Sunday, December 2, 2018

MITRE оценила EDR

На днях оно свершилось! MITRE опубликовала результаты оценки EDR по своей матрице ATT&CK.
Надо отметить, что это очень занятное чтение для всех: производители EDR и поставщики услуг MDR могут черпать идеи для развития своих предложений, а заказчики - выбрать решение наиболее для них подходящее.
Результаты приводятся независимо друг от друга, причем MITRE в описании условий теста явно подчеркивает, что взаимного сравнения делать умышленно не будет. Однако, и за это надо отдать им должное, коллеги из MITRE сделали все, чтобы взаимное сравнение было несложно провести самостоятельно - наряду с человекочитаемыми табличками (например, для Cb) все результаты тестов приведены в машиночитаемом формате (например, для того же Cb).

Ну конечно же я не смог удержаться и написал небольшой скриптик, отрисовывающий сводную табличку о том, как тестируемые вендоры детектят тестовые техники, которую я привожу в конце этой заметки.
Моя оценка не лишена субъективизма, но код свободно доступен и каждый может его подстроить под свое чувство справедливости. Но поясню свои доводы.

Наиболее важным моментом во всей оценке являются виды выдаваемых детектов, подробно описанные здесь. Для взаимной оценки я оснастил детекты числовыми весами:

  • None - EDR ничего не заметил, нет даже телеметрии на базе которой можно было бы сделать детект - 0
  • Telemetry - были зафиксированы только сырые события - ищи, мол, аналитик в миллиардах событий атаки глазами - 10
  • Enrichment - сырые события были обогащены дополнительной информацией, полезной аналитику при расследовании - немного лучше, чем сыряк, поэтому только 15
  • Indicator of compromise - сырые события проверены по какому-либо ThreatIntel-у и совпадения показаны аналитику - ну хотя бы детект по статическим IoC-ам - не особо прогрессивно, поэтому только 20
  • General behavior - общий поведенческий детект - обнаружение действий атакующего с точностью до тактики - уже немного поведения, но очень общо, поэтому только 30
  • Specific behavior - обнаружение применения конкретной техники - то, что нужно - максимальные 60 очков

Кроме описанных основных типов детекта MITRE вводит еще модификаторы, позволяющие немного глубже судить о качестве конкретного основного детекта:
  • Delayed - детект выдан с ощутимой задержкой - на мой взгляд, это плохо и за это я снимаю 5 баллов
  • Tainted - текущий детект учитывает связь с предыдущими детектами - на мой взгляд, это хорошо, поэтому за это я добавляю 5 очков
  • Configuration change - детект появляется при изменении конфигурации по сравнению с первоначальной - здесь я снова считаю, что это плохо, поэтому снижаю оценку на 5.
Кроме цифр, табличка еще раскрашена. Цветовая градация следующая:
  • меньше 10 очков за технику - означает, что детекта нет и нет даже телеметрии, чтобы его сделать - это очень плохо, поэтому цвет красный
  • от 10 до 29 - означает, что есть телеметрия и она как-то размечается. На мой взгляд, это не сильное подспорье аналитику, так как поведенческого детекта нет, а статическими индикаторами (какое бы несметное количество фидов вы не мэтчили) активный поиск угроз (== Threat hunting) не сделать
  • от 30 до 59 означает, что продукт реализует общую логику обнаружения по поведению, хотя бы на уровне тактики. Это уже лучше, чем предыдущие варианты с разметкой тупыми индикаторами, но все же пока не то, что надо, так как сильная обобщенность детекта взваливает большой пласт ручной работы на плечи аналитика
  • больше 59 - означает, что для техники есть хотя бы один хорошо работающий детект Specific berhavior, а значит данная техника обнаруживается по характирному поведению - это как раз и есть, то, что я называю "TTP-based" детект.
Любое объяснение почему такие баллы не будет держать критики, однако, любой читатель заметки может проставить их на свое усмотрение, а также изменить метод их подсчета. Я руководствовался тем, что наивысший балл за технику должен получать тот, кто смог определить эту конкретную технику по поведению,  поэтому разрыв между Specific behavior (60) и Indicator of compromise (20) - очень большой, чтобы снизить риск когда отсутствие TTP-base детекта может компенсироваться наличием пары индикаторов. Читатель может увеличить этот разрыв еще больше, давая за Specific behavior, скажем, 90, вместо 60, или оценивая в вендорах только наличие TTP-based детектов, проставляя за все остальное нули.

