (enriched with condition \"Net User Reconnaissance Command\", tainted by the parent \"Powershell executed encoded commands\" alert)

Enrichment-Tainted

12

Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally (General Behavior)

Telemetry showing net.exe logon attempts

Telemetry showing details for the logon attempt into the 10.0.1.4 (Morris) showing UserLogonFlags_decimal is equal to 6 (attempt for local admin) and UserLogonFailed (no distinction between authentication failure and authorization failure)

Process tree view of OverWatch General Behavior alerts indicating net.exe commands were suspicious (net.exe command details not specifically shown, tainted by previous powershell.exe detection by red line indicating high severity)

Telemetry showing details for the logon attempt to 10.0.1.6 (Nimda) showing UserLogonFlags_decimal is equal to 6 (attempt for local admin) and UserLogonFailed (no distinction between authentication failure and authorization failure)

Telemetry

General Behavior-Delayed-Tainted

General Behavior-Delayed

61

Enrichment of net.exe execution showing logon attempts for the user Bob with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)

Enrichment of net.exe execution showing logon attempts for the user Frieda with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)

Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)

Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)

Enrichment of net.exe execution with related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert)

Enrichment-Tainted

Telemetry

22

Enriched event tree showing enrichment of net.exe with related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry)

Enrichment of each net.exe connection attempt (tainted by parent PowerShell alert)

Enrichment-Tainted

Telemetry-Tainted

Enrichment-Delayed-Tainted

28

Enrichment of net.exe with Net Use Command Execution alert (showing logon attempts for the user Bob; tagged with related ATT&CK Technique, T1077 - Windows Admin Share, and Tactic, Lateral Movement)

Enrichment of net.exe with Net Use Command Execution alert (showing logon attempts for the user Kmitnick; tagged with related ATT&CK Technique, T1077 - Windows Admin Share, and Tactic, Lateral Movement)

Enrichment of net.exe with Net Use Command Execution alert (showing logon attempts for the user Frieda; tagged with related ATT&CK Technique, T1077 - Windows Admin Share, and Tactic, Lateral Movement)

Excerpt from the Managed Defense Report indicating the attacker attempted to access systems using four accounts (General Behavior)

Enrichment of net.exe with Net Use Command Execution alert (showing logon attempts for the user Kmitnick; tagged with related ATT&CK Technique, T1077 - Windows Admin Share, and Tactic, Lateral Movement)

Telemetry showing failed logon attempt for Kmitnick

Enrichment

Telemetry-Configuration Change

General Behavior-Delayed

49

Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content)

Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content)

Specific Behavior alert for brute force attempt to remote SMB shares

Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)

System access history from CodeRed to Nimda and Morris

Execution sequence showing net.exe logon failure to Morris due to WebDAV fallback authentication attempt over port 80 to the C2 server

Telemetry-Tainted

Specific Behavior-Delayed

64

General Behavior alert for a sensitive administrative shares mapping with unexpected parent

Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) as local Kmitnick (tainted by a parent alert on wscript.exe)

Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Frieda (tainted by a parent alert on wscript.exe)

Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Bob (tainted by a parent alert on wscript.exe)

Telemetry-Tainted

General Behavior

37

Telemetry showing logon attempts via net.exe and command-line arguments

Telemetry

10

Telemetry showing net.exe logon attempts and corresponding exit codes

Telemetry showing net.exe logon attempts (tainted by relationship to threat story)

Telemetry-Tainted

7
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
Screen Capture

Collection

(T1113)
8.D.1 Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user Debbie

Telemetry showing modloads and crossprocess events (does not count as a detection)

None

0

Telemetry showing remote thread being created into explorer.exe (does not count as a detection)

DDNA JSON output showing the process had the capability to capture screen shots (does not count as a detection; DDNA scan was manually initiated)

None

0

Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890) (does not count as a detection)

None

0

Alert for explorer.exe loading a Meterpreter agent (does not count as detection)

Alert showing loaded screenshotx64.dll module (does not count as a detection)

None

0

Strings output extracted from Process Injection alert, showing BitBlt and CreateCompatibleBitmap that could be associated with screen capture, but no evidence of execution (does not count as a detection)

None

0

None

0

Enrichment of explorer.exe with ScreenshotTaken

Enrichment-Configuration Change

12

Enrichment of the execution of a specific API call using screen capture and suspicious activity

Enrichment

15

Floating Code module generated from DLL injection showing multiple jpeg components (does not count as a detection)

None

0

None

0
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
Create Account

Persistence

(T1136)
7.A.1 Added user Jesse to Conficker (10.0.0.5) through RDP connection

Telemetry showing Registry modifications for new user Jesse

Enrichment of lsass.exe with tag "Create Accounts using GUI"

Telemetry

Enrichment-Configuration Change

22

Child event of Specific Behavior alert showing new account added to local admins group

Specific Behavior alert for "New user account created" and event showing account name was Jesse

Specific Behavior-Configuration Change

57

Telemetry showing creation of the user Jesse with the user RID 000003E8

Telemetry showing user RID 000003E8 (corresponding to the user Jesse) added to the admin group (00000220), a well-known security identifier

Telemetry showing group membership of the user Jesse, including Remote (0000022B), Admins (00000220), and Users (00000221), which are well-known security identifiers

Telemetry

10

Telemetry showing lsass.exe creating a Registry key for user Jesse

Telemetry

10

None

0

Excerpt from the Managed Defense Report showing the creation of the user Jesse (Specific Behavior)

Telemetry showing creation of user Jesse

Telemetry

Specific Behavior-Delayed

67

Telemetry showing creation of user account Jesse

Telemetry-Configuration Change

7

Telemetry showing mmc.exe creating a Registry key for user Jesse

Enrichment of the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Create Account)

Telemetry

Enrichment

25

None

0

Telemetry showing creation of user account Jesse

Telemetry

10
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
System Information Discovery

Discovery

(T1082)
2.E.2 Cobalt Strike: 'net config workstation' via cmd

Enrichment of net.exe with correct ATT&CK Technique (System Information Discovery)

Telemetry from process tree showing net.exe with command-line arguments

Telemetry

Enrichment

25

Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert)

Telemetry-Tainted

7

Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net config not specifically shown)

Email excerpt from the OverWatch team indicating net config was a reconnaissance command (General Behavior)

Telemetry showing net with command-line arguments

Telemetry-Tainted

General Behavior-Delayed

34

Telemetry showing cmd.exe executing net with command-line arguments

Enrichment of net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) (tainted by a parent Injected Shellcode alert)

Telemetry

Enrichment-Tainted

22

General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period

Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)

Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted

28

Excerpt from the Managed Defense Report indicating net config was a reconnaissance command (General Behavior)

Enrichment of net.exe with Net Config Command Execution alert (tagged with correct ATT&CK Technique, T1082 - System Information Discovery, and Tactic, Discovery)

Excerpt from the Managed Defense Report with additional details about net

Enrichment

General Behavior-Delayed

42

Telemetry showing execution sequence for net.exe with command-line arguments

Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing net.exe with command-line arguments

Telemetry-Tainted

7

Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Enrichment of cmd.exe executing net with the correct ATT&CK Technique (System Information Discovery)

Telemetry-Tainted

Enrichment

Enrichment-Tainted

34

Telemetry showing net.exe with command-line arguments

Telemetry

10

Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Telemetry-Tainted

7
2.E.1 Cobalt Strike: 'systeminfo' via cmd

Telemetry from process tree showing systeminfo.exe

Enrichment of systeminfo.exe with correct ATT&CK Technique (System Information Discovery)

Telemetry

Enrichment

25

Telemetry showing systeminfo.exe (tainted by the parent Script File Created alert)

Telemetry-Tainted

7

Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (systeminfo not specifically shown)

OverWatch General Behavior alert indicating systeminfo.exe was suspicious

Email excerpt from the OverWatch team indicating systeminfo was a reconnaissance command (General Behavior)

Telemetry showing systeminfo

Telemetry-Tainted

General Behavior-Delayed

General Behavior-Delayed

61

Enrichment of systeminfo.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) (tainted by a parent Injected Shellcode alert)

Telemetry showing cmd.exe executing systeminfo

Enrichment-Tainted

Telemetry

22

General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period

Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Telemetry showing systeminfo.exe (tainted by parent Malicious File Detection)

Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted

28

Enrichment of systeminfo.exe with Systeminfo Execution alert (tagged with correct ATT&CK Technique, T1082 - System Information Discovery, and Tactic, Discovery)

Excerpt from the Managed Defense Report with additional details about systeminfo

Excerpt from the Managed Defense Report indicating systeminfo was a reconnaissance used to obtain system details (Specific Behavior)

Enrichment

Specific Behavior-Delayed

72

Telemetry showing execution sequence for systeminfo.exe

Process tree view of General Behavior alert on suspicious sequence of exploration activities showing systeminfo.exe

General Behavior alert on suspicious sequence of exploration activities

Telemetry

General Behavior-Delayed

37

Enrichment of cmd.exe executing systeminfo with the correct ATT&CK Technique (System Information Discovery)

Enrichment of the execution of systeminfo.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Telemetry showing cmd.exe executing systeminfo with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Telemetry-Tainted

Enrichment

Enrichment-Tainted

34

Telemetry showing systeminfo.exe

Telemetry

10

Telemetry showing systeminfo.exe (tainted by relationship to threat story)

Telemetry-Tainted

7
12.E.1.6.1 Empire: WinEnum module included enumeration of system information

None

0

None

0

Telemetry showing the Get-Sysinfo function

Telemetry

10

None

0

Interactive Shell events showing the WinEnum script and the Get-SysInfo function (does not count as a detection due to manual process of pulling events)

None

0

None

0

Telemetry of execution sequence showing Get-SysInfo invocation

Telemetry

10

Indicator of Compromise alert identifying suspicious PowerShell strings as Empire SysInfo

Indicator of Compromise

20

None

0

Additional telemetry showing powershell.exe WMI queries for operating system information

Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter)

Telemetry-Tainted

7
12.E.1.6.2 Empire: WinEnum module included enumeration of Windows update information

None

0

None

0

None

0

None

0

None

0

None

0

Telemetry of execution sequence showing Get-HotFix invocation

Telemetry

10

None

0

None

0

None

0
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
File and Directory Discovery

Discovery

(T1083)
18.A.1 Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

None

0

None

0

None

0

None

0

None

0

None

0

Query showing .vsdx PowerShell file search script that was executed

Telemetry

10

Telemetry showing an event with the execution of the Get-ChildItem command (tainted by a parent alert on wscript.exe)

Telemetry-Tainted

7

None

0

None

0
8.A.1 Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd

Enrichment of cmd.exe with correct ATT&CK Technique (T1083 - File and Directory Discovery)

Telemetry from process tree showing dir with command-line arguments

Telemetry

Enrichment

25

Telemetry showing dir with command-line arguments (tainted by the parent "Powershell process created" alert)

Telemetry-Tainted

7

Process tree view showing cmd.exe that ran dir (dir not specifically shown, cmd.exe is second from top and tainted by previous detection by orange line indicating medium severity)

Telemetry showing cmd.exe running dir with command-line arguments (search was on commands running within the past 10 minutes)

Telemetry-Tainted

7

Enrichment of cmd.exe executing dir with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery) (tainted by a parent Injected Shellcode alert)

Enrichment-Tainted

Telemetry

22

Enriched event tree showing enrichment of dir with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery) (tainted by parent Malicious File Detection, tree is initially available unenriched to show the base telemetry)

Telemetry-Tainted

Enrichment-Tainted-Delayed

16

Enrichment of cmd.exe executing dir with Dir Command alert (tagged with correct ATT&CK Technique, T1083 - File and Directory Discovery, and Tactic, Discovery)

Enrichment

15

Telemetry showing execution sequence of cmd.exe executing dir with command-line arguments

Process tree view of rundll32.exe "Unexpected behavior from process run with no command-line arguments" alert that tainted dir (dir command not shown)

Telemetry-Tainted

7

Enrichment of cmd.exe executing dir with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery)

Telemetry showing cmd.exe executing dir with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Enrichment of cmd executing dir with command-line arguments as the execution of the dir command on a network location (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Telemetry-Tainted

Enrichment-Tainted

Enrichment

34

Telemetry showing cmd.exe executing dir with command-line arguments

Telemetry

10

Telemetry showing cmd.exe executing dir with command-line arguments (tainted by relationship to threat story)

Telemetry-Tainted

7
8.A.2 Cobalt Strike: 'tree "C:\Users\debbie"' via cmd

Enrichment of tree.com with correct ATT&CK Technique (T1083 - File and Directory Discovery)

Telemetry from process tree showing tree.com with command-line arguments

Telemetry

Enrichment

25

Telemetry showing tree with command-line arguments (tainted by the parent "Powershell process created" alert)

Telemetry-Tainted

7

Additional details for OverWatch General Behavior alert indicating tree.com was suspicious (tainted by previous detection by orange line indicating medium severity)

OverWatch General Behavior alert indicating tree.com was suspicious (tainted by previous detection by orange line indicating medium severity)

Telemetry showing cmd.exe running tree with command-line arguments (search was on commands running within the past 10 minutes)

Email excerpt from the OverWatch team indicating tree was a reconnaissance command (General Behavior)

Telemetry-Tainted

General Behavior-Delayed-Tainted

General Behavior-Delayed

58

Enrichment of cmd.exe executing tree with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery) (tainted by a parent Injected Shellcode alert)

Enrichment-Tainted

Telemetry

22

Enriched event tree showing enrichment of tree with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery) (tainted by parent Malicious File Detection, tree is initially available unenriched to show the base telemetry)

Telemetry-Tainted

Enrichment-Tainted-Delayed

16

Enrichment of cmd.exe executing tree with Tree Command Execution alert (tagged with correct ATT&CK Technique, T1083 - File and Directory Discovery and Tactic, Discovery)

Excerpt from the Managed Defense Report identifying a directory listing of Debbie's profile directory (Specific Behavior)

Excerpt from Managed Defense Report showing additional details about tree

Enrichment

Specific Behavior-Delayed

72

Telemetry showing execution sequence of cmd.exe executing tree.com with command-line arguments

Process tree view of rundll32.exe "Unexpected behavior from process run with no command-line arguments" alert that tainted tree (tree command not shown)

Telemetry-Tainted

7

Enrichment of cmd.exe executing tree with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery)

Telemetry showing cmd.exe executing tree with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Telemetry-Tainted

Enrichment

22

Telemetry showing cmd.exe executing tree with command-line arguments

Telemetry

10

Telemetry showing cmd.exe executing tree with command-line arguments (tainted by relationship to threat story)

Telemetry-Tainted

7
12.E.1.4.2 Empire: WinEnum module included enumeration of interesting files

None

0

None

0

None

0

None

0

Interactive Shell events showing the WinEnum script and the Interesting Files function (does not count as a detection due to manual process of pulling events)

None

0

None

0

None

0

Enrichment of powershell.exe executing with command-line arguments as suspicious and the correct ATT&CK Technique (File and Directory Discovery)

Enrichment

15

None

0

None

0
12.E.1.4.1 Empire: WinEnum module included enumeration of recently opened files

None

0

None

0

None

0

None

0

Interactive Shell events showing the WinEnum script and the Last 5 files opened function (does not count as a detection due to manual process of pulling events)

None

0

None

0

None

0

Enrichment of powershell.exe executing with command-line arguments as suspicious and the correct ATT&CK Technique (File and Directory Discovery)

Enrichment

15

None

0

None

0
9.A.1 Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
16.K.1 Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)

None

0

None

0

None

0

None

0

None

0

None

0

None

0

Telemetry showing a file read event for update.vbs (tainted by a parent alert on wscript.exe)

Telemetry-Tainted

7

None

0

Telemetry

10
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
Credentials in Files

Credential Access

(T1081)
15.B.1 Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)

None

0

None

0

Telemetry showing decoded PowerShell script containing the function Get-Keystrokes

Excerpt from email sent by OverWatch team indicating keylogging activity occurred (Specific Behavior)

Telemetry

Specific Behavior-Delayed

67

None

0

None

0

None

0

Telemetry showing "Get-Content" cmdlet (does not count as a detection)

None

0

Telemetry showing a file read event for IT_tasks.txt

Telemetry

10

None

0

None

0
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
PowerShell

Execution

(T1086)
13.C.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
16.A.1

Not tested

0

Not tested

0

Not tested

0

None

0

Not tested

0

None

0

Not tested

0

None

0

Not tested

0

Not tested

0
12.F.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
17.B.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
17.B.2

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
12.F.2

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
17.C.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
12.G.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
12.G.2

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
12.D.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
16.D.1

Not tested

0

Not tested

0

Not tested

0

None

0

Not tested

0

None

0

Not tested

0

None

0

Not tested

0

Not tested

0
18.A.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
12.E.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
12.C.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
12.B.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
18.B.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
16.E.1

Not tested

0

Not tested

0

Not tested

0

None

0

Not tested

0

None

0

Not tested

0

None

0

Not tested

0

Not tested

0
17.A.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
16.K.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
11.A.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
16.H.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
12.A.2

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
19.D.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
19.D.2

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
12.A.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
16.G.1

Not tested

0

Not tested

0

Not tested

0

None

0

Not tested

0

None

0

Not tested

0

None

0

Not tested

0

Not tested

0
16.I.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
16.J.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
16.B.1

Not tested

0

Not tested

0

Not tested

0

None

0

Not tested

0

None

0

Not tested

0

None

0

Not tested

0

Not tested

0
15.B.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
13.B.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
13.B.2

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
13.A.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
16.C.1

Not tested

0

Not tested

0

Not tested

0

None

0

Not tested

0

None

0

Not tested

0

None

0

Not tested

0

Not tested

0
16.L.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
Account Discovery

Discovery

(T1087)
2.G.2 Cobalt Strike: 'net user george /domain' via cmd

Telemetry from process tree showing net.exe with command-line arguments

Enrichment of net.exe with correct ATT&CK Technique (Account Discovery)

Telemetry

Enrichment

25

Enrichment of net.exe with conditions Reconnaissance Tool and Net User Reconnaissance Command (tainted by the parent Script File Created alert)

Enrichment-Tainted-Configuration Change

9

Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net user not specifically shown)

Telemetry showing net with command-line arguments

Email excerpt from the OverWatch team indicating net user was a reconnaissance command (General Behavior)

Telemetry-Tainted

General Behavior-Delayed

34

Process tree showing enriched net.exe executing with the correct ATT&CK Technique (Account Discovery) (tainted by a parent Injected Shellcode alert)

Telemetry showing net executing with command-line arguments

Enrichment of net.exe executing with the correct ATT&CK Tactic (Account Discovery) and Technique (Discovery)

Telemetry

Enrichment-Tainted

22

General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period

Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)

Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted

28

Excerpt from the Managed Defense Report indicating net user was a reconnaissance command (General Behavior)

Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)

Excerpt from the Managed Defense Report with additional details about net

Enrichment

General Behavior-Delayed

42

Telemetry showing discovery of George permissions by Debbie from Nimda at the domain controller

General Behavior alert on suspicious sequence of exploration activities

Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments

Telemetry showing execution sequence for net.exe with command-line arguments

Telemetry

General Behavior-Delayed

37

Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Enrichment of net1.exe executing with the correct ATT&CK Technique (Account Discovery)

Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Telemetry-Tainted

Enrichment

Enrichment-Tainted

34

Telemetry showing net.exe with command-line arguments

Telemetry

10

Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Telemetry-Tainted

7
12.G.1 Empire: 'net user' via PowerShell

Telemetry from process tree showing net.exe with command-line arguments

Enrichment of net.exe with related ATT&CK Technique (T1069 - Permission Groups Discovery)

Telemetry

Enrichment

25

Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert)

Enrichment-Tainted

12

Email excerpt from the OverWatch team indicating net user was part of additional malicious discovery activity (General Behavior)

Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)

Telemetry-Tainted

General Behavior-Delayed

34

Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)

General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Account Discovery) and Technique (Discovery)

General Behavior-Tainted

Telemetry

37

Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts)

Telemetry from event tree showing net.exe with command-line arguments (tainted by parent PowerShell alert)

Telemetry-Tainted

Enrichment-Tainted-Delayed

16

Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used to capture information about local users (General Behavior)

Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)

Enrichment

General Behavior-Delayed

42

Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments

Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments

Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)

Telemetry-Tainted

General Behavior-Delayed

34

Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery)

Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)

Telemetry-Tainted

Enrichment

22

Telemetry showing net.exe with command-line arguments

Telemetry

10

Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Continued threat story showing related processes

Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter)

Telemetry-Tainted

7
12.G.2 Empire: 'net user /domain' via PowerShell

Telemetry from process tree showing net.exe with command-line arguments

Enrichment of net.exe with related ATT&CK Technique (T1069 - Permission Groups Discovery)

Telemetry

Enrichment

25

Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert)

Enrichment-Tainted

12

Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)

Email excerpt from the OverWatch team indicating net user was part of additional malicious discovery activity (General Behavior)

Telemetry-Tainted

General Behavior-Delayed

34

Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)

General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Account Discovery) and Technique (Discovery)

General Behavior-Tainted

Telemetry

37

Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry)

Telemetry-Tainted

Enrichment-Tainted-Delayed

16

Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)

Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)

Enrichment

General Behavior-Delayed

42

Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)

Specific Behavior alert showing domain user enumeration from Bob on CodeRed against Domain Controller on Creeper

Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments

Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments

Telemetry-Tainted

General Behavior-Delayed

Specific Behavior-Delayed

91

Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)

Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery)

Telemetry-Tainted

Enrichment

22

Telemetry showing net.exe with command-line arguments

Telemetry

10

Threat story showing initial compromise alert and powershell.exe tainting net.exe

Continued threat story showing initial compromise alert and powershell.exe tainting net.exe

Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter)

Telemetry-Tainted

7
7.A.1 Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information

Telemetry showing mmc.exe running lusrmgr.msc

Telemetry

10

Telemetry showing mmc.exe running lusrmgr.msc (tainted by the parent "LSA Registry Key modified" alert)

Telemetry-Tainted

7

Telemetry showing mmc.exe running lusrmgr.msc

Telemetry

10

Telemetry showing lusrmgr.msc running from mmc.exe

Telemetry

10

Telemetry showing mmc.exe running lusrmgr.msc

Telemetry

10

Telemetry showing mmc.exe running lusrmgr.exe

Telemetry

10

Telemetry showing mmc.exe running lusrmgr.msc

Telemetry

10

Telemetry showing lusrmgr.msc running from mmc.exe

Enrichment of mmc.exe as reconnaissance via the MMC utility with local users and groups view

Telemetry

Enrichment

25

None

0

None

0
2.G.1 Cobalt Strike: 'net user /domain' via cmd

Enrichment of net.exe with correct ATT&CK Technique (Account Discovery)

Telemetry from process tree showing net.exe with command-line arguments

Telemetry

Enrichment

25

Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert)

Enrichment-Tainted

12

Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net user not specifically shown)

Telemetry showing net with command-line arguments

Telemetry-Tainted

7

Process tree showing enriched net.exe executing with the correct ATT&CK Technique (Account Discovery) (tainted by a parent Injected Shellcode alert)

Enrichment of net.exe executing with the correct ATT&CK Tactic (Account Discovery) and Technique (Discovery)

Telemetry showing net executing with command-line arguments

Telemetry

Enrichment-Tainted

22

General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period

Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)

Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted

28

Excerpt from the Managed Defense Report indicating net user was a reconnaissance command (General Behavior)

Excerpt from the Managed Defense Report with additional details about net

Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)

Enrichment

General Behavior-Delayed

42

General Behavior alert on suspicious sequence of exploration activities

Telemetry showing execution sequence for net.exe with command-line arguments

Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments

Telemetry

General Behavior-Delayed

37

Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Telemetry-Tainted

Enrichment-Tainted

19

Telemetry showing net.exe with command-line arguments

Telemetry

10

Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Telemetry-Tainted

7
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
Rundll32 (T1085): Defense Evasion, Execution
1.A.1 Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32

Telemetry from process tree showing Resume Viewer.exe execution sequence with rundll32.exe

Enrichment of rundll32.exe execution with correct ATT&CK Technique (T1085, corresponding to Rundll32)

Telemetry

Enrichment

25

Telemetry showing cmd.exe launched rundll32.exe (tainted by the Script File Created alert)

Telemetry-Tainted

7

Specific Behavior alert showing rundll32 execution (mapped to correct ATT&CK Technique, Rundll32, and Tactic, Defense Evasion. Green arrow indicates injection.)

OverWatch General Behavior alert indicating rundll32 execution was suspicious

Specific Behavior

General Behavior-Delayed

Telemetry

97

Specific Behavior alert for rundll32.exe, identified as a compromised legitimate process, injecting shellcode into rundll32.exe, tagged with the correct ATT&CK Tactic (Defense Evasion) and a related Technique (Process Injection)

Telemetry within the rundll32.exe injection alert showing command-line arguments of rundll32.exe running update.dat (tainted by parent alert on explorer.exe)

Specific Behavior alert for rundll32.exe launching a module from a temporary folder and injecting shellcode into a victim process (tainted by parent alert on explorer.exe)

Specific Behavior-Tainted

Telemetry-Tainted

Specific Behavior-Tainted

121

Specific Behavior alert for RunDLL32 with Suspicious DLL Location and surrounding telemetry (tagged with correct ATT&CK Technique, T1085 - Rundll32 and Tactics, Defense Evasion, Execution; tainted by parent Malicious File Detection alert)

Telemetry showing rundll32.exe running update.dat execution event

Event tree view showing the Malicious File Detection alert tainting rundll32.exe telemetry

Telemetry-Tainted

Specific Behavior-Tainted

64

Excerpt from the Managed Defense Report indicating rundll32.exe was used for execution (Specific Behavior)

Enrichment of rundll32.exe execution (tagged with correct ATT&CK Technique, T1085 - Rundll32, and Tactics, Defense Evasion, Execution)

Enrichment

Specific Behavior-Delayed

72

Telemetry showing rundll32.exe process injection sequence

General Behavior alert on low-reputation DLL load by signed executable

Telemetry

General Behavior-Delayed

37

Specific Behavior alerts for rundll32 tagged with the correct ATT&CK Technique (Rundll32) (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Telemetry showing rundll32.exe executing update.dat (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Additional details of General Behavior alert for rundll32.exe executing update.dat

General Behavior alert for rundll32.exe executing update.dat, identified as a suspicious DLL and malware (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Telemetry-Tainted

Specific Behavior-Tainted

General Behavior-Tainted

91

Telemetry showing execution of Resume Viewer.exe

Telemetry

10

Telemetry from process tree showing rundll32.exe (tainted by relationship to threat story)

Telemetry-Tainted

7
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
System Network Connections Discovery (T1049): Discovery
12.E.1.12 Empire: WinEnum module included enumeration of established network connections

Telemetry from process tree showing netstat.exe with command-line arguments

Enrichment of netstat.exe with correct ATT&CK Technique (System Network Connections Discovery)

Telemetry

Enrichment

25

None

0

Telemetry from process tree showing netstat.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)

Telemetry-Tainted

7

Enriched alert for netstat.exe labeled with Reconnaissance and the correct ATT&CK Technique (System Network Connections Discovery) (tainted by a parent PowerShell alert)

Enrichment-Tainted

Telemetry

22

Event tree showing telemetry of netstat subprocess associated with WinEnum (tainted by parent PowerShell alerts)

Interactive Shell events showing the WinEnum script and the Netstat Established Connections and Processes function (does not count as a detection due to manual process of pulling events)

Enriched event tree showing enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry)

Telemetry-Tainted

Enrichment-Tainted-Delayed

16

Enrichment of netstat.exe with Netstat Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)

Excerpt from the Managed Defense Report indicating netstat.exe was a reconnaissance command used (General Behavior)

Enrichment

General Behavior-Delayed

42

Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing netstat.exe with command-line arguments

Telemetry of execution sequence showing Get-NetInfo invocation

Telemetry of execution sequence showing powershell.exe executing netstat.exe with command-line arguments

Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process

Telemetry-Tainted

General Behavior-Delayed

34

Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Network Connections Discovery)

Enrichment

15

Telemetry showing netstat.exe with command-line arguments

Telemetry

10

Telemetry showing netstat.exe with command-line arguments (tainted Group ID not shown but was the search parameter)

Telemetry-Tainted

7
13.B.1 Empire: 'net use' via PowerShell

Enrichment of net.exe with related ATT&CK Technique (Account Discovery)

Enrichment

Telemetry

25

Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert)

Telemetry-Tainted

7

Email excerpt from the OverWatch team indicating net use was part of additional malicious discovery activity (General Behavior)

Telemetry from process tree showing net.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)

Telemetry-Tainted

General Behavior-Delayed

34

Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)

General Behavior alert for net.exe executing with the correct ATT&CK Tactic (System Network Connections Discovery) and Technique (Discovery)

General Behavior-Tainted

Telemetry

37

Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery), related ATT&CK Technique (Remote System Discovery), and correct Tactic (Discovery) (tainted by parent alert, tree is initially available unenriched to show the base telemetry)

Specific Behavior alert for Discovery via network file share enumeration (tainted by parent alert)

Specific Behavior-Tainted

Telemetry-Tainted

Enrichment-Delayed-Tainted

73

Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)

Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)

Enrichment

General Behavior-Delayed

42

Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)

Telemetry showing execution of net.exe with command-line arguments

Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments

Telemetry-Tainted

General Behavior-Delayed

34

Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)

Telemetry-Tainted

7

Telemetry showing execution of net.exe and command-line arguments

Telemetry

10

Telemetry showing execution of net.exe and command-line arguments (tainted Group ID not shown but was the search parameter)

Telemetry-Tainted

7
13.B.2 Empire: 'netstat -ano' via PowerShell

Telemetry showing process tree with netstat.exe and command-line arguments

Enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery)

Telemetry

Enrichment

25

Telemetry showing netstat.exe with command-line arguments (tainted by the parent Script File Created alert)

Telemetry-Tainted

7

Telemetry from process tree showing netstat.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)

Email excerpt from the OverWatch team indicating netstat was part of additional malicious discovery activity (General Behavior)

Telemetry-Tainted

General Behavior-Delayed

34

Enrichment showing netstat.exe executing as Reconnaissance and the correct ATT&CK Technique (System Network Connections Discovery) (tainted by a parent PowerShell alert)

Enrichment-Tainted

Telemetry

22

Enriched event tree showing enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery) (tainted by parent alert, tree is initially available unenriched to show the base telemetry)

Telemetry-Tainted

Enrichment-Delayed-Tainted

16

Excerpt from the Managed Defense Report indicating netstat.exe was a reconnaissance command used (General Behavior)

Enrichment of netstat.exe with Netstat Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)

Enrichment

General Behavior-Delayed

42

Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific netstat.exe instance not shown)

Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing netstat.exe with command-line arguments

Telemetry showing execution of netstat.exe (tainted by parent PowerShell malicious cmdlet alert)

Telemetry-Tainted

General Behavior-Delayed

34

Telemetry showing powershell.exe executing netstat with command-line arguments (tainted by a parent alert on wscript.exe)

Telemetry-Tainted

7

None

0

Telemetry showing execution of netstat.exe and command-line arguments (tainted Group ID not shown but was the search parameter)

Telemetry-Tainted

7
4.C.1 Cobalt Strike: 'netstat -ano' via cmd

Telemetry from process tree showing netstat.exe with command-line arguments

Enrichment of netstat.exe with correct ATT&CK technique (System Network Connections Discovery)

Telemetry

Enrichment

25

Telemetry showing netstat.exe with command-line arguments (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)

Telemetry-Tainted

7

OverWatch General Behavior alert indicating netstat execution by cmd.exe was suspicious

Email excerpt from the OverWatch team indicating netstat was a reconnaissance command (General Behavior)

General Behavior-Delayed

Telemetry

General Behavior-Delayed

64

Enrichment of netstat.exe executing labeled as Reconnaissance and mapped to the correct ATT&CK Technique (System Network Connections Discovery) (tainted by a parent Injected Shellcode alert)

Telemetry showing cmd.exe executing netstat with command-line arguments

Enrichment-Tainted

Telemetry

22

Additional UI view of telemetry (showing the netstat command in this instance)

Enriched event tree showing enrichment of netstat with correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery)

Telemetry from event tree showing netstat with command-line arguments

Telemetry

Enrichment-Delayed

22

Enrichment of netstat.exe with Netstat Execution alert (tagged with the correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)

Excerpt from the Managed Defense Report with additional details about netstat

Excerpt from the Managed Defense Report indicating netstat was used to enumerate active and listening network ports (Specific Behavior)

Enrichment

Specific Behavior-Delayed

72

Telemetry showing execution sequence for netstat.exe with command-line arguments

Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific netstat.exe command not shown)

Telemetry-Tainted

7

Enrichment of netstat.exe executing with the correct ATT&CK Technique (System Network Connections Discovery)

Telemetry showing cmd.exe executing netstat with command-line arguments

Telemetry

Enrichment

25

Telemetry showing netstat.exe with command-line arguments

Telemetry

10

Telemetry showing netstat.exe with command-line arguments (tainted by relationship to threat story)

Telemetry-Tainted

7
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
Bypass User Account Control (T1088): Defense Evasion, Privilege Escalation
3.A.1 Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level

None

0

Relationships view of alert showing svchost.exe spawning powershell.exe tree (including encoded PowerShell). Red dots indicate malicious behavior and orange indicate suspicious behavior (based off impact value) (does not count as a detection)

Alert for PowerShell process creation (does not count as a detection)

None

0

Telemetry showing process integrity level change for Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High)

Telemetry

10

Telemetry showing powershell.exe running as high integrity as user Debbie (tainted by a parent PowerShell alert)

Telemetry showing powershell.exe running as medium integrity as user Debbie

Telemetry-Tainted

7

Telemetry showing authentication (logon) ID mismatch between parent and child processes

Telemetry

10

Telemetry showing execution of powershell.exe running as SYSTEM with token login ID 0xfcf5fd

Telemetry showing group membership of token logon ID 0xfcf5fd, associated with user Debbie, which includes S-1-16-12288 (High Mandatory Level)

Telemetry-Configuration Change

7

Telemetry showing powershell.exe running as high integrity as SYSTEM

Telemetry showing rundll32.exe running as medium integrity as user Debbie

Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and elevated powershell.exe

Telemetry-Tainted

7

Telemetry showing process integrity level change from parent rundll32.exe (medium) to child powershell.exe (high), both running as user Debbie

Telemetry

10

Alert for powershell.exe execution with encoded command-line arguments (does not count as a detection)

None

0

Telemetry

10
14.A.1 Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level

None

0

Alert for encoded PowerShell (does not count as a detection)

None

0

Telemetry showing the Invoke-BypassUACTokenManipulation function

Email excerpt from the OverWatch team indicating obfuscated PowerShell invoked UAC bypass (Specific Behavior)

Telemetry showing integrity level change through query for powershell.exe processes of high integrity (12288/0x3000) that were created by medium integrity processes (8192/0x2000)

Telemetry

Specific Behavior-Delayed

67

Telemetry showing powershell.exe executing with medium process integrity (tainted by a parent PowerShell alert)

Telemetry showing powershell.exe executing with high process integrity (tainted by a parent PowerShell alert)

Parent alert generated for malicious use of PowerShell

Telemetry-Tainted

7

Telemetry showing authentication (logon) ID mismatch between parent and child processes

Telemetry showing svchost.exe seclogon event for token login id 0x9b6855 (10184789), used by the spawned powershell.exe

Telemetry

10

Telemetry showing execution of powershell.exe running as SYSTEM with token login ID 0x10530b3

Telemetry showing group membership of token logon ID 0x10530b3 associated with user Bob, which includes S-1-16-12288 (High Mandatory Level)

Telemetry-Configuration Change

7

Parent alert for \"Suspicious sequence of exploration activities\" showing powershell.exe process tainting this event

Telemetry showing medium integrity powershell.exe process executing Invoke-BypassUACTokenManipulation as user Bob

Telemetry showing high integrity powershell.exe process as Bob

Telemetry showing high integrity powershell.exe process as SYSTEM

Telemetry-Tainted

7

Telemetry showing powershell.exe running as high integrity level (12288)

Indicator of Compromise alert identifying a PowerShell Empire script performing the bypass UAC attack.

Telemetry showing powershell.exe running as medium integrity level (8192)

Telemetry

Indicator of Compromise

30

None

0

Telemetry showing process integrity level change from medium to high (tainted by relationship to threat story but Group ID not shown in this view)

Telemetry-Tainted

7
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
Process Discovery (T1057): Discovery
2.C.1 Cobalt Strike: 'ps' (Process status) via Win32 APIs

None

0

None

0

None

0

None

0

None

0

None

0

None

0

Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Enrichment-Tainted

12

None

0

None

0
2.C.2 Cobalt Strike: 'tasklist /v' via cmd

Telemetry from process tree showing tasklist.exe with command-line arguments

Enrichment of tasklist.exe with correct ATT&CK Technique (T1057 - Process Discovery)

Telemetry

Enrichment

25

Telemetry showing tasklist.exe with command-line arguments (tainted by the parent Script File Created alert)

Telemetry-Tainted

7

Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (tasklist not specifically shown)

Email excerpt from the OverWatch team indicating tasklist was a reconnaissance command (General Behavior)

Telemetry showing tasklist with command-line arguments

Telemetry-Tainted

General Behavior-Delayed

34

Telemetry showing tasklist.exe executing within the process tree (tainted by a parent Injected Shellcode alert)

Telemetry showing cmd.exe executing tasklist with command-line arguments

Telemetry-Tainted

7

General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period

Telemetry showing tasklist.exe with command-line arguments (tainted by parent Malicious File Detection)

Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted

28

Enrichment of tasklist.exe with Tasklist Execution alert (tagged with correct ATT&CK Technique, T1057 - Process Discovery, and Tactic, Discovery)

Excerpt from the Managed Defense Report indicating tasklist was used to enumerate current running processes (Specific Behavior)

Excerpt from the Managed Defense Report with additional details about tasklist

Enrichment

Specific Behavior-Delayed

72

Process tree view of General Behavior alert on suspicious sequence of exploration activities showing tasklist.exe

Telemetry showing execution sequence for tasklist.exe with command-line arguments

General Behavior alert on suspicious sequence of exploration activities

Telemetry

General Behavior-Delayed

37

Enrichment of the execution of tasklist.exe as the enumeration of running processes via the command line (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Enrichment of tasklist.exe executing with a related ATT&CK Technique (System Information Discovery)

Telemetry showing cmd.exe executing tasklist with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Telemetry-Tainted

Enrichment

Enrichment-Tainted

34

Telemetry showing tasklist.exe with command-line arguments

Additional telemetry showing tasklist.exe with command-line arguments

Telemetry

10

Telemetry showing tasklist.exe with command-line arguments (tainted by relationship to threat story)

Telemetry-Tainted

7
3.B.1 Cobalt Strike: 'ps' (Process status) via Win32 APIs

None

0

None

0

None

0

None

0

None

0

None

0

None

0

Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Enrichment-Tainted

12

None

0

None

0
8.B.1 Cobalt Strike: 'ps' (Process status) via Win32 APIs

None

0

None

0

None

0

None

0

None

0

None

0

None

0

Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Enrichment-Tainted

12

None

0

None

0
12.C.1 Empire: 'qprocess *' via PowerShell

Telemetry from process tree showing qprocess.exe with command-line arguments

Enrichment of qprocess.exe with correct ATT&CK Technique (Process Discovery)

Telemetry

Enrichment

25

Telemetry showing qprocess.exe with command-line arguments (tainted by parent Script File Created alert)

Telemetry-Tainted

7

Email excerpt from the OverWatch team indicating qprocess was part of basic reconnaissance activity (General Behavior)

OverWatch General Behavior alert and telemetry indicating qprocess.exe with command-line arguments was suspicious (tainted from previous powershell.exe detection by red line indicating high severity)

General Behavior-Delayed-Tainted

Telemetry

General Behavior-Delayed

61

Enrichment of qprocess.exe executing with correct ATT&CK Technique (Process Discovery) and Tactic (Discovery) (tainted by a parent PowerShell alert)

Enrichment of qprocess.exe executing with labels for Reconnaissance and Local process discovery

Enrichment-Tainted

Telemetry

22

Event tree view of telemetry showing qprocess.exe with command-line arguments (tainted by parent PowerShell alerts)

Telemetry-Tainted

7

Enrichment of qprocess.exe with Qprocess Execution alert (tagged with correct ATT&CK Technique, T1057 - Process Discovery, and Tactic, Discovery)

Excerpt from the Managed Defense Report indicating qprocess.exe was a reconnaissance command used (General Behavior)

Enrichment

General Behavior-Delayed

42

Telemetry showing execution sequence of powershell.exe executing qprocess.exe with command-line arguments

Process tree view of \"Suspicious sequence of exploration activities\" alert showing tainted powershell.exe process

Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process

Telemetry-Tainted

7

Enrichment of execution of qprocess.exe as the enumeration of running processes via the command line (tainted by a parent alert on wscript.exe)

Enrichment of qprocess.exe executing with a related ATT&CK Technique (System Service Discovery)

Telemetry showing powershell.exe executing qprocess.exe with command-line arguments (tainted by a parent alert on wscript.exe)

Telemetry-Tainted

Enrichment-Tainted

Enrichment

34

Telemetry showing qprocess.exe with command-line arguments

Telemetry

10

Telemetry showing qprocess.exe with command-line arguments (tainted Group ID not shown but was the search parameter)

Threat story showing initial compromise alert and powershell.exe tainting qprocess.exe

Telemetry-Tainted

7
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
Data Encrypted (T1022): Exfiltration
19.B.1 Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file

Telemetry showing recycler.exe and command-line arguments with encryption password

Enrichment of recycler.exe with correct ATT&CK Technique (T1022 - Data Encrypted)

Telemetry

Enrichment

25

Enrichment showing recycler.exe creating old.rar (enriched with "Data Exfiltration Archiving", tainted by parent "Powershell executed encoded command" alerts)

Telemetry showing recycler.exe with full command-line (tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts)

Enrichment-Tainted-Configuration Change

Telemetry-Tainted

16

Specific Behavior alert showing use of -hp flags within command-line (mapped to related ATT&CK Technique, Data Compressed, and correct Tactic, Exfiltration; tainted by previous powershell.exe detection by red line indicating high severity)

Email excerpt sent by OverWatch team indicating they observed a .vsdx file archived using the renamed RAR binary, recycler.exe (Specific Behavior)

Specific Behavior-Tainted

Telemetry

Specific Behavior-Delayed

124

Telemetry showing recycler.exe execution (tainted by a parent PowerShell alert)

Telemetry-Tainted

7

Enriched event tree showing enrichment of recycler.exe and creation of old.rar output with correct ATT&CK Technique (T1022 - Data Encrypted) and Tactic (Exfiltration) (tainted by Windows Script Executing PowerShell alert, tree is initially available unenriched to show the base telemetry)

Specific Behavior alert for the execution of recycler.exe named \"Exfiltration-Encrypting Files with WinRar\" (tainted by Windows Script Executing PowerShell alert)

Specific Behavior-Tainted

Telemetry-Tainted

Enrichment-Delayed-Tainted

73

Enrichment of -hp command line with Possible Encrypted RAR Archive Command alert (tagged with correct ATT&CK Technique, T1022 - Data Encrypted)

Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration)

General Behavior alert for Execution from Suspicious Directory

General Behavior alert for File Write To Root Of Recycle Bin

Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration)

Excerpt from the Managed Defense Report indicating the attacker executed recycler.exe to create an encrypted RAR file (Specific Behavior)

General Behavior

Enrichment

Enrichment

General Behavior

Enrichment

Specific Behavior-Delayed

162

Telemetry showing execution of recycler.exe with command-line arguments for file encryption and compression

Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown)

Telemetry-Tainted

7

Telemetry showing recycler.exe execution (tainted by a parent alert on wscript.exe)

Telemetry-Tainted

7

Telemetry showing execution of recycler.exe with command-line arguments

Telemetry

10

Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the same Group ID

Telemetry showing the execution of recycler.exe

Telemetry-Tainted

7
Input Capture (T1056), tactic: Collection, Credential Access
Step 8.C.1, Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie
CarbonBlack, score 0 (None)
CounterTack, score 0 (None):
  - Command-Line Interface view for host Nimda kicking off DDNA Scan for PID 11252 (does not count as a detection)
  - DDNA JSON output from PID 11252 showing process capabilities (does not count as a detection)
  - Telemetry showing remote thread being created into explorer.exe (does not count as a detection)
CrowdStrike, score 0 (None):
  - Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890) (does not count as a detection)
Cybereason, score 0 (None):
  - Alert for Chain of Injections for powershell.exe injecting into cmd.exe (does not count as a detection)
  - Alert showing loaded keyloggerx64.dll module (does not count as a detection)
  - Alert showing keyloggerx64.dll module loaded into explorer.exe, including memory address and size (does not count as a detection)
  - Alert for Chain of Injections showing powershell.exe injecting into explorer.exe (does not count as a detection)
Endgame, score 0 (None):
  - Event tree showing a Process Injection alert from which strings were pulled (does not count as a detection)
  - Strings output extracted from Process Injection alert, showing key definitions typically associated with a keylogger, but no evidence of execution (does not count as a detection)
FireEye, score 0 (None)
Microsoft, score 64 (Telemetry-Configuration Change, Specific Behavior-Delayed):
  - Telemetry showing explorer.exe reading user keystrokes
  - Specific Behavior alert for "Possible keylogging activity" against explorer.exe
  - Execution sequence showing cmd.exe injecting into explorer.exe (does not count as a detection)
PaloAltoNetworks, score 15 (Enrichment):
  - Telemetry showing code injection into explorer.exe (does not count as a detection)
  - Telemetry showing hook injection from explorer.exe (does not count as a detection)
  - Enrichment of the execution of a specific API call as keylogging and suspicious activity
RSA, score 0 (None):
  - Floating Code module output showing keylogger key definitions (does not count as a detection)
  - Floating Code module output showing keylogger aggressor script (does not count as a detection)
SentinelOne, score 7 (Telemetry-Tainted):
  - Telemetry showing GetAsyncKeyStateApi (Group ID tainted the event but was not shown in this view)
  - Telemetry showing process injection into explorer.exe (does not count as a detection)
Step 15.A.1, Empire: Built-in keylogging module executed to capture keystrokes of user Bob
CarbonBlack, score 25 (Telemetry, Enrichment):
  - Telemetry showing modloads associated with keylogger
  - Enrichment of data with tag "PowerShell Input Capture -keylogger"
CounterTack, score 0 (None)
CrowdStrike, score 37 (Telemetry, General Behavior-Delayed):
  - Excerpt from email sent by OverWatch team indicating IT_tasks.txt was retrieved as a file of interest (General Behavior)
  - Telemetry showing FsPostOpen event for IT_tasks.txt
  - Telemetry showing file read event for IT_tasks.txt
Cybereason, score 30 (Indicator of Compromise, Telemetry):
  - Indicator of Compromise alert for Malicious Command Get-Keystrokes
  - Telemetry showing modloads associated with a keylogger
Endgame, score 0 (None):
  - Telemetry showing PowerShell Script Block logging with execution of Get-KeyStrokes (does not count as a detection)
FireEye, score 0 (None):
  - PowerShell activity during the time of the keylogging (does not count as a detection)
Microsoft, score 64 (Telemetry-Tainted, Specific Behavior-Delayed):
  - Telemetry showing execution of Get-Keystrokes cmdlet
  - Telemetry showing keylogger events
  - Specific Behavior alert for keylogging activity from powershell.exe
  - Parent alert showing process tree view showing tainted relationship (specific instance of this technique not shown in the alert)
PaloAltoNetworks, score 35 (Enrichment, Indicator of Compromise):
  - Indicator of Compromise alert identifying a PowerShell Empire script logging keys pressed, time, and the active window
  - Enrichment of the execution of a specific API call as keylogging and suspicious activity
RSA, score 0 (None)
SentinelOne, score 12 (Enrichment-Tainted):
  - Enrichment of use of GetAsyncKeyStateApi tagged as a keylogger (tainted by relationship to threat story but Group ID not shown in this view)
Multiband Communication (T1026), tactic: Command and Control
Step 6.B.1, Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS
CarbonBlack, score 10 (Telemetry):
  - Telemetry showing network connection over UDP port 53
  - Telemetry showing network connection over TCP port 80
CounterTack, score 7 (Telemetry-Tainted):
  - Telemetry showing DNS queries to freegoogleadsenseinfo.com (C2 domain) from svchost.exe
  - Telemetry showing outbound traffic to 192.168.0.4 (C2 server) over TCP port 80 (tainted by the parent "Sponsor Process Established Network Connection" alert)
CrowdStrike, score 7 (Telemetry-Tainted):
  - Telemetry showing TCP port 80 connection to 192.168.0.4 (C2 server)
  - Telemetry within an alert showing abnormally large DNS requests occurred (tainted by parent Exfiltration alert)
Cybereason, score 7 (Telemetry-Tainted):
  - Telemetry showing the same rundll32.exe opening a connection over port 80 while making DNS queries to freegoogleadsenseinfo.com (C2 domain) (tainted by a parent Injected Shellcode alert, listed as Owner process)
Endgame, score 7 (Telemetry-Tainted):
  - Telemetry showing DNS connections
  - Telemetry showing port 80 traffic (tainted by parent Malicious File Detection alert)
FireEye, score 67 (Telemetry, Specific Behavior-Delayed):
  - Excerpt from the Managed Defense Report identifying C2 traffic communicating over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) in addition to the ongoing DNS C2 (Specific Behavior)
  - Telemetry showing DNS requests (field name dnsLookupEvents/Generated) and HTTP requests (field name urlMonitorEvents/Generated)
Microsoft, score 7 (Telemetry-Tainted):
  - Telemetry showing execution sequence for rundll32.exe opening port 80 network connection
  - Incident graph from "Unexpected process behavior" alert (resulting from rundll32.exe) showing tainted network connection
  - Telemetry showing DNS traffic to C2 domain
PaloAltoNetworks, score 10 (Telemetry):
  - Telemetry showing ports 80 and 53 command and control traffic
RSA, score 0 (None)
SentinelOne, score 7 (Telemetry-Tainted):
  - Telemetry showing port 80 connection to 192.168.0.4 (C2 server)
  - Telemetry showing DNS query to C2 domain (tainted by relationship to threat story shown in Group ID)
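Every cell for 6.B.1 records the same two observations, DNS queries to freegoogleadsenseinfo.com and TCP/80 to 192.168.0.4 from one process, but only FireEye's report ties them together as multiband C2, and CrowdStrike's "abnormally large DNS requests" is the one other signal that goes beyond raw telemetry. The Python below is an added example, not code from the evaluation, from any vendor or from the comparison script: it groups per-process DNS and HTTP telemetry by registered domain, reports bulky DNS on its own as a weak signal and both bands from the same process inside one window as a multiband candidate. The event records, thresholds, host and process names, the example.* domains and the 192.0.2.x addresses are constructed; the C2 domain and 192.168.0.4 are the values named in the table.

```python
"""Correlating DNS and HTTP telemetry from one process (T1026, Multiband Communication).

Added example; the events below are constructed, not taken from the MITRE
evaluation. The C2 domain and 192.168.0.4 are the values the table names;
everything else (hosts, pids, example.* names, 192.0.2.x addresses, thresholds)
is assumed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class NetEvent:
    ts: int         # seconds on a constructed timeline
    host: str
    pid: int
    image: str
    kind: str       # "dns" (a query) or "http" (a request)
    name: str       # queried name for dns, Host header for http
    dst_ip: str
    dst_port: int


@dataclass
class Finding:
    rule: str
    host: str
    pid: int
    image: str
    domain: str
    dns_queries: int
    http_requests: int
    avg_qname_len: float


def registered_domain(name: str) -> str:
    """Last two labels of a name. Enough for the constructed sample; production code
    should consult a public-suffix list so co.uk-style names group correctly."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def detect_multiband(events: List[NetEvent], window: int = 300,
                     min_dns: int = 4, min_qname_len: int = 40) -> List[Finding]:
    """Group telemetry per (host, pid, image, registered domain).

    Many queries with long names (data riding in the subdomain) is a weak signal
    by itself. The same process also sending HTTP to the same registered domain
    within `window` seconds of those queries is the pattern from step 6.B.1.
    """
    groups: Dict[tuple, List[NetEvent]] = defaultdict(list)
    for e in events:
        groups[(e.host, e.pid, e.image, registered_domain(e.name))].append(e)

    findings: List[Finding] = []
    for (host, pid, image, domain), evs in groups.items():
        dns = [e for e in evs if e.kind == "dns"]
        http = [e for e in evs if e.kind == "http"]
        if len(dns) < min_dns:
            continue                      # ordinary lookups: nothing to report
        avg_len = sum(len(e.name) for e in dns) / len(dns)
        if avg_len < min_qname_len:
            continue                      # short names: not a data channel
        both_bands = any(abs(h.ts - d.ts) <= window for h in http for d in dns)
        rule = ("Multiband C2 candidate (DNS + HTTP from one process)" if both_bands
                else "Abnormally large DNS requests")
        findings.append(Finding(rule, host, pid, image, domain, len(dns), len(http), round(avg_len, 1)))
    return findings


C2_DOMAIN = "freegoogleadsenseinfo.com"   # named in the table
C2_IP = "192.168.0.4"                     # named in the table

# Constructed telemetry: an injected rundll32.exe using both bands, a browser doing
# normal lookups, and a service making bulky DNS queries with no HTTP at all.
SAMPLE_NET_EVENTS = [
    NetEvent(100, "Nimda", 4321, "rundll32.exe", "dns", "3f2a9c0d1e4b5a6f7c8d9e0f1a2b3c4d." + C2_DOMAIN, "10.0.0.4", 53),
    NetEvent(115, "Nimda", 4321, "rundll32.exe", "dns", "a1b2c3d4e5f60718293a4b5c6d7e8f90." + C2_DOMAIN, "10.0.0.4", 53),
    NetEvent(130, "Nimda", 4321, "rundll32.exe", "http", "www." + C2_DOMAIN, C2_IP, 80),
    NetEvent(130, "Nimda", 4321, "rundll32.exe", "dns", "deadbeefcafef00d0123456789abcdef." + C2_DOMAIN, "10.0.0.4", 53),
    NetEvent(145, "Nimda", 4321, "rundll32.exe", "dns", "0f1e2d3c4b5a69788796a5b4c3d2e1f0." + C2_DOMAIN, "10.0.0.4", 53),
    NetEvent(160, "Nimda", 4321, "rundll32.exe", "dns", "13579bdf02468ace13579bdf02468ace." + C2_DOMAIN, "10.0.0.4", 53),
    NetEvent(190, "Nimda", 4321, "rundll32.exe", "http", "www." + C2_DOMAIN, C2_IP, 80),
    NetEvent(101, "Nimda", 900, "chrome.exe", "dns", "www.example.com", "10.0.0.4", 53),
    NetEvent(102, "Nimda", 900, "chrome.exe", "http", "www.example.com", "192.0.2.10", 80),
    NetEvent(300, "Morris", 777, "svchost.exe", "dns", "9f86d081884c7d659a2feaa0c55ad015.telemetry.example.net", "10.0.0.4", 53),
    NetEvent(360, "Morris", 777, "svchost.exe", "dns", "2c26b46b68ffc68ff99b453c1d304134.telemetry.example.net", "10.0.0.4", 53),
    NetEvent(420, "Morris", 777, "svchost.exe", "dns", "fcde2b2edba56bf408601fb721fe9b5c.telemetry.example.net", "10.0.0.4", 53),
    NetEvent(480, "Morris", 777, "svchost.exe", "dns", "9f86d081884c7d659a2feaa0c55ad015.telemetry.example.net", "10.0.0.4", 53),
]

if __name__ == "__main__":
    for f in detect_multiband(SAMPLE_NET_EVENTS):
        print(f"{f.rule}: {f.image} (pid {f.pid}) on {f.host} -> {f.domain}, "
              f"{f.dns_queries} DNS / {f.http_requests} HTTP, avg qname {f.avg_qname_len}")
```

The grouping key is the registered domain rather than the destination IP because the HTTP leg and the DNS leg of a split channel rarely share an address (the queries go to the local resolver, the requests to the C2 server); if the agent also records resolved addresses, adding a second key on the answer IP catches beacons that use a bare IP in the Host header.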
Windows Admin Shares (T1077), tactic: Lateral Movement
Step 16.B.1, Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)
CarbonBlack, score 70 (Telemetry, Specific Behavior):
  - Telemetry showing process tree with five different net.exe logon attempts targeting ADMIN$
  - Specific Behavior alerts for a successful logon mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement)
CounterTack, score 7 (Telemetry-Tainted):
  - Telemetry showing explorer.exe writing \\conficker\PIPE\srvsvc (tainted by the parent "FileExts Registry Key modified" alert)
  - Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert)
CrowdStrike, score 58 (Telemetry-Tainted, General Behavior-Delayed-Tainted, General Behavior-Delayed):
  - Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally to access network resources (General Behavior)
  - OverWatch General Behavior alert indicating successful net use connection to ADMIN$ was suspicious (would be tainted by previous powershell.exe detection by orange line indicating medium severity in process tree view that is not shown)
  - Telemetry from process tree showing successful net use connection to ADMIN$ (tainted by previous powershell.exe detection by red line indicating high severity; the vendor noted that the process tree view and severities change as detections occur)
Cybereason, score 67 (Specific Behavior-Tainted, Telemetry):
  - Specific Behavior alert of net.exe execution with correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert)
Endgame, score 73 (Specific Behavior-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted):
  - Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry)
  - Specific Behavior alert for Mounting Hidden Shares for the successful net.exe connection attempt (tainted by parent PowerShell alert)
FireEye, score 72 (Enrichment, Specific Behavior-Delayed):
  - Enrichment of net.exe logon attempt to ADMIN$ with Net Use Command Execution alert (tagged with the correct ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
  - Excerpt from the Managed Defense Report indicating the attacker accessed Conficker by mounting the ADMIN$ share (Specific Behavior)
Microsoft, score 64 (Telemetry-Tainted, Specific Behavior-Delayed):
  - Specific Behavior alert for brute force attempt to remote SMB shares
  - Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
  - Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
PaloAltoNetworks, score 7 (Telemetry-Tainted):
  - Telemetry showing a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as local user Kmitnick (tainted by a parent alert on wscript.exe)
RSA, score 10 (Telemetry):
  - Telemetry showing logon attempt targeting ADMIN$ via net.exe and command-line arguments
SentinelOne, score 7 (Telemetry-Tainted):
  - Telemetry showing a net.exe logon attempt targeting ADMIN$ (tainted by relationship to threat story)
  - Telemetry showing net.exe logon attempts and corresponding exit codes
Step 16.D.1, Empire: Successful authentication targeted Windows admin share C$ on Creeper (10.0.0.4)
CarbonBlack, score 70 (Telemetry, Specific Behavior):
  - Specific Behavior alerts for a successful logon mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement)
  - Telemetry showing process tree with successful net.exe logon targeting C$
CounterTack, score 7 (Telemetry-Tainted):
  - Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert)
CrowdStrike, score 34 (Telemetry-Tainted, General Behavior-Delayed):
  - Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally to access network resources (General Behavior)
  - Telemetry showing process tree containing successful net use connection to C$ (tainted by previous powershell.exe detection by red line indicating high severity)
Cybereason, score 67 (Specific Behavior-Tainted, Telemetry):
  - Process tree showing alerted net.exe execution (tainted by a parent PowerShell alert)
  - Specific Behavior alert of net.exe execution with correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert)
Endgame, score 73 (Specific Behavior-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted):
  - Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry)
  - Specific Behavior alert for Mounting Hidden Shares for the successful net.exe connection attempt tagged with correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert)
FireEye, score 72 (Enrichment, Specific Behavior-Delayed):
  - Excerpt from the Managed Defense Report indicating the attacker mounted C$ on Creeper with the kmitnick account (Specific Behavior)
  - Enrichment of net1.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
Microsoft, score 7 (Telemetry-Tainted):
  - Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
  - Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
PaloAltoNetworks, score 7 (Telemetry-Tainted):
  - Telemetry showing a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick (tainted by a parent alert on wscript.exe)
RSA, score 10 (Telemetry):
  - Telemetry showing logon attempt targeting C$ via net.exe and command-line arguments
SentinelOne, score 7 (Telemetry-Tainted):
  - Telemetry showing a net.exe logon attempt targeting C$ (tainted by relationship to threat story)
Step 16.A.1, Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)
CarbonBlack, score 70 (Telemetry, Specific Behavior):
  - Specific Behavior alerts for the 4 different net.exe logon attempts
  - Telemetry showing process tree with four different net.exe logon attempts targeting ADMIN$
CounterTack, score 12 (Enrichment-Tainted):
  - Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert)
  - Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert)
  - Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Bob (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert)
  - Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Frieda (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert)
CrowdStrike, score 61 (Telemetry, General Behavior-Delayed-Tainted, General Behavior-Delayed):
  - Telemetry showing net use logon attempts to ADMIN$ shares
  - Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally to access network resources (General Behavior)
  - Process tree view of OverWatch General Behavior alerts indicating net.exe commands were suspicious (net.exe command details not specifically shown, tainted by previous powershell.exe detection by red line indicating high severity)
Cybereason, score 67 (Specific Behavior-Tainted, Telemetry):
  - Enrichment of net.exe execution showing logon attempts for the user Bob with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
  - Enrichment of net.exe execution showing logon attempts for the user Frieda with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
  - Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
  - Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
  - Enrichment of net.exe execution with related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert)
Endgame, score 73 (Specific Behavior-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted):
  - Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry)
  - Specific Behavior alert for Mounting Hidden Shares, associated with each net.exe connection attempt (tainted by parent PowerShell alert)
FireEye, score 15 (Enrichment):
  - Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Bob
  - Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Kmitnick
  - Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Frieda
  - Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Kmitnick
Microsoft, score 64 (Telemetry-Tainted, Specific Behavior-Delayed):
  - Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
  - Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content)
  - Specific Behavior alert for brute force attempt to remote SMB shares
  - Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
  - Execution sequence showing net.exe logon failure to Morris due to WebDAV fallback authentication attempt over port 80 to the C2 server
PaloAltoNetworks, score 67 (Telemetry-Tainted, Specific Behavior):
  - Specific Behavior alert for a net.exe logon attempt to ADMIN$ tagged with the correct ATT&CK Technique (Windows Admin Shares)
  - Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) as local user Kmitnick (tainted by a parent alert on wscript.exe)
  - Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Frieda (tainted by a parent alert on wscript.exe)
  - Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Bob (tainted by a parent alert on wscript.exe)
RSA, score 10 (Telemetry):
  - Telemetry showing logon attempts targeting ADMIN$ via net.exe and command-line arguments
SentinelOne, score 7 (Telemetry-Tainted):
  - Telemetry showing net.exe logon attempts targeting ADMIN$ and corresponding exit codes
  - Telemetry showing net.exe logon attempts targeting ADMIN$ (tainted by relationship to threat story)
Clipboard Data (T1115), tactic: Collection
Step 12.E.1.5, Empire: WinEnum module included enumeration of clipboard contents
CarbonBlack, score 0 (None)
CounterTack, score 0 (None)
CrowdStrike, score 0 (None):
  - OverWatch alert indicating encoded PowerShell was suspicious (does not count as a detection)
  - Decoding (outside the capability) of encoded PowerShell command to show Windows.Clipboard details (does not count as a detection)
  - Telemetry showing encoded PowerShell, which decodes to show Windows.Clipboard details (does not count as a detection)
Cybereason, score 7 (Telemetry-Tainted):
  - Telemetry of the PowerShell function to gather clipboard data (tainted by a parent PowerShell alert)
Endgame, score 7 (Telemetry-Tainted):
  - Interactive Shell events showing the WinEnum script and Clipboard Contents function (does not count as part of detection due to manual process of pulling events)
  - Telemetry showing decoded PowerShell displaying Windows.Clipboard as part of WinEnum (the PowerShell process was tainted by parent PowerShell alerts)
FireEye, score 17 (Indicator of Compromise-Delayed):
  - Excerpt from the Managed Defense Report indicating the attacker executed the Windows Clipboard capability of Empire (Indicator of Compromise)
  - Decoding (outside the capability) of encoded PowerShell command to show Windows.Clipboard details (does not count as a detection)
  - PowerShell Execution alert containing encoded PowerShell command (does not count as a detection)
Microsoft, score 0 (None)
PaloAltoNetworks, score 15 (Enrichment):
  - Enr
ichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Clipboard Data)
RSA, score 0 (None)
SentinelOne, score 0 (None)
New Service (T1050), tactic: Persistence, Privilege Escalation
Step 16.I.1, Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)
CarbonBlack, score 70 (Telemetry, Specific Behavior):
  - Specific Behavior alert on sc.exe executing to create the AdobeUpdater service mapped to ATT&CK
  - Telemetry from process tree showing sc.exe execution creating the AdobeUpdater service
CounterTack, score 64 (Telemetry-Tainted, Specific Behavior-Configuration Change):
  - Telemetry showing powershell.exe executing sc.exe to create the AdobeUpdater service on Creeper and set its description (tainted by the parent "Powershell executed remote commands" alert)
  - Specific Behavior alert for "New Windows service created" and additional alert for "Windows Service Registry Key modified"
CrowdStrike, score 34 (Telemetry-Tainted, General Behavior-Delayed):
  - Telemetry from process tree showing sc.exe execution to create the AdobeUpdater service (tainted from previous powershell.exe detection by red line indicating high severity)
  - Email excerpt sent by OverWatch team indicating they observed a newly created file (AdobeUpdater service in registry) to establish persistence (General Behavior)
  - Telemetry showing AdobeUpdater service details with binPath pointed to cmd.exe with arguments and service description
Cybereason, score 67 (Specific Behavior-Tainted, Telemetry):
  - Specific Behavior alert for unconventional new service with correct ATT&CK Technique (New Service) and Tactics (Persistence, Privilege Escalation) (tainted by a parent PowerShell alert)
Endgame, score 76 (Telemetry-Tainted, Enrichment-Delayed-Tainted, Specific Behavior):
  - Enriched event tree showing enrichment of sc.exe execution with correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts, tree is initially available unenriched to show the base telemetry)
  - Specific Behavior alert for new service AdobeUpdater creation on Creeper tagged with correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence)
FireEye, score 72 (Enrichment, Specific Behavior-Delayed):
  - Excerpt from the Managed Defense Report indicating sc.exe was used to create a new service (Specific Behavior)
  - Additional details on enrichment of sc.exe with SC Execution alert
  - Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with correct ATT&CK Technique, T1050 - New Service, and Tactic, Discovery)
Microsoft, score 67 (Telemetry-Tainted, Specific Behavior):
  - Specific Behavior alert on suspicious service registration on Creeper
  - Telemetry showing AdobeUpdater service registry information that was changed on Creeper
  - Telemetry from CodeRed showing execution sequence of sc.exe AdobeUpdater remote service creation
  - Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)
PaloAltoNetworks, score 79 (Telemetry-Tainted, Specific Behavior-Tainted, Enrichment):
  - Enrichment of sc.exe executing with the correct ATT&CK Technique (New Service)
  - Telemetry showing execution of sc.exe to create a new AdobeUpdater service (tainted by a parent alert on wscript.exe)
  - Telemetry showing the creation of Registry keys associated with the AdobeUpdater service
  - Specific Behavior alert for a new service created via the command line (tainted by a parent alert on wscript.exe)
RSA, score 10 (Telemetry):
  - Telemetry showing execution of sc.exe to create the AdobeUpdater service
SentinelOne, score 7 (Telemetry-Tainted):
  - Telemetry showing execution of sc.exe to create the AdobeUpdater service (tainted by prior threat story)
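The cells for 19.B.1 (a renamed RAR binary run with -hp), 16.A.1/16.B.1/16.D.1 (net use against ADMIN$ and C$, including the spraying run) and 16.I.1 (remote sc create) are, at bottom, command-line rules plus the "tainted by a parent alert" relationship that MITRE records in nearly every cell. The following Python is an added example, not code from the evaluation, from any vendor or from the comparison script: it runs those rules over a constructed set of process-creation events (host, user, service and binary names come from the table; the command lines, passwords, pids, rule names and thresholds are made up), rolls repeated admin-share attempts up into a spraying alert, and propagates taint from an alerted ancestor process the way the vendors' process trees do. The wscript.exe-to-PowerShell seed rule stands in for the "parent alert on wscript.exe" several vendors cite.

```python
"""Command-line rules plus parent-alert taint over process-creation telemetry.

Added example, not code from the MITRE evaluation, any vendor or the author's
comparison script. Host, user, service and binary names come from the table;
the command lines, passwords, pids, rule names and thresholds are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    ts: int          # seconds on a constructed timeline
    host: str
    pid: int
    ppid: int
    image: str       # executable basename, lower-case
    cmdline: str
    user: str


@dataclass
class Alert:
    rule: str
    technique: str
    pid: int
    detail: str
    target: str = ""                  # share|account for net use hits (used by the spray roll-up)
    tainted_by: Optional[str] = None  # rule that fired on an ancestor process


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


# \\host\ADMIN$, \\host\C$ and similar hidden administrative shares
HIDDEN_SHARE = re.compile(r'^\\\\[^\\]+\\[A-Za-z]+\$$')


def rule_script_host_to_powershell(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[Alert]:
    """Taint seed: a script host spawning PowerShell (the table's 'parent alert on wscript.exe')."""
    if ev.image == "powershell.exe" and parent and parent.image in ("wscript.exe", "cscript.exe"):
        return Alert("Script host spawned PowerShell", "T1086", ev.pid, f"parent {parent.image}")
    return None


def rule_encrypted_rar(ev: ProcEvent) -> Optional[Alert]:
    """19.B.1: RAR 'a' verb with -hp<password> (encrypts headers too), whatever the image is called."""
    toks = [t.lower() for t in tokens(ev.cmdline)]
    if len(toks) < 3 or toks[1] != "a" or not any(t.startswith("-hp") for t in toks[2:]):
        return None
    detail = "archive created with -hp (password set, headers encrypted)"
    if ev.image not in ("rar.exe", "winrar.exe"):
        detail += f"; RAR syntax from non-RAR image {ev.image}"
    return Alert("Possible encrypted RAR archive command", "T1022", ev.pid, detail)


def rule_admin_share(ev: ProcEvent) -> Optional[Alert]:
    """16.A/B/D: net use against a hidden admin share, with explicit credentials if given."""
    if ev.image not in ("net.exe", "net1.exe"):
        return None
    toks = tokens(ev.cmdline)
    if len(toks) < 3 or toks[1].lower() != "use":
        return None
    share = next((t for t in toks[2:] if HIDDEN_SHARE.match(t)), None)
    if share is None:
        return None
    account = next((t[6:] for t in toks if t.lower().startswith("/user:")), ev.user)
    return Alert("Net use to Windows admin share", "T1077", ev.pid,
                 f"{share} as {account}", target=f"{share}|{account}")


def rule_remote_service_create(ev: ProcEvent) -> Optional[Alert]:
    """16.I.1: sc [\\host] create <name> binPath= ... (service created, possibly on a remote host)."""
    if ev.image != "sc.exe":
        return None
    toks = tokens(ev.cmdline)
    low = [t.lower() for t in toks]
    if "create" not in low:
        return None
    i = low.index("create")
    name = toks[i + 1] if i + 1 < len(toks) else "?"
    remote = next((t for t in toks[1:i] if t.startswith("\\\\")), None)
    binpath = next((toks[j + 1] for j, t in enumerate(low) if t == "binpath=" and j + 1 < len(toks)), "")
    where = f"on {remote}" if remote else "locally"
    return Alert("New service created via sc.exe", "T1050", ev.pid, f"service {name} {where}, binPath {binpath}")


def rule_share_spray(alerts: List[Alert], by_pid: Dict[int, ProcEvent],
                     window: int = 60, threshold: int = 3) -> List[Alert]:
    """Roll admin-share hits up per source host: at least `threshold` attempts inside
    `window` seconds against two or more distinct share/account pairs reads as spraying (16.A.1)."""
    per_host: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        if a.rule == "Net use to Windows admin share":
            per_host[by_pid[a.pid].host].append(a)
    out: List[Alert] = []
    for host, hits in per_host.items():
        hits.sort(key=lambda a: by_pid[a.pid].ts)
        for i, first in enumerate(hits):
            win = [h for h in hits[i:] if by_pid[h.pid].ts - by_pid[first.pid].ts <= window]
            if len(win) >= threshold and len({h.target for h in win}) >= 2:
                out.append(Alert("Possible password spraying against admin shares", "T1077",
                                 first.pid, f"{len(win)} attempts from {host} within {window}s"))
                break
    return out


def taint(alert: Alert, by_pid: Dict[int, ProcEvent], alerted: Dict[int, List[Alert]]) -> None:
    """Walk up the process tree; the nearest alerted ancestor taints this alert."""
    ev = by_pid[alert.pid]
    seen = set()
    while ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
        if ev.pid in alerted:
            alert.tainted_by = alerted[ev.pid][0].rule
            return


def run_detections(events: List[ProcEvent]) -> List[Alert]:
    by_pid = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        parent = by_pid.get(ev.ppid)
        for hit in (rule_script_host_to_powershell(ev, parent), rule_encrypted_rar(ev),
                    rule_admin_share(ev), rule_remote_service_create(ev)):
            if hit:
                alerts.append(hit)
    alerts += rule_share_spray(alerts, by_pid)
    alerted: Dict[int, List[Alert]] = defaultdict(list)
    for a in alerts:
        alerted[a.pid].append(a)
    for a in alerts:
        taint(a, by_pid, alerted)
    return alerts


# Constructed chain modelled on the table: wscript.exe -> powershell.exe -> tooling on CodeRed,
# plus unrelated benign activity on Nimda (a mapped team share, a plain backup archive).
SAMPLE_EVENTS = [
    ProcEvent(0, "CodeRed", 100, 1, "wscript.exe", r"wscript.exe C:\Users\Bob\update.vbs", "Bob"),
    ProcEvent(1, "CodeRed", 200, 100, "powershell.exe", "powershell.exe -NoP -W Hidden -Enc SQBFAFgA", "Bob"),
    ProcEvent(30, "CodeRed", 300, 200, "recycler.exe", r"recycler.exe a -hpCh4ng3Me old.rar C:\Users\Bob\Documents\*.vsdx", "Bob"),
    ProcEvent(40, "CodeRed", 301, 200, "net.exe", r"net.exe use \\10.0.1.4\ADMIN$ Winter2019 /user:Kmitnick", "Bob"),
    ProcEvent(42, "CodeRed", 302, 200, "net.exe", r"net.exe use \\10.0.1.6\ADMIN$ Winter2019 /user:Kmitnick", "Bob"),
    ProcEvent(44, "CodeRed", 303, 200, "net.exe", r"net.exe use \\10.0.1.6\ADMIN$ Winter2019 /user:Bob", "Bob"),
    ProcEvent(46, "CodeRed", 304, 200, "net.exe", r"net.exe use \\10.0.1.6\ADMIN$ Winter2019 /user:Frieda", "Bob"),
    ProcEvent(90, "CodeRed", 310, 200, "sc.exe", r'sc.exe \\10.0.0.4 create AdobeUpdater binPath= "cmd.exe /c powershell -NoP -W Hidden -Enc SQBFAFgA"', "Bob"),
    ProcEvent(160, "CodeRed", 305, 200, "net.exe", r"net.exe use \\10.0.0.4\C$ Winter2019 /user:Kmitnick", "Bob"),
    ProcEvent(5, "Nimda", 500, 1, "explorer.exe", "explorer.exe", "Debbie"),
    ProcEvent(6, "Nimda", 501, 500, "cmd.exe", "cmd.exe", "Debbie"),
    ProcEvent(7, "Nimda", 502, 501, "net.exe", r"net.exe use \\fileserver\projects", "Debbie"),
    ProcEvent(8, "Nimda", 503, 501, "rar.exe", r"rar.exe a backup.rar C:\Users\Debbie\Documents", "Debbie"),
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        flag = f" [tainted by: {a.tainted_by}]" if a.tainted_by else ""
        print(f"{a.technique} {a.rule} (pid {a.pid}): {a.detail}{flag}")
```

Two things the table's scoring makes visible show up directly here: the spray roll-up is what turns four individually low-value net use rows into the kind of "brute force attempt to remote SMB shares" alert Microsoft shows for 16.A.1, and taint is what lets a plain telemetry hit still be attributed once an ancestor has fired, which is why so many cells read "Telemetry-Tainted" with a score of 7 rather than "None".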
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeCybereasonEndgameFireEyeMicrosoftPaloAltoNetworksRSASentinelOne
Permission Groups Discovery

Discovery

(T1069)
12.E.1.2Empire: WinEnum module included enumeration of AD group memberships

None

0

Telemetry showing powershell.exe execution and connection to the domain controller 10.0.0.4 (Creeper) (does not count as a detection)

None

0

None

0

None

0

Interactive Shell events showing the WinEnum script and the AD Group Memberships function (does not count as a detection due to manual process of pulling events)

None

0

Telemetry showing loading of System.DirectoryServices.AccountManagement assembly (does not count as a detection)

None

0

None

0

None

0

None

0

None

0
12.F.1Empire: 'net group "Domain Admins" /domain' via PowerShell

Telemetry from process tree showing net.exe with command-line arguments

Enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery)

Telemetry

Enrichment

25

Enrichment of net.exe with conditions Net Domain Admins Reconnaissance Command and Net Group Reconnaissance Command (tainted by the parent Script File Created alert)

Enrichment-Tainted-Configuration Change

9

Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)

Email excerpt from the OverWatch team indicating net group was part of additional malicious discovery activity (General Behavior)

Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted from previous powershell.exe detection by red line indicating high severity)

Telemetry-Tainted

Enrichment-Tainted

General Behavior-Delayed

46

Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)

General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery)

General Behavior-Tainted

Telemetry

37

Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry)

Enrichment on net group by Enumeration of Administrator Accounts alert (mapped to correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic (Discovery)

Telemetry-Tainted

Enrichment-Tainted-Delayed

Enrichment-Tainted

28

Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)

Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)

Enrichment

General Behavior-Delayed

42

Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments

Process tree view of General Behavior alert on \"Suspicious sequence of exploration activities\" showing net.exe with command-line arguments

Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)

Telemetry-Tainted

General Behavior-Delayed

34

Enrichment of the execution of net.exe and net1.exe as an enumeration command (tainted by a parent alert on wscript.exe)

Enrichment of the execution of net.exe and net1.exe as the possible enumeration of administrator groups (tainted by a parent alert on wscript.exe)

Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)

Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery)

Telemetry-Tainted

Enrichment-Tainted

Enrichment-Tainted

Enrichment

46

Telemetry showing net.exe with command-line arguments

Telemetry

10

Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter)

Telemetry-Tainted

7
12.F.2Empire: 'net localgroup administrators' via PowerShell

Enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery)

Telemetry from process tree showing net.exe with command-line arguments

Telemetry

Enrichment

25

Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)

Enrichment-Tainted-Configuration Change

9

Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)

Email excerpt from the OverWatch team indicating net localgroup was part of additional malicious discovery activity (General Behavior)

Telemetry-Tainted

General Behavior-Delayed

34

Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)

General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery)

General Behavior-Tainted

Telemetry

37

Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry). The tree also shows Enumeration of Administrator Accounts alert.

Telemetry-Tainted

Enrichment-Tainted-Delayed

Enrichment-Tainted

28

Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)

Enrichment of net.exe with command-line arguments (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)

Enrichment

General Behavior-Delayed

42

Process tree view of General Behavior alert on \"Suspicious sequence of exploration activities\" showing net.exe with command-line arguments

Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments

Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)

Telemetry-Tainted

General Behavior-Delayed

34

Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)

Enrichment of the execution of net.exe and net1.exe as the possible enumeration of administrator groups (tainted by a parent alert on wscript.exe)

Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery)

Telemetry-Tainted

Enrichment-Tainted

Enrichment

34

Telemetry showing net.exe with command-line arguments

Telemetry

10

Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Telemetry-Tainted

7
2.F.1 Cobalt Strike: 'net localgroup administrators' via cmd

Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)

Enrichment of net.exe with tag Administrator Enumeration

Telemetry from process tree showing net.exe with command-line arguments

Telemetry

Enrichment

25

Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)

Enrichment-Tainted-Configuration Change

9

Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net localgroup not specifically shown)

OverWatch General Behavior alert for net localgroup

Telemetry showing net with command-line arguments

Email excerpt from the OverWatch team indicating net localgroup was a reconnaissance command (General Behavior)

Telemetry-Tainted

General Behavior-Delayed

General Behavior-Delayed

61

Telemetry showing cmd.exe executing net with command-line arguments

Process tree showing enriched net.exe executing (tainted by a parent Injected Shellcode alert)

Enrichment of net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery)

Telemetry

Enrichment-Tainted

22

Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)

General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period

Enrichment of net.exe execution with command-line arguments with Enumeration of Administrator Accounts alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery; tainted by parent Malicious File Detection)

Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Telemetry-Tainted

Enrichment-Tainted

General Behavior-Configuration Change-Delayed-Tainted

40

Excerpt from the Managed Defense Report indicating the attacker enumerated members of the local administrators group (Specific Behavior)

Excerpt from the Managed Defense Report with additional details about net

Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)

Enrichment

Specific Behavior-Delayed

72

General Behavior alert on suspicious sequence of exploration activities

Telemetry showing execution sequence for net.exe with command-line arguments

Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments

Telemetry

General Behavior-Delayed

37

Enrichment of net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery)

Enrichment

15

Telemetry showing net.exe with command-line arguments

Telemetry

10

Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Telemetry-Tainted

7
2.F.3 Cobalt Strike: 'net group "Domain Admins" /domain' via cmd

Telemetry from process tree showing net.exe with command-line arguments

Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)

Enrichment of net.exe with tag Administrator Enumeration

Telemetry

Enrichment

25

Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)

Enrichment-Tainted-Configuration Change

9

Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted by orange line for medium severity from previous detection)

Process tree showing all cmd.exe children under rundll32.exe (including net group) as tainted by orange line for medium severity

Telemetry showing net with command-line arguments

Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior)

Enrichment-Tainted

Telemetry-Tainted

General Behavior-Delayed

46

General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery)

Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert)

Telemetry showing cmd.exe executing net with command-line arguments

Telemetry

General Behavior-Tainted

37

General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period

Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)

Enrichment of net.exe execution with command-line arguments with Enumeration of Administrator Accounts alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery; tainted by parent Malicious File Detection)

Telemetry-Tainted

Enrichment-Tainted

General Behavior-Configuration Change-Delayed-Tainted

40

Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)

Excerpt from the Managed Defense Report indicating the attacker enumerated the Domain Administrators group (Specific Behavior)

Excerpt from the Managed Defense Report with additional details about net

Enrichment

Specific Behavior-Delayed

72

Telemetry showing domain admins group discovery by Nimda at the domain controller

Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments

Telemetry showing execution sequence for net.exe with command-line arguments

General Behavior alert on suspicious sequence of exploration activities

Telemetry

General Behavior-Delayed

37

Enrichment of the execution of net1.exe as the possible enumeration of administrator groups (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Enrichment of the execution of net.exe as the execution of an enumeration command using net or net1 (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Enrichment of the execution of net.exe as the possible enumeration of administrator groups (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Telemetry-Tainted

Enrichment-Tainted

Enrichment-Tainted

31

Event enrichment from IIOC module "Enumerates domain administrators"

Telemetry showing net.exe with command-line arguments

Telemetry

Enrichment

25

Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Telemetry-Tainted

7
2.F.2 Cobalt Strike: 'net localgroup administrators /domain' via cmd

Telemetry from process tree showing net.exe with command-line arguments

Enrichment of net.exe with tag Administrator Enumeration

Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)

Telemetry

Enrichment

25

Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)

Enrichment-Tainted-Configuration Change

9

Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net localgroup not specifically shown)

Telemetry showing net with command-line arguments

Email excerpt from the OverWatch team indicating net localgroup was a reconnaissance command (General Behavior)

Telemetry-Tainted

General Behavior-Delayed

34

Telemetry showing cmd.exe executing net with command-line arguments

Process tree showing enriched net.exe executing (tainted by a parent Injected Shellcode alert)

Enrichment of net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery)

Telemetry

Enrichment-Tainted

22

General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period

Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)

Enrichment of net.exe execution with command-line arguments with Enumeration of Administrator Accounts alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery; tainted by parent Malicious File Detection)

Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)

Telemetry-Tainted

Enrichment-Tainted

General Behavior-Configuration Change-Delayed-Tainted

40

Excerpt from the Managed Defense Report indicating the attacker enumerated members of the local administrators group (Specific Behavior)

Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)

Excerpt from the Managed Defense Report with additional details about net

Enrichment

Specific Behavior-Delayed

72

General Behavior alert on suspicious sequence of exploration activities

Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments

Telemetry showing execution sequence for net.exe with command-line arguments

Telemetry

General Behavior-Delayed

37

Enrichment of net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery)

Enrichment

15

Telemetry showing net.exe with command-line arguments

Telemetry

10

Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Telemetry-Tainted

7
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
Network Share Connection Removal

Defense Evasion

(T1126)
16.C.1 Empire: 'net use /delete' via PowerShell

Telemetry showing process tree with net.exe and command-line arguments

Specific Behavior alerts for removing connected network share

Telemetry

Specific Behavior

70

Telemetry showing net.exe and command-line arguments (tainted by the parent "Powershell executed remote commands" alert)

Telemetry-Tainted

7

Excerpt from email sent by OverWatch team indicating they observed ADMIN$ artifact removed (General Behavior)

Telemetry from process tree showing net.exe executing with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)

Telemetry-Tainted

General Behavior-Delayed

34

General Behavior alert for net.exe conducting suspicious activity (tainted by a parent PowerShell alert)

General Behavior-Tainted

Telemetry

37

Telemetry showing event tree containing net.exe and command-line argument (tainted by parent PowerShell alert)

Telemetry-Tainted

7

Telemetry showed net.exe executing with command-line arguments.

Excerpt from the Managed Defense Report indicating the attacker unmounted the share from CodeRed (Specific Behavior)

Telemetry

Specific Behavior-Delayed

67

Telemetry showing net.exe with command-line arguments (tainted by parent alert on PowerShell script with suspicious content)

Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)

Telemetry-Tainted

7

Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Connection Removal)

Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)

Telemetry-Tainted

Enrichment

22

Telemetry showing net.exe execution and command-line arguments

Telemetry

10

Telemetry showing net.exe and command-line arguments (tainted by relationship to threat story)

Telemetry-Tainted

7
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
File Deletion

Defense Evasion

(T1107)
19.D.1 Empire: 'del C:\"$"Recycle.bin\old.rar'

Telemetry showing filemod (file modification) deletion of old.rar

Telemetry

10

Telemetry showing powershell.exe deleting old.rar (tainted by the parent "PowerShell executed encoded commands" alert)

Telemetry-Tainted

7

Email excerpt sent by OverWatch team indicating they observed old.rar being deleted (Specific Behavior)

Telemetry showing deletion of old.rar

Telemetry

Specific Behavior-Delayed

67

Telemetry showing a deletion event for old.rar via powershell.exe (tainted by a parent PowerShell alert, listed as Owner process)

Telemetry-Tainted

7

None

0

None

0

Telemetry showing PowerShell executing the Remove-Item cmdlet (does not count as a detection)

None

0

Telemetry showing the file delete event for old.rar (tainted by a parent alert on wscript.exe)

Telemetry-Tainted

7

Master file table on 10.0.1.5 (CodeRed) shows old.rar listed under deleted files (does not count as a detection)

None

0

Telemetry exported from threat story showing the deletion of old.rar was tainted by prior activity because it was under the same Group ID

Telemetry-Tainted

7
19.D.2 Empire: 'del recycler.exe'

Telemetry showing filemod (file modification) deletion of recycler.exe

Telemetry

10

Telemetry showing powershell.exe deleting recycler.exe (tainted by the parent "PowerShell executed encoded commands" alert)

Telemetry-Tainted

7

Email excerpt sent by OverWatch team indicating they observed recycler.exe being deleted (Specific Behavior)

Telemetry showing deletion of recycler.exe

Telemetry

Specific Behavior-Delayed

67

Telemetry showing a deletion event for recycler.exe via powershell.exe (tainted by a parent PowerShell alert, listed as Owner process)

Telemetry-Tainted

7

Telemetry showing file deletion of recycler.exe

Telemetry

10

None

0

None

0

Telemetry showing the file delete event for recycler.exe (tainted by a parent alert on wscript.exe)

Telemetry-Tainted

7

None

0

Telemetry exported from threat story showing the deletion of recycler.exe was tainted by prior activity because it was under the same Group ID

Telemetry-Tainted

7
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
Execution through API

Execution

(T1106)
8.C.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
3.B.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
8.B.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
9.B.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
8.D.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
9.A.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
2.C.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
12.E.1

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0

None

0
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
Remote File Copy

Command and Control, Lateral Movement

(T1105)
19.A.1 Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)

Telemetry showing filemod (file modification) creation of recycler.exe

Telemetry

10

Telemetry showing creation of recycler.exe (tainted by "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts) and powershell.exe behavior contributing to "Policy Dropper Behavior" alert

General Behavior alert for "Policy Dropper Behavior" based on three correlated events

General Behavior-Configuration Change

Telemetry-Tainted

34

Telemetry showing network connection from 192.168.0.5 (C2 server) used by powershell.exe to transfer recycler.exe (parent powershell.exe tainted by previous wscript.exe detection by red line indicating high severity)

Telemetry showing file write of recycler.exe (parent powershell.exe tainted by previous wscript.exe detection by red line indicating high severity)

Telemetry-Tainted

7

Telemetry showing file create/write of recycler.exe (tainted by a parent PowerShell alert, listed as Owner process)

Telemetry-Tainted

7

Telemetry showing file creation of recycler.exe by powershell.exe (tainted by parent PowerShell alerts)

Telemetry-Tainted

7

Enrichment of powershell.exe writing recycler.exe with PowerShell File Write alert (tagged with correct ATT&CK Technique, T1105 - Remote File Copy and Tactics, Command and Control, Lateral Movement)

Excerpt from the Managed Defense Report indicating the attacker placed recycler.exe on the system (Specific Behavior)

Continued enrichment of powershell.exe writing recycler.exe with PowerShell File Write alert

Enrichment

Specific Behavior-Delayed

72

Telemetry showing file creation of recycler.exe by powershell.exe showing hash and signer information as win.rar GmbH

Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown)

Telemetry-Tainted

7

General Behavior alert for executables created to disk by the Windows scripting engine (tainted by a parent alert on wscript.exe)

General Behavior alert for PowerShell dropping an executable file to disk (tainted by a parent alert on wscript.exe)

Telemetry showing the file create and write events for recycler.exe (tainted by a parent alert on wscript.exe)

Telemetry-Tainted

General Behavior-Tainted

General Behavior-Tainted

61

Telemetry showing file write of recycler.exe

Telemetry

10

Telemetry showing file write of recycler.exe

Telemetry exported from threat story showing recycler.exe file write tainted by prior activity because it was under the same Group ID

Telemetry-Tainted

7
7.B.1 Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)

Telemetry showing updater.dll written to disk

Telemetry

10

Telemetry showing creation of updater.dll (tainted by the parent "Powershell process created" alert)

Telemetry-Tainted

7

Additional telemetry showing file write for updater.dll

Telemetry showing file write for updater.dll (tainted by the parent "unexpected process" alert)

Telemetry-Tainted

7

Telemetry showing the file write of updater.dll (tainted by a parent alert on cmd.exe, listed as Owner Process)

Parent alert for updater.dll being detected as known malware

Telemetry-Tainted

7

Telemetry showing creation of updater.dll (tainted by parent Malicious File Detection alert)

Telemetry-Tainted

7

Telemetry showing updater.dll file write (tainted by parent AV signature alert)

Enrichment of updater.dll file write by cmd.exe with alert for CMD File Write (tagged with correct ATT&CK Technique, T1105 - Remote File Copy, and related ATT&CK Technique, T1059 - Command-Line Interface, and Tactic, Execution)

Enrichment

Telemetry-Tainted

22

Telemetry showing file write of updater.dll

Telemetry

10

Telemetry showed the file create event for updater.dll

Specific Behavior alert for a script engine creating/writing a DLL in the system32 folder (tainted by a parent process injection alert on cmd.exe)

Specific Behavior alert for a Windows scripting engine creating an executable on disk

Telemetry

Specific Behavior-Tainted

Specific Behavior

127

Telemetry showing file write event of updater.dll

Telemetry

10

Telemetry showing file write of updater.dll (tainted by relationship to threat story)

Telemetry-Tainted

7
16.E.1 Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)

Telemetry showing creation and write to autoupdate.vbs

Telemetry

10

Telemetry showing powershell.exe creating autoupdate.vbs (tainted by parent "Powershell executed remote commands" alerts)

Telemetry-Tainted

7

Excerpt from email sent by OverWatch team indicating they observed autoupdate.vbs written (General Behavior)

Telemetry showing File Write and New Script Write for autoupdate.vbs within powershell.exe (tainted by previous detection by orange line indicating medium severity)

Telemetry-Tainted

General Behavior-Delayed

34

Telemetry showing file write of autoupdate.vbs (tainted by a parent PowerShell alert, listed as Owner process)

Telemetry-Tainted

7

Telemetry showing creation of autoupdate.vbs (tainted by parent PowerShell alert)

Telemetry-Tainted

7

Additional details on enrichment of powershell.exe writing autoupdate.vbs with PowerShell File Write alert

Enrichment of powershell.exe writing autoupdate.vbs with PowerShell File Write alert (tagged with correct ATT&CK Technique, T1105 - Remote File Copy, and Tactics, Command and Control and Lateral Movement)

Enrichment

15

Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)

Telemetry showing autoupdate.vbs creation (tainted by parent alert on PowerShell script with suspicious content)

Telemetry-Tainted

7

Telemetry showing file create and write events for autoupdate.vbs

Telemetry

10

Telemetry showing file write of autoupdate.vbs

Telemetry

10

Telemetry showing creation and writes to autoupdate.vbs

Telemetry showing file event for autoupdate.vbs (tainted by relationship to threat story but Group ID not shown in this view)

Telemetry-Tainted

7
14.A.1 Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk

Telemetry

10

Telemetry showing port 8080 HTTP GET request to C2 domain for file wdbypass (tainted by the parent \"Powershell executed encoded commands\" alert)

Telemetry-Tainted

7

Email excerpt from the OverWatch team indicating PowerShell retrieved the file wdbypass (Specific Behavior)

Specific Behavior-Delayed

57

Specific Behavior alert showing decoded PowerShell with download request of wdbypass over HTTP port 8080

Specific Behavior alert for Download & execute of the wdbypass file

Specific Behavior-Tainted

57

Telemetry showing decoded PowerShell with download request of wdbypass over port 8080

Telemetry

10

Enrichment of HTTP GET request for wdbypass with PowerShell URL Request alert (tagged with correct ATT&CK Technique, T1105 - Remote File Copy, and Tactic, Command and Control)

Enrichment

15

Telemetry showing decoded PowerShell script with download HTTP request of wdbypass over port 8080 and tainted relationship to alert on suspicious PowerShell command-line arguments

Telemetry showing network connection to 192.168.0.5 (C2 server) over port 8080

Telemetry-Tainted

7

Telemetry showing decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability)

None

0

Telemetry showing decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability)

None

0

None

0
16.G.1 Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)

Telemetry showing remote creation and write to update.vbs

Telemetry

10

Enrichment of powershell.exe creating update.vbs (tainted by parent "Powershell executed remote commands" alerts)

Enrichment-Tainted-Configuration Change

9

Telemetry showing update.vbs with event_name NewScriptWritten indicating a write to C$

Telemetry

10

Telemetry of file events for write of update.vbs to Creeper (10.0.0.4) (tainted by a parent PowerShell alert, listed as Owner process)

Telemetry-Tainted

7

Telemetry

10

Enrichment of powershell.exe writing update.vbs with File Write to Network Share alert

Excerpt from the Managed Defense Report of the write of the autoupdate.vbs script (Specific Behavior)

Enrichment

Specific Behavior-Delayed

72

Telemetry showing file creation of update.vbs on 10.0.0.4 (Creeper)

Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert)

Telemetry showing the remote creation of update.vbs on 10.0.0.4 (Creeper) from 10.0.1.5 (CodeRed)

Telemetry-Tainted

7

Specific Behavior alert for a script being modified/moved to a remote location (tainted by a parent alert on wscript.exe)

Telemetry showed file create and write events for update.vbs

Telemetry

Specific Behavior-Tainted

67

None

0

Telemetry showing create file event of update.vbs on 10.0.0.4 (Creeper) (tainted by relationship to threat story but Group ID not shown in this view)

Telemetry-Tainted

7
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
Access Token Manipulation

Defense Evasion, Privilege Escalation

(T1134)
3.A.1 Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token

Telemetry showing svchost.exe activity related to token manipulation

Telemetry showing svchost.exe command line arguments, specifically seclogon

Telemetry

10

Relationships view of alert showing svchost.exe spawning powershell.exe tree (including encoded PowerShell). Red dots indicate malicious behavior and orange indicate suspicious behavior (based off impact value) (does not count as a detection)

Alert for PowerShell process creation (does not count as a detection)

None

0

None

0

Alert for malicious code injection into PowerShell (does not count as a detection)

Telemetry showing the bypassuactoken.x64.dll was loaded (does not count as a detection)

None

0

Telemetry showing powershell.exe spawned with token authentication id 100243447

Telemetry showing svchost.exe seclogon event for token login id 0x5f997f7 (100243447)

Telemetry

10

Telemetry showing svchost.exe seclogon event for token login ID 0xfcf5fd

Telemetry showing group membership of token logon ID 0xfcf5fd, which includes S-1-16-12288 (High Mandatory Level)

Telemetry-Configuration Change

7

Telemetry showing svchost.exe execution with seclogon command-line argument then subsequent powershell.exe

Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and elevated powershell.exe

Telemetry-Tainted

7

Telemetry showing logon event with an elevated token and new logon ID

Telemetry showing svchost.exe executed with the seclogon command-line argument

Telemetry

10

None

0

None

0
5.B.1 Cobalt Strike: Built-in token theft capability executed to change user context to George

Telemetry showing parent cmd.exe process running under user context Debbie

Telemetry showing child cmd.exe process running under user context George

Telemetry

10

None

0

Telemetry showing children of the compromised process (PID 21898821890) first running as Debbie, then as George

Telemetry

10

Telemetry within the process tree showing cmd.exe associated with users Debbie and George (tainted by a parent alert on explorer.exe)

Telemetry-Tainted

7

Telemetry showing the cmd.exe that spawned as user George from rundll32.exe running as user Debbie (tainted by parent Privilege Escalation alert)

Specific Behavior alert on Privilege Escalation showing a process spawning (cmd.exe) with different tokens than the parent (rundll32.exe) (mapped to the correct ATT&CK Technique, T1134 - Access Token Manipulation, and Tactics, Privilege Escalation and Defense Evasion)

Specific Behavior

Telemetry-Tainted

67

Telemetry showing the user George executing reg.exe with command-line arguments during Step 6

Telemetry showing the user Debbie executing net.exe with command-line arguments during Step 4

Telemetry

10

Alert for suspicious process injection showing tainted association via a process tree containing subsequent cmd.exe processes (inner failure message in screenshot not relevant to tested functionality)

Telemetry showing resulting cmd.exe running as user George

Telemetry showing svchost.exe invocation with seclogon flag subsequently running cmd.exe as SYSTEM

Telemetry-Tainted

7

Telemetry showing a cmd.exe associated with user Debbie spawn a cmd.exe associated with user George, indicating user context change via token manipulation (tainted by a parent process injection alert on cmd.exe)

Telemetry-Tainted

7

None

0

None

0
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | FireEye | Microsoft | PaloAltoNetworks | RSA | SentinelOne
Scripting

Defense Evasion, Execution

(T1064)
1.A.1 Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)

Telemetry from process tree showing cmd.exe running the pdfhelper.cmd script

Enrichment of cmd.exe executing pdfhelper.cmd with correct ATT&CK Technique (T1064 - Scripting)

Telemetry

Enrichment

25

Telemetry showing cmd.exe running pdfhelper.cmd (tainted by the Script File Created alert) 

Telemetry-Tainted

7

Telemetry showing pdfhelper.cmd execution

OverWatch General Behavior alert indicating pdfhelper.cmd execution was suspicious

General Behavior-Delayed

Telemetry

37

Telemetry showing cmd.exe launching pdfhelper.cmd (tainted by parent alert on explorer.exe)

Telemetry-Tainted

7

Telemetry showing pdfhelper.cmd spawned as a child process of Resume Viewer.exe (tainted by parent Malicious File Detection alert)

Telemetry showing cmd.exe process creation and execution of pdfhelper.cmd (tainted by parent Malicious File Detection alert)

Telemetry-Tainted

7

Telemetry showing the child cmd.exe process running the pdfhelper.cmd script

Telemetry

10

Telemetry within the process tree showing the child cmd.exe process running the script pdfhelper.cmd

Telemetry

10

Specific Behavior alert for execution of Windows script engine tagged with the correct ATT&CK Technique (Scripting)

Telemetry showing cmd.exe launching pdfhelper.cmd

Telemetry

Specific Behavior

70

Telemetry showing Resume Viewer.exe execution (does not count as a detection)

None

0

Telemetry from process tree showing the child cmd.exe process running the script pdfhelper.cmd (tainted by relationship to threat story)

Telemetry-Tainted

7
11.A.1 Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)

Enrichment of wscript.exe and powershell.exe with correct ATT&CK Techniques (T1063 - Scripting, T1086 - Powershell)

Specific Behavior alerts for Powershell scripting

Telemetry showing process tree of script execution

Enrichment

Telemetry

Specific Behavior

Specific Behavior

145

Telemetry showing powershell.exe creation from wscript.exe (tainted by the parent Script File Created alert)

Telemetry showing script execution (tainted by the parent Script File Created alert)

Telemetry-Tainted

7

Email excerpt from the OverWatch team indicating a malicious script was run (Specific Behavior)

General Behavior alert from OverWatch for wscript.exe executing launcher.vbs was suspicious

Specific Behavior alert for PowerShell sharing characteristics with known exploit kits

Specific Behavior

General Behavior-Delayed

Telemetry

Specific Behavior-Delayed

154

Specific Behavior alert for powershell.exe, labeled with Command and Control and Malicious use of PowerShell

Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert)

Telemetry showing wscript.exe executing autoupdate.vbs (tainted by a parent PowerShell alert)

Specific Behavior alert tagged as obfuscated PowerShell payload and downloader mapped to the correct ATT&CK Tactic (Execution) and Technique (PowerShell)

Specific Behavior

Telemetry-Tainted

67

Specific Behavior alert for powershell.exe also showing telemetry for script execution (mapped to related ATT&CK Technique, T1086 - PowerShell, and correct Tactic, Execution)

Specific Behavior alert for wscript.exe launching powershell.exe (mapped to the correct ATT&CK Technique, T1064 - Scripting, and Tactic, Execution)

Specific Behavior

Telemetry-Tainted

Specific Behavior

127

Indicator of Compromise alert for EMPIRE RAT (tagged with related ATT&CK Technique, T1086 - PowerShell)

Enrichment of wscript.exe with Wscript Execution alert (tagged with correct ATT&CK Technique, T064 - Scripting, and Tactic, Execution)

Additional details on Specific Behavior alert for Suspicious PowerShell Usage

Specific Behavior alert for Suspicious PowerShell Usage showing powershell.exe execution (tagged with related ATT&CK Technique, T1086 - PowerShell, and correct Tactic, Execution)

Specific Behavior

Enrichment

Indicator of Compromise

95

Process tree of alert showing containing malicious PowerShell cmdlets related to Empire

Telemetry showing PowerShell script metadata and decoded command-line arguments

Specific Behavior alert for \"Suspicious PowerShell command-line\"

Specific Behavior alert for \"PowerShell script with suspicious content\" detected through Antimalware Scan Interface extracted content

Specific Behavior alert for PowerShell script with malicious cmdlets

Telemetry showing execution of autoupdate.vbs script

Telemetry showing execution of wscript.exe

Telemetry showing execution of PowerShell cmdlets from wscript.exe

Telemetry

Specific Behavior

Specific Behavior-Delayed

Specific Behavior

187

Specific Behavior alert for execution of the windows script engine tagged with the correct ATT&CK Technique (Scripting)

Telemetry showing powershell.exe running with command-line arguments (tainted by a parent alert on wscript.exe)

Telemetry showing wscript.exe executing autoupdate.vbs (tainted by a parent alert on wscript.exe)

Specific Behavior alert for suspicious PowerShell activity

Specific Behavior alert for PowerShell (execution) tagged with a related Technique (PowerShell)

Specific Behavior alert for PowerShell execution with base64 encoded commands

Indicator of Compromise alert identifying PowerShell Empire

Indicator of Compromise alerts for suspicious PowerShell strings

Specific Behavior

Specific Behavior

Specific Behavior

Indicator of Compromise

Indicator of Compromise

Specific Behavior

Telemetry-Tainted

287

Telemetry showing the autoupdate.vbs script executed by wscript.exe

Telemetry

10

General Behavior alert for execution of autoupdate.vbs listed as an active threat

Telemetry showing wscript.exe and powershell.exe

Telemetry

General Behavior

40
12.E.1Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques

Telemetry showing dynamically loaded libraries (modloads) that may indicate PowerShell functionality

Telemetry showing powershell.exe execution

Telemetry

10

Telemetry showing powershell.exe execution and connection to the domain controller 10.0.0.4 (Creeper)

Telemetry

10

Telemetry showing the temp write of the ps1 script

Email excerpt from OverWatch team indicating they observed an unidentified PowerShell script running (Specific Behavior)

OverWatch Specific Behavior alert indicating the PowerShell script was malicious

Telemetry

Specific Behavior-Delayed

Specific Behavior-Delayed

124

Specific Behavior alert for Malicious use of PowerShell (tainted by a parent PowerShell alert)

Telemetry showing the temp write of the psm1 script module (tainted by a parent PowerShell alert)

Specific Behavior alert for a PowerShell Malicious command, identified as the Invoke-WinEnum function

Specific Behavior-Tainted

Telemetry-Tainted

64

Specific Behavior alert for \"PowerShell with Unusual Arguments\" (tagged with correct ATT&CK Technique, T1086 - PowerShell, and Tactic, Execution; tainted by parent PowerShell alerts)

Telemetry pulled by Interactive Shell showing the contents of the WinEnum script (does not count as a detection)

Telemetry showing powershell.exe execution (ID 2397532) (tainted by parent PowerShell alerts)

Specific Behavior-Tainted

Telemetry-Tainted

64

Enrichment of powershell.exe with PowerShell Execution alert (tagged with related ATT&CK Technique T1086 - PowerShell)

Excerpt from the Managed Defense Report indicating a PowerShell command was run from Empire (Specific Behavior)

Enrichment

Specific Behavior-Delayed

72

Additional telemetry showing powershell.exe execution sequence resulting from WinEnum

Telemetry showing powershell.exe execution sequence resulting from WinEnum

Process tree view of \"Suspicious sequence of exploration activities\" alert showing tainted powershell.exe process

Specific Behavior alert for \"A malicious PowerShell Cmdlet was invoked on the machine\"

Process tree under alert \"A malicious PowerShell Cmdlet was invoked on the machine\" showing Invoke-Empire and Invoke-WinEnum

Telemetry-Tainted

Specific Behavior

67

Telemetry showing powershell.exe executing with command-line arguments as well as PowerShell module (.psm) and script (.ps1) files being written to disk (tainted by a parent alert on wscript.exe)

Specific Behavior alert for PowerShell execution with base64 encoded commands (tainted by a parent alert on wscript.exe)

Indicator of Compromise alert identifying suspicious PowerShell strings as Empire WinEnum

Telemetry-Tainted

Specific Behavior-Tainted

Indicator of Compromise

84

Telemetry showing a PowerShell script written to disk

Telemetry

10

Telemetry showing encoded PowerShell script (tainted Group ID not shown but was the search parameter)

Telemetry-Tainted

7
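Most of the tainted entries in this table mean the same thing: the vendor only showed raw telemetry for the procedure, and that telemetry was already linked, through the process tree, to an alert raised earlier on a parent (Resume Viewer.exe, explorer.exe, wscript.exe). The Python below is an added example, not code from the page and not the author's table-generating script, that models this modifier over a constructed process tree with made-up pids, paths, timestamps and alert placements: a record is Telemetry-Tainted if the process itself or any ancestor carries an alert that fired at or before the record, otherwise plain Telemetry. Treating an alert on the process itself as tainting, and the time ordering, are my assumptions about how MITRE applied the modifier, not its published definition.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    pid: int    # process the alert was raised on
    ts: int     # when it fired (constructed monotonic clock, not a real timestamp)
    name: str


# Constructed process tree modelled on the 1.A.1 and 11.A.1 chains; pids, paths and times are made up
PROCS: List[Proc] = [
    Proc(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(200, 100, r"C:\Users\Bob\Downloads\Resume Viewer.exe", '"Resume Viewer.exe"'),
    Proc(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c pdfhelper.cmd"),
    Proc(400, 100, r"C:\Windows\System32\wscript.exe", "wscript.exe autoupdate.vbs"),
    Proc(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -NoP -W Hidden -Enc <base64 stager>"),
]
# Alert names borrowed from the Endgame and FireEye columns; which process they fired on is constructed
ALERTS: List[Alert] = [
    Alert(200, 10, "Malicious File Detection"),
    Alert(400, 40, "Wscript Execution"),
]

TREE: Dict[int, Proc] = {p.pid: p for p in PROCS}


def index_alerts(alerts: List[Alert]) -> Dict[int, List[Alert]]:
    idx: Dict[int, List[Alert]] = {}
    for a in alerts:
        idx.setdefault(a.pid, []).append(a)
    return idx


ALERT_INDEX = index_alerts(ALERTS)


def ancestry(tree: Dict[int, Proc], pid: int) -> Iterator[int]:
    """Yield pid, then each ancestor pid, stopping at an unknown parent or a cycle."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        yield pid
        pid = tree[pid].ppid


def classify(tree: Dict[int, Proc], alert_index: Dict[int, List[Alert]],
             pid: int, ts: int) -> Tuple[str, Optional[Alert]]:
    """Label one telemetry record for process pid observed at time ts.

    Tainted if the process or any ancestor carries an alert that fired at or before ts;
    an alert raised later cannot taint earlier telemetry."""
    for anc in ancestry(tree, pid):
        for a in alert_index.get(anc, []):
            if a.ts <= ts:
                return "Telemetry-Tainted", a
    return "Telemetry", None


def demo() -> Dict[int, Tuple[str, Optional[str]]]:
    """Classify four constructed process-start records given as (pid, ts)."""
    records = [(100, 5), (300, 20), (400, 35), (500, 50)]
    out: Dict[int, Tuple[str, Optional[str]]] = {}
    for pid, ts in records:
        label, cause = classify(TREE, ALERT_INDEX, pid, ts)
        out[pid] = (label, cause.name if cause else None)
    return out


if __name__ == "__main__":
    for pid, (label, cause) in demo().items():
        via = f" (via '{cause}')" if cause else ""
        print(f"{TREE[pid].cmdline:50} -> {label}{via}")
```

The wscript.exe start record (pid 400 at t=35) stays plain Telemetry because the alert on it fires at t=40, while the powershell.exe child at t=50 is tainted by it; that ordering is why a vendor can score untainted telemetry on a parent and tainted telemetry on its child for the same procedure.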
Technique: Credential Dumping (T1003); Tactic: Credential Access

Step 5.A.1: Cobalt Strike: Built-in Mimikatz credential dump capability executed

  CarbonBlack: Telemetry, Specific Behavior (score 70)
    - Specific Behavior alert showing correct ATT&CK Technique (Credential Dumping)
    - Telemetry showing cross-process events, specifically a handle opened to a thread in lsass.exe
  CounterTack: None (score 0)
    - Alert showing DDNA Scan for svchost.exe (does not count as a detection)
    - Alert showing additional DDNA Scan details for svchost.exe, including that it appears to inject code into another process (does not count as a detection)
    - Alert showing DDNA Scan details for svchost.exe, including that it appears to inject code into another process (does not count as a detection)
  CrowdStrike: Specific Behavior-Tainted, Telemetry, General Behavior-Delayed-Tainted (score 91)
    - Specific Behavior alert for Credential Dumping and OverWatch General Behavior alert (tainted by the previous detection, indicated by the orange line for medium severity)
  Cybereason: Specific Behavior (score 60)
    - Specific Behavior alert with correct ATT&CK Tactic (Credential Access) and related Technique (Process Injection) with details about svchost.exe accessing lsass
  Endgame: Specific Behavior (score 60)
    - Specific Behavior alert mapped to the correct ATT&CK Technique (Credential Dumping)
  FireEye: None (score 0)
  Microsoft: Enrichment-Tainted, Specific Behavior-Delayed (score 69)
    - Alert for suspicious process injection showing tainted association via a process tree containing svchost.exe (inner failure message in screenshot not relevant to tested functionality)
    - Specific Behavior alert description for sensitive credential memory read
    - Enrichment showing Exploit Guard audit of svchost.exe extracting credentials from lsass.exe
    - Process tree for sensitive credential memory read alert
  PaloAltoNetworks: Specific Behavior (score 60)
    - Specific Behavior alert for a suspicious handle being opened to lsass.exe to dump passwords, tagged with the correct ATT&CK Technique (Credential Dumping)
  RSA: None (score 0)
  SentinelOne: None (score 0)

Step 5.A.2: Cobalt Strike: Built-in hash dump capability executed

  CarbonBlack: Telemetry (score 10)
    - Telemetry showing cross-process events, specifically a handle opened to a thread in lsass.exe
  CounterTack: Telemetry-Tainted (score 7)
    - Telemetry showing thread creation in lsass.exe (tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts)
  CrowdStrike: Specific Behavior-Tainted, Specific Behavior-Tainted, Telemetry, General Behavior-Delayed-Tainted (score 148)
    - Process tree view of Specific Behavior alerts for Credential Dumping and OverWatch General Behavior alert (tainted by the previous detection, indicated by the orange line for medium severity)
    - Two Specific Behavior alerts for Credential Dumping (mapped to correct ATT&CK Technique, Credential Dumping, and Tactic, Credential Access) and General Behavior OverWatch alert
  Cybereason: Telemetry-Tainted (score 7)
    - Parent alert for svchost.exe injecting into lsass.exe, labeled as Malicious Code Injection
    - Telemetry showing svchost.exe process injection into lsass.exe (tainted by a parent injection alert)
    - Telemetry within alert showing loaded hashdumpx64.dll as floating executable code
  Endgame: Specific Behavior (score 60)
    - Specific Behavior alert mapped to the correct ATT&CK Technique (Credential Dumping)
  FireEye: None (score 0)
  Microsoft: Enrichment-Tainted (score 12)
    - Alert for process injection into lsass.exe tainting this event (inner failure message in screenshot not relevant to tested functionality)
    - Enrichment showing Exploit Guard audit of svchost.exe extracting credentials from lsass.exe
  PaloAltoNetworks: Telemetry-Tainted, Specific Behavior (score 67)
    - Specific Behavior alert for svchost dumping credentials via the Registry, tagged with the correct ATT&CK Technique (Credential Dumping)
    - Telemetry showing a code injection into lsass.exe (tainted by a parent process injection alert on cmd.exe)
  RSA: None (score 0)
  SentinelOne: None (score 0)
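Both Cobalt Strike steps above were caught, where they were caught at all, on the same primitive: a handle opened into lsass.exe with memory-read rights, or a remote thread created in it, reported either as raw cross-process telemetry or as a Credential Dumping alert. The Python below is an added example, not code from the page or from any of the vendors, that applies that logic to constructed Sysmon Event ID 10 (ProcessAccess) records: it decodes the GrantedAccess mask into Win32 process rights, flags a non-allowlisted source that asks for read, write or thread rights on lsass.exe, and notes when the call trace passes through dbghelp.dll or dbgcore.dll (where MiniDumpWriteDump lives) or through unbacked memory (UNKNOWN frames, typical of injected shellcode). The allowlist, the sample records and their masks are constructed; svchost.exe is deliberately not allowlisted, because that is where the beacon lived in this evaluation. Sysmon Event ID 8 (CreateRemoteThread), which would cover the thread-creation telemetry CounterTack and CarbonBlack showed, is not handled here.

```python
from typing import Dict, List

# Subset of Win32 process access rights, as packed into the Sysmon EID 10 GrantedAccess mask
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Rights a credential dump needs on lsass: read its memory, or write/create a thread to load code
DUMP_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020
# Illustrative allowlist of known lsass readers (constructed); svchost.exe is deliberately absent
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
MINIDUMP_MODULES = ("dbghelp.dll", "dbgcore.dll")


def decode_rights(mask: int) -> List[str]:
    """Expand a GrantedAccess mask into the named rights it contains (insertion order)."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def is_lsass_dump_attempt(ev: Dict[str, str]) -> bool:
    if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return False
    if ev["SourceImage"].lower() in ALLOWED_SOURCES:
        return False
    return (int(ev["GrantedAccess"], 16) & DUMP_RIGHTS) != 0


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per EID 10 record that looks like an lsass memory read."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        if not is_lsass_dump_attempt(ev):
            continue
        mask = int(ev["GrantedAccess"], 16)
        trace = ev.get("CallTrace", "").lower()
        findings.append({
            "source": ev["SourceImage"],
            "target": ev["TargetImage"],
            "granted": f"0x{mask:X}",
            "rights": decode_rights(mask),
            "minidump_api": any(m in trace for m in MINIDUMP_MODULES),
            "unbacked_caller": "unknown(" in trace,
        })
    return findings


# Constructed Sysmon EID 10 records (field names follow Sysmon; values are made up)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1410", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|UNKNOWN(00000000026B1B80)"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": ""},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1410", "CallTrace": ""},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "CallTrace": ""},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['source']} -> {f['target']} {f['granted']} {f['rights']} "
              f"minidump={f['minidump_api']} unbacked={f['unbacked_caller']}")
```

Only the first record fires: the Defender engine is allowlisted despite its full-access mask, the third record targets explorer.exe, and Task Manager's 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) carries none of the rights a dump needs. Allowlisting by full path rather than by image name matters here for the same reason svchost.exe is left out.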
Technique: Exfiltration Over Command and Control Channel (T1041); Tactic: Exfiltration

Step 9.B.1: Cobalt Strike: Download capability exfiltrated data through existing C2 channel

  CarbonBlack: None (score 0)
  CounterTack: None (score 0)
  CrowdStrike: None (score 0)
  Cybereason: None (score 0)
    - Telemetry showing a port 445 connection between Nimda (10.0.1.6) and the source of the file on Conficker (10.0.0.5) (does not count as a detection)
  Endgame: None (score 0)
  FireEye: None (score 0)
    - DNS requests to freegoogleadsenseinfo.com (C2 domain) (does not count as a detection)
  Microsoft: None (score 0)
  PaloAltoNetworks: None (score 0)
    - Port 53 network traffic to/from freegoogleadsenseinfo.com (C2 domain) (does not count as a detection)
  RSA: None (score 0)
  SentinelOne: None (score 0)
Technique: Registry Run Keys / Startup Folder (T1060); Tactic: Persistence

Step 10.A.1: Batch file (autoupdate.bat) previously written to the Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32

  CarbonBlack: Telemetry (score 10)
    - Telemetry from process tree showing cmd.exe executing autoupdate.bat from the Startup folder
  CounterTack: Telemetry (score 10)
    - Telemetry showing cmd.exe starting rundll32.exe
    - Telemetry showing explorer.exe creating cmd.exe and executing the .bat from Startup
  CrowdStrike: Telemetry (score 10)
    - Telemetry showing cmd.exe running autoupdate.bat from the Startup folder
  Cybereason: Telemetry-Tainted (score 7)
    - Parent alert for Injected Shellcode into rundll32.exe
    - Telemetry showing rundll32.exe executing autoupdate.bat from the Startup folder (tainted by a parent Injected Shellcode alert)
  Endgame: Telemetry-Tainted (score 7)
    - Telemetry showing rundll32.exe executing update.dat (tainted by parent "RunDLL32 with Suspicious DLL Location" alert)
  FireEye: Enrichment, Telemetry, Telemetry-Tainted, Specific Behavior-Delayed (score 89)
    - Enrichment of cmd.exe executing from Startup with Process Execution Startup alert (tagged with correct ATT&CK Technique, T1060 - Registry Run Keys / Startup Folder, and Tactic, Persistence)
    - Telemetry showing cmd.exe executing autoupdate.bat from the Startup folder
    - Telemetry showing rundll32.exe executing update.dat (tainted by parent Rundll32 Execution alert)
    - Additional details of rundll32.exe telemetry
    - Excerpt from the Managed Defense Report indicating autoupdate.bat persisted due to its presence in Startup (Specific Behavior)
  Microsoft: Telemetry (score 10)
    - Telemetry showing the Startup folder execution sequence for autoupdate.bat on user logon
  PaloAltoNetworks: Telemetry (score 10)
    - Telemetry showing cmd.exe executing autoupdate.bat from the Startup folder
  RSA: Telemetry (score 10)
    - Telemetry showing the execution of autoupdate.bat from the Startup folder
  SentinelOne: Telemetry (score 10)
    - Group ID query showing both autoupdate.bat and updater.dll persistence execution
    - Telemetry showing execution of autoupdate.bat from the Startup folder

Step 1.B.1: Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder

  CarbonBlack: Telemetry, Enrichment (score 25)
    - Telemetry showing filemods indicating autoupdate.bat was written to the Startup folder
    - Enrichment of cmd.exe with correct ATT&CK Technique (T1060 - Registry Run Keys / Startup Folder)
  CounterTack: Telemetry (score 10)
    - Telemetry showing autoupdate.bat created in the Startup folder
  CrowdStrike: Telemetry (score 10)
    - Telemetry showing Registry modification related to the Startup folder
  Cybereason: Telemetry-Tainted (score 7)
    - Process tree showing the cmd.exe associated with the autoupdate.bat file event (tainted by parent alert on explorer.exe)
    - Telemetry showing rename file event for autoupdate.bat
  Endgame: Telemetry-Tainted, Specific Behavior-Tainted (score 64)
    - "Detected Persistence - Start Folder Persistence" Specific Behavior alert related to autoupdate.bat (tagged with correct ATT&CK Technique, T1060 - Registry Run Keys / Startup Folder, and Tactic, Persistence; tainted by cmd.exe generating the alert)
    - Telemetry showing autoupdate.bat written to the Start Menu (tainted by parent Malicious File Detection alert)
  FireEye: Telemetry, Enrichment, Specific Behavior-Delayed (score 82)
    - Telemetry showing autoupdate.bat file written to the Startup folder
    - Enrichment of autoupdate.bat being written to Startup with Persistence category
    - Additional details on enrichment of autoupdate.bat
    - Excerpt from the Managed Defense Report indicating the backdoor persisted via autoupdate.bat being written to the Startup directory (Specific Behavior)
  Microsoft: Telemetry (score 10)
    - Telemetry showing write of autoupdate.bat to the Startup folder
  PaloAltoNetworks: Telemetry-Tainted, Enrichment-Tainted-Configuration Change (score 16)
    - Enrichment of a file being created in the Startup folder tagged with the correct ATT&CK Technique (Registry Run Keys / Startup Folder) (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
    - Telemetry showing autoupdate.bat being moved to the user Debbie's Startup folder (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
  RSA: Telemetry (score 10)
    - Telemetry showing cmd.exe "rename to executable" event for autoupdate.bat in the Startup folder
  SentinelOne: Telemetry-Tainted (score 7)
    - Telemetry showing autoupdate.bat write to the Startup folder (tainted by relationship to threat story)
Technique: Graphical User Interface (T1061); Tactic: Execution

Step 7.A.1: Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add a new user through an RDP connection

  CarbonBlack: Telemetry (score 10)
    - Telemetry showing mmc.exe running lusrmgr.msc
  CounterTack: Telemetry-Tainted (score 7)
    - Telemetry showing mmc.exe process executing lusrmgr.msc (tainted by the parent "LSA Registry Key modified" alert)
  CrowdStrike: Telemetry (score 10)
    - Telemetry showing mmc.exe running lusrmgr.msc
  Cybereason: Telemetry (score 10)
    - Telemetry showing lusrmgr.msc running from mmc.exe
  Endgame: Telemetry (score 10)
    - Telemetry showing mmc.exe running lusrmgr.msc
  FireEye: Telemetry (score 10)
    - Telemetry showing mmc.exe loading lusrmgr.msc
  Microsoft: Telemetry (score 10)
    - Telemetry showing mmc.exe running lusrmgr.msc
  PaloAltoNetworks: Telemetry, Enrichment (score 25)
    - Enrichment of the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Graphical User Interface)
    - Telemetry showing lusrmgr.msc running from mmc.exe
  RSA: None (score 0)
  SentinelOne: None (score 0)
Technique: Exfiltration Over Alternative Protocol (T1048); Tactic: Exfiltration

Step 19.C.1: Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel

  CarbonBlack: Telemetry, Enrichment (score 25)
    - Enrichment of ftp.exe with correct ATT&CK Technique (Exfiltration Over Alternative Protocol)
    - Telemetry from process tree showing execution of ftp.exe with command-line arguments
  CounterTack: Telemetry-Tainted (score 7)
    - Telemetry showing powershell.exe executing ftp.exe (tainted by the parent "Powershell executed encoded commands" alert)
    - Telemetry showing outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21 (tainted by the parent "PowerShell executed encoded commands" alert)
  CrowdStrike: General Behavior-Delayed-Tainted, Telemetry, Specific Behavior-Delayed (score 91)
    - Email excerpt sent by OverWatch team indicating they observed the collected files being exfiltrated via FTP (Specific Behavior)
    - OverWatch General Behavior alert indicating ftp.exe executing with ftp.txt was suspicious (tainted by the previous powershell.exe detection, indicated by the red line for high severity)
  Cybereason: Enrichment-Tainted, Telemetry (score 22)
    - Enrichment of ftp.exe execution with related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol) (tainted by a parent PowerShell alert)
    - Enrichment of ftp.exe execution in process tree with related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol) (tainted by a parent PowerShell alert)
    - Continuation of enrichment of ftp.exe execution in process tree showing command-line arguments
    - Continuation of enrichment of ftp.exe execution showing total number of bytes transmitted
  Endgame: Telemetry-Tainted (score 7)
    - Telemetry showing ftp.exe with command-line arguments including ftp.txt and the subsequent connection to 192.168.0.4 (C2 server) on port 21
  FireEye: Enrichment, Enrichment, Enrichment, Specific Behavior-Delayed (score 102)
    - Enrichment of ftp.exe executing the ftp.txt file with FTP Utility Execution alert (tagged with the correct ATT&CK Software, S0095 - FTP)
    - Excerpt from the Managed Defense Report showing the writing of FTP commands to ftp.txt and the subsequent execution of the ftp.txt file (Specific Behavior)
    - Enrichment of TCP port 21 connection to 192.168.0.4 (C2 server) (tagged with correct ATT&CK Technique, T1048 - Exfiltration Over Alternative Protocol, and Tactic, Exfiltration)
    - Enrichment of ftp.exe executing ftp.txt, based on the use of the -s argument, with FTP Utility Execution alert
  Microsoft: Telemetry-Tainted (score 7)
    - Telemetry showing powershell.exe running ftp.exe and the subsequent connection to 192.168.0.4 (C2 server) on port 21
    - Telemetry showing powershell.exe running ftp.exe and the subsequent connection to 192.168.0.4 (C2 server) on port 20
    - Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown)
  PaloAltoNetworks: Telemetry-Tainted, Enrichment-Tainted (score 19)
    - Telemetry showing ftp.exe execution (tainted by a parent alert on wscript.exe)
    - Enrichment of ftp.exe as the execution of a CLI file transfer/copy utility (tainted by a parent alert on wscript.exe)
    - Telemetry showing an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21 (tainted by a parent alert on wscript.exe)
  RSA: Telemetry (score 10)
    - Telemetry showing the execution of ftp.exe
  SentinelOne: Telemetry-Tainted (score 7)
    - Telemetry showing the execution of ftp.exe with ftp.txt, associated to the prior lateral movement threat story by Group ID
Technique: Security Software Discovery (T1063); Tactic: Discovery

Step 12.E.1.10.2: Empire: WinEnum module included enumeration of firewall rules

  CarbonBlack: None (score 0)
  CounterTack: None (score 0)
  CrowdStrike: None (score 0)
  Cybereason: None (score 0)
  Endgame: None (score 0)
    - Interactive Shell events showing the WinEnum script and the Firewall Rules function (does not count as a detection due to the manual process of pulling events)
  FireEye: None (score 0)
  Microsoft: None (score 0)
  PaloAltoNetworks: Enrichment (score 15)
    - Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Security Software Discovery)
  RSA: None (score 0)
  SentinelOne: None (score 0)

Step 12.E.1.10.1: Empire: WinEnum module included enumeration of AV solutions

  CarbonBlack: None (score 0)
  CounterTack: None (score 0)
  CrowdStrike: None (score 0)
  Cybereason: None (score 0)
  Endgame: None (score 0)
    - Interactive Shell events showing the WinEnum script and the AV Solution function (does not count as a detection due to the manual process of pulling events)
  FireEye: None (score 0)
  Microsoft: None (score 0)
  PaloAltoNetworks: Telemetry (score 10)
    - Telemetry showing an event log for the WMI query of the system AV products
  RSA: None (score 0)
  SentinelOne: Enrichment-Tainted, Telemetry-Tainted (score 19)
    - Telemetry showing powershell.exe WMI queries for antivirus product information (tainted by relationship to threat story)
    - Enrichment of powershell.exe with action "attempted to find other installed security software" (tainting Group ID not shown but was the search parameter)
Technique: Data Compressed (T1002); Tactic: Exfiltration

Step 19.B.1: Empire: Executed binary (recycler.exe) created a compressed archive (old.rar) of a previously collected file

  CarbonBlack: Telemetry, Enrichment (score 25)
    - Enrichment of recycler.exe with correct ATT&CK Technique (T1002 - Data Compressed)
    - Process tree with telemetry showing recycler.exe and command-line arguments
    - Telemetry showing filemod (file modification) creation of old.rar, the output of recycler.exe
  CounterTack: Enrichment-Tainted-Configuration Change, Telemetry-Tainted (score 16)
    - Enrichment showing recycler.exe creating old.rar (enriched with "Data Exfiltration Archiving"; tainted by parent "Powershell executed encoded command" alerts)
    - Telemetry showing recycler.exe with full command line (tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts)
  CrowdStrike: Specific Behavior-Tainted, Telemetry, Specific Behavior-Delayed (score 124)
    - Specific Behavior alert on RAR archive written (mapped to correct ATT&CK Technique, Data Compressed, and Tactic, Exfiltration; tainted by the previous powershell.exe detection, indicated by the red line for high severity)
    - Email excerpt sent by OverWatch team indicating they observed a .vsdx file archived using the renamed RAR binary, recycler.exe (Specific Behavior)
    - Additional details of recycler.exe from the alert showing it was signed by win.rar GmbH
  Cybereason: Telemetry-Tainted (score 7)
    - Telemetry showing recycler.exe execution (tainted by a parent PowerShell alert)
  Endgame: Specific Behavior-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted (score 73)
    - Enriched event tree showing enrichment of recycler.exe and creation of old.rar with related ATT&CK Technique (T1022 - Data Encrypted) and Tactic (Exfiltration) (tainted by Windows Script Executing PowerShell alert; the tree is initially available unenriched to show the base telemetry)
    - Specific Behavior alert for the execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar" (tainted by Windows Script Executing PowerShell alert)
  FireEye: General Behavior, Enrichment, Enrichment, General Behavior, Enrichment, Specific Behavior-Delayed (score 162)
    - Enrichment of the -hp command line with Possible Encrypted RAR Archive Command alert (tagged with correct ATT&CK Technique, T1002 - Data Compressed)
    - Enrichment of RAR file write with RAR Archive Created alert (tagged with correct ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration)
    - General Behavior alert for Execution from Suspicious Directory
    - General Behavior alert for File Write To Root Of Recycle Bin
    - Enrichment of RAR file write with RAR Archive Created alert (tagged with correct ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration)
    - Excerpt from the Managed Defense Report indicating the attacker executed recycler.exe to create an encrypted RAR file (Specific Behavior)
  Microsoft: Telemetry-Tainted (score 7)
    - Telemetry showing execution of recycler.exe with command-line arguments for file encryption and compression
    - Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown)
  PaloAltoNetworks: Telemetry-Tainted (score 7)
    - Telemetry showing recycler.exe execution (tainted by a parent alert on wscript.exe)
  RSA: Telemetry (score 10)
    - Telemetry showing execution of recycler.exe with command-line arguments
  SentinelOne: Telemetry-Tainted (score 7)
    - Telemetry exported from threat story showing the execution of recycler.exe was tainted by prior activity because it was under the same Group ID
    - Telemetry showing the execution of recycler.exe
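The Startup-folder write (1.B.1), the ftp.exe -s:ftp.txt exfil (19.C.1), the win.rar-signed binary running as recycler.exe with the -hp switch (19.B.1) and the WMI antivirus query (12.E.1.10.1) are each visible in a single process-creation or file-write record, which is why even telemetry-only vendors usually had something to show and why the enrichment-style vendors could tag a technique without a behavioural model. The Python below is an added example, not code from the page or from any vendor, that runs one rule per procedure over constructed process events (image, command line, parent image, signer, file writes). The Startup path, the $Recycle.Bin location of recycler.exe, the command lines and the benign WinRAR event are constructed for the sample; the assumption that WinEnum's AV check is a root\SecurityCenter2 AntiVirusProduct WMI query is mine, the page only says "WMI query of the system AV products".

```python
import re
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]
Finding = Dict[str, str]

# Both the per-user and the all-users Startup folders end in this path fragment (lower-cased)
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"
RAR_SIGNER = "win.rar gmbh"                       # publisher CrowdStrike showed on recycler.exe
RAR_IMAGES = {"rar.exe", "winrar.exe", "unrar.exe"}
# Assumed form of WinEnum's AV enumeration (constructed, not quoted from the module)
AV_QUERY = re.compile(r"securitycenter2.*antivirusproduct", re.IGNORECASE)


def _basename(path: object) -> str:
    return str(path).rsplit("\\", 1)[-1].lower()


def _tokens(cmdline: object) -> List[str]:
    return str(cmdline).split()


def rule_startup_folder(ev: Event) -> Optional[Finding]:
    """1.B.1: anything dropped into a Startup folder runs at the next logon (T1060)."""
    hits = [str(p) for p in ev.get("file_writes", []) if STARTUP_FRAGMENT in str(p).lower()]
    if not hits:
        return None
    return {"technique": "T1060", "name": "Startup folder persistence", "evidence": hits[0]}


def rule_ftp_script(ev: Event) -> Optional[Finding]:
    """19.C.1: ftp.exe driven by a script file (-s:) is the scripted exfil pattern (T1048)."""
    if _basename(ev["image"]) != "ftp.exe":
        return None
    script = [t for t in _tokens(ev["cmdline"]) if t.lower().startswith("-s:")]
    if not script:
        return None
    parent = _basename(ev.get("parent_image", ""))
    return {"technique": "T1048", "name": "ftp.exe driven by script file",
            "evidence": f"{script[0]} spawned by {parent}"}


def rule_rar_archive(ev: Event) -> Optional[Finding]:
    """19.B.1: a RAR binary under another name, or any -hp (password-protected) archive (T1002)."""
    base = _basename(ev["image"])
    renamed = str(ev.get("signer", "")).lower() == RAR_SIGNER and base not in RAR_IMAGES
    encrypted = any(t.startswith("-hp") for t in _tokens(ev["cmdline"]))
    if not (renamed or encrypted):
        return None
    reasons = []
    if renamed:
        reasons.append(f"signed by {ev['signer']} but running as {base}")
    if encrypted:
        reasons.append("-hp switch (password-protected archive)")
    return {"technique": "T1002", "name": "suspicious RAR archiving", "evidence": "; ".join(reasons)}


def rule_av_discovery(ev: Event) -> Optional[Finding]:
    """12.E.1.10.1: PowerShell asking WMI which AV products are registered (T1063)."""
    if _basename(ev["image"]) != "powershell.exe":
        return None
    m = AV_QUERY.search(str(ev["cmdline"]))
    if not m:
        return None
    return {"technique": "T1063", "name": "security software discovery via WMI", "evidence": m.group(0)}


RULES: List[Callable[[Event], Optional[Finding]]] = [
    rule_startup_folder, rule_ftp_script, rule_rar_archive, rule_av_discovery]


def run_rules(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f:
                f["image"] = str(ev["image"])
                findings.append(f)
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events; every path, argument and signer string here is made up for the demo
SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Users\Debbie\Downloads\Resume Viewer.exe",
     "cmdline": "cmd.exe /c pdfhelper.cmd",
     "file_writes": [r"C:\Users\Debbie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoupdate.bat"]},
    {"image": r"C:\Windows\System32\ftp.exe", "parent_image": PS, "cmdline": "ftp.exe -s:ftp.txt"},
    {"image": r"C:\$Recycle.Bin\recycler.exe", "parent_image": PS, "signer": "win.rar GmbH",
     "cmdline": r"recycler.exe a -hpSecret123 old.rar C:\Users\Debbie\Documents\diagram.vsdx"},
    {"image": PS, "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"powershell.exe -NoP -Command Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct"},
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe", "parent_image": r"C:\Windows\explorer.exe",
     "signer": "win.rar GmbH", "cmdline": r"WinRAR.exe a report.rar C:\Users\Bob\Documents\report.docx"},
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"{f['technique']} {f['name']} [{f['image']}]: {f['evidence']}")
```

The last event (the user's own WinRAR, no -hp) produces nothing, which is the point of keying the archiver rule on the signer/image mismatch and the encryption switch rather than on "a RAR file was written": the latter is what several vendors showed as plain telemetry, and on its own it is just file activity.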
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeCybereasonEndgameFireEyeMicrosoftPaloAltoNetworksRSASentinelOne
Commonly Used Port

Command and Control

(T1043)
6.B.1Cobalt Strike: C2 channel modified to use port 80

Telemetry showing network connection over port 80 to 192.168.0.4 (C2 server)

Enrichment of rundll32.exe TCP port 80 network connections with correct ATT&CK Technique (T1043 - Commonly Used Port)

Telemetry

Enrichment

25

Telemetry showing outbound traffic to 192.168.0.4 (C2 server) over TCP port 80 (tainted by parent \"Sponsor Process Established Network Connection\" alert)

Telemetry-Tainted

7

Telemetry showing TCP port 80 connection to 192.168.0.4 (C2 server)

Telemetry

10

Telemetry showing rundll32.exe opening a connection over port 80 (tainted by a parent Injected Shellcode alert, listed as Owner process)

Enrichment of rundll32.exe making a connection over the \"HTTP Port\" with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port) (tainted by a parent Injected Shellcode alert)

Enrichment-Tainted

Telemetry-Tainted

19

Telemetry showing a TCP port 80 connection from rundll32.exe

Telemetry showing port 80 traffic (tainted by the parent Malicious File Detection alert)

Telemetry-Tainted

7

Excerpt from the Managed Defense Report identifying C2 traffic communicating over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) (General Behavior)

Telemetry showing port 80 connections to 192.168.0.4 (C2 server)

Telemetry

General Behavior-Delayed

37

Telemetry showing execution sequence for rundll32.exe opening network connection

Incident graph from \"Unexpected process behavior\" alert (resulting from rundll32.exe) showing tainted network connection

Telemetry-Tainted

7

Telemetry showing port 80 command and control traffic

Telemetry

10

Telemetry showing TCP port 80 connections to freegoogleadsenseinfo.com (C2 domain)

Telemetry

10

Telemetry showing port 80 connection to 192.168.0.4 (C2 server) (tainted by relationship to rundll32 parent process linked by Group ID but not shown in this view)

Telemetry-Tainted

7
1.C.1Cobalt Strike: C2 channel established using port 53

Telemetry showing network connection over UDP port 53

Telemetry

10

None

0

OverWatch alert showing suspicious DNS traffic (does not count as a detection)

None

0

Telemetry showing port 53 command and control traffic

Telemetry

10

None

0

Telemetry showing port 53 command and control traffic

Excerpt from the Managed Defense Report indicating command and control occurred over UDP port 53 (Specific Behavior)

Telemetry

Specific Behavior-Delayed

67

Telemetry showing DNS requests to the C2 domain (custom query) (does not count as a detection)

None

0

Specific Behavior alert for a scripting engine (rundll32.exe) making a network connection over DNS ports (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Telemetry showing port 53 command and control traffic (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)

Telemetry-Tainted

Specific Behavior-Tainted

64

None

0

None

0
14.A.1Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080

Telemetry showing network connection to 192.168.0.5 (C2 server) over TCP port 8080

Telemetry

10

Telemetry showing port 8080 HTTP GET request to C2 domain for file wdbypass (tainted by the parent \"Powershell executed encoded commands\" alert)

Telemetry-Tainted

7

Telemetry showing IEX connection over to 192.168.0.5 (C2 server) on TCP port 8080

Telemetry

10

Specific Behavior alert showing decoded PowerShell with download request of wdbypass over HTTP port 8080

Specific Behavior alert for powershell.exe mapped to the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port) (tainted by a parent PowerShell alert)

Specific Behavior-Tainted

Telemetry

67

Telemetry showing decoded PowerShell with download request of wdbypass over port 8080

General Behavior alert for Command and Control associated with network traffic from PowerShell over TCP port 8080

General Behavior

Telemetry

40

Telemetry showing TCP port 8080 connection to freegoogleadsenseinfo.com (C2 domain) (tainted by parent PowerShell URL Request alert)

Excerpt from the Managed Defense Report indicating Empire communicated over port 8080 (General Behavior)

Additional excerpt from the Managed Defense Report indicating Empire was configured to communicate over port 8080 (General Behavior)

Telemetry-Tainted

General Behavior-Delayed

34

Telemetry showing decoded PowerShell script with download HTTP request of wdbypass over port 8080 and tainted relationship to alert on suspicious PowerShell command-line arguments

Telemetry showing network connection to 192.168.0.5 (C2 server) over port 8080

Telemetry-Tainted

7

Telemetry showing an outgoing network connection to www.freegoogleadsenseinfo.com (C2 domain) over port 8080

Telemetry

10

Telemetry of decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability)

Telemetry showing network connection to 192.168.0.5 (C2 server) over port 8080

Telemetry

10

Telemetry showing network connections over port 8080 in the filter (tainted by relationship to threat story but Group ID not shown in this view)

Telemetry-Tainted

7
11.B.1  Empire: C2 channel established using port 443

CarbonBlack (score 25): Enrichment, Telemetry
  Enrichment of backgroundtaskhost.exe and powershell.exe with correct ATT&CK Technique (T1043 - Commonly Used Port)
  Telemetry showing network connections, including over TCP port 443

CounterTack (score 10): Telemetry
  Telemetry showing powershell.exe making a network connection over TCP port 443

CrowdStrike (score 7): Telemetry-Tainted
  Telemetry showing powershell.exe making a network connection over port 443 (tainted by parent powershell.exe high severity alert indicated by red icon)

Cybereason (score 19): Enrichment-Tainted, Telemetry-Tainted
  Enrichment of powershell.exe making a connection over an "HTTP Port", tagged with the correct ATT&CK Technique (Commonly Used Port) and Tactic (Command and Control) (tainted by a parent PowerShell alert)
  Telemetry showing powershell.exe making an outgoing connection to 192.168.0.5 (C2 server) over TCP port 443 (tainted by a parent PowerShell alert)
  Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert)

Endgame (score 64): Telemetry-Tainted, Specific Behavior-Tainted
  Telemetry showing decoded powershell.exe command-line arguments (tainted by parent alert)
  Telemetry showing powershell.exe making connections over port 443 (tainted by parent alert)
  Specific Behavior alert for "PowerShell Making Network Connections" (mapped to correct ATT&CK Tactic, Command and Control)
  Event tree view of Specific Behavior alert for "Command and Control PowerShell Network" (tainted by parent alert)

FireEye (score 34): Telemetry-Tainted, General Behavior-Delayed
  Excerpt from the Managed Defense Report indicating Empire communicated over port 443 (General Behavior)
  Telemetry showing powershell.exe communicating over TCP port 443 (tainted by parent PowerShell Network Connection alert)
  Additional excerpt from the Managed Defense Report indicating Empire was configured to communicate over port 443 (General Behavior)

Microsoft (score 7): Telemetry-Tainted
  Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server)
  Telemetry showing powershell.exe communicating over TCP port 443
  Telemetry within alert showing decoded command-line arguments containing port 443 and tainted relationship to the powershell.exe process

PaloAltoNetworks (score 46): Telemetry-Tainted, Enrichment-Tainted, General Behavior-Tainted
  Enrichment of the port 443 network connection with the correct ATT&CK Technique (Commonly Used Port) (tainted by a parent alert on wscript.exe)
  Telemetry showing port 443 network connections to www.freegoogleadsenseinfo.com (C2 domain) (tainted by a parent alert on wscript.exe)
  General Behavior alerts for PowerShell making network connections to the internet as well as Wscript connecting to an external network (tainted by a parent alert on wscript.exe)

RSA (score 0): None
  Telemetry showing network connections, including over port 443 (does not count as a detection)

SentinelOne (score 7): Telemetry-Tainted
  Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (Group ID tainted the event but was not shown in this view)
Accessibility Features (Persistence, Privilege Escalation) (T1015)

17.C.1  Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

CarbonBlack (score 70): Telemetry, Specific Behavior
  Specific Behavior alert on powershell.exe when it replaced magnify.exe (mapped to correct ATT&CK Technique, T1015 - Accessibility Features)
  Telemetry showing creation and file write replacing magnify.exe in the system directory

CounterTack (score 16): Enrichment-Tainted-Configuration Change, Telemetry-Tainted
  Telemetry showing copy of cmd.exe to magnify.exe in the system directory (tainted by the parent "New Windows service created" alert)
  Enrichment showing powershell.exe creating and writing magnify.exe (enriched with condition "Creation of Sticky Keys File", tainted by the parent "New Windows service created" alert)

CrowdStrike (score 7): Telemetry-Tainted
  Additional view of telemetry showing the magnify.exe file write
  Telemetry showing file write of magnify.exe by powershell.exe (tainted by parent powershell.exe high severity alert indicated by red icon)

Cybereason (score 7): Telemetry-Tainted
  Telemetry showing creation and write events for magnify.exe (tainted by a parent PowerShell alert, listed as Owner process)

Endgame (score 76): Specific Behavior, Telemetry-Tainted, Enrichment-Delayed-Tainted
  Enriched event tree showing enrichment of magnify.exe overwrite with correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence) (tainted by parent alerts on powershell.exe; the tree is initially available unenriched to show the base telemetry)
  Specific Behavior alert on overwrite of magnify.exe named "Persistence-Accessibility Features", tagged with correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence) (tainted by parent alerts on powershell.exe)

FireEye (score 177): Specific Behavior, Specific Behavior, Specific Behavior-Delayed
  Specific Behavior alert on overwrite of magnify.exe for Suspicious Accessibility Features Replacement (BACKDOOR) (tagged with correct ATT&CK Technique, T1015 - Accessibility Features, and Tactic, Persistence)
  Excerpt from the Managed Defense Report indicating the attacker overwrote magnifier.exe (Specific Behavior)
  Specific Behavior alert on overwrite of magnify.exe for Accessibility Feature File Write (tagged with correct ATT&CK Technique, T1015 - Accessibility Features, and Tactic, Persistence)

Microsoft (score 70): Telemetry, Specific Behavior
  Telemetry showing overwrite of magnify.exe
  Binary metadata and reputation information showing magnify.exe is cmd.exe due to names observed and common hash
  Specific Behavior alert on sticky keys binary hijack for persistence when magnify.exe was overwritten

PaloAltoNetworks (score 7): Telemetry-Tainted
  Telemetry showing change in the hash of magnify.exe
  Telemetry showing file write events overwriting magnify.exe in the system directory (tainted by a parent alert on cmd.exe)

RSA (score 10): Telemetry
  Magnify.exe hash matches cmd.exe (top two hashes in Tracking pane, file names and full hash values cut off)
  Telemetry showing file write to magnify.exe in the system directory

SentinelOne (score 7): Telemetry-Tainted
  Telemetry showing file copy and write events of cmd.exe to overwrite magnify.exe with matching hash values (tainted by prior lateral movement threat story; Group ID not shown in this view)
20.A.1  magnify.exe (previously overwritten by cmd.exe) launched through an RDP connection made to Creeper (10.0.0.4)

CarbonBlack (score 130): Telemetry, Specific Behavior, General Behavior, General Behavior
  Three alerts (one Specific Behavior and two General Behavior alerts) from execution of magnify.exe showing red severity scores
  Process tree telemetry showing magnify.exe execution

CounterTack (score 7): Telemetry-Tainted
  Telemetry showing magnify.exe (tainted by the parent POS Interactive Login Event alert)

CrowdStrike (score 97): Specific Behavior, Telemetry, General Behavior-Delayed
  Email excerpt from the OverWatch team indicating they observed a Windows logon bypass (General Behavior)
  File details of magnify.exe in Accessibility Features Specific Behavior alert identifying it as cmd.exe by hash and common name
  Specific Behavior alert showing magnify.exe executing from utilman.exe (mapped to correct ATT&CK Technique, Accessibility Features, and Tactic, Persistence; pink indicates critical severity)

Cybereason (score 70): Specific Behavior, Telemetry
  Specific Behavior alert for magnify.exe, in process tree, masquerading as a Windows accessibility feature, mapped to the correct ATT&CK Tactic (Persistence) and Technique (Accessibility Features)
  Specific Behavior alert for magnify.exe masquerading as a Windows accessibility feature, mapped to the correct ATT&CK Tactic (Persistence) and Technique (Accessibility Features)

Endgame (score 76): Specific Behavior, Telemetry-Tainted, Enrichment-Delayed-Tainted
  Specific Behavior alert on Windows File Name Mismatch showing magnify.exe was renamed from cmd.exe and tagged with correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution)
  Enrichment of magnify.exe with correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution) (tainted by Windows File Name Mismatch alert; the tree is initially available unenriched to show the base telemetry)

FireEye (score 147): General Behavior, Specific Behavior, Specific Behavior-Delayed
  General Behavior alert for RENAMED CMD.EXE
  Excerpt from the Managed Defense Report indicating the attacker replaced the magnifier.exe accessibility feature to launch a privileged command shell (Specific Behavior)
  Specific Behavior alert for Accessibility Features Child Process due to magnify.exe spawning whoami.exe (tagged with the correct ATT&CK Technique, T1015 - Accessibility Features, and Tactics, Persistence, Privilege Escalation)
  Continued details for General Behavior alert for RENAMED CMD.EXE

Microsoft (score 70): Telemetry, Specific Behavior
  Telemetry showing sequence of magnify.exe executing from utilman.exe
  Specific Behavior alert on sticky keys binary hijack of magnify.exe

PaloAltoNetworks (score 10): Telemetry
  Telemetry showing magnify.exe executing from utilman.exe

RSA (score 10): Telemetry
  Telemetry showing magnify.exe execution

SentinelOne (score 10): Telemetry
  Telemetry showing magnify.exe execution (identified as Windows Command Processor)
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeCybereasonEndgameFireEyeMicrosoftPaloAltoNetworksRSASentinelOne
TOTAL SCORE28101173446726482971526226013611775862
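The number in each cell follows from the category labels in it. The weights below are inferred from the cells on this page (a base value per category, minus 3 points for each modifier such as Tainted, Delayed or Configuration Change); they are my assumption and not a reading of the author's script on git, but they reproduce every cell of 11.B.1, 17.C.1 and 20.A.1 exactly. This is an added example, not the blog's own code.

```python
"""Reproduces the per-cell scores of the comparison table from the detection
category labels. Weights are inferred from the published cells (assumption),
not taken from the author's script. Constructed example, not the blog's code."""

BASE = {"None": 0, "Telemetry": 10, "Enrichment": 15,
        "General Behavior": 30, "Specific Behavior": 60}
MODIFIERS = {"Tainted", "Delayed", "Configuration Change"}
PENALTY = 3   # each modifier on a label costs 3 points (inferred)


def score_label(label):
    """'Enrichment-Delayed-Tainted' -> 15 - 3 - 3 = 9."""
    base, *mods = [p.strip() for p in label.split("-")]
    if base not in BASE:
        raise ValueError(f"unknown detection category: {base!r}")
    unknown = set(mods) - MODIFIERS
    if unknown:
        raise ValueError(f"unknown modifier(s) {unknown} in {label!r}")
    return max(BASE[base] - PENALTY * len(mods), 0)


def score_cell(labels):
    """A vendor's cell for one procedure carries one label per detection."""
    return sum(score_label(label) for label in labels)


# Cells copied from the three procedures above: (labels, published score).
PAGE_CELLS = {
    ("11.B.1", "CarbonBlack"): (["Enrichment", "Telemetry"], 25),
    ("11.B.1", "Cybereason"): (["Enrichment-Tainted", "Telemetry-Tainted"], 19),
    ("11.B.1", "Endgame"): (["Telemetry-Tainted", "Specific Behavior-Tainted"], 64),
    ("11.B.1", "FireEye"): (["Telemetry-Tainted", "General Behavior-Delayed"], 34),
    ("11.B.1", "PaloAltoNetworks"): (["Telemetry-Tainted", "Enrichment-Tainted",
                                      "General Behavior-Tainted"], 46),
    ("11.B.1", "RSA"): (["None"], 0),
    ("17.C.1", "CounterTack"): (["Enrichment-Tainted-Configuration Change",
                                 "Telemetry-Tainted"], 16),
    ("17.C.1", "Endgame"): (["Specific Behavior", "Telemetry-Tainted",
                             "Enrichment-Delayed-Tainted"], 76),
    ("17.C.1", "FireEye"): (["Specific Behavior", "Specific Behavior",
                             "Specific Behavior-Delayed"], 177),
    ("20.A.1", "CarbonBlack"): (["Telemetry", "Specific Behavior",
                                 "General Behavior", "General Behavior"], 130),
    ("20.A.1", "CrowdStrike"): (["Specific Behavior", "Telemetry",
                                 "General Behavior-Delayed"], 97),
    ("20.A.1", "FireEye"): (["General Behavior", "Specific Behavior",
                             "Specific Behavior-Delayed"], 147),
}


def mismatches(cells=PAGE_CELLS):
    """Cells whose published score the weights above fail to reproduce."""
    return {key: (score_cell(labels), published)
            for key, (labels, published) in cells.items()
            if score_cell(labels) != published}


if __name__ == "__main__":
    for (step, vendor), (labels, published) in PAGE_CELLS.items():
        print(f"{step} {vendor:<17} {score_cell(labels):>4}  (table: {published})")
    print("mismatches:", mismatches() or "none")
```

The practical reading: a Specific Behavior alert is worth six Telemetry records, and a tainted Telemetry record (7) is worth less than an untainted one (10) but far more than "None", which is why vendors that merely expose the raw event in a process tree still pick up points on nearly every procedure while the totals are driven by who raised technique-specific alerts.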