Проблем у данного сравнения можно найти много (== путей его совершенствования) и я сам до сих пор упражняюсь с тем, что меняю баллы и метод суммирования, в частности: 
  • можно ввести веса для техник, тогда вендор, детектирующий "более важные" техники получит лучшие оценки, но такую градацию не сделать с полпинка, если этим не заниматься глубоко (у нас постоянно ведется некоторая работа по приоритезации детектов - они у нас называются "хантами", - когда-нибудь постараюсь найти время и поделиться этим, поскольку вопрос связан с приоритезацией инцидентов и важен)
  • можно добавить "мета-вендора", который соберет все лучшие детекты для каждой техники из сравниваемых решений, а каждого вендора сравнивать в процентах от детекта, выдаваемого "мета-вендором"
  • и пр...
В любом случае, лично мне эта разработка помогла посмотреть в общем на результаты тестирования, подсветить сильные и слабые стороны каждого вендора в сравнении с конкурентами. 
Когда-то, у моих прошлых работодателей, я занимался выбором различных решений по безопасности. В целом, ничего невероятного - я разворачивал всех претендентов в лабораториях, разрабатывал тест-планы и методики выбора победителя. Мы собирались комиссией из состава проектной команды, проходили тест-планы, фиксировали результаты, подсчитывали очки. Данное тестирование MITRE значительно сократило нам путь оценки EDR и остается только обработать результат, что я и попытался сделать в этом небольшом исследовании, за что не будет лишним в очередной раз поблагодарить MITRE.


TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Query Registry

Discovery

(T1012)
12.E.1.7Empire: WinEnum module included enumeration of system information via a Registry queryNone0None0Telemetry10None0None0None0None0
13.C.1Empire: 'reg query' via PowerShell to enumerate a specific Registry keyTelemetry

Enrichment
25Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed-Tainted

General Behavior-Delayed
70Telemetry-Tainted

Enrichment-Delayed-Tainted
30Telemetry-Tainted15Telemetry10Telemetry-Tainted15
2.H.1Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry keyTelemetry

Enrichment
25Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted
40Telemetry-Tainted15Telemetry10Telemetry-Tainted15
17.A.1Empire: 'reg query' via PowerShell to enumerate a specific Registry keyTelemetry

Enrichment
25Telemetry-Tainted15Telemetry-Tainted15Telemetry-Tainted

Enrichment-Delayed-Tainted
30Telemetry-Tainted15Telemetry10Telemetry-Tainted15
6.A.1Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)Telemetry

Enrichment
25Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed-Tainted
45Telemetry-Tainted15Telemetry-Tainted15Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Command-Line Interface

Execution

(T1059)
2.B.1None0None0None0None0None0None0None0
2.A.2None0None0None0None0None0None0None0
2.D.2None0None0None0None0None0None0None0
2.D.1None0None0None0None0None0None0None0
2.A.1None0None0None0None0None0None0None0
2.E.2None0None0None0None0None0None0None0
2.E.1None0None0None0None0None0None0None0
16.F.1Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick Telemetry

Enrichment
25Telemetry-Tainted15Telemetry-Tainted15Enrichment-Tainted

Telemetry-Tainted

Enrichment-Delayed-Tainted
50Telemetry-Tainted15Telemetry10Telemetry-Tainted15
2.F.1None0None0None0None0None0None0None0
2.F.3None0None0None0None0None0None0None0
2.C.2 None0None0None0None0None0None0None0
2.G.1None0None0None0None0None0None0None0
2.G.2None0None0None0None0None0None0None0
2.F.2None0None0None0None0None0None0None0
7.C.1None0None0None0None0None0None0None0
8.A.1None0None0None0None0Telemetry10None0None0
8.A.2None0None0None0None0None0None0None0
2.H.1None0None0None0None0None0None0None0
4.A.2None0None0None0None0None0None0None0
6.A.1None0None0None0None0None0None0None0
4.A.1None0None0None0None0None0None0None0
4.B.1None0None0None0None0Telemetry10None0None0
4.C.1None0None0None0None0None0None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
System Service Discovery

Discovery

(T1007)
12.D.1Empire: 'net start' via PowerShellTelemetry10Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted

Enrichment-Tainted-Delayed
30Telemetry-Tainted

General Behavior-Delayed
40Telemetry10Telemetry-Tainted15
17.A.1Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal servicesTelemetry10Telemetry-Tainted15Telemetry-Tainted15Telemetry-Tainted15Telemetry-Tainted15Telemetry10Telemetry-Tainted15
16.J.1Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)Telemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Telemetry-Tainted

Specific Behavior-Delayed
70Telemetry-Tainted

Enrichment-Delayed-Tainted
30Telemetry-Tainted15Telemetry10Telemetry-Tainted15
2.D.2Cobalt Strike: 'net start' via cmdTelemetry

Enrichment
25Telemetry-Tainted15Telemetry-Tainted15Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted
40Telemetry-Tainted15Telemetry10Telemetry-Tainted15
2.D.1Cobalt Strike: 'sc query' via cmdTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted
40Telemetry

General Behavior-Delayed
35Telemetry10Telemetry-Tainted15
12.E.1.8Empire: WinEnum module included enumeration of servicesNone0None0None0None0Telemetry10None0None0
16.H.1Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)Telemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Telemetry-Tainted

Specific Behavior-Delayed
70Telemetry-Tainted

Enrichment-Delayed-Tainted
30Telemetry-Tainted15Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
File Permissions Modification

Defense Evasion

(T1222)
17.B.1Empire: 'takeown' via PowerShell to obtain ownership of magnify.exeTelemetry

Enrichment-Configuration Change
20Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted15Telemetry-Tainted15Telemetry10Enrichment-Tainted20
17.B.2Empire: 'icacls' via PowerShell to modify the DACL for magnify.exeTelemetry

Enrichment-Configuration Change
20Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted15Telemetry-Tainted15Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Masquerading

Defense Evasion

(T1036)
19.A.1Empire: File dropped to disk is a renamed copy of the WinRAR binaryTelemetry10None0Telemetry10None0Telemetry10None0Telemetry-Tainted15
16.I.1Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)Telemetry10Telemetry-Tainted15Telemetry-Tainted15Telemetry-Tainted15Telemetry-Tainted15Telemetry10Telemetry-Tainted15
19.B.1Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binaryTelemetry

Specific Behavior
70Enrichment-Tainted-Configuration Change

Telemetry-Tainted
30Specific Behavior-Tainted

Telemetry

Specific Behavior-Delayed
130Specific Behavior-Tainted

Telemetry-Tainted
80Telemetry-Tainted15Telemetry10Enrichment-Tainted20
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Service Execution

Execution

(T1035)
16.L.1Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)Telemetry10Telemetry-Tainted15Telemetry-Tainted

Specific Behavior-Delayed
70Telemetry-Tainted

Enrichment-Delayed-Tainted

Specific Behavior
90Telemetry-Tainted

Specific Behavior
75Telemetry10Telemetry-Tainted

General Behavior
45
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
System Owner/User Discovery

Discovery

(T1033)
2.B.1Cobalt Strike: 'echo' via cmd to enumerate specific environment variablesTelemetry10Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted
40Telemetry-Tainted15Telemetry10Telemetry-Tainted15
20.B.1Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)Telemetry

Enrichment
25Telemetry-Tainted15Telemetry-Tainted15Telemetry-Tainted

Enrichment-Delayed-Tainted
30Telemetry-Tainted15Telemetry10Enrichment15
12.B.1Empire: 'whoami /all /fo list' via PowerShellTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change15General Behavior-Delayed-Tainted

Telemetry

General Behavior-Delayed
65Telemetry-Tainted

Enrichment-Tainted-Delayed
30Telemetry-Tainted15Telemetry10Telemetry-Tainted15
12.E.1.1Empire: WinEnum module included enumeration of user informationNone0None0None0None0None0None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Standard Cryptographic Protocol

Command and Control

(T1032)
11.B.1Empire: Encrypted C2 channel established using HTTPSTelemetry10None0None0Telemetry-Tainted15Telemetry-Tainted15None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Password Policy Discovery

Discovery

(T1201)
12.E.1.3Empire: WinEnum module included enumeration of password policy informationNone0None0None0None0None0None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
System Network Configuration Discovery

Discovery

(T1016)
12.A.2Empire: 'ipconfig /all' via PowerShellTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted15Telemetry-Tainted15Telemetry10Telemetry-Tainted15
4.B.1Cobalt Strike: 'netsh advfirewall show allprofiles' via cmdTelemetry

Enrichment
25Telemetry-Tainted15General Behavior-Delayed

Telemetry

General Behavior-Delayed
60Telemetry10Telemetry-Tainted15Telemetry10Telemetry-Tainted15
12.A.1Empire: 'route print' via PowerShellTelemetry10Enrichment-Tainted20Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted15Telemetry-Tainted15Telemetry10Telemetry-Tainted15
2.A.2Cobalt Strike: 'arp -a' via cmdTelemetry

Enrichment
25Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted
40Telemetry

General Behavior-Delayed
35Telemetry10Telemetry-Tainted15
2.A.1Cobalt Strike: 'ipconfig /all' via cmdTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Telemetry-Tainted

General Behavior-Delayed
40General Behavior-Tainted

Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted
75Telemetry

General Behavior-Delayed
35Telemetry10Telemetry-Tainted15
12.E.1.11Empire: WinEnum module included enumeration of network adaptersNone0None0None0None0Telemetry10None0Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
User Execution

Execution

(T1204)
1.A.1Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)Telemetry

General Behavior
40Telemetry-Tainted15General Behavior

Telemetry
40General Behavior

Telemetry-Tainted
45Telemetry10Telemetry10Telemetry

General Behavior
40
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Data from Network Shared Drive

collection

(T1039)
18.B.1Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)None0Telemetry-Tainted15None0None0None0None0Telemetry-Tainted15
9.B.1Cobalt Strike: Built-in download capability executed to a collect file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)None0None0None0None0None0None0Telemetry10
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Process Injection

Defense Evasion, Privilege Escalation

(T1055)
3.C.1Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exeTelemetry

Specific Behavior
70Specific Behavior-Tainted65Specific Behavior-Tainted

Telemetry

General Behavior-Delayed-Tainted
105Specific Behavior60Enrichment-Tainted

Specific Behavior-Delayed
75Telemetry10Telemetry-Tainted15
8.D.1Cobalt Strike: Screen capture capability involved process injection into explorer.exeTelemetry10Telemetry10Telemetry10Specific Behavior-Tainted65Enrichment15None0Telemetry-Tainted15
5.A.1Cobalt Strike: Credential dump capability involved process injection into lsassTelemetry10General Behavior30Enrichment15Telemetry10Telemetry-Tainted

Specific Behavior-Delayed
70None0None0
5.A.2Cobalt Strike: Hash dump capability involved process injection into lsass.exeTelemetry

Specific Behavior
70Specific Behavior-Tainted

General Behavior
95Enrichment15Telemetry-Tainted

Specific Behavior
75Telemetry-Tainted

Specific Behavior-Delayed
70None0Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Remote System Discovery

Discovery

(T1018)
13.A.1Empire: 'net group "Domain Computers" /domain' via PowerShellTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Telemetry-Tainted

Enrichment-Tainted

General Behavior-Delayed
60Telemetry-Tainted

Enrichment-Delayed-Tainted
30Telemetry-Tainted

General Behavior-Delayed
40Telemetry10Telemetry-Tainted15
4.A.1Cobalt Strike: 'net group "Domain Controllers" /domain' via cmdTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Enrichment

Telemetry

General Behavior-Delayed

General Behavior-Delayed
75Telemetry

Enrichment-Delayed
20Telemetry-Tainted15Telemetry10Telemetry-Tainted15
4.A.2Cobalt Strike: 'net group "Domain Computers" /domain' via cmdTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Enrichment

Telemetry

General Behavior-Delayed

General Behavior-Delayed
75Telemetry

Enrichment-Delayed
20Telemetry-Tainted15Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Standard Application Layer Protocol

Command and Control

(T1071)
6.B.1Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.comTelemetry10Telemetry10None0None0None0None0None0
1.C.1Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.comNone0Telemetry10Specific Behavior

General Behavior-Delayed

Telemetry

Specific Behavior-Delayed
150Telemetry-Tainted15Telemetry-Configuration Change5None0Telemetry-Tainted15
14.A.1Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTPNone0Telemetry-Tainted15None0Telemetry10Telemetry-Tainted15None0None0
11.B.1Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.comTelemetry10None0None0Telemetry-Tainted15Telemetry-Tainted

Indicator of Compromise-Configuration Change
30Telemetry10None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Network Share Discovery

Discovery

(T1135)
12.E.1.9.2Empire: WinEnum module included enumeration of mapped network drivesNone0None0None0None0None0None0Telemetry-Tainted15
12.E.1.9.1Empire: WinEnum module included enumeration of available sharesNone0None0None0None0None0None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Data Encoding

Command and Control

(T1132)
1.C.1Cobalt Strike: C2 channel established using both NetBIOS and base64 encodingNone0None0Telemetry-Tainted15None0None0None0Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Remote Desktop Protocol

Lateral Movement

(T1076)
20.A.1RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanismNone0Telemetry10Telemetry10Telemetry10Telemetry10None0None0
6.C.1Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)Telemetry

Enrichment
25Enrichment-Tainted-Configuration Change

Telemetry
25Telemetry

General Behavior-Delayed
35Telemetry-Tainted15Telemetry10Telemetry10Telemetry-Tainted15
10.B.1RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanismTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Telemetry

General Behavior-Delayed
35Telemetry10Telemetry10None0Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Scheduled Task

Execution, Persistence, Privilege Escalation

(T1053)
10.A.2Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32Telemetry10Telemetry-Tainted15Telemetry-Tainted15Telemetry-Tainted15Telemetry10Telemetry10Telemetry10
7.C.1Cobalt Strike: 'schtasks' via cmd to create scheduled task that executes a DLL payload (updater.dll)Telemetry

Specific Behavior
70Specific Behavior

Telemetry
70Telemetry

General Behavior-Delayed-Tainted

Specific Behavior-Delayed
95Enrichment

Telemetry-Tainted

Enrichment-Delayed-Tainted

Specific Behavior-Tainted
110Telemetry

Specific Behavior-Delayed
65Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Data Staged

collection

(T1074)
18.B.1Empire: 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)Telemetry

Specific Behavior
70Telemetry-Tainted15Telemetry

Specific Behavior-Delayed
65Telemetry-Tainted15None0None0Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Application Window Discovery

Discovery

(T1010)
8.C.1Cobalt Strike: Keylogging capability included residual enumeration of application windowsNone0None0None0None0None0None0None0
15.A.1Empire: Built-in keylogging module included residual enumeration of application windowsNone0None0Telemetry10None0None0None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Valid Accounts

Defense Evasion, Persistence, Privilege Escalation, Initial Access

(T1078)
16.B.1Empire: 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user KmitnickTelemetry10Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed-Tainted
45Enrichment-Tainted

Telemetry-Tainted

Enrichment-Delayed-Tainted
50Telemetry-Tainted15Telemetry10Telemetry-Tainted15
10.B.1RDP connection to Conficker (10.0.0.5) authenticated using previously added user JesseTelemetry

Enrichment
25Telemetry10Telemetry10Telemetry-Tainted15Telemetry10Telemetry10Telemetry10
16.D.1Empire: 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user KmitnickTelemetry10Telemetry-Tainted15Telemetry-Tainted15Enrichment-Tainted

Telemetry-Tainted

Enrichment-Delayed-Tainted
50Telemetry-Tainted15Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Brute Force

Credential Access

(T1110)
16.B.1Empire: Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password sprayingTelemetry

Enrichment-Configuration Change
20Enrichment-Tainted

Telemetry-Tainted
35Telemetry-Tainted

General Behavior-Delayed-Tainted

General Behavior-Delayed
70Enrichment-Tainted

Telemetry-Tainted

Enrichment-Delayed-Tainted
50Telemetry-Tainted

Specific Behavior-Delayed
70Telemetry10Telemetry-Tainted15
16.A.1Empire: 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and FriedaTelemetry

Enrichment-Configuration Change
20Enrichment-Tainted20Telemetry

General Behavior-Delayed-Tainted

General Behavior-Delayed
65Enrichment-Tainted

Telemetry-Tainted

Enrichment-Delayed-Tainted
50Telemetry-Tainted

Specific Behavior-Delayed
70Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Screen Capture

Collection

(T1113)
8.D.1Cobalt Strike: Built-in screen capture capability executed to capture screenshot of current window of user DebbieNone0None0None0None0Enrichment-Configuration Change10None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Create Account

Persistence

(T1136)
7.A.1Added user Jesse to Conficker (10.0.0.5) through RDP connectionTelemetry

Enrichment-Configuration Change
20Specific Behavior-Configuration Change55Telemetry10None0Telemetry-Configuration Change5None0Telemetry10
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
System Information Discovery

Discovery

(T1082)
2.E.2Cobalt Strike: 'net config workstation' via cmdTelemetry

Enrichment
25Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted
40Telemetry-Tainted15Telemetry10Telemetry-Tainted15
2.E.1Cobalt Strike: 'systeminfo' via cmdTelemetry

Enrichment
25Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed

General Behavior-Delayed
65Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted
40Telemetry

General Behavior-Delayed
35Telemetry10Telemetry-Tainted15
12.E.1.6.1Empire: WinEnum module included enumeration of system informationNone0None0Telemetry10None0Telemetry10None0Telemetry-Tainted15
12.E.1.6.2Empire: WinEnum module included enumeration of Windows update informationNone0None0None0None0Telemetry10None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
File and Directory Discovery

Discovery

(T1083)
18.A.1Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)None0None0None0None0Telemetry10None0None0
8.A.1Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmdTelemetry

Enrichment
25Telemetry-Tainted15Telemetry-Tainted15Telemetry-Tainted

Enrichment-Tainted-Delayed
30Telemetry-Tainted15Telemetry10Telemetry-Tainted15
8.A.2Cobalt Strike: 'tree "C:\Users\debbie"' via cmdTelemetry

Enrichment
25Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed-Tainted

General Behavior-Delayed
70Telemetry-Tainted

Enrichment-Tainted-Delayed
30Telemetry-Tainted15Telemetry10Telemetry-Tainted15
12.E.1.4.2Empire: WinEnum module included enumeration of interesting filesNone0None0None0None0None0None0None0
12.E.1.4.1Empire: WinEnum module included enumeration of recently opened filesNone0None0None0None0None0None0None0
9.A.1Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)None0None0None0None0None0None0None0
16.K.1Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)None0None0None0None0None0None0Telemetry10
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Credentials in Files

Credential Access

(T1081)
15.B.1Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)None0None0Telemetry

Specific Behavior-Delayed
65None0None0None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
PowerShell

Execution

(T1086)
13.C.1None0None0None0None0None0None0None0
12.F.1None0None0None0None0None0None0None0
17.B.1None0None0None0None0None0None0None0
17.B.2None0None0None0None0None0None0None0
12.F.2None0None0None0None0None0None0None0
17.C.1None0None0None0None0None0None0None0
12.G.1None0None0None0None0None0None0None0
12.G.2None0None0None0None0Telemetry10None0None0
12.D.1None0None0None0None0None0None0None0
18.A.1None0None0None0None0None0None0None0
12.E.1None0None0None0None0None0None0None0
12.C.1None0None0None0None0None0None0None0
12.B.1None0None0None0None0None0None0None0
18.B.1None0None0None0None0None0None0None0
17.A.1None0None0None0None0None0None0None0
16.K.1None0None0None0None0None0None0None0
11.A.1None0None0None0None0None0None0None0
16.H.1None0None0None0None0None0None0None0
12.A.2None0None0None0None0None0None0None0
19.D.1None0None0None0None0Telemetry10None0None0
19.D.2None0None0None0None0None0None0None0
12.A.1None0None0None0None0None0None0None0
16.I.1None0None0None0None0None0None0None0
16.J.1None0None0None0None0None0None0None0
15.B.1None0None0None0None0None0None0None0
13.B.1None0None0None0None0None0None0None0
13.B.2None0None0None0None0None0None0None0
13.A.1None0None0None0None0None0None0None0
16.L.1None0None0None0None0None0None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Account Discovery

Discovery

(T1087)
2.G.2Cobalt Strike: 'net user george /domain' via cmdTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted
40Telemetry

General Behavior-Delayed
35Telemetry10Telemetry-Tainted15
12.G.1Empire: 'net user' via PowerShellTelemetry

Enrichment
25Enrichment-Tainted20Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted

Enrichment-Tainted-Delayed
30Telemetry-Tainted

General Behavior-Delayed
40Telemetry10Telemetry-Tainted15
12.G.2Empire: 'net user /domain' via PowerShellTelemetry

Enrichment
25Enrichment-Tainted20Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted

Enrichment-Tainted-Delayed
30Telemetry-Tainted

General Behavior-Delayed

Specific Behavior-Delayed
95Telemetry10Telemetry-Tainted15
7.A.1Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account informationTelemetry10Telemetry-Tainted15Telemetry10Telemetry10Telemetry10None0None0
2.G.1Cobalt Strike: 'net user /domain' via cmdTelemetry

Enrichment
25Enrichment-Tainted20Telemetry-Tainted15Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted
40Telemetry

General Behavior-Delayed
35Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Rundll32

Defense Evasion, Execution

(T1085)
1.A.1Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32Telemetry

Enrichment
25Telemetry-Tainted15Specific Behavior

General Behavior-Delayed

Telemetry
95Telemetry-Tainted

Specific Behavior-Tainted
80Telemetry

General Behavior-Delayed
35Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
System Network Connections Discovery

Discovery

(T1049)
12.E.1.12Empire: WinEnum module included enumeration of established network connectionsTelemetry

Enrichment
25None0Telemetry-Tainted15Telemetry-Tainted

Enrichment-Tainted-Delayed
30Telemetry-Tainted

General Behavior-Delayed
40Telemetry10Telemetry-Tainted15
13.B.1Empire: 'net use' via PowerShellEnrichment

Telemetry
25Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed
40Specific Behavior-Tainted

Telemetry-Tainted

Enrichment-Delayed-Tainted
95Telemetry-Tainted

General Behavior-Delayed
40Telemetry10Telemetry-Tainted15
13.B.2Empire: 'netstat -ano' via PowerShellTelemetry

Enrichment
25Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted

Enrichment-Delayed-Tainted
30Telemetry-Tainted

General Behavior-Delayed
40None0Telemetry-Tainted15
4.C.1Cobalt Strike: 'netstat -ano' via cmdTelemetry

Enrichment
25Telemetry-Tainted15General Behavior-Delayed

Telemetry

General Behavior-Delayed
60Telemetry

Enrichment-Delayed
20Telemetry-Tainted15Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Bypass User Account Control

Defense Evasion, Privilege Escalation

(T1088)
3.A.1Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity levelNone0None0Telemetry10Telemetry10Telemetry-Tainted15None0Telemetry10
14.A.1Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity levelNone0None0Telemetry

Specific Behavior-Delayed
65Telemetry10Telemetry-Tainted15None0Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Process Discovery

Discovery

(T1057)
2.C.1Cobalt Strike: 'ps' (Process status) via Win32 APIsNone0None0None0None0None0None0None0
2.C.2 Cobalt Strike: 'tasklist /v' via cmdTelemetry

Enrichment
25Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted

General Behavior-Configuration Change-Delayed-Tainted
40Telemetry

General Behavior-Delayed
35Telemetry10Telemetry-Tainted15
3.B.1Cobalt Strike: 'ps' (Process status) via Win32 APIsNone0None0None0None0None0None0None0
8.B.1Cobalt Strike: 'ps' (Process status) via Win32 APIsNone0None0None0None0None0None0None0
12.C.1Empire: 'qprocess *' via PowerShellTelemetry

Enrichment
25Telemetry-Tainted15General Behavior-Delayed-Tainted

Telemetry

General Behavior-Delayed
65Telemetry-Tainted15Telemetry-Tainted15Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Data Encrypted

Exfiltration

(T1022)
19.B.1Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected fileTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change

Telemetry-Tainted
30Specific Behavior-Tainted

Telemetry

Specific Behavior-Delayed
130Specific Behavior-Tainted

Telemetry-Tainted

Enrichment-Delayed-Tainted
95Telemetry-Tainted15Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Input Capture

collection, Credential Access

(T1056)
8.C.1Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user DebbieNone0None0None0None0Telemetry-Configuration Change

Specific Behavior-Delayed
60None0Telemetry-Tainted15
15.A.1Empire: Built-in keylogging module executed to capture keystrokes of user BobTelemetry

Enrichment
25None0Telemetry

General Behavior-Delayed
35None0Telemetry-Tainted

Specific Behavior-Delayed
70None0Enrichment-Tainted20
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Multiband Communication

Command and Control

(T1026)
6.B.1Cobalt Strike: C2 channel modified to split communications between both HTTP and DNSTelemetry10Telemetry-Tainted15Telemetry-Tainted15Telemetry-Tainted15Telemetry-Tainted15None0Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Windows Admin Shares

Lateral Movement

(T1077)
16.B.1Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5) Telemetry

Specific Behavior
70Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed-Tainted

General Behavior-Delayed
70Specific Behavior-Tainted

Telemetry-Tainted

Enrichment-Delayed-Tainted
95Telemetry-Tainted

Specific Behavior-Delayed
70Telemetry10Telemetry-Tainted15
16.D.1Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)Telemetry

Specific Behavior
70Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed
40Specific Behavior-Tainted

Telemetry-Tainted

Enrichment-Delayed-Tainted
95Telemetry-Tainted15Telemetry10Telemetry-Tainted15
16.A.1Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)Telemetry

Specific Behavior
70Enrichment-Tainted20Telemetry

General Behavior-Delayed-Tainted

General Behavior-Delayed
65Specific Behavior-Tainted

Telemetry-Tainted

Enrichment-Delayed-Tainted
95Telemetry-Tainted

Specific Behavior-Delayed
70Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Clipboard Data

collection

(T1115)
12.E.1.5Empire: WinEnum module included enumeration of clipboard contentsNone0None0None0Telemetry-Tainted15None0None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
New Service

Persistence, Privilege Escalation

(T1050)
16.I.1Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)Telemetry

Specific Behavior
70Telemetry-Tainted

Specific Behavior-Configuration Change
70Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted

Enrichment-Delayed-Tainted

Specific Behavior
90Telemetry-Tainted

Specific Behavior
75Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Permission Groups Discovery

Discovery

(T1069)
12.E.1.2Empire: WinEnum module included enumeration of AD group membershipsNone0None0None0None0None0None0None0
12.F.1Empire: 'net group "Domain Admins" /domain' via PowerShellTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Telemetry-Tainted

Enrichment-Tainted

General Behavior-Delayed
60Telemetry-Tainted

Enrichment-Tainted-Delayed

Enrichment-Tainted
50Telemetry-Tainted

General Behavior-Delayed
40Telemetry10Telemetry-Tainted15
12.F.2Empire: 'net localgroup administrators' via PowerShellTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted

Enrichment-Tainted-Delayed

Enrichment-Tainted
50Telemetry-Tainted

General Behavior-Delayed
40Telemetry10Telemetry-Tainted15
2.F.1Cobalt Strike: 'net localgroup administrators' via cmdTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Telemetry-Tainted

General Behavior-Delayed

General Behavior-Delayed
65Telemetry-Tainted

Enrichment-Tainted

General Behavior-Configuration Change-Delayed-Tainted
60Telemetry

General Behavior-Delayed
35Telemetry10Telemetry-Tainted15
2.F.3Cobalt Strike: 'net group "Domain Admins" /domain' via cmdTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Enrichment-Tainted

Telemetry-Tainted

General Behavior-Delayed
60Telemetry-Tainted

Enrichment-Tainted

General Behavior-Configuration Change-Delayed-Tainted
60Telemetry

General Behavior-Delayed
35Telemetry

Enrichment
25Telemetry-Tainted15
2.F.2Cobalt Strike: 'net localgroup administrators /domain' via cmdTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted

Enrichment-Tainted

General Behavior-Configuration Change-Delayed-Tainted
60Telemetry

General Behavior-Delayed
35Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
File Deletion

Defense Evasion

(T1107)
19.D.1Empire: 'del C:\"$"Recycle.bin\old.rar'Telemetry10Telemetry-Tainted15Telemetry

Specific Behavior-Delayed
65None0None0None0Telemetry-Tainted15
19.D.2Empire: 'del recycler.exe'Telemetry10Telemetry-Tainted15Telemetry

Specific Behavior-Delayed
65Telemetry10None0None0Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Execution through API

Execution

(T1106)
8.C.1None0None0None0None0None0None0None0
3.B.1None0None0None0None0None0None0None0
8.B.1None0None0None0None0None0None0None0
9.B.1None0None0None0None0None0None0None0
8.D.1None0None0None0None0None0None0None0
9.A.1None0None0None0None0None0None0None0
2.C.1None0None0None0None0None0None0None0
12.E.1None0None0None0None0None0None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Remote File Copy

Command and Control, Lateral Movement

(T1105)
19.A.1Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5)Telemetry10General Behavior-Configuration Change

Telemetry-Tainted
40Telemetry-Tainted15Telemetry-Tainted15Telemetry-Tainted15Telemetry10Telemetry-Tainted15
7.B.1Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6)Telemetry10Telemetry-Tainted15Telemetry-Tainted15Telemetry-Tainted15Telemetry10Telemetry10Telemetry-Tainted15
16.E.1Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5)Telemetry10Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted15Telemetry-Tainted15Telemetry10Telemetry-Tainted15
14.A.1Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to diskTelemetry10Telemetry-Tainted15Specific Behavior-Delayed55Telemetry10Telemetry-Tainted15None0None0
16.G.1Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4)Telemetry10Enrichment-Tainted-Configuration Change15Telemetry10Telemetry10Telemetry-Tainted15None0Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Access Token Manipulation

Defense Evasion, Privilege Escalation

(T1134)
3.A.1Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process tokenTelemetry10None0None0Telemetry10Telemetry-Tainted15None0None0
5.B.1Cobalt Strike: Built-in token theft capability executed to change user context to GeorgeTelemetry10None0Telemetry10Specific Behavior

Telemetry-Tainted
75Telemetry-Tainted15None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Scripting

Defense Evasion, Execution

(T1064)
1.A.1Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)Telemetry

Enrichment
25Telemetry-Tainted15General Behavior-Delayed

Telemetry
35Telemetry-Tainted15Telemetry10None0Telemetry-Tainted15
11.A.1Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)Enrichment

Telemetry

Specific Behavior

Specific Behavior
145Telemetry-Tainted15Specific Behavior

General Behavior-Delayed

Telemetry

Specific Behavior-Delayed
150Specific Behavior

Telemetry-Tainted

Specific Behavior
135Telemetry

Specific Behavior

Specific Behavior-Delayed

Specific Behavior
185Telemetry10Telemetry

General Behavior
40
12.E.1Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniquesTelemetry10Telemetry10Telemetry

Specific Behavior-Delayed

Specific Behavior-Delayed
120Specific Behavior-Tainted

Telemetry-Tainted
80Telemetry-Tainted

Specific Behavior
75Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Credential Dumping

Credential Access

(T1003)
5.A.1Cobalt Strike: Built-in Mimikatz credential dump capability executedTelemetry

Specific Behavior
70None0Specific Behavior-Tainted

Telemetry

General Behavior-Delayed-Tainted
105Specific Behavior60Enrichment-Tainted

Specific Behavior-Delayed
75None0None0
5.A.2Cobalt Strike: Built-in hash dump capability executedTelemetry10Telemetry-Tainted15Specific Behavior-Tainted

Specific Behavior-Tainted

Telemetry

General Behavior-Delayed-Tainted
170Specific Behavior60Enrichment-Tainted20None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Exfiltration Over Command and Control Channel

Exfiltration

(T1041)
9.B.1Cobalt Strike: Download capability exfiltrated data through existing C2 channelNone0None0None0None0None0None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Registry Run Keys / Startup Folder

Persistence

(T1060)
10.A.1Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32Telemetry10Telemetry10Telemetry10Telemetry-Tainted15Telemetry10Telemetry10Telemetry10
1.B.1Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folderTelemetry

Enrichment
25Telemetry10Telemetry10Telemetry-Tainted

Specific Behavior-Tainted
80Telemetry10Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Graphical User Interface

Execution

(T1061)
7.A.1Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connectionTelemetry10Telemetry-Tainted15Telemetry10Telemetry10Telemetry10None0None0
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Exfiltration Over Alternative Protocol

Exfiltration

(T1048)
19.C.1Empire: Sequence of 'echo' commands via PowerShell to populate commands in text file (ftp.txt), which is then executed by FTP to exfil data through network connection separate of existing C2 channelTelemetry

Enrichment
25Telemetry-Tainted15General Behavior-Delayed-Tainted

Telemetry

Specific Behavior-Delayed
95Telemetry-Tainted15Telemetry-Tainted15Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Security Software Discovery

Discovery

(T1063)
12.E.1.10.2Empire: WinEnum module included enumeration of firewall rulesNone0None0None0None0None0None0None0
12.E.1.10.1Empire: WinEnum module included enumeration of AV solutionsNone0None0None0None0None0None0Enrichment-Tainted

Telemetry-Tainted
35
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Data Compressed

Exfiltration

(T1002)
19.B.1Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected fileTelemetry

Enrichment
25Enrichment-Tainted-Configuration Change

Telemetry-Tainted
30Specific Behavior-Tainted

Telemetry

Specific Behavior-Delayed
130Specific Behavior-Tainted

Telemetry-Tainted

Enrichment-Delayed-Tainted
95Telemetry-Tainted15Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Network Share Connection Removal

Defense Evasion

(T1126)
16.C.1Empire: 'net use /delete' via PowerShellTelemetry

Specific Behavior
70Telemetry-Tainted15Telemetry-Tainted

General Behavior-Delayed
40Telemetry-Tainted15Telemetry-Tainted15Telemetry10Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Commonly Used Port

Command and Control

(T1043)
6.B.1Cobalt Strike: C2 channel modified to use port 80Telemetry

Enrichment
25Telemetry-Tainted15Telemetry10Telemetry-Tainted15Telemetry-Tainted15Telemetry10Telemetry-Tainted15
1.C.1Cobalt Strike: C2 channel established using port 53Telemetry10None0None0None0None0None0None0
14.A.1Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080Telemetry10Telemetry-Tainted15Telemetry10General Behavior

Telemetry
40Telemetry-Tainted15Telemetry10Telemetry-Tainted15
11.B.1Empire: C2 channel established using port 443Enrichment

Telemetry
25Telemetry10Telemetry-Tainted15Telemetry-Tainted

Specific Behavior-Tainted
80Telemetry-Tainted15None0Telemetry-Tainted15
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
Accessibility Features

Persistence, Privilege Escalation

(T1015)
17.C.1Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exeTelemetry

Specific Behavior
70Enrichment-Tainted-Configuration Change

Telemetry-Tainted
30Telemetry-Tainted15Specific Behavior

Telemetry-Tainted

Enrichment-Delayed-Tainted
90Telemetry

Specific Behavior
70Telemetry10Telemetry-Tainted15
20.A.1magnifer.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)Telemetry

Specific Behavior

General Behavior

General Behavior
130Telemetry-Tainted15Specific Behavior

Telemetry

General Behavior-Delayed
95Specific Behavior

Telemetry-Tainted

Enrichment-Delayed-Tainted
90Telemetry

Specific Behavior
70Telemetry10Telemetry10
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeEndgameMicrosoftRSASentinelOne
TOTAL SCORE280018354925404531257751590



1 comment:

Дмитрий said...

Спасибо, интересная картина получилась.