Saturday, February 23, 2019

MITRE evaluated EDR, continued

Earlier we already tried to compare the capabilities of various solutions on the basis of the MITRE test, but the other day further results were published, from FireEye and Cybereason. Each vendor, of course, announced right after passing the test (one, two) that it is the best, which only strengthened the urge to return to the topic.

As noted before, one can play with the points awarded per detection type endlessly, so I left the scoring logic as is; besides, the points may not be that important compared to the ability to see, so to speak, in a single line which kinds of detections each solution produces for a specific implementation of a specific technique (== procedure).
In the previous table I missed being able to see the interface screenshots with the corresponding detection right away, and I never got around to adding that. This time I did, and in my opinion the table turned out more convenient.

As a reminder, the small script that generates this comparison table from the MR results of the test is available on git. The table itself is also there, in the file out.html, where it is convenient to view (here, in the post, it looks rather unattractive).

Curiously, this series of tests added new procedures that had not been checked for the previous vendors; in the table these are highlighted in purple with the note Not tested.
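As an added illustration (not the author's script from git), the following Python reproduces the per-cell scores shown in the table from the detection-type labels. The weights are an assumption inferred from the scores printed in the table (Telemetry = 10, Telemetry-Tainted = 7, and so on); the Specific Behavior base weight is inferred from its Delayed variant only.

```python
"""Reproduce the per-cell scores of the MITRE ATT&CK evaluation comparison table.

Each cell lists one label per detection, e.g.
"General Behavior-Configuration Change-Delayed-Tainted": a base detection
category followed by zero or more modifiers. The weights below are an
ASSUMPTION inferred from the scores in the table, not taken from the
author's script.
"""
from __future__ import annotations

from typing import Dict, FrozenSet, Iterable, List, Tuple

# Base detection categories (assumed weights, inferred from the table).
BASE_SCORES: Dict[str, int] = {
    "None": 0,
    "Telemetry": 10,
    "Enrichment": 15,
    "Indicator of Compromise": 20,
    "General Behavior": 30,
    "Specific Behavior": 60,  # only "Specific Behavior-Delayed" (57) appears in the table
}

# Modifiers; each subtracts the same penalty (assumed, inferred from the table).
MODIFIERS = {"Tainted", "Delayed", "Configuration Change"}
MODIFIER_PENALTY = 3


def parse_label(label: str) -> Tuple[str, FrozenSet[str]]:
    """Split 'Base-Mod1-Mod2' into (base, {modifiers}); modifier order is irrelevant."""
    parts = [p.strip() for p in label.split("-")]
    base, mods = parts[0], parts[1:]
    if base not in BASE_SCORES:
        raise ValueError(f"unknown detection category: {base!r}")
    unknown = [m for m in mods if m not in MODIFIERS]
    if unknown:
        raise ValueError(f"unknown modifier(s) {unknown} in {label!r}")
    return base, frozenset(mods)


def score_label(label: str) -> int:
    """Score one detection: base weight minus a fixed penalty per modifier."""
    base, mods = parse_label(label)
    if base == "None":
        return 0
    return BASE_SCORES[base] - MODIFIER_PENALTY * len(mods)


def score_cell(labels: Iterable[str]) -> int:
    """Score a table cell: the detections listed in one cell are summed."""
    return sum(score_label(lbl) for lbl in labels)


def vendor_totals(rows: Dict[str, Dict[str, List[str]]]) -> Dict[str, int]:
    """Sum cell scores per vendor across procedure rows."""
    totals: Dict[str, int] = {}
    for _step, cells in rows.items():
        for vendor, labels in cells.items():
            totals[vendor] = totals.get(vendor, 0) + score_cell(labels)
    return totals


# Constructed sample: four cells copied from the 13.C.1 row of the table.
SAMPLE_ROWS: Dict[str, Dict[str, List[str]]] = {
    "13.C.1": {
        "CarbonBlack": ["Telemetry", "Enrichment"],
        "CrowdStrike": ["Telemetry-Tainted", "General Behavior-Delayed-Tainted",
                        "General Behavior-Delayed"],
        "Endgame": ["Telemetry-Tainted", "Enrichment-Delayed-Tainted"],
        "FireEye": ["Enrichment", "General Behavior-Delayed"],
    },
}

if __name__ == "__main__":
    for vendor, total in vendor_totals(SAMPLE_ROWS).items():
        print(f"{vendor:12s} {total}")
```

Running the sample prints 25, 58, 16 and 42 for the four vendors, matching the 13.C.1 row in the table.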

Technique: Query Registry / Discovery (T1012)
Columns: Step | Procedure | then, per vendor (CarbonBlack, CounterTack, CrowdStrike, Cybereason, Endgame, F-Secure, FireEye, McAfee, Microsoft, PaloAltoNetworks, RSA, SentinelOne): detection description(s) [detection type(s)] (score)
12.E.1.7 | Empire: WinEnum module included enumeration of system information via a Registry query
  CarbonBlack: None (0)
  CounterTack: None (0)
  CrowdStrike: Telemetry showing the Get-Sysinfo function [Telemetry] (10)
  Cybereason: None (0)
  Endgame: Interactive Shell events showing the WinEnum script and the Get-SysInfo function (does not count as a detection due to manual process of pulling events) [None] (0)
  F-Secure: Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function [Telemetry] (10)
  FireEye: None (0)
  McAfee: None (0)
  Microsoft: None (0)
  PaloAltoNetworks: Indicator of Compromise alert identifying suspicious PowerShell strings as Empire SysInfo; Enrichment of the enumeration of system information via a Registry query as suspicious (tainted by a parent alert on wscript.exe) [Enrichment-Tainted, Indicator of Compromise] (32)
  RSA: None (0)
  SentinelOne: None (0)
13.C.1 | Empire: 'reg query' via PowerShell to enumerate a specific Registry key
  CarbonBlack: Telemetry showing process tree with reg.exe and command-line arguments; Enrichment of reg.exe event with correct ATT&CK Technique (Query Registry) [Telemetry, Enrichment] (25)
  CounterTack: Telemetry showing reg.exe with command-line arguments (tainted by the parent Script File Created alert) [Telemetry-Tainted] (7)
  CrowdStrike: Telemetry from process tree showing reg.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity); OverWatch General Behavior alert indicating reg query was suspicious (tainted by previous powershell.exe detection by orange line indicating medium severity); OverWatch General Behavior alert indicating reg query was suspicious; Email excerpt from the OverWatch team indicating reg query was part of additional malicious discovery activity (General Behavior) [Telemetry-Tainted, General Behavior-Delayed-Tainted, General Behavior-Delayed] (58)
  Cybereason: Telemetry showing reg.exe with command-line arguments (tainted by a parent PowerShell alert) [Telemetry-Tainted] (7)
  Endgame: Enriched event tree showing enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery) (tainted by parent alert, tree is initially available unenriched to show the base telemetry) [Telemetry-Tainted, Enrichment-Delayed-Tainted] (16)
  F-Secure: Enrichment of reg.exe indicating that a sensitive registry key was accessed for potential reconnaissance; Telemetry showing powershell.exe executing reg.exe with command-line arguments [Telemetry, Enrichment] (25)
  FireEye: Excerpt from the Managed Defense Report indicating reg.exe was a reconnaissance command used (General Behavior); Enrichment of reg.exe with Reg Execution alert (tagged with ATT&CK Technique T1018 - Query Registry, and Tactic, Discovery) [Enrichment, General Behavior-Delayed] (42)
  McAfee: Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that reg.exe utility queried the Registry; Telemetry showed powershell.exe executing reg.exe (tainted by parent alert on wscript.exe) [Telemetry-Tainted, Enrichment] (22)
  Microsoft: Telemetry showing execution of reg.exe and command-line arguments; Process tree view of suspicious sequence of exploration activities alert showing tainted relationship to reg.exe [Telemetry-Tainted] (7)
  PaloAltoNetworks: Telemetry showing powershell.exe executing reg with command-line arguments (tainted by a parent alert on wscript.exe); Enrichment of reg.exe executing with command-line arguments with the correct ATT&CK Technique (Query Registry) [Telemetry-Tainted, Enrichment] (22)
  RSA: Telemetry showing execution of reg.exe and command-line arguments [Telemetry] (10)
  SentinelOne: Telemetry showing execution of reg.exe and command-line arguments (tainted Group ID not shown but was the search parameter) [Telemetry-Tainted] (7)
2.H.1 | Cobalt Strike: 'reg query' via cmd to enumerate a specific Registry key
  CarbonBlack: Telemetry from process tree showing reg.exe with command-line arguments; Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry) [Telemetry, Enrichment] (25)
  CounterTack: Telemetry showing reg.exe with command-line arguments (tainted by the parent Script File Created alert) [Telemetry-Tainted] (7)
  CrowdStrike: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (reg query not specifically shown); Telemetry showing reg with command-line arguments; Email excerpt from the OverWatch team indicating reg query was a reconnaissance command (General Behavior) [Telemetry-Tainted, General Behavior-Delayed] (34)
  Cybereason: Telemetry showing cmd.exe executing reg with command-line arguments; Telemetry within a process tree showing reg.exe executing with command-line arguments (tainted by a parent Injected Shellcode alert) [Telemetry-Tainted] (7)
  Endgame: General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period; Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection); Telemetry showing reg.exe with command-line arguments (tainted by parent Malicious File Detection) [Telemetry-Tainted, General Behavior-Configuration Change-Delayed-Tainted] (28)
  F-Secure: Enrichment of reg.exe indicating that a sensitive registry key was accessed, possibly as part of reconnaissance; Telemetry showing reg.exe with command-line arguments; General Behavior alert showing that a spawned process (cmd.exe running reg) has been tagged for monitoring because its parent process has a detection (rundll32.exe); General Behavior alert for rundll32.exe launching cmd.exe (executing reg) [Enrichment, General Behavior, Telemetry, General Behavior] (85)
  FireEye: Excerpt from the Managed Defense Report indicating the attacker queried a registry key that contains system policy configurations (Specific Behavior); Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery); Excerpt from the Managed Defense Report with additional details about reg [Enrichment, Specific Behavior-Delayed] (72)
  McAfee: Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery); Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the Registry was queried via execution of the reg.exe utility; Process tree within trace detection containing cmd.exe executing the reg.exe (tainted by a parent alert on Resume Viewer.exe) [Telemetry-Tainted, Enrichment, Enrichment] (37)
  Microsoft: Process tree view of General Behavior alert on suspicious sequence of discovery techniques (showing tainted reg.exe query command); Telemetry showing execution sequence for reg.exe with command-line arguments [Telemetry-Tainted] (7)
  PaloAltoNetworks: Enrichment of reg.exe executing with the correct ATT&CK Technique (Query Registry); Telemetry showing cmd.exe executing reg with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) [Telemetry-Tainted, Enrichment] (22)
  RSA: Telemetry showing reg.exe with command-line arguments [Telemetry] (10)
  SentinelOne: Telemetry showing reg.exe with command-line arguments (tainted by relationship to threat story) [Telemetry-Tainted] (7)
17.A.1 | Empire: 'reg query' via PowerShell to enumerate a specific Registry key
  CarbonBlack: Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry); Telemetry from process tree showing reg.exe with command-line arguments [Telemetry, Enrichment] (25)
  CounterTack: Telemetry showing powershell.exe executing reg.exe (tainted by the parent "New Windows service created" alert) [Telemetry-Tainted] (7)
  CrowdStrike: Telemetry from process tree view showing reg.exe executing with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity) [Telemetry-Tainted] (7)
  Cybereason: Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert) [Telemetry-Tainted] (7)
  Endgame: Enriched event tree showing enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry) and Tactic (Discovery) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts, tree is initially available unenriched to show the base telemetry); Event tree view showing tainted powershell.exe with reg.exe child process [Telemetry-Tainted, Enrichment-Delayed-Tainted] (16)
  F-Secure: Telemetry showing reg.exe with command-line arguments; Enrichment of reg.exe indicating that a sensitive registry key was accessed for potential reconnaissance; General Behavior alert showing that a spawned process (reg) has been tagged for monitoring because its parent process has a detection (powershell.exe) [Telemetry, Enrichment, General Behavior] (55)
  FireEye: Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery) [Enrichment] (15)
  McAfee: Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert); Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the reg.exe utility queried the Registry [Telemetry-Tainted, Enrichment] (22)
  Microsoft: Process tree view of suspicious PowerShell command-line alert showing tainted relationship to reg.exe query; Telemetry showing reg.exe executing with command-line arguments [Telemetry-Tainted] (7)
  PaloAltoNetworks: Telemetry showing powershell.exe executing reg with command-line arguments to check if terminal services were enabled (tainted by a parent alert on cmd.exe); Enrichment of reg.exe executing with command-line arguments with a related ATT&CK Technique (System Service Discovery); Enrichment of reg.exe executing with command-line arguments as the terminal server key queried by the reg utility (tainted by a parent alert on cmd.exe) [Telemetry-Tainted, Enrichment-Tainted, Enrichment] (34)
  RSA: Telemetry showing reg.exe execution [Telemetry] (10)
  SentinelOne: Threat story graph showing telemetry of reg.exe executing (tainted by prior lateral movement alert by Group ID) [Telemetry-Tainted] (7)
6.A.1 | Cobalt Strike: 'reg query' via cmd to remotely enumerate a specific Registry key on Conficker (10.0.0.5)
  CarbonBlack: Telemetry from process tree showing reg.exe with command-line arguments; Enrichment of reg.exe with correct ATT&CK Technique (T1012 - Query Registry) [Telemetry, Enrichment] (25)
  CounterTack: Telemetry showing PIPEs created (tainted by the parent "Powershell process created" alert); Telemetry showing reg.exe with command-line arguments (tainted by the parent "Powershell process created" alert) [Telemetry-Tainted] (7)
  CrowdStrike: Telemetry showing reg with command-line arguments; OverWatch General Behavior alert identifying reg query as suspicious as well as reg.exe process (tainted by previous detection by orange line indicating medium severity) [Telemetry-Tainted, General Behavior-Delayed-Tainted] (31)
  Cybereason: Telemetry showing reg.exe executing with command-line arguments (tainted by a parent Injected Shellcode alert) [Telemetry-Tainted] (7)
  Endgame: Telemetry showing reg with command-line arguments; Event tree view of telemetry showing reg with command-line arguments (tainted by parent Process Injection alert) [Telemetry-Tainted] (7)
  F-Secure: Enrichment of reg.exe identifying that a sensitive Registry key was accessed which could be used for recon; Telemetry showing reg.exe with command-line arguments [Enrichment, Telemetry] (25)
  FireEye: Enrichment of reg.exe with Reg Execution alert (tagged with correct ATT&CK Technique, T1012 - Query Registry, and Tactic, Discovery); File Write To Named Pipe alert for write to remote named pipe from reg.exe; Additional details on named pipe alert; Excerpt from the Managed Defense Report with additional details about reg query; Excerpt from Managed Defense Report of the reg command executing a remote registry query (Specific Behavior) [Enrichment, Specific Behavior-Delayed] (72)
  McAfee: Telemetry showing cmd.exe executing reg.exe with command-line arguments (tainted by a trace detection on cmd.exe); Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (Query Registry) and a suspicious indicator that the Registry was queried via execution of the reg.exe utility; General Behavior alert indicating that reg.exe command-line arguments contain signs of malicious usage [Telemetry-Tainted, Enrichment, General Behavior-Delayed] (49)
  Microsoft: Process tree view of suspicious process injection alert on lsass.exe showing tainted relationship to reg.exe (inner failure message in screenshot not relevant to tested functionality); Telemetry showing execution sequence for reg.exe with command-line arguments [Telemetry-Tainted] (7)
  PaloAltoNetworks: Enrichment of the execution of reg.exe as querying a remote key (tainted by a parent process injection alert on cmd.exe); Enrichment of reg.exe executing with the correct ATT&CK Technique (Query Registry); Telemetry showing cmd.exe executing reg with command-line arguments (tainted by a parent process injection alert on cmd.exe) [Telemetry-Tainted, Enrichment-Tainted, Enrichment] (34)
  RSA: Telemetry showing reg.exe with command-line arguments [Telemetry] (10)
  SentinelOne: Telemetry showing cmd.exe executing reg with command-line arguments (tainted by relationship to rundll32 parent process linked by Group ID but not shown in this view) [Telemetry-Tainted] (7)
Technique: Command-Line Interface / Execution (T1059)
Columns: Step | Procedure | then, per vendor (CarbonBlack, CounterTack, CrowdStrike, Cybereason, Endgame, F-Secure, FireEye, McAfee, Microsoft, PaloAltoNetworks, RSA, SentinelOne): detection description(s) [detection type(s)] (score)
2.B.1 | (procedure cell empty) | all twelve vendors: None (0)
2.A.2 | (procedure cell empty) | all twelve vendors: None (0)
2.D.2 | (procedure cell empty) | all twelve vendors: None (0)
2.D.1 | (procedure cell empty) | all twelve vendors: None (0)
2.A.1 | (procedure cell empty) | all twelve vendors: None (0)
2.E.2 | (procedure cell empty) | all twelve vendors: None (0)
2.E.1 | (procedure cell empty) | all twelve vendors: None (0)
16.F.1 | Empire: Built-in runas module executed to launch malicious VBScript (autoupdate.vbs) as user Kmitnick
  CarbonBlack: Telemetry showing process tree with cmd.exe and initial powershell.exe running as user Bob; Enrichment of cmd.exe event with correct ATT&CK Technique (T1059 - Command-Line Interface); Telemetry showing process tree with cmd.exe and final powershell.exe running as user Kmitnick [Telemetry, Enrichment] (25)
  CounterTack: Telemetry showing wscript.exe execute autoupdate.vbs and resulting powershell.exe (tainted by the parent "Powershell executed remote commands" alert); Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick (tainted by the parent "Powershell executed remote commands" alert); Telemetry showing svchost.exe creating cmd.exe and executing autoupdate.vbs as user Kmitnick [Telemetry-Tainted] (7)
  CrowdStrike: Telemetry showing wscript.exe launching autoupdate.vbs as user Kmitnick (tainted by previous detection by red line indicating high severity); Telemetry showing cmd.exe launching autoupdate.vbs as user Kmitnick (tainted by previous detection by red line indicating high severity) [Telemetry-Tainted] (7)
  Cybereason: Parent alert on Malicious PowerShell Command (Invoke-RunAs); Telemetry showing cmd.exe executing autoupdate.vbs through wscript.exe (tainted by a parent PowerShell alert) [Telemetry-Tainted] (7)
  Endgame: Telemetry showing cmd.exe executed as user Kmitnick (tainted by parent PowerShell alert); Enriched event tree showing enrichment of autoupdate.vbs execution with related ATT&CK Technique (T1064 - Scripting) and Tactic (Execution) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry); Enrichment showing cmd launching PowerShell via wscript.exe running autoupdate.vbs (tainted by parent PowerShell alert) [Enrichment-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted] (28)
  F-Secure: General Behavior alert was generated showing that a spawned process (cmd.exe) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing cmd.exe executing autoupdate.vbs through wscript.exe, and the associated user context change between user Bob and user Kmitnick [Telemetry, General Behavior] (40)
  FireEye: Enrichment of cmd.exe spawning wscript.exe with Wscript Execution alert (tagged with correct ATT&CK Technique, T1059 - Command-Line Interface, and Tactic, Execution); Telemetry showing cmd.exe executing autoupdate.vbs [Enrichment, Telemetry] (25)
  McAfee: Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick; Enrichment of wscript.exe executing autoupdate.vbs with the correct ATT&CK Tactic (Execution) and Technique (Command Line Interface) [Telemetry, Enrichment] (25)
  Microsoft: Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick (tainted by parent PowerShell alerts); Parent alert for PowerShell script with suspicious content tainting powershell.exe (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert); Parent alert for malicious PowerShell cmdlet tainting powershell.exe (same caveat); Parent alert for PowerShell with suspicious command-line tainting powershell.exe (same caveat) [Telemetry-Tainted] (7)
  PaloAltoNetworks: Indicator of Compromise alert identifying PowerShell Empire using the Runas functionality; Enrichment of wscript.exe executing autoupdate.vbs with a related ATT&CK Technique (Scripting); Telemetry showing cmd.exe executing autoupdate.vbs (tainted by a parent alert on wscript.exe) [Telemetry-Tainted, Enrichment, Indicator of Compromise] (42)
  RSA: Telemetry showing cmd.exe executing autoupdate.vbs as user Kmitnick [Telemetry] (10)
  SentinelOne: Telemetry showing cmd.exe launching autoupdate.vbs (tainted by relationship to threat story) [Telemetry-Tainted] (7)
2.F.1 | (procedure cell empty) | all twelve vendors: None (0)
2.F.3 | (procedure cell empty) | all twelve vendors: None (0)
2.C.2 | (procedure cell empty) | all twelve vendors: None (0)
2.G.1 | (procedure cell empty) | all twelve vendors: None (0)
2.G.2 | (procedure cell empty) | all twelve vendors: None (0)
2.F.2 | (procedure cell empty) | all twelve vendors: None (0)
7.C.1 | (procedure cell empty) | all twelve vendors: None (0)
8.A.1 | (procedure cell empty) | all twelve vendors: None (0)
8.A.2 | (procedure cell empty) | all twelve vendors: None (0)
2.H.1 | (procedure cell empty) | all twelve vendors: None (0)
4.A.2 | (procedure cell empty) | all twelve vendors: None (0)
6.A.1 | (procedure cell empty) | all twelve vendors: None (0)
4.A.1 | (procedure cell empty) | all twelve vendors: None (0)
4.B.1 | (procedure cell empty) | all twelve vendors: None (0)
4.C.1 | (procedure cell empty) | all twelve vendors: None (0)
Technique: System Service Discovery / Discovery (T1007)
Columns: Step | Procedure | then, per vendor (CarbonBlack, CounterTack, CrowdStrike, Cybereason, Endgame, F-Secure, FireEye, McAfee, Microsoft, PaloAltoNetworks, RSA, SentinelOne): detection description(s) [detection type(s)] (score)
12.D.1 | Empire: 'net start' via PowerShell
  CarbonBlack: Telemetry from process tree showing net.exe with command-line arguments [Telemetry] (10)
  CounterTack: Telemetry showing net.exe with command-line arguments (tainted by parent Script File Created alert) [Telemetry-Tainted] (7)
  CrowdStrike: Email excerpt from the OverWatch team indicating net start was part of basic reconnaissance activity (General Behavior); Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity) [Telemetry-Tainted, General Behavior-Delayed] (34)
  Cybereason: General Behavior alert for net.exe executing with the correct ATT&CK Tactic (System Services Discovery) and Technique (Discovery); Process tree showing alerted net.exe with correct ATT&CK Technique (System Service Discovery) (tainted by a parent PowerShell alert) [General Behavior-Tainted, Telemetry] (37)
  Endgame: Telemetry showing net.exe with command-line arguments; Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry) [Telemetry-Tainted, Enrichment-Tainted-Delayed] (16)
  F-Secure: General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing powershell.exe executing net.exe with command-line arguments [Telemetry, General Behavior] (40)
  FireEye: Enrichment of net.exe with Net Start Command Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery); Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior) [Enrichment, General Behavior-Delayed] (42)
  McAfee: General Behavior alert was generated for net or sc command executed through PowerShell, tagged with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery); Telemetry showing qprocess.exe with command-line arguments (tainted by a parent alert on wscript.exe); Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Windows services were manipulated via sc.exe/net.exe [Telemetry-Tainted, Enrichment, General Behavior] (52)
  Microsoft: Process tree view of "Suspicious sequence of discovery activities" alert context with net.exe command-line arguments; Telemetry showing execution sequence of powershell.exe executing net.exe with command-line arguments; General Behavior alert description for "Suspicious sequence of discovery activities"; Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process [Telemetry-Tainted, General Behavior-Delayed] (34)
  PaloAltoNetworks: Telemetry showing powershell.exe executing net.exe with command-line arguments (tainted by a parent alert on wscript.exe); General Behavior alert for net.exe executing as an enumeration command called by a commonly abused causality group owner (CGO, wscript.exe) (tainted by a parent alert on wscript.exe); Enrichment of net.exe executing as the execution of an enumeration command (tainted by a parent alert on wscript.exe) [Telemetry-Tainted, Enrichment-Tainted, General Behavior-Tainted] (46)
  RSA: Telemetry showing net.exe with command-line arguments [Telemetry] (10)
  SentinelOne: Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter); Threat story showing initial compromise alert and powershell.exe tainting net.exe [Telemetry-Tainted] (7)
17.A.1 | Empire: 'reg query' via PowerShell to enumerate a specific Registry key associated with terminal services
  CarbonBlack: Telemetry from process tree showing reg.exe with command-line arguments [Telemetry] (10)
  CounterTack: Telemetry showing powershell.exe executing reg.exe (tainted by the parent "New Windows service created" alert) [Telemetry-Tainted] (7)
  CrowdStrike: Telemetry from process tree view showing reg.exe executing with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity) [Telemetry-Tainted] (7)
  Cybereason: Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert) [Telemetry-Tainted] (7)
  Endgame: Telemetry from event tree showing reg.exe; Event tree view showing tainted powershell.exe with reg.exe child process [Telemetry-Tainted] (7)
  F-Secure: Telemetry showing reg.exe with command-line arguments [Telemetry] (10)
  FireEye: Telemetry showing reg.exe executing with command-line arguments (tainted by parent Reg Execution alert) [Telemetry-Tainted] (7)
  McAfee: Enrichment of reg.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Registry was queried for remote services RDP; Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert); Enrichment of powershell.exe that executed reg.exe with the ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that PowerShell queried terminal services Registry [Telemetry-Tainted, Enrichment, Enrichment] (37)
  Microsoft: Process tree view of suspicious PowerShell command-line alert showing tainted relationship to reg.exe query; Telemetry showing reg.exe query for terminal server setting [Telemetry-Tainted] (7)
  PaloAltoNetworks: Telemetry showing powershell.exe executing reg with command-line arguments (tainted by a parent alert on cmd.exe); Enrichment of reg.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery); Enrichment of reg.exe executing with command-line arguments as the terminal server key queried by the reg utility (tainted by a parent alert on cmd.exe) [Telemetry-Tainted, Enrichment-Tainted, Enrichment] (34)
  RSA: Telemetry showing reg.exe query for terminal server setting [Telemetry] (10)
  SentinelOne: Threat story graph showing telemetry of reg.exe with query for terminal server setting (tainted by prior lateral movement alert by Group ID) [Telemetry-Tainted] (7)
16.J.1 | Empire: 'sc qc' via PowerShell to remotely enumerate a specific service on Creeper (10.0.0.4)
  CarbonBlack: Telemetry from process tree showing sc.exe execution to query the AdobeUpdater service on Creeper; Enrichment of sc.exe executing query services with correct ATT&CK Technique (System Service Discovery) [Telemetry, Enrichment] (25)
  CounterTack: Enrichment showing powershell.exe executing sc.exe query AdobeUpdater service on Creeper (enriched with condition SC QC Reconnaissance Command, tainted by the parent "Powershell executed remote commands" alert) [Enrichment-Tainted-Configuration Change] (9)
  CrowdStrike: Email excerpt sent by OverWatch team indicating they observed Bob querying for a service (Specific Behavior); Telemetry showing sc.exe execution to query the AdobeUpdater service on Creeper, process tree view (tainted from previous powershell.exe detection by red line indicating high severity) [Telemetry-Tainted, Specific Behavior-Delayed] (64)
  Cybereason: Telemetry showing sc.exe executing with command-line arguments (tainted by a parent PowerShell alert) [Telemetry-Tainted] (7)
  Endgame: Enriched event tree showing enrichment of sc.exe execution with correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts, tree is initially available unenriched to show the base telemetry) [Telemetry-Tainted, Enrichment-Delayed-Tainted] (16)
  F-Secure: General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing sc.exe with command-line arguments [Telemetry, General Behavior] (40)
  FireEye: Additional details on enrichment of sc.exe with SC Execution alert; Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with the correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery) [Enrichment] (15)
  McAfee: Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe); Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that the configuration of a system service was queried [Telemetry-Tainted, Enrichment] (22)
  Microsoft: Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert); Telemetry from CodeRed showing execution sequence of sc.exe service query for AdobeUpdater on Creeper [Telemetry-Tainted] (7)
  PaloAltoNetworks: Enrichment of powershell.exe executing sc.exe as enumeration of services via the command line (tainted by a parent alert on wscript.exe); Telemetry showing powershell.exe executing sc.exe with command-line arguments (tainted by a parent alert on wscript.exe) [Telemetry-Tainted, Enrichment-Tainted] (19)
  RSA: Telemetry showing execution of sc.exe to query the AdobeUpdater service on 10.0.0.4 (Creeper) [Telemetry] (10)
  SentinelOne: Telemetry showing execution of sc.exe to query AdobeUpdater service on Creeper (tainted by relationship to threat story) [Telemetry-Tainted] (7)
2.D.2 | Cobalt Strike: 'net start' via cmd
  CarbonBlack: Enrichment of net.exe with correct ATT&CK Technique (System Service Discovery); Telemetry from process tree showing net.exe with command-line arguments [Telemetry, Enrichment] (25)
  CounterTack: Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert) [Telemetry-Tainted] (7)
  CrowdStrike: Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net start not specifically shown); Telemetry showing net with command-line arguments [Telemetry-Tainted] (7)
  Cybereason: Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) (tainted by a parent Injected Shellcode alert); Telemetry showing cmd.exe executing net with command-line arguments [Enrichment-Tainted, Telemetry] (22)
  Endgame: General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period; Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection); Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection) [Telemetry-Tainted, General Behavior-Configuration Change-Delayed-Tainted] (28)
  F-Secure: Telemetry showing net.exe with command-line arguments; General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe); General Behavior alert for rundll32.exe launching cmd.exe (executing net) [General Behavior, Telemetry, General Behavior] (70)
  FireEye: Excerpt from the Managed Defense Report with additional details about net; Excerpt from the Managed Defense Report indicating net was used to enumerate current running services (Specific Behavior); Enrichment of net.exe with Net Start Command Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery) [Enrichment, Specific Behavior-Delayed] (72)
  McAfee: Process tree within trace detection containing cmd.exe executing the net.exe (tainted by a parent alert on Resume Viewer.exe); Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Windows service was manipulated via sc.exe/net.exe tool [Telemetry-Tainted, Enrichment] (22)
  Microsoft: Telemetry showing execution sequence for net.exe with command-line arguments; Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing net.exe with command-line arguments [Telemetry-Tainted] (7)
  PaloAltoNetworks: Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine); Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) [Telemetry-Tainted, Enrichment-Tainted] (19)
  RSA: Telemetry showing net.exe with command-line arguments [Telemetry] (10)
  SentinelOne: Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story) [Telemetry-Tainted] (7)
2.D.1 Cobalt Strike: 'sc query' via cmd
- Carbon Black [25: Telemetry, Enrichment] Enrichment of sc.exe with correct ATT&CK Technique (System Service Discovery); Telemetry from process tree showing sc.exe with command-line arguments
- CounterTack [9: Enrichment-Tainted-Configuration Change] Enrichment of sc.exe with condition SC Query Reconnaissance Command (tainted by the parent Script File Created alert)
- CrowdStrike [34: Telemetry-Tainted, General Behavior-Delayed] Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (sc query not specifically shown); Email excerpt from the OverWatch team indicating sc query was a reconnaissance command (General Behavior); Telemetry showing sc with command-line arguments
- Cybereason [22: Enrichment-Tainted, Telemetry] Telemetry showing cmd.exe executing sc with command-line arguments; Enrichment of sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) (tainted by a parent Injected Shellcode alert)
- Endgame [28: Telemetry-Tainted, General Behavior-Configuration Change-Delayed-Tainted] General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period; Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection); Telemetry showing sc.exe with command-line arguments (tainted by parent Malicious File Detection)
- F-Secure [40: Telemetry, General Behavior] General Behavior alert showing that a spawned process (cmd.exe running sc) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
- FireEye [72: Enrichment, Specific Behavior-Delayed] Enrichment of sc.exe with SC Execution alert (tagged with correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery); Excerpt from the Managed Defense Report indicating sc was used to enumerate current running services (Specific Behavior); Excerpt from the Managed Defense Report with additional details about sc; Additional details from enrichment of sc.exe
- McAfee [22: Telemetry-Tainted, Enrichment] Process tree within trace detection containing cmd.exe executing the sc.exe (tainted by a parent alert on Resume Viewer.exe); Enrichment of sc.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that a Windows service was manipulated via sc.exe/net.exe tool
- Microsoft [37: Telemetry, General Behavior-Delayed] Process tree view of General Behavior alert on suspicious sequence of exploration activities showing sc.exe; Telemetry showing execution sequence for sc.exe with command-line arguments; General Behavior alert on suspicious sequence of exploration activities
- Palo Alto Networks [7: Telemetry-Tainted] Telemetry showing cmd.exe executing sc with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
- RSA [10: Telemetry] Telemetry showing sc.exe with command-line arguments
- SentinelOne [7: Telemetry-Tainted] Telemetry showing sc.exe with command-line arguments (tainted by relationship to threat story)
12.E.1.8 Empire: WinEnum module included enumeration of services
- Carbon Black [0: None]
- CounterTack [0: None]
- CrowdStrike [0: None]
- Cybereason [0: None]
- Endgame [0: None] Interactive Shell events showing the WinEnum script and the Services function (does not count as a detection due to manual process of pulling events)
- F-Secure [10: Telemetry] Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
- FireEye [0: None]
- McAfee [0: None]
- Microsoft [10: Telemetry] Telemetry of execution sequence showing Get-Service invocation
- Palo Alto Networks [15: Enrichment] Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery)
- RSA [0: None]
- SentinelOne [0: None]
16.H.1 Empire: 'sc query' via PowerShell to remotely enumerate services on Creeper (10.0.0.4)
- Carbon Black [25: Telemetry, Enrichment] Enrichment of sc.exe executing to query services with correct ATT&CK Technique (System Service Discovery); Telemetry showing module loads from execution of sc.exe to remotely query services on Creeper (10.0.0.4); Telemetry from process tree showing sc.exe execution for the service query
- CounterTack [9: Enrichment-Tainted-Configuration Change] Enrichment showing powershell.exe executing sc.exe to query services on Creeper (enriched with condition SC Query Reconnaissance Command, tainted by the parent "Powershell executed remote commands" alert)
- CrowdStrike [64: Telemetry-Tainted, Specific Behavior-Delayed] Telemetry from process tree showing sc.exe execution to query services on Creeper (tainted from previous powershell.exe detection by red line indicating high severity); Email excerpt sent by OverWatch team indicating they observed Bob querying for a service on Creeper (Specific Behavior)
- Cybereason [7: Telemetry-Tainted] Telemetry of sc.exe executing with command-line arguments (tainted by a parent PowerShell alert)
- Endgame [16: Telemetry-Tainted, Enrichment-Delayed-Tainted] Enrichment of sc.exe execution to query services on Creeper with correct ATT&CK Technique (T1007 - System Service Discovery) and Tactic (Discovery) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts; tree is initially available unenriched to show the base telemetry); Telemetry showing sc.exe execution to query services on Creeper
- F-Secure [40: Telemetry, General Behavior] General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing powershell.exe executing sc.exe with command-line arguments
- FireEye [15: Enrichment] Additional details on enrichment of sc.exe with SC Execution alert; Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with the correct ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
- McAfee [22: Telemetry-Tainted, Enrichment] Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe); Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Windows service was manipulated via sc.exe/net.exe tool
- Microsoft [7: Telemetry-Tainted] Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day; specific instance of this procedure not shown in this alert); Telemetry from CodeRed showing execution sequence of sc.exe service query to Creeper
- Palo Alto Networks [49: Telemetry-Tainted, General Behavior-Tainted, Enrichment] Telemetry showing powershell.exe executing sc with command-line arguments (tainted by a parent alert on wscript.exe); Enrichment of sc.exe executing with command-line arguments with the correct ATT&CK Technique (System Service Discovery); General Behavior alert for the sc utility being used to perform actions on remote services (tainted by a parent alert on wscript.exe)
- RSA [10: Telemetry] Telemetry showing execution of sc.exe to query services on 10.0.0.4 (Creeper)
- SentinelOne [7: Telemetry-Tainted] Telemetry showing execution of sc.exe to query services on Creeper (tainted by relationship to threat story)
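Two things recur in every cell above: enrichment (an ATT&CK tactic and technique attached to an otherwise plain sc.exe or net.exe event) and tainting (the event is ordinary on its own, but an alert on an ancestor process, here the Injected Shellcode alert on rundll32.exe, is inherited down the process tree, which is what the -Tainted suffix means). The Python below is an added illustration of both mechanisms written for this page; it is not code from MITRE or from any of the vendors. The process events, pids and the parent alert are constructed to mirror the 'net start' and 'sc query' rows, including the remote 'sc \\Creeper query' of 16.H.1, and the enrichment table is my own minimal one.

```python
"""Added example: ATT&CK enrichment plus parent-alert tainting over a process tree.
Events, pids and the parent alert are constructed to mirror the rows above."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation telemetry (not real data): rundll32.exe, already
# alerted on, spawns cmd.exe shells that run 'net start' and 'sc query'; a
# separate powershell.exe runs the remote 'sc \\Creeper query' of step 16.H.1;
# an unrelated admin cmd.exe runs a local 'sc query' with no alerted ancestor.
EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "rundll32.exe", "rundll32.exe"),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c net start"),
    ProcEvent(301, 300, "net.exe", "net start"),
    ProcEvent(302, 200, "cmd.exe", "cmd.exe /c sc query"),
    ProcEvent(303, 302, "sc.exe", "sc query"),
    ProcEvent(400, 100, "powershell.exe", "powershell.exe -NoP -W Hidden"),
    ProcEvent(401, 400, "sc.exe", r"sc \\Creeper query"),
    ProcEvent(500, 100, "cmd.exe", "cmd.exe /c sc query"),
    ProcEvent(501, 500, "sc.exe", "sc query"),
]

# Alerts the EDR already holds on this tree (constructed): the implant host process.
PARENT_ALERTS = {200: "Injected Shellcode"}

# Enrichment table (my assumption): (image, verb) -> ATT&CK technique, 2019 numbering.
ENRICH = {
    ("net.exe", "start"): "T1007 System Service Discovery",
    ("sc.exe", "query"): "T1007 System Service Discovery",
    ("sc.exe", "queryex"): "T1007 System Service Discovery",
}


def parse_verb(cmdline: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (remote_host, verb) for 'sc \\\\HOST verb ...', 'sc verb ...' or 'net verb ...'."""
    parts = cmdline.split()
    if len(parts) < 2:
        return None, None
    host, rest = None, parts[1:]
    if rest[0].startswith("\\\\"):          # sc \\HOST verb ... : remote target
        host, rest = rest[0][2:], rest[1:]
    return host, (rest[0].lower() if rest else None)


def enrich(ev: ProcEvent) -> Optional[Dict]:
    """Attach a technique to a bare sc.exe/net.exe event; None if the verb is not discovery."""
    host, verb = parse_verb(ev.cmdline)
    tech = ENRICH.get((ev.image.lower(), verb))
    if tech is None:
        return None
    out = {"pid": ev.pid, "technique": tech, "verb": verb}
    if host:
        out["remote_host"] = host           # remote enumeration deserves its own severity
    return out


def taint(events: List[ProcEvent], alerts: Dict[int, str]) -> Dict[int, str]:
    """For every process, inherit the nearest alerted ancestor's alert (the 'tainted' label)."""
    by_pid = {e.pid: e for e in events}
    tainted: Dict[int, str] = {}
    for e in events:
        cur = by_pid.get(e.ppid)
        while cur is not None:
            if cur.pid in alerts:
                tainted[e.pid] = alerts[cur.pid]
                break
            cur = by_pid.get(cur.ppid)
    return tainted


def detections(events: List[ProcEvent] = EVENTS,
               alerts: Dict[int, str] = PARENT_ALERTS) -> List[Dict]:
    """Enriched events labelled the way the table does: Enrichment vs Enrichment-Tainted."""
    tainted = taint(events, alerts)
    out = []
    for e in events:
        d = enrich(e)
        if d is None:
            continue
        d["label"] = "Enrichment-Tainted" if e.pid in tainted else "Enrichment"
        d["tainted_by"] = tainted.get(e.pid)
        out.append(d)
    return out


if __name__ == "__main__":
    for d in detections():
        print(d)
```

Run it and the two sc/net commands under rundll32.exe come out as Enrichment-Tainted, the remote query under an un-alerted powershell.exe as plain Enrichment with remote_host set, and the admin's local 'sc query' as plain Enrichment: the three label classes the table distinguishes, and a reminder that a taint is only as good as the parent alert that seeds it.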
File Permissions Modification (Defense Evasion, T1222)

17.B.1 Empire: 'takeown' via PowerShell to obtain ownership of magnify.exe
- Carbon Black [22: Telemetry, Enrichment-Configuration Change] Enrichment of takeown.exe execution with tag "Permission modifications"; Telemetry from process tree showing takeown.exe with command-line arguments
- CounterTack [7: Telemetry-Tainted] Telemetry showing powershell.exe executing takeown.exe (tainted by the parent "New Windows service created" alert)
- CrowdStrike [34: Telemetry-Tainted, General Behavior-Delayed] Telemetry from process tree view showing execution of takeown.exe (tainted by previous powershell.exe detection by red line indicating high severity); Email excerpt sent by OverWatch team indicating they observed takeown.exe executed to bypass Windows logon (General Behavior)
- Cybereason [37: General Behavior-Tainted, Telemetry] General Behavior alert for takeown.exe performing activity related to swapping an accessibility features binary (tainted by a parent PowerShell alert)
- Endgame [7: Telemetry-Tainted] Telemetry from event tree showing takeown.exe (tainted by parent alerts on powershell.exe)
- F-Secure [100: Telemetry, Specific Behavior, General Behavior] Telemetry showing takeown.exe with command-line arguments; Specific Behavior alert for takeown.exe changing the ownership of an accessibility feature executable; General Behavior alert showing that a spawned process (takeown) has been tagged for monitoring because its parent process has a detection (powershell.exe)
- FireEye [15: Enrichment] Enrichment of takeown.exe with Takeown Execution alert
- McAfee [22: Telemetry-Tainted, Enrichment] Enrichment of takeown.exe with a suspicious indicator that the takeown command was executed to obtain ownership of a file or directory; Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert)
- Microsoft [7: Telemetry-Tainted] Telemetry showing takeown.exe execution with magnify.exe in command-line arguments; Process tree view of suspicious PowerShell command-line alert showing tainted relationship to takeown.exe
- Palo Alto Networks [34: Telemetry-Tainted, Enrichment-Tainted, Enrichment] Enrichment of takeown.exe executing with command-line arguments as changing permission or ownership of a file or folder (tainted by a parent alert on cmd.exe); Enrichment of takeown.exe executing with command-line arguments with the correct ATT&CK Technique (File Permissions Modification); Telemetry showing powershell.exe executing takeown with command-line arguments (tainted by a parent alert on cmd.exe)
- RSA [10: Telemetry] Telemetry showing takeown.exe execution with magnify.exe in command-line arguments
- SentinelOne [12: Enrichment-Tainted] Enrichment showing takeown.exe execution (tainted by prior lateral movement alert by Group ID)
17.B.2 Empire: 'icacls' via PowerShell to modify the DACL for magnify.exe
- Carbon Black [22: Telemetry, Enrichment-Configuration Change] Enrichment of icacls.exe execution with tag "Permission modifications"; Telemetry from process tree showing icacls.exe with command-line arguments
- CounterTack [7: Telemetry-Tainted] Telemetry showing powershell.exe executing icacls.exe (tainted by the parent "New Windows service created" alert)
- CrowdStrike [34: Telemetry-Tainted, General Behavior-Delayed] Telemetry from process tree view showing execution of icacls.exe (tainted by previous powershell.exe detection by red line indicating high severity); Email excerpt sent by OverWatch team indicating they observed icacls.exe executed to bypass Windows logon (General Behavior)
- Cybereason [7: Telemetry-Tainted] Telemetry showing icacls.exe executing with command-line arguments (tainted by a parent PowerShell alert)
- Endgame [7: Telemetry-Tainted] Telemetry from event tree showing icacls.exe (tainted by parent alerts on powershell.exe)
- F-Secure [100: Telemetry, Specific Behavior, General Behavior] Telemetry showing icacls.exe with command-line arguments; Specific Behavior alert for icacls.exe changing the permissions of an accessibility feature executable; General Behavior alert showing that a spawned process (icacls) has been tagged for monitoring because its parent process has a detection (powershell.exe)
- FireEye [15: Enrichment] Enrichment of icacls.exe with Icacls Execution alert
- McAfee [22: Telemetry-Tainted, Enrichment] Enrichment of icacls.exe with a suspicious indicator that full access permissions were given to certain users; Telemetry of reg.exe executing with command-line arguments (tainted by a parent PowerShell alert)
- Microsoft [7: Telemetry-Tainted] Telemetry showing icacls.exe execution with magnify.exe in command-line arguments; Process tree view of suspicious PowerShell command-line alert showing tainted relationship to reg.exe query
- Palo Alto Networks [22: Telemetry-Tainted, Enrichment] Telemetry showing powershell.exe executing icacls with command-line arguments (tainted by a parent alert on cmd.exe); Enrichment of icacls.exe executing with command-line arguments with the correct ATT&CK Technique (File Permissions Modification)
- RSA [10: Telemetry] Telemetry showing icacls.exe execution with magnify.exe in command-line arguments
- SentinelOne [7: Telemetry-Tainted] Telemetry showing icacls.exe execution (tainted by prior lateral movement alert by Group ID)
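takeown and icacls against magnify.exe (17.B.1, 17.B.2) are the staging for the accessibility-feature backdoor used later in 20.B.1, where magnify.exe launched at the RDP logon screen is really cmd.exe and spawns whoami. F-Secure's Specific Behavior alerts name the target class ("an accessibility feature executable") rather than the one file, which is the right granularity. The following Python is an added example written for this page, not code from the page or from any vendor; it looks for the three observable stages on constructed events. The list of accessibility binaries, the set of "shell-like" children, and the orig field standing in for the PE OriginalFileName an EDR reads from disk are my assumptions.

```python
"""Added example: the three observable stages of an accessibility-feature backdoor,
staged by takeown/icacls (17.B.1, 17.B.2) and used when magnify.exe spawns whoami (20.B.1).
Events are constructed; 'orig' stands for the PE OriginalFileName an EDR reads from disk."""
import re
from typing import Dict, List, Optional

# Assumption: the logon-screen accessibility binaries worth guarding.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}
# Assumption: children an accessibility tool has no business spawning.
SHELL_LIKE = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "sc.exe"}

# Constructed process events (not real telemetry).
EVENTS = [
    dict(pid=10, ppid=1, image="powershell.exe", orig="PowerShell.EXE",
         cmdline="powershell -NoP -enc ...", user="CORP\\bob"),
    dict(pid=11, ppid=10, image="takeown.exe", orig="takeown.exe",
         cmdline=r"takeown /f C:\Windows\System32\magnify.exe", user="CORP\\bob"),
    dict(pid=12, ppid=10, image="icacls.exe", orig="icacls.exe",
         cmdline=r"icacls C:\Windows\System32\magnify.exe /grant Everyone:F", user="CORP\\bob"),
    # later, at the RDP logon screen: winlogon (pid 2, not listed) launches 'magnify.exe'
    dict(pid=20, ppid=2, image="magnify.exe", orig="Cmd.Exe",
         cmdline="magnify.exe", user="NT AUTHORITY\\SYSTEM"),
    dict(pid=21, ppid=20, image="whoami.exe", orig="whoami.exe",
         cmdline="whoami", user="NT AUTHORITY\\SYSTEM"),
    # a genuine Magnifier launch, for contrast
    dict(pid=30, ppid=2, image="magnify.exe", orig="MAGNIFY.EXE",
         cmdline="magnify.exe", user="CORP\\alice"),
]

_EXE_RE = re.compile(r"([\w\-]+\.exe)", re.IGNORECASE)


def targets_accessibility_binary(cmdline: str) -> Optional[str]:
    """Name of the accessibility binary a takeown/icacls command line operates on, if any."""
    for m in _EXE_RE.finditer(cmdline):
        name = m.group(1).lower()
        if name in ACCESSIBILITY_BINARIES:
            return name
    return None


def detect(events: List[Dict] = EVENTS) -> List[Dict]:
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = e["image"].lower()
        # Stage 1: ownership or DACL change on an accessibility binary (T1222 used as staging).
        if img in ("takeown.exe", "icacls.exe"):
            tgt = targets_accessibility_binary(e["cmdline"])
            if tgt:
                alerts.append(dict(pid=e["pid"], kind="Specific Behavior",
                                   technique="T1222", why=f"{img} modified {tgt}"))
        # Stage 2: the file is named like an accessibility tool but the PE says otherwise.
        if img in ACCESSIBILITY_BINARIES and e["orig"].lower() != img:
            alerts.append(dict(pid=e["pid"], kind="Specific Behavior",
                               technique="T1036", why=f"{img} has OriginalFileName {e['orig']}"))
        # Stage 3: an accessibility tool spawning a shell-like child (the backdoor in use).
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() in ACCESSIBILITY_BINARIES and img in SHELL_LIKE:
            alerts.append(dict(pid=e["pid"], kind="General Behavior",
                               technique="T1015", why=f"{parent['image']} spawned {img}"))
    return alerts


if __name__ == "__main__":
    for a in detect():
        print(a)
```

Stage 2 is what several cells call a "file name mismatch" and is the cheapest of the three: it needs no command line at all, only the version resource, and the genuine Magnifier launch at the end passes it. Stage 3 is the one that fires at the moment of use, which is why the whoami row in 20.B.1 is the place to look for it.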
Masquerading (Defense Evasion, T1036)

19.A.1 Empire: File dropped to disk is a renamed copy of the WinRAR binary
- Carbon Black [10: Telemetry] Telemetry showing filemod creation of recycler.exe; Binary metadata showing recycler.exe is WinRAR.exe based on digital signature and file version information
- CounterTack [0: None]
- CrowdStrike [10: Telemetry] Telemetry showing SHA256 hash of recycler.exe
- Cybereason [7: Telemetry-Tainted] Telemetry showing recycler.exe identified as WinRAR via file metadata (tainted by a parent PowerShell alert)
- Endgame [0: None]
- F-Secure [0: None]
- FireEye [64: Telemetry-Tainted, Specific Behavior-Delayed] Parent alert for PowerShell File Write showing tainting of recycler.exe telemetry; Excerpt from the Managed Defense Report of the attacker placing the WinRAR utility on the system as recycler.exe (Specific Behavior); Telemetry showing MD5 hash of recycler.exe
- McAfee [10: Telemetry] Telemetry showing the MD5/SHA256 hash value of recycler.exe
- Microsoft [10: Telemetry] Telemetry showing file creation of recycler.exe by powershell.exe showing hash and signer information as win.rar GmbH; Binary reputation and metadata for recycler.exe showing WinRAR information
- Palo Alto Networks [7: Telemetry-Tainted] Telemetry showing file create/write and hash values of recycler.exe (tainted by a parent alert on wscript.exe)
- RSA [0: None]
- SentinelOne [7: Telemetry-Tainted] Telemetry showing file write of recycler.exe with file hashes; Telemetry exported from threat story showing recycler.exe file write tainted by prior activity because it was under the same Group ID
16.I.1 Empire: 'sc description' via PowerShell to remotely disguise a service on Creeper (10.0.0.4)
- Carbon Black [10: Telemetry] Telemetry from process tree showing sc.exe execution setting the AdobeUpdater service description; Telemetry from process tree showing sc.exe execution creating the AdobeUpdater service
- CounterTack [7: Telemetry-Tainted] Telemetry showing powershell.exe executing sc.exe to create the AdobeUpdater service on Creeper and set its description (tainted by the parent "Powershell executed remote commands" alert)
- CrowdStrike [7: Telemetry-Tainted] Telemetry from process tree showing sc.exe execution with the AdobeUpdater service description (tainted from previous powershell.exe detection by red line indicating high severity); Telemetry showing AdobeUpdater service details with binPath pointed to cmd.exe with arguments and service description
- Cybereason [7: Telemetry-Tainted] Telemetry showing sc.exe executing with command-line arguments (tainted by a parent PowerShell alert)
- Endgame [7: Telemetry-Tainted] Telemetry of sc.exe executions to create and set the description of a new service on Creeper (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts)
- F-Secure [40: Telemetry, General Behavior] General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing sc.exe with command-line arguments
- FireEye [15: Enrichment] Additional details on enrichment of sc.exe with SC Execution alert; Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with the related ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
- McAfee [7: Telemetry-Tainted] Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe)
- Microsoft [7: Telemetry-Tainted] Telemetry showing execution sequence of sc.exe AdobeUpdater remote service creation; Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day; specific instance of this procedure not shown in this alert)
- Palo Alto Networks [7: Telemetry-Tainted] Telemetry showing execution of sc.exe with command-line arguments (tainted by a parent alert on wscript.exe)
- RSA [10: Telemetry] Telemetry showing execution of sc.exe to create the AdobeUpdater service and set its description
- SentinelOne [7: Telemetry-Tainted] Telemetry showing execution of sc.exe to create the AdobeUpdater service and set the description (partially shown one line above; both tainted by prior threat story)
19.B.1 Empire: Executed binary (recycler.exe) is a renamed copy of the WinRAR binary
- Carbon Black [70: Telemetry, Specific Behavior] Telemetry showing recycler.exe with command-line arguments indicating it is WinRAR; Specific Behavior alert for recycler.exe masquerading as a renamed WinRAR process
- CounterTack [16: Enrichment-Tainted-Configuration Change, Telemetry-Tainted] Enrichment showing recycler.exe creating old.rar (enriched with "Data Exfiltration Archiving", tainted by parent "Powershell executed encoded command" alerts); Telemetry showing recycler.exe with full command-line (tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts)
- CrowdStrike [124: Specific Behavior-Tainted, Telemetry, Specific Behavior-Delayed] Specific Behavior alert showing recycler.exe was identified as WinRAR (tainted by previous powershell.exe detection by red line indicating high severity); Email excerpt sent by OverWatch team indicating they observed a .vsdx file archived using the renamed RAR binary, recycler.exe (Specific Behavior); Additional alert details showing recycler.exe was signed by win.rar GmbH
- Cybereason [7: Telemetry-Tainted] Telemetry showing recycler.exe execution (tainted by a parent PowerShell alert)
- Endgame [64: Specific Behavior-Tainted, Telemetry-Tainted] Telemetry showing execution of recycler.exe with command-line arguments and creation of old.rar output (tainted by Windows Script Executing PowerShell alert); Specific Behavior alert for the execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar" (tainted by Windows Script Executing PowerShell alert)
- F-Secure [10: Telemetry] Telemetry showing recycler.exe metadata, which identified it as WinRAR
- FireEye [162: General Behavior, Enrichment, Enrichment, General Behavior, Enrichment, Specific Behavior-Delayed] Enrichment of -hp command line with Possible Encrypted RAR Archive Command alert (tagged with related ATT&CK Techniques, T1022 - Data Encrypted and T1002 - Data Compressed); Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration); General Behavior alert for Execution from Suspicious Directory; General Behavior alert for File Write To Root Of Recycle Bin; Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration); Excerpt from the Managed Defense Report indicating the attacker executed recycler.exe to create an encrypted RAR file (Specific Behavior)
- McAfee [7: Telemetry-Tainted] Telemetry showing the execution of recycler.exe with command-line arguments (tainted by a parent alert on cmd.exe); Telemetry showing the creation of old.rar (tainted by a parent alert on cmd.exe)
- Microsoft [7: Telemetry-Tainted] Telemetry showing execution of recycler.exe with command-line arguments for file encryption and compression indicating it is WinRAR; Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown)
- Palo Alto Networks [22: Telemetry-Tainted, Enrichment] Telemetry showing recycler.exe execution (tainted by a parent alert on wscript.exe); Enrichment of recycler.exe executing with command-line arguments with a related ATT&CK Technique (Masquerading)
- RSA [10: Telemetry] Telemetry showing execution of recycler.exe with command-line arguments indicating it is WinRAR
- SentinelOne [12: Enrichment-Tainted] Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the same Group ID; Enrichment showing the execution of recycler.exe with process name identified as "Command line RAR"
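Several cells in 19.A.1 and 19.B.1 reach the same conclusion from different evidence: file metadata and signer (Carbon Black, Cybereason, F-Secure, Microsoft), the WinRAR-specific command line (Carbon Black, RSA), or the -hp switch that FireEye enriches as a Possible Encrypted RAR Archive Command and also flags as execution from a suspicious directory. The Python below is an added example, not code from the page or from any vendor, that combines those checks on constructed metadata; the suspicious-directory list, the made-up password and the sample paths are assumptions. It also scores a genuine WinRAR and a genuine rar.exe to show what the name-mismatch check must not fire on.

```python
"""Added example: recognise a renamed WinRAR the way the 19.A.1/19.B.1 cells describe it
(on-disk name vs PE OriginalFileName and signer) and enrich its command line the way
FireEye's 'Possible Encrypted RAR Archive Command' cell does (-hp switch).  All metadata
and command lines below are constructed; the password is made up."""
from typing import Dict, List, Optional, Tuple

# Constructed file/process metadata as an EDR would record it (not real telemetry).
# 'orig' = OriginalFileName from the version resource, 'signer' = Authenticode subject.
SAMPLES = [
    dict(path=r"C:\$Recycle.Bin\recycler.exe", orig="WinRAR.exe", signer="win.rar GmbH",
         cmdline=r'recycler.exe a -hp"Pa55w0rd" -r old.rar C:\Users\bob\Documents\*.vsdx'),
    dict(path=r"C:\Program Files\WinRAR\WinRAR.exe", orig="WinRAR.exe", signer="win.rar GmbH",
         cmdline=r"WinRAR.exe a backup.rar C:\reports\*"),
    dict(path=r"C:\Windows\System32\magnify.exe", orig="Cmd.Exe", signer="Microsoft Windows",
         cmdline="magnify.exe"),
    dict(path=r"C:\Tools\rar.exe", orig="Rar.exe", signer="win.rar GmbH",
         cmdline="rar.exe a -hp1234 out.rar secrets"),
]

# Assumption: directories a signed archiver should not be running from.
SUSPICIOUS_DIRS = ("$recycle.bin", "\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def name_mismatch(sample: Dict) -> Optional[str]:
    """Masquerading check: basename on disk vs OriginalFileName, case-insensitive, extension dropped."""
    disk = sample["path"].rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    orig = sample["orig"].lower().rsplit(".", 1)[0]
    return None if disk == orig else f"{disk}.exe masquerades as {sample['orig']}"


def rar_archive_command(cmdline: str) -> Optional[Dict]:
    """Parse a WinRAR/Rar 'a' (add to archive) command line.
    -hp<pwd> encrypts headers and data (file names hidden); -p<pwd> encrypts data only."""
    argv = cmdline.split()
    if len(argv) < 3 or argv[1].lower() != "a":
        return None
    switches = [a.lower() for a in argv[2:] if a.startswith("-")]
    positional = [a for a in argv[2:] if not a.startswith("-")]
    headers_encrypted = any(s.startswith("-hp") for s in switches)
    data_encrypted = headers_encrypted or any(s.startswith("-p") for s in switches)
    return dict(archive=positional[0] if positional else None,
                headers_encrypted=headers_encrypted, data_encrypted=data_encrypted)


def assess(sample: Dict) -> List[Tuple[str, str, str]]:
    """(detection category as the table labels it, technique or rule name, detail)."""
    findings = []
    mismatch = name_mismatch(sample)
    if mismatch:
        findings.append(("Specific Behavior", "T1036 Masquerading", mismatch))
    low = sample["path"].lower()
    if any(d in low for d in SUSPICIOUS_DIRS):
        findings.append(("General Behavior", "Execution from Suspicious Directory", low))
    rar = rar_archive_command(sample["cmdline"])
    if rar and sample["signer"].lower() == "win.rar gmbh":
        findings.append(("Enrichment", "T1002 Data Compressed", f"archive {rar['archive']}"))
        if rar["headers_encrypted"]:
            findings.append(("Enrichment", "T1022 Data Encrypted", "-hp: headers and data encrypted"))
    return findings


if __name__ == "__main__":
    for s in SAMPLES:
        print(s["path"], assess(s))
```

The signer check is deliberate: keying the archive enrichment on "win.rar GmbH" rather than on the file name is what lets recycler.exe be treated as WinRAR in the first place, and it is the same evidence the Carbon Black, CrowdStrike and Microsoft screenshots rely on.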
Service Execution (Execution, T1035)

16.L.1 Empire: 'sc start' via PowerShell to remotely launch a specific service on Creeper (10.0.0.4)
- Carbon Black [10: Telemetry] Telemetry from process tree showing sc.exe execution to start the AdobeUpdater service on Creeper
- CounterTack [7: Telemetry-Tainted] Telemetry showing powershell.exe executing sc.exe start AdobeUpdater service on Creeper (tainted by the parent "Powershell executed remote commands" alert); Telemetry showing AdobeUpdater service starting on Creeper (tainted by the parent "New Windows service created" alert)
- CrowdStrike [64: Telemetry-Tainted, Specific Behavior-Delayed] Email excerpt sent by OverWatch team indicating they observed execution of update.vbs following the AdobeUpdater service start (Specific Behavior); Telemetry showing sc start in the process tree view (tainted from previous powershell.exe detection by red line indicating high severity)
- Cybereason [7: Telemetry-Tainted] Telemetry showing cmd.exe executing update.vbs; Telemetry showing sc.exe executing the service (tainted by a parent PowerShell alert)
- Endgame [76: Telemetry-Tainted, Enrichment-Delayed-Tainted, Specific Behavior] Specific Behavior alert "Service Command Lateral Movement" for the start of AdobeUpdater service on Creeper tagged with correct ATT&CK Technique (T1035 - Service Execution) and Tactic (Execution); Enriched event tree showing enrichment of sc.exe execution with correct ATT&CK Technique (T1035 - Service Execution) and Tactic (Execution) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts; tree is initially available unenriched to show the base telemetry)
- F-Secure [100: Telemetry, Specific Behavior, General Behavior] General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing sc.exe with command-line arguments; Specific Behavior alert for sc.exe used with parameters typical for lateral movement
- FireEye [72: Enrichment, Specific Behavior-Delayed] Excerpt from the Managed Defense Report showing sc.exe starting the adobeupdater service (Specific Behavior); Enrichment of sc.exe with an alert for SC Execution (tagged with related ATT&CK Technique, T1007 - System Service Discovery, and Tactic, Discovery)
- McAfee [22: Telemetry-Tainted, Enrichment] Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe); Enrichment of net.exe with a relevant ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Windows service was manipulated via sc.exe/net.exe tool
- Microsoft [67: Telemetry-Tainted, Specific Behavior] Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day; specific instance of this procedure not shown in this alert); Telemetry showing service execution on Creeper and new Empire connection to www.freegoogleadsenseinfo.com (C2 domain) (C2 alert rule for BORON domain was added by the vendor earlier in Step 11); Specific Behavior alert showing successful remote AdobeUpdater service execution attempt from CodeRed to Creeper; Telemetry from CodeRed showing execution sequence of sc.exe service start for AdobeUpdater on Creeper
- Palo Alto Networks [22: Telemetry-Tainted, Enrichment] Telemetry showing powershell.exe executing sc with command-line arguments (tainted by a parent alert on wscript.exe); Enrichment of sc.exe executing with command-line arguments with the correct ATT&CK Technique (Service Execution); Telemetry showing cmd.exe executing update.vbs on 10.0.0.4 (Creeper)
- RSA [10: Telemetry] Telemetry showing the execution of update.vbs on 10.0.0.4 (Creeper); Telemetry showing the execution of sc.exe to start the AdobeUpdater service on 10.0.0.4 (Creeper)
- SentinelOne [37: Telemetry-Tainted, General Behavior] Telemetry showing execution of sc.exe to start the AdobeUpdater service on Creeper (tainted by relationship to threat story); Lateral movement alert generated by the remote service start on Creeper
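16.I.1 and 16.L.1 are two halves of one action: create a service on Creeper whose binPath is a cmd.exe stager, give it a believable description, then start it. The higher scores in this row go to vendors that reported the start as lateral movement (Endgame's "Service Command Lateral Movement", F-Secure's "parameters typical for lateral movement", SentinelOne's lateral movement alert) rather than as one more sc.exe event, and the strongest evidence of all is the target-side telemetry of services.exe launching the stager. The Python below is an added example, not code from the page or from any vendor, that correlates the sequence on constructed events from CodeRed (the attacking host) and Creeper (the target) named in the table; the binPath heuristics, the 600-second window and the services.exe corroboration step are my assumptions.

```python
"""Added example: correlate the remote 'sc' sequence of steps 16.I.1 and 16.L.1 into one
lateral-movement detection (create a service on a remote host, optionally disguise it with
a description, then start it), with corroboration from the target host.  Events are
constructed; CodeRed and Creeper are the emulation hosts named in the table."""
from typing import Dict, List, Optional, Tuple

EVENTS = [
    dict(t=100, host="CodeRed", image="sc.exe", parent="powershell.exe",
         cmdline=r'sc \\Creeper create AdobeUpdater binPath= "cmd.exe /c wscript.exe C:\Windows\Temp\update.vbs"'),
    dict(t=101, host="CodeRed", image="sc.exe", parent="powershell.exe",
         cmdline=r'sc \\Creeper description AdobeUpdater "Adobe Acrobat Updater"'),
    dict(t=105, host="CodeRed", image="sc.exe", parent="powershell.exe",
         cmdline=r"sc \\Creeper start AdobeUpdater"),
    # on the target: the service binary runs under services.exe
    dict(t=106, host="Creeper", image="cmd.exe", parent="services.exe",
         cmdline=r"cmd.exe /c wscript.exe C:\Windows\Temp\update.vbs"),
    # an admin restarting the spooler remotely, for contrast
    dict(t=900, host="Admin01", image="sc.exe", parent="cmd.exe",
         cmdline=r"sc \\FileSrv start Spooler"),
]

# Assumption: a binPath naming one of these is a script/shell stager, not a real service.
SHELL_BINPATH = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe")


def parse_sc(cmdline: str) -> Optional[Tuple[Optional[str], str, Optional[str], str]]:
    """(remote_host, verb, service, rest) for 'sc [\\\\host] verb [service] ...'."""
    parts = cmdline.split()
    if not parts or parts[0].lower() not in ("sc", "sc.exe"):
        return None
    i, host = 1, None
    if i < len(parts) and parts[i].startswith("\\\\"):
        host, i = parts[i][2:], i + 1
    if i >= len(parts):
        return None
    verb = parts[i].lower()
    service = parts[i + 1] if i + 1 < len(parts) else None
    return host, verb, service, " ".join(parts[i + 2:])


def correlate(events: List[Dict] = EVENTS, window: int = 600) -> List[Dict]:
    """Alert on every remote service start; raise severity when the same (host, service) was
    created within `window` seconds with a shell/script binPath, and note whether the
    target host shows services.exe spawning something right after the start."""
    created: Dict[Tuple[str, str], Dict] = {}
    alerts = []
    for e in sorted(events, key=lambda x: x["t"]):
        if e["image"].lower() != "sc.exe":
            continue
        parsed = parse_sc(e["cmdline"])
        if parsed is None or parsed[0] is None:
            continue                                  # local sc use: telemetry only
        host, verb, service, rest = parsed
        key = (host.lower(), (service or "").lower())
        if verb == "create":
            created[key] = dict(t=e["t"], src=e["host"],
                                shell_binpath=any(b in rest.lower() for b in SHELL_BINPATH))
        elif verb == "description" and key in created:
            created[key]["disguised"] = True          # 16.I.1: a plausible description
        elif verb == "start":
            c = created.get(key)
            staged = c is not None and e["t"] - c["t"] <= window
            confirmed = any(x["host"].lower() == host.lower()
                            and x.get("parent", "").lower() == "services.exe"
                            and 0 <= x["t"] - e["t"] <= 60 for x in events)
            alerts.append(dict(
                kind="Specific Behavior" if staged else "General Behavior",
                technique="T1035 Service Execution", src=e["host"], dst=host, service=service,
                severity="high" if staged and c["shell_binpath"] else ("medium" if staged else "low"),
                disguised=bool(c and c.get("disguised")) if staged else False,
                confirmed_on_target=confirmed))
    return alerts


if __name__ == "__main__":
    for a in correlate():
        print(a)
```

Note that the correlation key is (target host, service name) as seen from the source: the sc.exe events on CodeRed never mention the pid or path that services.exe on Creeper will use, so the target-side confirmation has to be a time-window join on host name, which is exactly the cross-host view the Microsoft cell describes.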
System Owner/User Discovery (Discovery, T1033)

2.B.1 Cobalt Strike: 'echo' via cmd to enumerate specific environment variables
- Carbon Black [10: Telemetry] Telemetry from process tree showing echo with command-line arguments
- CounterTack [7: Telemetry-Tainted] Telemetry showing echo with command-line arguments (tainted by the parent Script File Created alert)
- CrowdStrike [34: Telemetry-Tainted, General Behavior-Delayed] Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (echo not specifically shown); Email excerpt from the OverWatch team indicating echo was a reconnaissance command (General Behavior); Telemetry showing echo with command-line arguments
- Cybereason [7: Telemetry-Tainted] Telemetry showing cmd.exe executing echo with command-line arguments (tainted by a parent Injected Shellcode alert)
- Endgame [28: Telemetry-Tainted, General Behavior-Configuration Change-Delayed-Tainted] Telemetry showing echo with command-line arguments (tainted by parent Malicious File Detection); General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period; Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
- F-Secure [70: General Behavior, Telemetry, General Behavior] A General Behavior alert showing that a spawned process (cmd.exe running echo) has been tagged for monitoring because its parent process has a detection (rundll32.exe); Telemetry showing cmd.exe executing the echo command; General Behavior alert for rundll32.exe launching cmd.exe (executing the echo command)
- FireEye [67: Telemetry, Specific Behavior-Delayed] Excerpt from the Managed Defense Report with additional details about echo; Excerpt from the Managed Defense Report indicating echo was used to enumerate the current username (Specific Behavior); Telemetry showing echo with command-line arguments
- McAfee [22: Telemetry-Tainted, Enrichment] Process tree within trace detection containing cmd.exe executing the echo command (tainted by a parent alert on Resume Viewer.exe); Telemetry showing cmd.exe executing the echo command; Enrichment of echo command with a correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) and a suspicious indicator that the command tried to identify the user on the system
- Microsoft [7: Telemetry-Tainted] Telemetry showing execution sequence for echo with command-line arguments; Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing echo command
- Palo Alto Networks [22: Telemetry-Tainted, Enrichment] Telemetry showing cmd.exe executing echo with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine); Enrichment of cmd.exe executing echo with the correct ATT&CK Technique (System Owner/User Discovery)
- RSA [10: Telemetry] Telemetry showing echo with command-line arguments
- SentinelOne [7: Telemetry-Tainted] Telemetry showing echo with command-line arguments (tainted by relationship to threat story)
20.B.1 Executed 'whoami' via cmd persistence mechanism through RDP connection made to Creeper (10.0.0.4)
- Carbon Black [25: Telemetry, Enrichment] Enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery); Telemetry from process tree showing whoami.exe execution
- CounterTack [7: Telemetry-Tainted] Telemetry showing magnify.exe executing whoami.exe (tainted by the parent POS Interactive Login Event alert)
- CrowdStrike [7: Telemetry-Tainted] Telemetry from process tree showing magnify.exe child process whoami.exe (tainted by pink line indicating critical severity)
- Cybereason [67: Specific Behavior-Tainted, Telemetry] Specific Behavior alert for whoami.exe execution with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) (tainted by a parent Accessibility Features alert)
- Endgame [16: Telemetry-Tainted, Enrichment-Delayed-Tainted] Telemetry from event tree showing execution of whoami.exe (tainted by parent alert on magnify.exe); Enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery) (tainted by Windows File Name Mismatch alert; tree is initially available unenriched to show the base telemetry)
- F-Secure [55: Telemetry, Enrichment, General Behavior] Enrichment of whoami.exe with a tag identifying the command as enumeration; General Behavior alert showing that a spawned process (whoami) has been tagged for monitoring because its parent process has a detection (magnify.exe); Telemetry showing the execution of whoami
- FireEye [22: Telemetry-Tainted, Enrichment] Telemetry showing whoami.exe executing as a child process of magnify.exe (tainted by parent Accessibility Features Child Process alert); Enrichment of whoami.exe with Whoami Execution alert (tagged with correct ATT&CK Technique, T1033 - System Owner/User Discovery, and Tactic, Discovery)
- McAfee [67: Telemetry-Tainted, Specific Behavior] Telemetry showing magnify.exe (original name identified as cmd.exe) executing whoami.exe (tainted by a trace detection on magnify.exe); Specific Behavior alert for the whoami command executed through a masqueraded tool (magnify.exe)
- Microsoft [7: Telemetry-Tainted] Execution sequence showing whoami.exe executing from magnify.exe; Process tree view of sticky keys binary hijack alert showing tainted relationship to whoami.exe
- Palo Alto Networks [25: Telemetry, Enrichment] Telemetry showing magnify.exe executing whoami.exe; Enrichment of whoami.exe executing as an enumeration command
- RSA [10: Telemetry] Telemetry showing whoami.exe execution
- SentinelOne [15: Enrichment] Enrichment of whoami command (displays logged on user information)
12.B.1 Empire: 'whoami /all /fo list' via PowerShell
- Carbon Black [25: Telemetry, Enrichment] Telemetry from process tree showing whoami.exe with command-line arguments; Enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery)
- CounterTack [9: Enrichment-Tainted-Configuration Change] Enrichment of whoami.exe with condition Whoami Reconnaissance Command (tainted by parent Script File Created alert)
- CrowdStrike [61: General Behavior-Delayed-Tainted, Telemetry, General Behavior-Delayed] Email excerpt from the OverWatch team indicating whoami was part of basic reconnaissance activity (General Behavior); OverWatch General Behavior alert and telemetry indicating whoami.exe with command-line arguments was suspicious (tainted from previous powershell.exe detection by red line indicating high severity)
- Cybereason [22: Enrichment-Tainted, Telemetry] Enrichment of whoami.exe executing as Reconnaissance and the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) (tainted by a parent PowerShell alert); Enrichment of whoami.exe executing with labels for Reconnaissance and Accounts discovery
- Endgame [16: Telemetry-Tainted, Enrichment-Tainted-Delayed] Telemetry showing whoami.exe with command-line arguments; Enriched event tree showing enrichment of whoami.exe with correct ATT&CK Technique (T1033 - System Owner/User Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts; tree is initially available unenriched to show the base telemetry)
- F-Secure [55: Enrichment, Telemetry, General Behavior] General Behavior alert showing that a spawned process (whoami) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing powershell.exe executing whoami.exe with command-line arguments; Enrichment of powershell.exe executing whoami.exe indicating a sign of reconnaissance before privilege escalation
- FireEye [42: Enrichment, General Behavior-Delayed] Enrichment of whoami.exe with Whoami Execution (tagged with correct ATT&CK Technique, T1033 - System Owner/User Discovery, and Tactic, Discovery); Excerpt from the Managed Defense Report indicating whoami.exe was a reconnaissance command (General Behavior)
- McAfee [22: Telemetry-Tainted, Enrichment] Telemetry showing whoami.exe with command-line arguments (tainted by a parent alert on wscript.exe); Enrichment of whoami.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Owner/User Discovery) and a suspicious indicator that the name of the logged user was discovered
- Microsoft [7: Telemetry-Tainted] Telemetry showing execution sequence of powershell.exe executing whoami.exe with command-line arguments; Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process; Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process
- Palo Alto Networks [7: Telemetry-Tainted] Telemetry showing powershell.exe executing whoami.exe with command-line arguments (tainted by a parent alert on wscript.exe)
- RSA [10: Telemetry] Telemetry showing whoami.exe with command-line arguments
- SentinelOne [7: Telemetry-Tainted] Telemetry showing whoami.exe with command-line arguments (tainted Group ID not shown but was the search parameter); Continued threat story showing initial compromise alert and powershell.exe tainting whoami.exe
12.E.1.1  Empire: WinEnum module included enumeration of user information
  CarbonBlack: 0 (None)
  CounterTack: 0 (None)
  CrowdStrike: 0 (None)
  Cybereason: 0 (None)
  Endgame: 0 (None)
    Interactive Shell events showing the WinEnum script and the Get-UserInfo function (does not count as a detection due to manual process of pulling events)
  F-Secure: 10 (Telemetry)
    Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
  FireEye: 0 (None)
  McAfee: 0 (None)
  Microsoft: 0 (None)
  PaloAltoNetworks: 20 (Indicator of Compromise)
    Indicator of Compromise alert identifying suspicious PowerShell strings as Empire UserInfo
  RSA: 0 (None)
  SentinelOne: 0 (None)
Technique: Standard Cryptographic Protocol (T1032); Tactic: Command and Control
11.B.1  Empire: Encrypted C2 channel established using HTTPS
  CarbonBlack: 10 (Telemetry)
    Telemetry showing modloads and certificate check
  CounterTack: 0 (None)
    Telemetry showing powershell.exe making a network connection over TCP port 443 (does not count as a detection)
  CrowdStrike: 0 (None)
    Telemetry showing powershell.exe making a network connection over port 443 (does not count as a detection)
  Cybereason: 7 (Telemetry-Tainted)
    Telemetry showing powershell.exe making outgoing connection to 192.168.0.5 tagged with SERVICE_HTTP (Hypertext Transfer Protocol Over TLS/SSL (HTTPS)) (tainted by a parent PowerShell alert)
    Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert)
  Endgame: 7 (Telemetry-Tainted)
    Telemetry showing decoded powershell.exe command-line arguments (tainted by parent alert)
    Telemetry showing connection to letsencrypt.org
  F-Secure: 60 (Specific Behavior)
    Specific Behavior alert for PowerShell downloading a significant amount of data using HTTP(S)
  FireEye: 27 (General Behavior-Delayed)
    Excerpt from the Managed Defense Report indicating Empire was configured to communicate over HTTPS (General Behavior)
  McAfee: 0 (None)
    Alert indicating that powershell.exe queried registered cryptographic provider libraries (does not count as a detection)
    Telemetry showing powershell.exe making a network connection over port 443 (does not count as a detection)
  Microsoft: 7 (Telemetry-Tainted)
    Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over an encrypted channel
    Telemetry within alert showing decoded command-line arguments containing HTTPS
  PaloAltoNetworks: 0 (None)
  RSA: 0 (None)
    Telemetry showing network connections, including over port 443 (does not count as a detection)
  SentinelOne: 0 (None)
    Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (does not count as a detection)
Technique: Password Policy Discovery (T1201); Tactic: Discovery
12.E.1.3  Empire: WinEnum module included enumeration of password policy information
  CarbonBlack: 0 (None)
  CounterTack: 0 (None)
  CrowdStrike: 0 (None)
  Cybereason: 0 (None)
  Endgame: 0 (None)
    Interactive Shell events showing the WinEnum script and the Password Last Changed function (does not count as a detection due to manual process of pulling events)
  F-Secure: 10 (Telemetry)
    Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
  FireEye: 0 (None)
  McAfee: 0 (None)
  Microsoft: 0 (None)
  PaloAltoNetworks: 0 (None)
  RSA: 0 (None)
  SentinelOne: 0 (None)
Technique: System Network Configuration Discovery (T1016); Tactic: Discovery
12.A.2  Empire: 'ipconfig /all' via PowerShell
  CarbonBlack: 25 (Telemetry, Enrichment)
    Telemetry from process tree showing ipconfig.exe with command-line arguments
    Enrichment of ipconfig.exe with correct ATT&CK Technique (T1049 - System Network Configuration Discovery)
  CounterTack: 9 (Enrichment-Tainted-Configuration Change)
    Enrichment of ipconfig.exe with condition Ipconfig All Reconnaissance Command (tainted by parent Script File Created alert)
  CrowdStrike: 34 (Telemetry-Tainted, General Behavior-Delayed)
    Email excerpt from the OverWatch team indicating ipconfig was part of basic reconnaissance activity (General Behavior)
    Telemetry from process tree showing ipconfig.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
  Cybereason: 22 (Enrichment-Tainted, Telemetry)
    Enrichment of ipconfig.exe executing with correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) (tainted by a parent PowerShell alert)
  Endgame: 7 (Telemetry-Tainted)
    Telemetry showing ipconfig.exe with command-line arguments
    Event tree view of telemetry showing ipconfig.exe with command-line arguments (tainted by parent PowerShell alerts)
  F-Secure: 55 (Enrichment, Telemetry, General Behavior)
    General Behavior alert showing that a spawned process (ipconfig) has been tagged for monitoring because its parent process has a detection (powershell.exe)
    Enrichment of powershell.exe executing ipconfig.exe with a tag identifying the command as enumeration
    Telemetry showing ipconfig.exe with command-line arguments
  FireEye: 42 (Enrichment, General Behavior-Delayed)
    Excerpt from the Managed Defense Report indicating ipconfig.exe was a reconnaissance command used (General Behavior)
    Enrichment of ipconfig.exe with Ipconfig Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)
  McAfee: 22 (Telemetry-Tainted, Enrichment)
    Telemetry showing ipconfig.exe with command-line arguments (tainted by a parent alert on wscript.exe)
    Enrichment of ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery)
  Microsoft: 7 (Telemetry-Tainted)
    Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process
    Telemetry showing execution sequence of powershell.exe executing ipconfig.exe with command-line arguments
    Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process
  PaloAltoNetworks: 22 (Telemetry-Tainted, Enrichment)
    Enrichment of ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)
    Telemetry showing powershell.exe executing ipconfig.exe with command-line arguments (tainted by a parent alert on wscript.exe)
  RSA: 10 (Telemetry)
    Telemetry showing ipconfig.exe with command-line arguments
  SentinelOne: 7 (Telemetry-Tainted)
    Telemetry showing ipconfig.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
    Threat story showing initial compromise alert and powershell.exe tainting ipconfig.exe
4.B.1  Cobalt Strike: 'netsh advfirewall show allprofiles' via cmd
  CarbonBlack: 25 (Telemetry, Enrichment)
    Telemetry from process tree showing netsh.exe with command-line arguments
    Enrichment of netsh.exe with related ATT&CK technique (T1063 - Security Software Discovery) and tag for Potential Windows Firewall Rule Recon
  CounterTack: 7 (Telemetry-Tainted)
    Telemetry showing netsh.exe with command-line arguments (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)
  CrowdStrike: 64 (General Behavior-Delayed, Telemetry, General Behavior-Delayed)
    OverWatch General Behavior alert indicating netsh execution by cmd.exe was suspicious
    Email excerpt from the OverWatch team indicating netsh was a reconnaissance command (General Behavior)
  Cybereason: 22 (Enrichment-Tainted, Telemetry)
    Enrichment of netsh.exe executing with correct ATT&CK Tactic (Discovery) and related Technique (Security Software Discovery) (tainted by a parent Injected Shellcode alert)
  Endgame: 10 (Telemetry)
    Telemetry from event tree showing netsh with command-line arguments
  F-Secure: 10 (Telemetry)
    Telemetry showing netsh.exe with command-line arguments
  FireEye: 72 (Enrichment, Specific Behavior-Delayed)
    Enrichment of netsh.exe with Netsh Execution alert (tagged with related ATT&CK Technique, T1063 - Security Software Discovery, and correct Tactic, Discovery)
    Excerpt from the Managed Defense Report with additional details about netsh
    Excerpt from the Managed Defense Report indicating netsh was used to obtain network configuration and the configuration profile of the Windows Firewall (Specific Behavior)
  McAfee: 22 (Telemetry-Tainted, Enrichment)
    Enrichment of netsh.exe with the correct Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the netsh utility manipulated firewall rules
    Process tree within trace detection showing cmd.exe executing netsh.exe (tainted by a parent alert on cmd.exe)
  Microsoft: 7 (Telemetry-Tainted)
    Telemetry showing execution sequence for netsh.exe with command-line arguments
    Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific netsh.exe command not shown)
  PaloAltoNetworks: 25 (Telemetry, Enrichment)
    Enrichment of netsh.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)
    Telemetry showing cmd.exe executing netsh with command-line arguments
  RSA: 10 (Telemetry)
    Telemetry showing netsh.exe with command-line arguments
  SentinelOne: 7 (Telemetry-Tainted)
    Telemetry showing netsh.exe with command-line arguments (tainted by relationship to threat story)
12.A.1  Empire: 'route print' via PowerShell
  CarbonBlack: 10 (Telemetry)
    Telemetry from process tree showing route.exe with command-line arguments
  CounterTack: 12 (Enrichment-Tainted)
    Enrichment of route.exe with conditions Reconnaissance Tool and Route Spawned with Reconnaissance (tainted by the parent Script File Created alert)
  CrowdStrike: 34 (Telemetry-Tainted, General Behavior-Delayed)
    Email excerpt from the OverWatch team indicating route print was part of basic reconnaissance activity (General Behavior)
    Telemetry from process tree showing route.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
  Cybereason: 7 (Telemetry-Tainted)
    Telemetry showing route.exe executing with command-line arguments (tainted by a parent PowerShell alert)
  Endgame: 7 (Telemetry-Tainted)
    Telemetry showing route.exe with command-line arguments
    Event tree view of telemetry showing route.exe with command-line arguments (tainted by parent PowerShell alerts)
  F-Secure: 55 (Enrichment, Telemetry, General Behavior)
    General Behavior alert showing that a spawned process (route) has been tagged for monitoring because its parent process has a detection (powershell.exe)
    Enrichment of route.exe indicating that it could be used to print the routing table as part of reconnaissance
    Telemetry showing route.exe with command-line arguments
  FireEye: 42 (Enrichment, General Behavior-Delayed)
    Excerpt from the Managed Defense Report indicating route.exe was a reconnaissance command used (General Behavior)
    Enrichment of route.exe with Route Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)
  McAfee: 22 (Telemetry-Tainted, Enrichment)
    Telemetry showing route.exe with command-line arguments (tainted by a parent alert on wscript.exe)
    Enrichment of route.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that routing tables were viewed or manipulated
  Microsoft: 7 (Telemetry-Tainted)
    Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process
    Telemetry showing execution sequence of powershell.exe executing route.exe with command-line arguments
    Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process
  PaloAltoNetworks: 22 (Telemetry-Tainted, Enrichment)
    Telemetry showing powershell.exe executing route.exe with command-line arguments (tainted by a parent alert on wscript.exe)
    Enrichment of route.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)
  RSA: 10 (Telemetry)
    Telemetry showing route.exe with command-line arguments
  SentinelOne: 7 (Telemetry-Tainted)
    Telemetry showing route.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
    Continued threat story showing initial compromise alert and powershell.exe tainting route.exe
    Threat story showing partial tree of activity from the initial compromise alert
2.A.2  Cobalt Strike: 'arp -a' via cmd
  CarbonBlack: 25 (Telemetry, Enrichment)
    Enrichment of arp.exe with related ATT&CK Technique (T1018 - Remote System Discovery)
    Telemetry from process tree showing arp.exe with command-line arguments
  CounterTack: 7 (Telemetry-Tainted)
    Telemetry showing arp.exe with command-line arguments (tainted by the parent Script File Created alert)
  CrowdStrike: 34 (Telemetry-Tainted, General Behavior-Delayed)
    Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (arp not specifically shown)
    Telemetry showing arp with command-line arguments
    Email excerpt from the OverWatch team indicating arp was a reconnaissance command (General Behavior)
  Cybereason: 7 (Telemetry-Tainted)
    Telemetry showing arp.exe executing within the process tree (tainted by a parent Injected Shellcode alert)
    Telemetry showing cmd.exe executing arp with command-line arguments
    Telemetry showing cmd.exe executing arp with command-line arguments
  Endgame: 28 (Telemetry-Tainted, General Behavior-Configuration Change-Delayed-Tainted)
    General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period
    Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
    Telemetry showing arp.exe with command-line arguments (tainted by parent Malicious File Detection)
  F-Secure: 45 (Enrichment, General Behavior)
    Enrichment of arp.exe indicating its usage can be a sign of reconnaissance
    General Behavior alert showing that a spawned process (cmd.exe running arp) has been tagged for monitoring because its parent process has a detection (cmd.exe)
  FireEye: 72 (Enrichment, Specific Behavior-Delayed)
    Excerpt from the Managed Defense Report indicating arp.exe was used to enumerate the network configuration of Nimda (Specific Behavior)
    Enrichment of arp.exe with Arp Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)
    Excerpt from the Managed Defense Report with additional details about arp.exe execution
  McAfee: 22 (Telemetry-Tainted, Enrichment)
    Telemetry showing cmd.exe executing arp.exe (tainted by a trace detection on Resume Viewer.exe)
    Enrichment of arp.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the contents of the local ARP cache table were viewed
  Microsoft: 37 (Telemetry, General Behavior-Delayed)
    Process tree view of General Behavior alert on suspicious sequence of exploration activities showing arp.exe
    General Behavior alert on suspicious sequence of exploration activities
    Telemetry showing execution sequence for arp.exe with command-line arguments
  PaloAltoNetworks: 34 (Telemetry-Tainted, Enrichment, Enrichment-Tainted)
    Telemetry showing cmd.exe executing arp with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
    Enrichment of the execution of arp.exe as possible reconnaissance (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
    Enrichment of arp.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)
    Enrichment of the execution of arp.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
  RSA: 10 (Telemetry)
    Telemetry showing arp.exe with command-line arguments
  SentinelOne: 7 (Telemetry-Tainted)
    Telemetry showing arp.exe with command-line arguments (tainted by relationship to threat story)
2.A.1  Cobalt Strike: 'ipconfig /all' via cmd
  CarbonBlack: 25 (Telemetry, Enrichment)
    Telemetry from process tree showing ipconfig.exe with command-line arguments
    Enrichment of ipconfig.exe with correct ATT&CK Technique (T1016 - System Network Configuration Discovery)
  CounterTack: 9 (Enrichment-Tainted-Configuration Change)
    Enrichment of ipconfig.exe with condition Ipconfig All Reconnaissance Command (tainted by the parent Script File Created alert)
  CrowdStrike: 34 (Telemetry-Tainted, General Behavior-Delayed)
    Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (ipconfig not specifically shown)
    Telemetry showing ipconfig with command-line arguments
    Email excerpt from the OverWatch team indicating ipconfig was a reconnaissance command (General Behavior)
  Cybereason: 22 (Enrichment-Tainted, Telemetry)
    Enrichment of ipconfig.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) (tainted by a parent Injected Shellcode alert)
    Telemetry showing cmd.exe executing ipconfig with command-line arguments
  Endgame: 55 (General Behavior-Tainted, Telemetry-Tainted, General Behavior-Configuration Change-Delayed-Tainted)
    General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period
    Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
    Unusual Child Processes of RunDLL32 General Behavior alert caused by ipconfig.exe (tainted by parent Malicious File Detection)
    Telemetry showing ipconfig.exe with command-line arguments (tainted by parent Malicious File Detection)
  F-Secure: 75 (General Behavior, Enrichment, General Behavior)
    General Behavior alert for rundll32.exe launching cmd.exe (executing ipconfig)
    General Behavior alert showing that a spawned process (cmd.exe running ipconfig) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
    Enrichment of ipconfig.exe with a tag identifying the command as enumeration
  FireEye: 72 (Enrichment, Specific Behavior-Delayed)
    Excerpt from the Managed Defense Report with additional details about ipconfig.exe execution
    Excerpt from the Managed Defense Report indicating ipconfig.exe was used to enumerate the network configuration of Nimda (Specific Behavior)
    Enrichment of ipconfig.exe with Ipconfig Execution alert (tagged with correct ATT&CK Technique, T1016 - System Network Configuration Discovery, and Tactic, Discovery)
  McAfee: 22 (Telemetry-Tainted, Enrichment)
    Telemetry showing cmd.exe executing ipconfig.exe (tainted by a trace detection on Resume Viewer.exe)
    Enrichment of ipconfig.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Configuration Discovery) and a suspicious indicator that the ipconfig utility displayed configuration information
  Microsoft: 37 (Telemetry, General Behavior-Delayed)
    Process tree view of General Behavior alert on suspicious sequence of discovery techniques
    General Behavior alert on suspicious sequence of discovery techniques
    Telemetry showing execution sequence for ipconfig.exe with command-line arguments
  PaloAltoNetworks: 61 (Telemetry-Tainted, Enrichment, Enrichment-Tainted, General Behavior-Tainted)
    Enrichment of ipconfig.exe executing with the correct ATT&CK Technique (System Network Configuration Discovery)
    Enrichment of the execution of ipconfig.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
    Telemetry showing cmd.exe executing ipconfig with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
    General Behavior alert for a commonly abused process (cmd.exe) spawning out of rundll32.exe (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
  RSA: 10 (Telemetry)
    Telemetry showing ipconfig.exe with command-line arguments
  SentinelOne: 7 (Telemetry-Tainted)
    Telemetry showing ipconfig.exe with command-line arguments (tainted by relationship to threat story)
12.E.1.11  Empire: WinEnum module included enumeration of network adapters
  CarbonBlack: 0 (None)
  CounterTack: 0 (None)
  CrowdStrike: 0 (None)
  Cybereason: 0 (None)
  Endgame: 0 (None)
    Interactive Shell events showing the WinEnum script and the Network Adapters function (does not count as a detection due to manual process of pulling events)
  F-Secure: 25 (Telemetry, Enrichment)
    Enrichment of powershell.exe making a WMI query with a tag identifying the command as WMI enumerating adapters
    Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
  FireEye: 0 (None)
  McAfee: 0 (None)
  Microsoft: 10 (Telemetry)
    Telemetry of execution sequence showing Get-NetInfo invocation
  PaloAltoNetworks: 20 (Indicator of Compromise)
    Indicator of Compromise alert identifying suspicious PowerShell strings as Empire NetInfo
  RSA: 0 (None)
  SentinelOne: 7 (Telemetry-Tainted)
    Additional telemetry showing powershell.exe WMI queries for network adapter and configuration information
    Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter)
Technique: User Execution (T1204); Tactic: Execution
1.A.1  Legitimate user Debbie clicked and executed malicious self-extracting archive (Resume Viewer.exe) on 10.0.1.6 (Nimda)
  CarbonBlack: 40 (Telemetry, General Behavior)
    Telemetry from process tree showing Resume Viewer.exe execution sequence
    General Behavior alert showing execution of Resume Viewer.exe as a Newly Executed Application
  CounterTack: 7 (Telemetry-Tainted)
    Telemetry showing Resume Viewer.exe running (tainted by the parent Script File Created alert)
  CrowdStrike: 40 (General Behavior, Telemetry)
    Machine Learning General Behavior alert showing execution of Resume Viewer.exe and detection as malicious
  Cybereason: 67 (General Behavior, General Behavior, Telemetry-Tainted)
    General Behavior alert for explorer.exe executing Resume Viewer.exe, identified as a known malicious file
    General Behavior alert identifying Resume Viewer.exe as unknown malware
    Telemetry showing Resume Viewer.exe running as a process (tainted by parent alert on explorer.exe)
  Endgame: 37 (General Behavior, Telemetry-Tainted)
    Event tree view showing Malicious File Detection General Behavior alert on Resume Viewer.exe execution
    Malicious File Detection General Behavior alert on Resume Viewer.exe execution and surrounding telemetry
  F-Secure: 40 (General Behavior, Telemetry)
    Telemetry showing the execution of Resume Viewer.exe
  FireEye: 37 (General Behavior-Configuration Change, Telemetry)
    Telemetry showing Resume Viewer.exe being executed by explorer.exe
    General Behavior alert showing Resume Viewer.exe labeled as Malware (alert triggered after configuration change)
  McAfee: 10 (Telemetry)
    Telemetry showing that Resume Viewer.exe was executed by Explorer.exe by user Debbie
  Microsoft: 10 (Telemetry)
    Exploit Guard audit of Resume Viewer.exe
    Telemetry showing execution of pdfhelper.cmd and update.dat
    Telemetry showing execution of decoy PDF by MicrosoftPdfReader.exe
    Telemetry showing Resume Viewer.exe binary and process metadata
    Telemetry showing Resume Viewer.exe binary reputation
    Telemetry showing execution of Resume Viewer.exe from explorer.exe and dropping pdfhelper.cmd and autoupdate.bat
    Telemetry showing write of pdfhelper.cmd
    Telemetry showing write of autoupdate.bat
  PaloAltoNetworks: 10 (Telemetry)
    Telemetry showing Resume Viewer.exe running as a process
  RSA: 10 (Telemetry)
    Telemetry showing Resume Viewer.exe execution
  SentinelOne: 40 (Telemetry, General Behavior)
    Telemetry from process tree showing execution of Resume Viewer.exe
    General Behavior alert for execution of Resume Viewer.exe as a suspicious file
Technique: Data from Network Shared Drive (T1039); Tactic: Collection
18.B.1  Empire: 'copy' via PowerShell collected a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
  CarbonBlack: 0 (None)
  CounterTack: 7 (Telemetry-Tainted)
    Telemetry showing PowerShell copying .vsdx file from network share to Recycle Bin (tainted by the parent "Powershell executed encoded commands" alert)
  CrowdStrike: 0 (None)
  Cybereason: 0 (None)
  Endgame: 0 (None)
  F-Secure: 10 (Telemetry)
    Telemetry showing the copy of the .vsdx file from the network drive to the Recycle Bin
  FireEye: 0 (None)
  McAfee: 0 (None)
  Microsoft: 0 (None)
    Execution sequence showing PowerShell Copy-Item cmdlet execution (does not count as a detection)
  PaloAltoNetworks: 64 (Telemetry-Tainted, Specific Behavior-Tainted)
    Telemetry showing a file event for the .vsdx file from the network shared drive on 10.0.0.5 (Conficker) (tainted by a parent alert on wscript.exe)
    Specific Behavior alert for a script engine reading files from network locations (tainted by a parent alert on wscript.exe)
  RSA: 0 (None)
  SentinelOne: 7 (Telemetry-Tainted)
    Exported telemetry of threat story (taints event) showing .vsdx file copy from network shared drive on Conficker
9.B.1  Cobalt Strike: Built-in download capability executed to collect a file (Shockwave_rackb_diagram.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
  CarbonBlack: 0 (None)
  CounterTack: 0 (None)
  CrowdStrike: 0 (None)
  Cybereason: 0 (None)
    Telemetry showing a port 445 connection between Nimda (10.0.1.6) and the source of the file on Conficker (10.0.0.5) (does not count as detection)
  Endgame: 0 (None)
    Telemetry showing .vsdx file creation, but no indication of network shared drive (does not count as a detection)
  F-Secure: 0 (None)
  FireEye: 0 (None)
  McAfee: 0 (None)
  Microsoft: 0 (None)
  PaloAltoNetworks: 10 (Telemetry)
    Telemetry showing a file read event for the .vsdx file from the network shared drive
  RSA: 0 (None)
  SentinelOne: 10 (Telemetry)
    Telemetry showing .vsdx file access from WormShare on the network shared drive
Technique: Process Injection (T1055); Tactics: Defense Evasion, Privilege Escalation
3.C.1  Cobalt Strike: Built-in process injection capability executed to inject callback into cmd.exe
  CarbonBlack: 70 (Telemetry, Specific Behavior)
    Telemetry showing CreateRemoteThread API call used for thread injection into cmd.exe
    Telemetry showing open handles and thread injection into cmd.exe
    Specific Behavior alert mapped to correct ATT&CK Technique (T1055 - Process Injection)
  CounterTack: 57 (Specific Behavior-Tainted)
    Specific Behavior alert for DLL injection detection labeled with Process Hijacking and Privilege Escalation (tainted by the parent "Powershell process created" alert)
  CrowdStrike: 91 (Specific Behavior-Tainted, Telemetry, General Behavior-Delayed-Tainted)
    Telemetry showing process tree view of Process Injection Specific Behavior alert and OverWatch General Behavior alert tainted by parent detections (orange line indicates medium severity)
    Specific Behavior Process Injection alert mapped to correct ATT&CK Technique (Process Injection) and Tactic (Defense Evasion) as well as OverWatch General Behavior alert identifying behavior as suspicious
  Cybereason: 57 (Specific Behavior-Tainted)
    Specific Behavior alert for powershell.exe injecting into cmd.exe
    Specific Behavior alert for PowerShell injection into cmd.exe mapped to ATT&CK Tactic (Defense Evasion) and Technique (Process Injection) (tainted by a parent PowerShell alert)
  Endgame: 60 (Specific Behavior)
    Specific Behavior alert for process injection into cmd.exe
  F-Secure: 60 (Specific Behavior)
    Specific Behavior alert for PowerShell opening a handle to a system process with access rights typical for a known PowerShell injection pattern, identified as a sign of code injection
  FireEye: 57 (Specific Behavior-Delayed)
    Continued excerpt from the Managed Defense Report showing the artifact evidence of a process injection from PowerShell.exe to cmd.exe
    Excerpt from the Managed Defense Report identifying a process injection from PowerShell.exe to cmd.exe (Specific Behavior)
  McAfee: 60 (Specific Behavior)
    Specific Behavior alert for a process injection from PowerShell into cmd.exe based on both connecting to a named pipe, tagged with the correct ATT&CK Technique (Process Injection) and Tactics (Defense Evasion, Privilege Escalation)
  Microsoft: 69 (Enrichment-Tainted, Specific Behavior-Delayed)
    Telemetry showing process injection activity audited by Exploit Guard
    Enrichment of powershell.exe injecting into cmd.exe
    Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and elevated powershell.exe (subsequent powershell.exe is the injecting process)
    Specific Behavior alert showing powershell.exe process injection
  PaloAltoNetworks: 57 (Specific Behavior-Tainted)
    Specific Behavior alert for PowerShell injecting shellcode (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
  RSA: 10 (Telemetry)
    Telemetry showing powershell.exe creating a remote thread into cmd.exe
  SentinelOne: 7 (Telemetry-Tainted)
    Telemetry showing powershell.exe injecting into cmd.exe (Group ID tainted this event but was not shown in this view)
8.D.1  Cobalt Strike: Screen capture capability involved process injection into explorer.exe
  CarbonBlack: 10 (Telemetry)
    Telemetry showing "open handle" crossproc on explorer.exe by the process
  CounterTack: 10 (Telemetry)
    Telemetry showing remote thread being created into explorer.exe
  CrowdStrike: 10 (Telemetry)
    Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890)
  Cybereason: 60 (Specific Behavior)
    Specific Behavior alert for Malicious code injection to explorer.exe with correct ATT&CK Tactic (Defense Evasion, Privilege Escalation) and Technique (Process Injection)
    Specific Behavior alert for process injection explorer.exe rolled into chain of injections
  Endgame: 57 (Specific Behavior-Tainted)
    Event tree showing process injection Specific Behavior alert (last alert in the view, ID 2561310) (tainted by parent Malicious File Detection and process injection alerts and labeled with the correct ATT&CK Technique, Process Injection, and Tactics, Defense Evasion and Execution)
  F-Secure: 0 (None)
  FireEye: 0 (None)
  McAfee: 57 (Specific Behavior-Tainted)
    Specific Behavior alert for code injection into explorer.exe, tagged with the correct ATT&CK Tactics (Defense Evasion, Privilege Escalation) and Technique (Process Injection)
    Specific Behavior alert for code injection into explorer.exe (tainted by a trace detection on cmd.exe)
  Microsoft: 15 (Enrichment)
    Enrichment of execution sequence showing cmd.exe injecting into explorer.exe (labeled "Inject to process")
  PaloAltoNetworks: 15 (Enrichment)
    Enrichment of cmd.exe injecting into explorer.exe as code injection via CreateThread
  RSA: 0 (None)
    Floating Code module generated from DLL injection showing introspection into the module's characteristics (does not count as a detection)
  SentinelOne: 7 (Telemetry-Tainted)
    Telemetry showing powershell.exe injecting into explorer.exe (Group ID tainted this event but was not shown in this view)
5.A.1  Cobalt Strike: Credential dump capability involved process injection into lsass
  CarbonBlack: 10 (Telemetry)
    Telemetry showing cross process events, specifically a handle to open thread into lsass.exe
  CounterTack: 30 (General Behavior)
    General Behavior alert showing DDNA Scan for svchost.exe
    General Behavior alert additional details on DDNA Scan for svchost.exe, including that it appears to inject code into another process
    General Behavior alert details on DDNA Scan for svchost.exe, including that it appears to inject code into another process
  CrowdStrike: 15 (Enrichment)
    Enrichment showing ReflectiveDllOpenLsass and ProcessHollowingDetected events
  Cybereason: 60 (Specific Behavior)
    Specific Behavior alert with correct ATT&CK Technique (Process Injection) and Tactics (Defense Evasion, Privilege Escalation)
    Data within alert showing loaded powerkatz.dll as floating executable code
  Endgame: 10 (Telemetry)
    Telemetry showing process accesses into lsass.exe
  F-Secure: 0 (None)
  FireEye: 0 (None)
  McAfee: 0 (None)
  Microsoft: 64 (Telemetry-Tainted, Specific Behavior-Delayed)
    Alert on credential dump showing injecting svchost.exe process (process with syringe) that was used to access lsass.exe
    Telemetry showing svchost.exe accessing and extracting credentials from lsass.exe
    Specific Behavior alert for process injection into lsass.exe (inner failure message in screenshot not relevant to tested functionality)
  PaloAltoNetworks: 60 (Specific Behavior)
    A Specific Behavior alert for a suspicious handle being opened to lsass.exe, tagged with a related ATT&CK Technique (Credential Dumping)
  RSA: 0 (None)
  SentinelOne: 0 (None)
Step 5.A.2 - Cobalt Strike: Hash dump capability involved process injection into lsass.exe
  CarbonBlack (70): Telemetry; Specific Behavior
    - Specific Behavior alert showing correct ATT&CK Technique (Process Injection)
    - Alert showing correct ATT&CK Technique (Process Injection) within process tree
    - Telemetry showing cross process events, specifically a new thread and open handle into lsass.exe
  CounterTack (87): Specific Behavior-Tainted; General Behavior
    - Specific Behavior alert showing process hijacking detection for lsass.exe thread create (tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts)
    - General Behavior alert showing DDNA Scan for svchost.exe
    - General Behavior alert details on DDNA Scan for svchost.exe, including that it appears to inject code into another process
  CrowdStrike (15): Enrichment
    - Enrichment showing ReflectiveDllOpenLsass, ProcessHollowingDetected, and LsassInjectedCode events
  Cybereason (60): Specific Behavior
    - Specific Behavior alert for svchost.exe injecting into lsass.exe, labeled as Malicious Code Injection
    - Details of Specific Behavior alert for svchost.exe process injection into lsass.exe with correct ATT&CK Tactic (Defense Evasion, Privilege Escalation) and Technique (Process Injection)
    - Data within alert showing loaded hashdumpx64.dll as floating executable code
  Endgame (67): Telemetry-Tainted; Specific Behavior
    - Telemetry showing process injection into lsass.exe (tainted by parent Process Injection alert)
    - Specific Behavior alert mapped to the correct ATT&CK Technique (Process Injection)
  F-Secure (15): Enrichment
    - Enrichment of svchost.exe injecting a thread into lsass.exe with a tag identifying thread injection
  FireEye (0): None
  McAfee (0): None
  Microsoft (64): Telemetry-Tainted; Specific Behavior-Delayed
    - Alert on prior credential dump tainting svchost.exe process (process with syringe indicating process injection) that was used to access lsass.exe
    - Telemetry showing svchost.exe accessing and extracting credentials from lsass.exe
    - Specific Behavior alert for process injection into lsass.exe (inner failure message in screenshot not relevant to tested functionality)
  PaloAltoNetworks (7): Telemetry-Tainted
    - Telemetry showing a code injection into lsass.exe (tainted by a parent process injection alert on cmd.exe)
  RSA (0): None
  SentinelOne (7): Telemetry-Tainted
    - Telemetry showing powershell.exe invoking a remote thread into lsass.exe (Group ID tainted this event but was not shown in this view)
Technique: Remote System Discovery (Discovery, T1018)
Columns: Step, Procedures, CarbonBlack, CounterTack, CrowdStrike, Cybereason, Endgame, F-Secure, FireEye, McAfee, Microsoft, PaloAltoNetworks, RSA, SentinelOne
Step 13.A.1 - Empire: 'net group "Domain Computers" /domain' via PowerShell
  CarbonBlack (25): Telemetry; Enrichment
    - Enrichment of net.exe with related ATT&CK Technique (Account Discovery)
    - Telemetry showing process tree with net.exe and command-line arguments
  CounterTack (9): Enrichment-Tainted-Configuration Change
    - Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent Script File Created alert)
  CrowdStrike (46): Telemetry-Tainted; Enrichment-Tainted; General Behavior-Delayed
    - Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted by previous powershell.exe detection by red line indicating high severity)
    - Telemetry from process tree showing net.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
    - Email excerpt from the OverWatch team indicating net group was part of additional malicious discovery activity (General Behavior)
  Cybereason (37): General Behavior-Tainted; Telemetry
    - General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Remote System Discovery) and Technique (Discovery)
    - Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)
  Endgame (16): Telemetry-Tainted; Enrichment-Delayed-Tainted
    - Telemetry from event tree showing net.exe with command-line arguments (tainted by parent alert)
    - Enriched event tree showing enrichment of net.exe with related ATT&CK Technique (T1069 - Permission Groups Discovery) and correct Tactic (Discovery) (tainted by parent alert)
  F-Secure (40): Telemetry; General Behavior
    - General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
    - Telemetry showing powershell.exe executing net.exe with command-line arguments
  FireEye (42): Enrichment; General Behavior-Delayed
    - Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1018 - Remote System Discovery, and Tactic, Discovery)
    - Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
  McAfee (22): Telemetry-Tainted; Enrichment
    - Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information of domain computers and controllers
    - Telemetry showed powershell.exe executing net.exe (tainted by parent alert on wscript.exe)
  Microsoft (34): Telemetry-Tainted; General Behavior-Delayed
    - Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments
    - Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)
    - Telemetry showing execution of net.exe with command-line arguments
  PaloAltoNetworks (19): Telemetry-Tainted; Enrichment-Tainted
    - Enrichment of the execution of net.exe and net1.exe as an enumeration command (tainted by a parent alert on wscript.exe)
    - Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)
  RSA (10): Telemetry
    - Telemetry showing execution of net.exe and command-line arguments
  SentinelOne (7): Telemetry-Tainted
    - Telemetry showing execution of net.exe and command-line arguments (tainted Group ID not shown but was the search parameter)
Step 4.A.1 - Cobalt Strike: 'net group "Domain Controllers" /domain' via cmd
  CarbonBlack (25): Telemetry; Enrichment
    - Enrichment of net.exe with related ATT&CK technique (Account Discovery)
    - Telemetry from process tree showing net.exe with command-line arguments
  CounterTack (9): Enrichment-Tainted-Configuration Change
    - Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)
  CrowdStrike (79): Enrichment; Telemetry; General Behavior-Delayed; General Behavior-Delayed
    - OverWatch General Behavior alert for net group
    - Additional process tree view showing net.exe enrichment
    - Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery)
    - Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior)
  Cybereason (37): General Behavior-Tainted; Telemetry
    - Telemetry showing net.exe executing with command-line arguments
    - General Behavior alert for net.exe executing as part of a suspicious execution chain
    - Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert)
  Endgame (22): Telemetry; Enrichment-Delayed
    - Enriched event tree showing enrichment of net with related ATT&CK Technique (T1069 - Permission Groups Discovery) and correct Tactic (Discovery)
    - Telemetry from event tree showing net with command-line arguments
  F-Secure (25): Enrichment; Telemetry
    - Telemetry showing net.exe with command-line arguments
    - Enrichment of net.exe indicating that it was run with commands commonly used for reconnaissance
  FireEye (42): Enrichment; General Behavior-Delayed
    - Excerpt from the Managed Defense Report indicating net group was a reconnaissance command (General Behavior)
    - Excerpt from the Managed Defense Report with additional details about net group
    - Enrichment of net.exe with Net Group Command Execution alert (tagged with related ATT&CK Technique, T1069 - Permission Groups Discovery, and correct Tactic, Discovery)
  McAfee (22): Telemetry-Tainted; Enrichment
    - Enrichment of net.exe with the correct Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information about domain computers and controllers
    - Process tree within trace detection showing cmd.exe executing net.exe (tainted by a parent alert on cmd.exe)
  Microsoft (7): Telemetry-Tainted
    - Telemetry showing execution sequence for net.exe with command-line arguments
    - Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific net.exe command not shown)
  PaloAltoNetworks (55): Telemetry; Enrichment; Enrichment; Enrichment
    - Telemetry showing cmd.exe executing net with command-line arguments
    - Enrichment of the execution of net.exe as the execution of an enumeration command using net or net1
    - Enrichment of the execution of net.exe as the execution of an enumeration command
    - Enrichment of cmd.exe executing net with a related ATT&CK Technique (System Network Connections Discovery)
  RSA (10): Telemetry
    - Telemetry showing net.exe with command-line arguments
  SentinelOne (7): Telemetry-Tainted
    - Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)
Step 4.A.2 - Cobalt Strike: 'net group "Domain Computers" /domain' via cmd
  CarbonBlack (25): Telemetry; Enrichment
    - Telemetry from process tree showing net.exe with command-line arguments
    - Enrichment of net.exe with related ATT&CK technique (Account Discovery)
  CounterTack (9): Enrichment-Tainted-Configuration Change
    - Enrichment of net.exe with condition Net Group Reconnaissance Command (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)
  CrowdStrike (79): Enrichment; Telemetry; General Behavior-Delayed; General Behavior-Delayed
    - Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery)
    - Additional process tree view showing net.exe enrichment
    - OverWatch General Behavior alert for net group
    - Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior)
  Cybereason (37): General Behavior-Tainted; Telemetry
    - Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert)
    - Telemetry showing net.exe executing with command-line arguments
    - General Behavior alert for net.exe executing as part of a suspicious execution chain
  Endgame (22): Telemetry; Enrichment-Delayed
    - Enriched event tree showing enrichment of net group command mapped to related ATT&CK Technique (T1069 - Permission Groups Discovery) and correct Tactic (Discovery)
    - Telemetry from event tree showing net with command-line arguments
  F-Secure (25): Enrichment; Telemetry
    - Telemetry showing net.exe with command-line arguments
    - Enrichment of net.exe indicating that it was run with commands commonly used for reconnaissance
  FireEye (42): Enrichment; General Behavior-Delayed
    - Excerpt from the Managed Defense Report with additional details about net group
    - Enrichment of net.exe with Net Group Command Execution alert (tagged with related ATT&CK Technique, T1069 - Permission Groups Discovery, and correct Tactic, Discovery)
    - Excerpt from the Managed Defense Report indicating net group was a reconnaissance command (General Behavior)
  McAfee (22): Telemetry-Tainted; Enrichment
    - Enrichment of net.exe with the correct Tactic (Discovery) and Technique (Remote System Discovery) and a suspicious indicator that the net utility obtained information about domain computers and controllers
    - Process tree within trace detection showing cmd.exe executing net.exe (tainted by a parent alert on cmd.exe)
  Microsoft (7): Telemetry-Tainted
    - Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific net.exe command not shown)
    - Telemetry showing execution sequence for net.exe with command-line arguments
  PaloAltoNetworks (25): Telemetry; Enrichment
    - Enrichment of the execution of net.exe as the execution of an enumeration command using net or net1
    - Telemetry showing cmd.exe executing net with command-line arguments
  RSA (10): Telemetry
    - Telemetry showing net.exe with command-line arguments
  SentinelOne (7): Telemetry-Tainted
    - Event tree showing net.exe (tainted by launch from process lineage previously identified as malicious)
    - Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)
Technique: Standard Application Layer Protocol (Command and Control, T1071)
Columns: Step, Procedures, CarbonBlack, CounterTack, CrowdStrike, Cybereason, Endgame, F-Secure, FireEye, McAfee, Microsoft, PaloAltoNetworks, RSA, SentinelOne
Step 6.B.1 - Cobalt Strike: C2 channel modified to use HTTP traffic to freegoogleadsenseinfo.com
  CarbonBlack (10): Telemetry
    - Telemetry showing network connection over TCP port 80 to the C2 domain (could be used in conjunction with modload to determine protocol)
    - Telemetry showing modloads with winhttp.dll loaded
  CounterTack (10): Telemetry
    - Telemetry showing outbound C2 traffic over HTTP to www.freegoogleadsense.info (C2 domain)
  CrowdStrike (0): None
  Cybereason (12): Enrichment-Tainted
    - Enrichment of rundll32.exe making an unusual network connection over the "HTTP Port" with the correct ATT&CK Tactic (Command and Control) and the Technique (Standard Application Layer Protocol) (tainted by a parent Injected Shellcode alert)
    - Enrichment of rundll32.exe showing connection over port 80 and the amount of transmitted/received bytes (tainted by a parent Injected Shellcode alert)
    - Enrichment of rundll32.exe showing winhttp.dll module loaded (tainted by a parent Injected Shellcode alert)
  Endgame (0): None
  F-Secure (10): Telemetry
    - Telemetry showing rundll32 making HTTP connections
  FireEye (37): Telemetry; General Behavior-Delayed
    - Excerpt from the Managed Defense Report identifying C2 traffic communicating over HTTP to www.freegoogleadsenseinfo.com (C2 domain) (General Behavior)
    - Telemetry showing HTTP GET requests to 192.168.0.4 (C2 server)
  McAfee (10): Telemetry
    - Telemetry showing TCP port 80 connections to freegoogleadsenseinfo.com (C2 domain)
    - Telemetry showing that the winhttp.dll module was loaded into the process (PID 6276) that made the network connection
  Microsoft (0): None
  PaloAltoNetworks (10): Telemetry
    - Telemetry showing port 80 command and control traffic as well as the loading of winhttp.dll
  RSA (0): None
  SentinelOne (0): None
Step 1.C.1 - Cobalt Strike: C2 channel established using DNS traffic to freegoogleadsenseinfo.com
  CarbonBlack (0): None
  CounterTack (10): Telemetry
    - Telemetry showing DNS queries to freegoogleadsenseinfo.com (C2 domain) from svchost.exe
  CrowdStrike (154): Specific Behavior; General Behavior-Delayed; Telemetry; Specific Behavior-Delayed
    - Email excerpt from the OverWatch team indicating they observed suspected command and control or data exfiltration via DNS (Specific Behavior)
    - Telemetry showing DNS requests
    - Specific Behavior alert showing abnormally large DNS requests (mapped to related ATT&CK Technique, Exfiltration Over Alternative Protocol, and Tactic, Exfiltration) and OverWatch General Behavior alert indicating that traffic was suspicious
  Cybereason (7): Telemetry-Tainted
    - Telemetry showing rundll32.exe making DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected Shellcode alert)
    - Process tree showing rundll32.exe making DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected Shellcode alert)
  Endgame (7): Telemetry-Tainted
    - Telemetry showing DNS connections
    - Telemetry showing DNS requests from rundll32.exe (tainted by parent Malicious File Detection alert)
  F-Secure (10): Telemetry
    - Telemetry showing rundll32 making DNS queries
  FireEye (77): Indicator of Compromise; Specific Behavior-Delayed
    - Indicator of Compromise alert for DNS lookups (tagged with correct ATT&CK Technique, T1071 - Standard Application Layer Protocol, and Tactic, Command and Control)
    - Excerpt from the Managed Defense Report indicating command and control occurred via DNS (Specific Behavior)
  McAfee (0): None
  Microsoft (7): Telemetry-Configuration Change
    - Telemetry showing DNS requests to the C2 domain (custom query)
  PaloAltoNetworks (0): None
  RSA (0): None
  SentinelOne (7): Telemetry-Tainted
    - Telemetry showing DNS requests to the C2 domain (tainted by relationship to threat story)
Step 14.A.1 - Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over HTTP
  CarbonBlack (0): None
  CounterTack (7): Telemetry-Tainted
    - Telemetry showing port 8080 HTTP GET request to C2 domain for file wdbypass (tainted by the parent "Powershell executed encoded commands" alert)
  CrowdStrike (0): None
    - Decoded PowerShell (outside of capability) showing download request over HTTP (does not count as a detection)
    - Telemetry showing encoded PowerShell command that decodes to show HTTP traffic (does not count as a detection)
  Cybereason (57): Specific Behavior-Tainted
    - Specific Behavior alert showing decoded PowerShell with download request of wdbypass over HTTP port 8080
    - Specific Behavior alert for powershell.exe mapped to the correct ATT&CK Tactic (Command and Control) and Technique (Standard Application Layer Protocol) (tainted by a parent PowerShell alert)
  Endgame (10): Telemetry
    - Telemetry showing decoded PowerShell with download request of wdbypass over port 8080
  F-Secure (10): Telemetry
    - Telemetry showing powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass
  FireEye (15): Enrichment
    - Enrichment of HTTP GET request with PowerShell URL Request alert (tagged with correct ATT&CK Technique, T1071 - Standard Application Layer Protocol, and Tactic, Command and Control)
  McAfee (0): None
    - Telemetry showing encoded PowerShell command that could be decoded outside the capability (does not count as a detection)
  Microsoft (7): Telemetry-Tainted
    - Telemetry showing decoded PowerShell script with download HTTP request of wdbypass over port 8080 and tainted relationship to alert on suspicious PowerShell command-line arguments
  PaloAltoNetworks (0): None
    - Telemetry showing decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability)
  RSA (0): None
    - Telemetry showing decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability)
  SentinelOne (0): None
Step 11.B.1 - Empire: C2 channel established using HTTPS traffic to freegoogleadsenseinfo.com
  CarbonBlack (10): Telemetry
    - Telemetry showing modloads and certificate check
  CounterTack (0): None
    - Telemetry showing powershell.exe making a network connection over TCP port 443 (does not count as a detection)
  CrowdStrike (0): None
    - Telemetry showing powershell.exe making a network connection over port 443 (does not count as a detection)
  Cybereason (7): Telemetry-Tainted
    - Telemetry showing powershell.exe making outgoing connection to 192.168.0.5 tagged with SERVICE_HTTP (Hypertext Transfer Protocol Over TLS/SSL (HTTPS)) (does not count as a detection)
    - Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert)
  Endgame (7): Telemetry-Tainted
    - Telemetry showing decoded powershell.exe command-line arguments (tainted by parent alert)
    - Telemetry showing connection to letsencrypt.org
  F-Secure (10): Telemetry
    - An alert for PowerShell downloading a significant amount of data using HTTP(S) (does not count as a detection since it was based on port)
    - Telemetry showing a network connection over TCP port 443 to www.freegoogleadsenseinfo.com (C2 domain)
  FireEye (27): General Behavior-Delayed
    - Excerpt from the Managed Defense Report indicating Empire was configured to communicate over HTTPS (General Behavior)
  McAfee (0): None
    - Alert indicating that powershell.exe queried registered cryptographic provider libraries (does not count as a detection)
    - Telemetry showing powershell.exe making a network connection over port 443 (does not count as a detection)
  Microsoft (24): Telemetry-Tainted; Indicator of Compromise-Configuration Change
    - Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over an encrypted channel
    - Alert for C2 domain indicator of compromise
    - Telemetry within alert showing decoded command-line arguments containing HTTPS
  PaloAltoNetworks (0): None
  RSA (10): Telemetry
    - Telemetry showing network connections, including over port 443
  SentinelOne (0): None
    - Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (does not count as a detection)
Technique: Network Share Discovery (Discovery, T1135)
Columns: Step, Procedures, CarbonBlack, CounterTack, CrowdStrike, Cybereason, Endgame, F-Secure, FireEye, McAfee, Microsoft, PaloAltoNetworks, RSA, SentinelOne
Step 12.E.1.9.2 - Empire: WinEnum module included enumeration of mapped network drives
  CarbonBlack (0): None
  CounterTack (0): None
  CrowdStrike (0): None
  Cybereason (0): None
  Endgame (0): None
    - Interactive Shell events showing the WinEnum script and the Mapped Network Drives function (does not count as a detection due to manual process of pulling events)
  F-Secure (10): Telemetry
    - Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
  FireEye (0): None
  McAfee (0): None
  Microsoft (0): None
  PaloAltoNetworks (15): Enrichment
    - Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery)
  RSA (0): None
  SentinelOne (7): Telemetry-Tainted
    - Additional telemetry showing powershell.exe WMI queries for logical disk information
    - Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter)
Step 12.E.1.9.1 - Empire: WinEnum module included enumeration of available shares
  CarbonBlack (0): None
  CounterTack (0): None
  CrowdStrike (0): None
  Cybereason (0): None
  Endgame (0): None
    - Interactive Shell events showing the WinEnum script and the Available Shares function (does not count as a detection due to manual process of pulling events)
  F-Secure (10): Telemetry
    - Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
  FireEye (0): None
  McAfee (0): None
  Microsoft (0): None
  PaloAltoNetworks (15): Enrichment
    - Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Discovery)
  RSA (0): None
  SentinelOne (0): None
Technique: Data Encoding (Command and Control, T1132)
Columns: Step, Procedures, CarbonBlack, CounterTack, CrowdStrike, Cybereason, Endgame, F-Secure, FireEye, McAfee, Microsoft, PaloAltoNetworks, RSA, SentinelOne
Step 1.C.1 - Cobalt Strike: C2 channel established using both NetBIOS and base64 encoding
  CarbonBlack (0): None
  CounterTack (0): None
  CrowdStrike (7): Telemetry-Tainted
    - Telemetry within an alert showing encoded DNS requests (tainted by parent Exfiltration alert)
  Cybereason (7): Telemetry-Tainted
    - Telemetry showing rundll32.exe making encoded DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected Shellcode alert)
    - Process tree showing rundll32.exe making encoded DNS queries to freegoogleadsenseinfo.com (C2 Domain) (tainted by parent Injected Shellcode alert)
  Endgame (0): None
  F-Secure (10): Telemetry
    - Telemetry showing rundll32 making encoded DNS queries
  FireEye (7): Telemetry-Tainted
    - Telemetry showing encoded DNS requests (tainted by parent Cobalt Strike DNS Beacon alert)
  McAfee (0): None
  Microsoft (0): None
  PaloAltoNetworks (0): None
  RSA (0): None
  SentinelOne (7): Telemetry-Tainted
    - Telemetry showing stream of DNS requests with encoded data
    - Telemetry showing DNS query for freegoogleadsenseinfo.com (C2 domain) (tainted by relationship to threat story)
Technique: Remote Desktop Protocol (Lateral Movement, T1076)
Columns: Step, Procedures, CarbonBlack, CounterTack, CrowdStrike, Cybereason, Endgame, F-Secure, FireEye, McAfee, Microsoft, PaloAltoNetworks, RSA, SentinelOne
Step 20.A.1 - RDP connection made to Creeper (10.0.0.4) as part of execution of persistence mechanism
  CarbonBlack (0): None
  CounterTack (10): Telemetry
    - Telemetry showing connection to Creeper (10.0.0.4) on port 3389
  CrowdStrike (10): Telemetry
    - Telemetry showing logon type 10 (remote interactive logon) for Kmitnick on Creeper
  Cybereason (25): Enrichment; Telemetry
    - Telemetry of connection to port 3389 on Creeper (10.0.0.4)
    - Enrichment of RDP connection to Creeper (10.0.0.4) identified as using RDP Port and related ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port, Standard Application Layer Protocol)
  Endgame (10): Telemetry
    - Telemetry showing connection to Creeper (10.0.0.4) on port 3389
  F-Secure (15): Enrichment
    - Enrichment of a Remote Desktop connection indicating a successful login to Remote Desktop Services
  FireEye (72): Enrichment; Specific Behavior-Delayed
    - Enrichment of TCP port 3389 connection with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - Remote Desktop Protocol, and Tactic, Lateral Movement)
    - Excerpt from the Managed Defense Report indicating Remote Desktop Protocol was used to connect to Creeper (Specific Behavior)
  McAfee (0): None
  Microsoft (10): Telemetry
    - Telemetry showing svchost.exe starting terminal service session on Creeper from CodeRed (10.0.1.5)
    - Telemetry showing Kmitnick RDP logon from CodeRed to Creeper
  PaloAltoNetworks (10): Telemetry
    - Telemetry showing an inbound connection to Creeper (10.0.0.4) on port 3389
  RSA (0): None
  SentinelOne (0): None
Step 6.C.1 - Cobalt Strike: C2 channel modified to proxy RDP connection to Conficker (10.0.0.5)
  CarbonBlack (25): Telemetry; Enrichment
    - Telemetry showing rdpclip.exe running
    - Telemetry showing network connection over TCP port 3389 to 10.0.0.5 (Conficker)
    - Enrichment of rdpclip.exe events with correct ATT&CK Technique (Remote Desktop Protocol)
  CounterTack (19): Enrichment-Tainted-Configuration Change; Telemetry
    - Enrichment of outbound TCP port 3389 (RDP) connection with Lateral Movement and Remote Share Access (tainted by parent "Windows command prompt invoked" alert)
    - Telemetry showing inbound TCP port 3389 connection to 10.0.0.5 (Conficker)
  CrowdStrike (37): Telemetry; General Behavior-Delayed
    - Telemetry showing logon type 10 (interactive remote login) as user George@shockwave on 10.0.0.5 (Conficker)
    - Telemetry showing a network connection to 10.0.0.5 (Conficker) over TCP port 3389
    - Email excerpt from the OverWatch team indicating suspicious communications over 3389 (RDP) were observed (General Behavior)
  Cybereason (7): Telemetry-Tainted
    - Telemetry showing cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) (tainted by a parent Injected Shellcode alert, listed as Owner process)
    - Telemetry showing cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) with Remote Interactive Logon Type
    - Telemetry showing rdpclip.exe executing on 10.0.0.5 (Conficker)
  Endgame (7): Telemetry-Tainted
    - Telemetry showing Type 10 (interactive remote) login event by user George on Conficker
    - Event tree view of telemetry showing port 3389 connection to 10.0.0.5 (Conficker) (tainted by parent Process Injection alert)
  F-Secure (10): Telemetry
    - Telemetry showing rundll32.exe making network connections to 10.0.0.5 (Conficker) over port 3389
  FireEye (15): Enrichment
    - Enrichment of RDP connection from rundll32.exe with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - Remote Desktop Protocol, and Tactic, Lateral Movement)
  McAfee (25): Telemetry; Enrichment
    - Telemetry showing a connection to 10.0.0.5 (Conficker) over TCP port 3389
    - Enrichment of rundll32.exe (the process that made the network connection) with the correct ATT&CK Tactic (Lateral Movement) and the Technique (Remote Desktop Protocol)
  Microsoft (10): Telemetry
    - Graph showing movement from Debbie account to George
    - Telemetry showing execution sequence for cmd.exe connection over RDP to 10.0.0.5 (Conficker)
    - Telemetry showing user logon activity on 10.0.0.5 (Conficker) showing George with a logon type 10 RemoteInteractive logon event
    - Telemetry showing execution sequence on 10.0.0.5 (Conficker) showing George logon
  PaloAltoNetworks (34): Telemetry-Tainted; General Behavior-Tainted
    - Telemetry showed cmd.exe establishing an outbound RDP connection over port 3389 to 10.0.0.5 (Conficker) (tainted by a parent process injection alert on cmd.exe)
    - General Behavior alert for an unexpected process using the RDP port (tainted by a parent process injection alert on cmd.exe)
  RSA (10): Telemetry
    - Telemetry showing cmd.exe connecting over port 3389 (RDP) to 10.0.0.5 (Conficker)
  SentinelOne (7): Telemetry-Tainted
    - Telemetry showing port 3389 connection (tainted by relationship to threat story shown in Group ID)
Step 10.B.1 - RDP connection made to Conficker (10.0.0.5) as part of execution of persistence mechanism
  CarbonBlack (25): Telemetry; Enrichment
    - Enrichment of rdpclip.exe with correct ATT&CK Technique (Remote Desktop Protocol)
    - Telemetry from process tree showing rdpclip.exe running as user Jesse
  CounterTack (9): Enrichment-Tainted-Configuration Change
    - Enrichment of TCP port 3389 (RDP) connection to 10.0.0.5 (Conficker) with conditions Lateral Movement and Remote Share Access (tainted by the parent "Windows command prompt invoked" alert)
  CrowdStrike (37): Telemetry; General Behavior-Delayed
    - Telemetry showing user logon by Jesse to Conficker with type 10 (interactive logon)
    - Telemetry showing logged-on user activity, including the use of rdpclip.exe
    - Email excerpt from the OverWatch team indicating suspicious communications over 3389 (RDP) were observed (General Behavior)
  Cybereason (7): Telemetry-Tainted
    - Telemetry showing rundll32.exe process used to proxy connection over port 3389 from Nimda (10.0.1.6) to Conficker (10.0.0.5) (tainted by a parent Injected Shellcode alert)
    - Telemetry of logon session for Jesse from Nimda (10.0.1.6) to Conficker (10.0.0.5) with Remote Interactive Logon Type
    - Telemetry showing a TCP port 3389 connection to Conficker (10.0.0.5)
  Endgame (10): Telemetry
    - Telemetry showing remote connections over port 3389 to 10.0.0.5 (Conficker)
    - Telemetry showing Type 10 (interactive) logon for Jesse
  F-Secure (10): Telemetry
    - Telemetry showing a RemoteInteractive connection over port 3389 to Conficker (10.0.0.5)
  FireEye (82): Enrichment; Telemetry; Specific Behavior-Delayed
    - Telemetry showing Logon Type 10 (interactive) event for Jesse logging on to Conficker
    - Excerpt from Managed Defense Report indicating account Jesse was used to logon via Remote Desktop Protocol (Specific Behavior)
    - Enrichment of port 3389 connection with RDP Network Connection alert (tagged with correct ATT&CK Technique, T1076 - Remote Desktop Protocol, and Tactic, Lateral Movement)
  McAfee (22): Telemetry-Tainted; Enrichment
    - Enrichment of the rundll32.exe that made the network connection with the correct ATT&CK Tactic (Lateral Movement) and Technique (Remote Desktop Protocol)
    - Telemetry showing a connection over port 3389 to Conficker (10.0.0.5) (tainted by parent alert on rundll32.exe)
    - Telemetry showing a remote interactive logon for Jesse to Conficker (10.0.0.5)
  Microsoft (10): Telemetry
    - Telemetry showing successful port 3389 connection to Conficker (10.0.0.5)
  PaloAltoNetworks (25): Telemetry; Enrichment
    - Enrichment of the network connection over port 3389 with the correct ATT&CK Technique (Remote Desktop Protocol)
    - Telemetry showed a successful incoming connection to Conficker (10.0.0.5) over port 3389
  RSA (0): None
  SentinelOne (7): Telemetry-Tainted
    - Threat group identified as malicious, including rundll32.exe (PID 184) proxying the port 3389 connection (port 3389 connection not specifically shown in this view, but it identifies the rundll32.exe process tainting the connection by Group ID)
    - Telemetry showing connection over port 3389 to 10.0.0.5 (Conficker)
Technique: Scheduled Task (Execution, Persistence, Privilege Escalation; T1053)
Columns: Step, Procedures, CarbonBlack, CounterTack, CrowdStrike, Cybereason, Endgame, F-Secure, FireEye, McAfee, Microsoft, PaloAltoNetworks, RSA, SentinelOne
Step 10.A.2 - Scheduled task executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (updater.dll) using Rundll32
  CarbonBlack (10): Telemetry
    - Telemetry from process tree showing updater.dll executed by rundll32.exe
    - Telemetry from process tree showing svchost.exe parent of rundll32.exe process running with "-k netsvcs -p -s Schedule" arguments
  CounterTack (7): Telemetry-Tainted
    - Telemetry showing svchost.exe executing rundll32.exe (tainted by parent "Sponsor process started V2" alert)
  CrowdStrike (7): Telemetry-Tainted
    - Telemetry showing rundll32.exe executing updater.dll (tainted by the parent OverWatch alert)
  Cybereason (7): Telemetry-Tainted
    - Telemetry showing rundll32.exe executing update.dat (tainted by a parent Injected Shellcode alert)
    - Parent alert for Injected shellcode into rundll32.exe
  Endgame (7): Telemetry-Tainted
    - Telemetry showing rundll32.exe executing updater.dll (tainted by Malicious File Detection alert)
    - Telemetry showing rundll32.exe executing updater.dll (tainted by Process Injection alert)
  F-Secure (10): Telemetry
    - Telemetry showing rundll32 starting updater.dll, tainted by an "abnormal rundll32 launch" alert
  FireEye (64): Telemetry-Tainted; Specific Behavior-Delayed
    - Excerpt from Managed Defense Report indicating the Resume Viewer Update Checker scheduled task executed updater.dll with rundll32.exe (Specific Behavior)
    - Parent Rundll32 Execution alert that tainted updater.dll telemetry (tagged with related ATT&CK Technique, T1085 - Rundll32, and Tactic, Defense Evasion, Execution; does not include specific Scheduled Task information)
    - Telemetry showing rundll32.exe executing updater.dll
  McAfee (10): Telemetry
    - Telemetry showing rundll32.exe executing updater.dll with a parent of svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule"
  Microsoft (10): Telemetry
    - Telemetry showing execution sequence for svchost.exe parent of rundll32.exe process running with "-k netsvcs -p -s Schedule" arguments
  PaloAltoNetworks (10): Telemetry
    - Telemetry showing rundll32.exe executing updater.dll
    - Telemetry showing svchost.exe running with command-line arguments "-k netsvcs -p -s Schedule"
  RSA (10): Telemetry
    - Telemetry showing rundll32.exe executing updater.dll
  SentinelOne (10): Telemetry
    - Telemetry showing rundll32.exe executing updater.dll
    - Group ID query showing both autoupdate.bat and updater.dll persistence execution
Step 7.C.1 (Cobalt Strike): 'schtasks' via cmd to create a scheduled task that executes a DLL payload (updater.dll)
  CarbonBlack: Telemetry, Specific Behavior (score 70)
    - Specific Behavior alert mapped to the correct ATT&CK Technique (T1053 - Scheduled Task)
    - Telemetry showing the process tree containing schtasks.exe and the full task-creation command line
  CounterTack: Specific Behavior, Telemetry (score 70)
    - Specific Behavior alert on "Schtasks with create command" for schtasks.exe run from cmd.exe
  CrowdStrike: Telemetry, General Behavior-Delayed-Tainted, Specific Behavior-Delayed (score 91)
    - Email excerpt from the OverWatch team indicating they observed a scheduled task establishing persistence (Specific Behavior)
    - Telemetry showing creation of the scheduled task
    - General Behavior alert from OverWatch indicating the scheduled task creation was suspicious (tainted by the previous cmd.exe detection, shown by an orange line indicating medium severity)
  Cybereason: Enrichment, Telemetry (score 25)
    - Telemetry showing the Resume Viewer Update Checker scheduled task
    - Enrichment of schtasks.exe with the correct ATT&CK Tactic (Persistence)
  Endgame: Enrichment, Telemetry-Tainted, Enrichment-Delayed-Tainted, Specific Behavior-Tainted (score 88)
    - Specific Behavior alert for scheduled task creation mapped to the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence) (tainted by the parent Malicious File Detection alert)
    - Enriched event tree showing enrichment of the scheduled task with the correct ATT&CK Technique (T1053 - Scheduled Task) and Tactic (Persistence) (tainted by the parent Malicious File Detection; the tree is initially available unenriched to show the base telemetry)
    - Enrichment of the scheduled task from a persistence hunt
  F-Secure: Telemetry (score 10)
    - Telemetry showing schtasks.exe with command-line arguments scheduling a task for persistence
  FireEye: Enrichment, Specific Behavior-Delayed (score 72)
    - Excerpt from the Managed Defense Report indicating updater.dll persisted through a scheduled task (Specific Behavior)
    - Excerpt from the Managed Defense Report with additional details about the scheduled task
    - Enrichment of schtasks.exe with a Scheduled Task Activity alert (tagged with the correct ATT&CK Technique, T1053 - Scheduled Task, and Tactics Execution, Persistence and Privilege Escalation)
  McAfee: Telemetry-Tainted, Specific Behavior (score 67)
    - Specific Behavior alert for a task being created that runs an executable (via rundll32) under system rights at Windows logon, tagged with the correct ATT&CK Tactics (Execution, Persistence, Privilege Escalation) and Technique (Scheduled Task)
    - Telemetry showing cmd.exe creating the "Resume Viewer Update Checker" scheduled task via schtasks.exe (tainted by a trace detection on cmd.exe)
  Microsoft: Telemetry, Specific Behavior-Delayed (score 67)
    - Telemetry showing schtasks.exe with command-line arguments scheduling a task for persistence
    - Alert for a low-reputation DLL persisting through rundll32.exe as a scheduled task
  PaloAltoNetworks: Telemetry-Tainted, Specific Behavior-Tainted, Specific Behavior-Tainted, Enrichment (score 136)
    - Enrichment of schtasks.exe creating the Resume Viewer Update Checker scheduled task with the correct ATT&CK Technique (Scheduled Task)
    - Telemetry showing schtasks.exe creating the scheduled task (tainted by a parent process injection alert on cmd.exe)
    - Specific Behavior alert for a commonly abused host process scheduling a task (tainted by a parent process injection alert on cmd.exe)
    - Specific Behavior alert for the creation of a new scheduled task (tainted by a parent process injection alert on cmd.exe)
  RSA: Telemetry (score 10)
    - Telemetry showing schtasks.exe and its command-line arguments
  SentinelOne: Telemetry-Tainted (score 7)
    - Telemetry showing schtasks.exe and associated command-line arguments (tainted by relationship to the threat story)
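Most cells in the scheduled-task rows above are one of two things: a rule that fires on the schtasks.exe creation command (Specific Behavior) or plain process telemetry for the task later firing under the Schedule service, and almost every vendor marks the event "Tainted" because an ancestor process already carried an alert. The script below, an added example that is not code from this post or from any of the vendors, implements both rules and the taint walk over a hand-constructed process tree shaped like the procedure (task name, rundll32.exe, updater.dll, svchost.exe -s Schedule); the pids, the DLL path under the user profile and the "Process Injection" alert on the beacon host process are assumptions.

```python
"""Added example (not code from the blog post or from any of the vendors):
detection logic for the scheduled-task procedure in the table (7.C.1) and
the table's "tainted" relationship. The process events below are
constructed by hand; pids, the user-writable DLL path and the alert
names on ancestor processes are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                        # lower-case image name, e.g. "schtasks.exe"
    cmdline: str
    alerts: List[str] = field(default_factory=list)  # alerts raised directly on this process


_TR = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)   # schtasks /tr "<action>" or /tr <action>
_SCHEDULE_SVC = re.compile(r"-s\s+Schedule\b", re.IGNORECASE)


def schtasks_rundll32_creation(ev: ProcEvent, _by_pid) -> Optional[Tuple[str, str]]:
    """Specific Behavior: schtasks.exe /create whose action runs a DLL via rundll32."""
    if ev.image != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    m = _TR.search(ev.cmdline)
    action = (m.group(1) or m.group(2)) if m else ""
    if "rundll32" in action.lower() and ".dll" in action.lower():
        return ("Specific Behavior", f"schtasks /create with rundll32 DLL action: {action}")
    return None


def rundll32_from_task_scheduler(ev: ProcEvent, by_pid) -> Optional[Tuple[str, str]]:
    """Telemetry: rundll32.exe loading a DLL, spawned by the Task Scheduler
    service host (svchost.exe -k netsvcs -p -s Schedule), i.e. the task firing."""
    if ev.image != "rundll32.exe" or ".dll" not in ev.cmdline.lower():
        return None
    parent = by_pid.get(ev.ppid)
    if parent is None or parent.image != "svchost.exe" or not _SCHEDULE_SVC.search(parent.cmdline):
        return None
    return ("Telemetry", f"rundll32.exe started by the Schedule service: {ev.cmdline}")


def tainted_by(ev: ProcEvent, by_pid) -> List[str]:
    """Walk the ancestor chain; any alert on an ancestor 'taints' this event,
    which is what the table's -Tainted suffix records."""
    out, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        out.extend(f"{cur.image}: {a}" for a in cur.alerts)
        cur = by_pid.get(cur.ppid)
    return out


RULES = (schtasks_rundll32_creation, rundll32_from_task_scheduler)


def detect(events: List[ProcEvent]) -> Dict[int, dict]:
    """Map pid -> {"category", "reasons", "taint"} for every event a rule matched."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for ev in events:
        hits = [h for h in (rule(ev, by_pid) for rule in RULES) if h]
        if not hits:
            continue
        category = "Specific Behavior" if any(c == "Specific Behavior" for c, _ in hits) else "Telemetry"
        taint = tainted_by(ev, by_pid)
        findings[ev.pid] = {"category": category + ("-Tainted" if taint else ""),
                            "reasons": [r for _, r in hits], "taint": taint}
    return findings


# Constructed sample process tree (not real telemetry). The beacon host
# rundll32.exe (pid 200) already carries an assumed "Process Injection" alert.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "rundll32.exe", r"rundll32.exe C:\Users\Debbie\AppData\Local\Temp\stage.dll,Run",
              alerts=["Process Injection"]),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe"),
    ProcEvent(400, 300, "schtasks.exe",
              r'schtasks /create /tn "Resume Viewer Update Checker" /tr "rundll32.exe C:\Users\Debbie\AppData\Local\updater.dll,Start" /sc onlogon /ru SYSTEM'),
    ProcEvent(500, 1, "services.exe", "services.exe"),
    ProcEvent(600, 500, "svchost.exe", "svchost.exe -k netsvcs -p -s Schedule"),
    ProcEvent(700, 600, "rundll32.exe", r"rundll32.exe C:\Users\Debbie\AppData\Local\updater.dll,Start"),
]

if __name__ == "__main__":
    for pid, f in detect(SAMPLE_EVENTS).items():
        print(pid, f["category"], f["reasons"], f["taint"])
```

Run as-is it reports the schtasks.exe event as "Specific Behavior-Tainted" (the taint coming from the injected rundll32.exe two levels up) and the later rundll32.exe under svchost.exe as plain "Telemetry", which is exactly the split the table shows between the creation row and the execution row: the execution has no alerting ancestor, because the Schedule service, not the attacker's process, starts it.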
Technique: Data Staged (Collection, T1074)

Step 18.B.1 (Empire): 'copy' via PowerShell staged a file (Shockwave_network.vsdx) from a network shared drive (Wormshare) on Conficker (10.0.0.5) in the Recycle Bin (C:\$Recycle.Bin) on CodeRed (10.0.1.5)
  CarbonBlack: Telemetry, Specific Behavior (score 70)
    - Specific Behavior alert on the file write of the .vsdx file in the Recycle Bin (showing a red severity score, mapped to the correct ATT&CK Technique, T1074 - Data Staged)
    - Telemetry showing creation of the .vsdx file in the Recycle Bin
  CounterTack: Telemetry-Tainted (score 7)
    - Telemetry showing PowerShell copying the .vsdx file from the network share to the Recycle Bin (tainted by the parent "Powershell executed encoded commands" alert)
  CrowdStrike: Telemetry, Specific Behavior-Delayed (score 67)
    - Email excerpt sent by the OverWatch team indicating they observed the .vsdx file being copied to the Recycle Bin for staging (Specific Behavior)
    - Telemetry showing the .vsdx being written into the Recycle Bin (event_SimpleName of OoxmlFileWritten)
  Cybereason: Telemetry-Tainted (score 7)
    - Telemetry of the file create/write of the .vsdx (tainted by a parent PowerShell alert, listed as Owner process)
  Endgame: Telemetry-Tainted (score 7)
    - Telemetry showing the file creation of the .vsdx file in the Recycle Bin
    - Event tree showing creation of the .vsdx file (tainted by parent alerts on powershell.exe)
  F-Secure: Telemetry (score 10)
    - Telemetry showing the copy of the .vsdx file from the network drive to the Recycle Bin
    - Telemetry showing a file create event for the .vsdx file in the Recycle Bin
  FireEye: Telemetry-Tainted, Specific Behavior (score 67)
    - Specific Behavior alert for File Write to Root of Recycle Bin
    - Additional telemetry showing the file write of the .vsdx with the PowerShell File Write alert
    - Telemetry showing the powershell.exe file write of the .vsdx to the Recycle Bin with the PowerShell File Write alert
  McAfee: Telemetry-Tainted, Specific Behavior (score 67)
    - Specific Behavior alert for PowerShell creating a file in the Recycle Bin, tagged with the correct ATT&CK Tactic (Collection) and Technique (Data Staged)
    - Telemetry showing file creation in the Recycle Bin (tainted by a parent alert on cmd.exe)
  Microsoft: None (score 0)
    - Execution sequence showing PowerShell Copy-Item cmdlet execution (does not count as a detection)
  PaloAltoNetworks: Telemetry-Tainted (score 7)
    - Telemetry showing file read and write events for the .vsdx file from the network shared drive on 10.0.0.5 (Conficker) to the Recycle Bin (tainted by a parent alert on wscript.exe)
  RSA: None (score 0)
  SentinelOne: Telemetry-Tainted (score 7)
    - Exported telemetry of the threat story (which taints the event) showing the .vsdx file copy and write
Technique: Application Window Discovery (Discovery, T1010)

Step 8.C.1 (Cobalt Strike): Keylogging capability included residual enumeration of application windows
  CarbonBlack, CounterTack, CrowdStrike, Cybereason, Endgame, F-Secure, FireEye, McAfee, Microsoft, PaloAltoNetworks, RSA, SentinelOne: None (score 0)

Step 15.A.1 (Empire): Built-in keylogging module included residual enumeration of application windows
  CarbonBlack: None (score 0)
  CounterTack: None (score 0)
  CrowdStrike: Telemetry (score 10)
    - Telemetry showing the decoded PowerShell script containing the API call GetForegroundWindow
  Cybereason: None (score 0)
  Endgame: None (score 0)
  F-Secure: Telemetry (score 10)
    - Telemetry showing powershell.exe executing the GetForegroundWindow method
  FireEye: None (score 0)
  McAfee: None (score 0)
  Microsoft: None (score 0)
  PaloAltoNetworks: Telemetry, Indicator of Compromise (score 30)
    - Telemetry showing the decoded PowerShell script containing the API call GetForegroundWindow
    - Indicator of Compromise alert identifying a PowerShell Empire script logging keys pressed, time, and the active window
  RSA: None (score 0)
  SentinelOne: None (score 0)
Technique: Valid Accounts (Defense Evasion, Persistence, Privilege Escalation, Initial Access; T1078)

Step 16.B.1 (Empire): 'net use' via PowerShell to successfully authenticate to Conficker (10.0.0.5) using credentials of user Kmitnick
  CarbonBlack: Telemetry (score 10)
    - Telemetry showing the process tree with five different net.exe logon attempts, including a success
    - Telemetry showing the successful logon via net.exe
  CounterTack: Telemetry-Tainted (score 7)
    - Telemetry showing explorer.exe writing \\conficker\PIPE\srvsvc (tainted by the parent "FileExts Registry Key modified" alert)
    - Telemetry showing the net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert)
  CrowdStrike: Telemetry-Tainted, General Behavior-Delayed-Tainted (score 31)
    - OverWatch General Behavior alert indicating the successful net use connection by Kmitnick was suspicious (would be tainted by the previous powershell.exe detection, shown by an orange line indicating medium severity in the process tree view, which is not shown)
    - Telemetry from the process tree showing the successful net.exe connection using the valid credentials of Kmitnick (tainted by the previous powershell.exe detection, shown by a red line indicating high severity; the vendor noted that the process tree view and severities change as detections occur)
  Cybereason: Enrichment-Tainted, Telemetry (score 22)
    - Enrichment of a logon attempt via net.exe using the valid credentials of user Kmitnick with the related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
  Endgame: Enrichment-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted (score 28)
    - Enriched event tree showing enrichment of net.exe with the related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by the parent PowerShell alert; the tree is initially available unenriched to show the base telemetry)
    - Enrichment of the successful net.exe connection (tainted by the parent PowerShell alert)
  F-Secure: Telemetry (score 10)
    - Telemetry showing a logon event for user Kmitnick on Conficker (10.0.0.5)
    - Telemetry showing the net.exe logon attempt
  FireEye: Enrichment, Telemetry (score 25)
    - Enrichment of the net.exe logon attempt by Kmitnick with a Net Use Command Execution alert
    - Telemetry showing the successful logon of user Kmitnick
  McAfee: Telemetry-Tainted (score 7)
    - Telemetry showing a logon attempt via net.exe (tainted by a parent alert on powershell.exe)
    - Telemetry showing a login event on Conficker (10.0.0.5) for user Kmitnick
  Microsoft: Telemetry-Tainted (score 7)
    - Telemetry showing the 10.0.1.5 (CodeRed) system accessing resources on 10.0.0.5 (Conficker)
    - Telemetry showing the net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with user Kmitnick (tainted by the parent alert on a PowerShell script with suspicious content)
    - Telemetry showing user Kmitnick login activity on 10.0.0.5 (Conficker)
    - Process tree view of the alert on a PowerShell script with suspicious content showing the tainted parent powershell.exe process (the alert was generated on many PowerShell script executions throughout the day; the specific instance of this procedure is not shown in this alert)
  PaloAltoNetworks: Telemetry-Tainted, Enrichment (score 22)
    - Enrichment of an lsass.exe event with the correct ATT&CK Technique (Valid Accounts)
    - Telemetry showing an event for the logon credentials being validated by the DC (tainted by a parent alert on wscript.exe)
    - Telemetry showing a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) using valid credentials for user Kmitnick (tainted by a parent alert on wscript.exe)
  RSA: Telemetry (score 10)
    - Telemetry showing logon attempts via net.exe using the valid credentials of user Kmitnick
  SentinelOne: Telemetry-Tainted (score 7)
    - Telemetry showing net.exe logon attempts, the last of which uses the valid credentials for user Kmitnick (tainted by relationship to the threat story)
    - Telemetry showing the net.exe logon attempts and corresponding exit codes

Step 10.B.1: RDP connection to Conficker (10.0.0.5) authenticated using the previously added user Jesse
  CarbonBlack: Telemetry, Enrichment (score 25)
    - Enrichment of rdpclip.exe with the correct ATT&CK Technique (Remote Desktop Protocol)
    - Telemetry from the process tree showing rdpclip.exe running as user Jesse
  CounterTack: Telemetry (score 10)
    - Telemetry showing explorer.exe running as Jesse
  CrowdStrike: Telemetry (score 10)
    - Telemetry showing the user logon by Jesse to Conficker
  Cybereason: Telemetry (score 10)
    - Telemetry of the logon session for Jesse from Nimda (10.0.1.6) to Conficker (10.0.0.5) with the Remote Interactive logon type
  Endgame: Telemetry-Tainted (score 7)
    - Telemetry showing userinit.exe running as Jesse (tainted by the parent "Start Folder Persistence" alert)
  F-Secure: Telemetry (score 10)
    - Telemetry showing a RemoteInteractive connection as Jesse over port 3389 to Conficker (10.0.0.5)
  FireEye: Telemetry, Specific Behavior-Delayed (score 67)
    - Excerpt from the Managed Defense Report indicating the account Jesse was used to log on to Conficker as part of Lateral Movement (Specific Behavior)
    - Telemetry showing the Logon Type 10 (RemoteInteractive) event for Jesse logging on to Conficker
  McAfee: Telemetry (score 10)
    - Telemetry showing a remote interactive logon for Jesse to Conficker (10.0.0.5)
  Microsoft: Telemetry (score 10)
    - Telemetry showing the local user account Jesse with first and last seen logons on Conficker
  PaloAltoNetworks: Telemetry (score 10)
    - Telemetry showing userinit.exe as well as explorer.exe spawned as the user Jesse
  RSA: Telemetry (score 10)
    - Telemetry showing "unregmp2.exe /FirstLogon" (associated with the user logon)
    - Telemetry showing the user name "Jesse J" within Machine Properties
  SentinelOne: Telemetry (score 10)
    - Telemetry showing the last logged-on user identified as Jesse

Step 16.D.1 (Empire): 'net use' via PowerShell to successfully authenticate to Creeper (10.0.0.4) using credentials of user Kmitnick
  CarbonBlack: Telemetry (score 10)
    - Telemetry showing the process tree with the logon using valid account credentials
  CounterTack: Telemetry-Tainted (score 7)
    - Telemetry showing the net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert)
  CrowdStrike: Telemetry-Tainted (score 7)
    - Telemetry showing the successful net use connection by Kmitnick in the process tree view (tainted by the previous powershell.exe detection, shown by a red line indicating high severity)
  Cybereason: General Behavior-Tainted, Telemetry (score 37)
    - General Behavior alert for net.exe conducting suspicious activity (tainted by a parent PowerShell alert)
  Endgame: Enrichment-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted (score 28)
    - Enriched event tree showing enrichment of net.exe with the related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by the parent PowerShell alert; the tree is initially available unenriched to show the base telemetry)
    - Enrichment of the successful net.exe connection (tainted by the parent PowerShell alert)
  F-Secure: Enrichment, Telemetry (score 25)
    - Telemetry showing a logon event for user Kmitnick on Creeper (10.0.0.4)
    - Telemetry showing net.exe with command-line arguments
    - The capability enriching the net.exe connection using the valid credentials of Kmitnick with an alert for possible lateral movement
  FireEye: Enrichment, Specific Behavior-Delayed (score 72)
    - Excerpt from the Managed Defense Report indicating the attacker mounted C$ on Creeper with the Kmitnick account (Specific Behavior)
    - Enrichment of the net1.exe logon attempt by Kmitnick with a Net Use Command Execution alert
  McAfee: Telemetry-Tainted (score 7)
    - Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on powershell.exe)
  Microsoft: Telemetry-Tainted (score 7)
    - Telemetry from a query showing the successful Kmitnick logon event for Creeper
    - Process tree view of the alert on a PowerShell script with suspicious content showing the tainted parent powershell.exe process (the alert was generated on many PowerShell script executions throughout the day; the specific instance of this procedure is not shown in this alert)
    - Telemetry showing the net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by the parent alert on a PowerShell script with suspicious content)
  PaloAltoNetworks: Telemetry-Tainted (score 7)
    - Telemetry showing a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick (tainted by a parent alert on wscript.exe)
    - Telemetry showing an event for a successful login by user Kmitnick (tainted by a parent alert on wscript.exe)
  RSA: Telemetry (score 10)
    - Telemetry showing logon attempts via net.exe using the valid credentials of user Kmitnick
  SentinelOne: Telemetry-Tainted (score 7)
    - Telemetry showing a net.exe logon attempt using valid credentials for user Kmitnick (tainted by relationship to the threat story)
Technique: Brute Force (Credential Access, T1110)

Step 16.B.1 (Empire): Successful authentication to Conficker (10.0.0.5) using credentials of user Kmitnick as a result of the brute force password spraying
  CarbonBlack: Telemetry, Enrichment-Configuration Change (score 22)
    - Telemetry showing the process tree with five different net.exe logon attempts, including a success
    - Enrichment of the individual net.exe logon attempts; successful logons mapped to the related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement)
  CounterTack: Enrichment-Tainted, Telemetry-Tainted (score 19)
    - Telemetry showing explorer.exe writing \\conficker\PIPE\srvsvc (tainted by the parent "FileExts Registry Key modified" alert)
    - Enrichment showing the net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with the account Kmitnick (enriched with the condition "Net User Reconnaissance Command"; tainted by the parent "Powershell executed remote commands" alert)
  CrowdStrike: Telemetry-Tainted, General Behavior-Delayed-Tainted, General Behavior-Delayed (score 58)
    - Excerpt from an email sent by the OverWatch team indicating Bob attempted to move laterally (General Behavior)
    - OverWatch General Behavior alert indicating the successful net use connection by Kmitnick was suspicious (would be tainted by the previous powershell.exe detection, shown by an orange line indicating medium severity in the process tree view, which is not shown)
    - Telemetry from the process tree showing the successful net.exe connection by Kmitnick (tainted by the previous powershell.exe detection, shown by a red line indicating high severity; the vendor noted that the process tree view and severities change as detections occur)
  Cybereason: Enrichment-Tainted, Telemetry (score 22)
    - Enrichment of the net.exe execution showing logon attempts for the user Kmitnick with the related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
  Endgame: Enrichment-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted (score 28)
    - Enriched event tree showing enrichment of net.exe with the related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by the parent PowerShell alert; the tree is initially available unenriched to show the base telemetry)
    - Telemetry showing the event tree with all 5 net commands associated with the brute force failures and eventual success (tainted by the parent PowerShell alert)
    - Enrichment of the successful net.exe connection with "Mounting Hidden Share" and Lateral Movement tags (tainted by the parent PowerShell alert)
  F-Secure: Telemetry, Enrichment (score 25)
    - Telemetry showing the net.exe logon attempt
  FireEye: Enrichment, Telemetry (score 25)
    - Enrichment of net.exe with a Net Use Command Execution alert (tagged with the related ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
    - Telemetry showing the successful logon of user Kmitnick
  McAfee: Telemetry-Tainted, Specific Behavior (score 67)
    - Telemetry showing a logon attempt via net.exe (tainted by a parent alert on powershell.exe)
    - Specific Behavior alert for powershell.exe performing a potential brute force password hack via the net utility
  Microsoft: Telemetry-Tainted, Specific Behavior-Delayed (score 64)
    - Specific Behavior alert for a brute force attempt against remote SMB shares
    - Telemetry showing the net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with user Kmitnick (tainted by the parent alert on a PowerShell script with suspicious content)
    - Process tree view of the alert on a PowerShell script with suspicious content showing the tainted parent powershell.exe process (the alert was generated on many PowerShell script executions throughout the day; the specific instance of this procedure is not shown in this alert)
  PaloAltoNetworks: Telemetry-Tainted (score 7)
    - Telemetry showing an event for the logon credentials being validated by the DC (tainted by a parent alert on wscript.exe)
    - Telemetry showing a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as local user Kmitnick (tainted by a parent alert on wscript.exe)
  RSA: Telemetry (score 10)
    - Telemetry showing logon attempts via net.exe and their command-line arguments
  SentinelOne: Telemetry-Tainted (score 7)
    - Telemetry showing the net.exe logon attempts (tainted by relationship to the threat story)
    - Telemetry showing the net.exe logon attempts and corresponding exit codes

Step 16.A.1 (Empire): 'net use' via PowerShell to brute force password spraying authentication attempts to Morris (10.0.1.4) and Nimda (10.0.1.6) targeting credentials of users Kmitnick, Bob, and Frieda
  CarbonBlack: Telemetry, Enrichment-Configuration Change (score 22)
    - Enrichment of the individual net.exe logon attempts with the tag "Credential Access using Admin Shares - Failed Attempts"
    - Telemetry showing the process tree with four different net.exe logon attempts
  CounterTack: Enrichment-Tainted (score 12)
    - Enrichment showing the net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (enriched with the condition "Net User Reconnaissance Command"; tainted by the parent "Powershell executed encoded commands" alert)
    - Enrichment showing the net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (enriched with the condition "Net User Reconnaissance Command"; tainted by the parent "Powershell executed encoded commands" alert)
    - Enrichment showing the net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Bob (enriched with the condition "Net User Reconnaissance Command"; tainted by the parent "Powershell executed encoded commands" alert)
    - Enrichment showing the net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Frieda (enriched with the condition "Net User Reconnaissance Command"; tainted by the parent "Powershell executed encoded commands" alert)
  CrowdStrike: Telemetry, General Behavior-Delayed-Tainted, General Behavior-Delayed (score 61)
    - Excerpt from an email sent by the OverWatch team indicating Bob attempted to move laterally (General Behavior)
    - Telemetry showing the net.exe logon attempts
    - Telemetry showing details for the logon attempt to 10.0.1.4 (Morris): UserLogonFlags_decimal equals 6 (attempt for local admin) and UserLogonFailed (no distinction between authentication failure and authorization failure)
    - Process tree view of the OverWatch General Behavior alerts indicating the net.exe commands were suspicious (the net.exe command details are not specifically shown; tainted by the previous powershell.exe detection, shown by a red line indicating high severity)
    - Telemetry showing details for the logon attempt to 10.0.1.6 (Nimda): UserLogonFlags_decimal equals 6 (attempt for local admin) and UserLogonFailed (no distinction between authentication failure and authorization failure)
  Cybereason: Enrichment-Tainted, Telemetry (score 22)
    - Enrichment of the net.exe execution showing logon attempts for the user Bob with the related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
    - Enrichment of the net.exe execution showing logon attempts for the user Frieda with the related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
    - Enrichment of the net.exe execution showing logon attempts for the user Kmitnick with the related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
    - Enrichment of the net.exe execution showing logon attempts for the user Kmitnick with the related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert)
    - Enrichment of the net.exe execution with the related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert)
  Endgame: Enrichment-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted (score 28)
    - Enriched event tree showing enrichment of net.exe with the related ATT&CK Technique (T1077 - Windows Admin Shares) and Tactics (Execution, Lateral Movement) (tainted by the parent PowerShell alert; the tree is initially available unenriched to show the base telemetry)
    - Enrichment of each net.exe connection attempt (tainted by the parent PowerShell alert)
  F-Secure: Telemetry, Enrichment (score 25)
    - Telemetry showing the net.exe logon attempts
  FireEye: Enrichment, Telemetry-Configuration Change, General Behavior-Delayed (score 49)
    - Enrichment of net.exe with a Net Use Command Execution alert (showing logon attempts for the user Bob; tagged with the related ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
    - Enrichment of net.exe with a Net Use Command Execution alert (showing logon attempts for the user Kmitnick; tagged with the related ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
    - Enrichment of net.exe with a Net Use Command Execution alert (showing logon attempts for the user Frieda; tagged with the related ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
    - Excerpt from the Managed Defense Report indicating the attacker attempted to access systems using four accounts (General Behavior)
    - Enrichment of net.exe with a Net Use Command Execution alert (showing logon attempts for the user Kmitnick; tagged with the related ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement)
    - Telemetry showing the failed logon attempt for Kmitnick
  McAfee: Telemetry-Tainted, Specific Behavior (score 67)
    - Specific Behavior alert for powershell.exe performing a potential brute force password hack via the net utility
    - Telemetry showing powershell.exe executing repeated logon attempts via net.exe (tainted by a parent alert on powershell.exe)
  Microsoft: Telemetry-Tainted, Specific Behavior-Delayed (score 64)
    - Telemetry showing the net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (tainted by the parent alert on a PowerShell script with suspicious content)
    - Telemetry showing the net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (tainted by the parent alert on a PowerShell script with suspicious content)
    - Specific Behavior alert for a brute force attempt against remote SMB shares
    - Process tree view of the alert on a PowerShell script with suspicious content showing the tainted parent powershell.exe process (the alert was generated on many PowerShell script executions throughout the day; the specific instance of this procedure is not shown in this alert)
    - System access history from CodeRed to Nimda and Morris
    - Execution sequence showing the net.exe logon failure to Morris due to a WebDAV fallback authentication attempt over port 80 to the C2 server
  PaloAltoNetworks: Telemetry-Tainted, General Behavior (score 37)
    - General Behavior alert for a mapping of sensitive administrative shares with an unexpected parent
    - Telemetry showing the net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) as local user Kmitnick (tainted by a parent alert on wscript.exe)
    - Telemetry showing the net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Frieda (tainted by a parent alert on wscript.exe)
    - Telemetry showing the net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Bob (tainted by a parent alert on wscript.exe)
  RSA: Telemetry (score 10)
    - Telemetry showing logon attempts via net.exe and their command-line arguments
  SentinelOne: Telemetry-Tainted (score 7)
    - Telemetry showing the net.exe logon attempts and corresponding exit codes
    - Telemetry showing the net.exe logon attempts (tainted by relationship to the threat story)
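Only three vendors in the spray rows above raised a behavioural alert; the rest had the raw net.exe command lines and exit codes and left the correlation to the analyst. The script below, an added example that is not code from this post or from any of the vendors, is that correlation: it parses net use command lines into attempt records, flags a source host that fails several admin-share mappings across more than one account or target inside a short window (16.A.1, T1110), and then reports the later success with one of the sprayed accounts as the attacker holding a valid account (16.B.1, T1078). The attempt records are constructed by hand; the host names, timestamps, the password string and the exit codes are assumptions (net.exe returns 0 when the share is mapped and a non-zero code when it fails).

```python
"""Added example (not the blog's or any vendor's code): the password-spray
detection a practitioner would run over the net.exe telemetry the table
describes for 16.A.1 and 16.B.1. The attempt records are constructed by
hand; host names, timestamps, the password string and the exit codes are
assumptions (net.exe returns 0 on success and a non-zero code on failure)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# net use [X:] \\host\share [password] /user:account  (net.exe or net1.exe)
_NET_USE = re.compile(
    r"\bnet1?(?:\.exe)?\s+use\s+(?:[A-Za-z]:\s+)?\\\\([^\\\s]+)\\([^\s\\]+)(?:.*?/user:(\S+))?",
    re.IGNORECASE)
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


@dataclass(frozen=True)
class NetUseAttempt:
    ts: int          # seconds
    source: str      # host that ran net.exe
    target: str      # host in the UNC path
    share: str
    account: str
    exit_code: int   # 0 = share mapped, anything else = failed


def parse_attempt(ts: int, source: str, cmdline: str, exit_code: int) -> Optional[NetUseAttempt]:
    """Turn one process event (command line + exit code) into an attempt record."""
    m = _NET_USE.search(cmdline)
    if not m:
        return None
    account = m.group(3) or "<current user>"
    return NetUseAttempt(ts, source, m.group(1), m.group(2).upper(), account, exit_code)


def analyze(attempts: List[NetUseAttempt], window: int = 300, min_failures: int = 4) -> List[dict]:
    """Per source host: a spray is >= min_failures failed admin-share mappings
    inside `window` seconds spread over more than one account or target
    (T1110). A later successful mapping with one of the sprayed accounts is
    then reported as the attacker holding a valid account (T1078)."""
    by_source = defaultdict(list)
    for a in sorted(attempts, key=lambda x: x.ts):
        if a.share in ADMIN_SHARES:
            by_source[a.source].append(a)
    findings = []
    for source, seq in by_source.items():
        sprayed = set()
        for i, first in enumerate(seq):
            fails = [a for a in seq[i:] if a.ts - first.ts <= window and a.exit_code != 0]
            if len(fails) >= min_failures and (len({a.account for a in fails}) > 1
                                               or len({a.target for a in fails}) > 1):
                sprayed = {a.account for a in fails}
                findings.append({"rule": "T1110 password spray via net use", "source": source,
                                 "accounts": sorted(sprayed), "targets": sorted({a.target for a in fails})})
                break
        for a in seq:
            if sprayed and a.exit_code == 0 and a.account in sprayed:
                findings.append({"rule": "T1078 valid account after spray", "source": source,
                                 "account": a.account, "target": a.target, "share": a.share})
    return findings


# Constructed telemetry (not from the evaluation): CodeRed sprays Morris and
# Nimda, then succeeds against Conficker; Nimda maps an ordinary file share.
SAMPLE_EVENTS = [
    (0,  "CodeRed", r"net use \\10.0.1.4\ADMIN$ pw1 /user:Kmitnick", 2),
    (5,  "CodeRed", r"net use \\10.0.1.6\ADMIN$ pw1 /user:Kmitnick", 2),
    (10, "CodeRed", r"net use \\10.0.1.6\ADMIN$ pw1 /user:Bob", 2),
    (15, "CodeRed", r"net use \\10.0.1.6\ADMIN$ pw1 /user:Frieda", 2),
    (60, "CodeRed", r"net use \\10.0.0.5\ADMIN$ pw1 /user:Kmitnick", 0),
    (70, "Nimda",   r"net use Z: \\fileserver\public", 0),
]
SAMPLE_ATTEMPTS = [a for a in (parse_attempt(*e) for e in SAMPLE_EVENTS) if a]

if __name__ == "__main__":
    for f in analyze(SAMPLE_ATTEMPTS):
        print(f)
```

Two practical notes. The exit code matters: the CrowdStrike cells above note that their logon-failure flag does not distinguish an authentication failure from an authorization failure, and neither does a non-zero exit from net.exe, so the rule keys on volume and spread rather than on the failure reason. And the "<current user>" default is what you see when an attacker maps a share with the token it already holds, which is a different (non-spray) pattern and is deliberately not counted here.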
Technique: Screen Capture (Collection, T1113)

Step 8.D.1 (Cobalt Strike): Built-in screen capture capability executed to capture a screenshot of the current window of user Debbie
  CarbonBlack: None (score 0)
    - Telemetry showing modloads and crossprocess events (does not count as a detection)
  CounterTack: None (score 0)
    - Telemetry showing a remote thread being created in explorer.exe (does not count as a detection)
    - DDNA JSON output showing the process had the capability to capture screenshots (does not count as a detection; the DDNA scan was manually initiated)
  CrowdStrike: None (score 0)
    - Telemetry showing injected thread events (explorer.exe, pid=21776848613, injected from cmd.exe, pid=21898821890) (does not count as a detection)
  Cybereason: None (score 0)
    - Alert for explorer.exe loading a Meterpreter agent (does not count as a detection)
    - Alert showing the loaded screenshotx64.dll module (does not count as a detection)
  Endgame: None (score 0)
    - Strings output extracted from the Process Injection alert, showing BitBlt and CreateCompatibleBitmap, which could be associated with screen capture, but no evidence of execution (does not count as a detection)
  F-Secure: None (score 0)
  FireEye: None (score 0)
  McAfee: None (score 0)
  Microsoft: Enrichment-Configuration Change (score 12)
    - Enrichment of explorer.exe with ScreenshotTaken
  PaloAltoNetworks: Enrichment (score 15)
    - Enrichment of the execution of a specific API call used for screen capture as suspicious activity
  RSA: None (score 0)
    - Floating Code module generated from the DLL injection showing multiple JPEG components (does not count as a detection)
  SentinelOne: None (score 0)
Technique: Create Account (Persistence, T1136)

Step 7.A.1: Added user Jesse to Conficker (10.0.0.5) through the RDP connection
  CarbonBlack: Telemetry, Enrichment-Configuration Change (score 22)
    - Telemetry showing Registry modifications for the new user Jesse
    - Enrichment of lsass.exe with the tag "Create Accounts using GUI"
  CounterTack: Specific Behavior-Configuration Change (score 57)
    - Child event of the Specific Behavior alert showing the new account added to the local admins group
    - Specific Behavior alert for "New user account created" and event showing the account name was Jesse
  CrowdStrike: Telemetry (score 10)
    - Telemetry showing creation of the user Jesse with the user RID 000003E8
    - Telemetry showing user RID 000003E8 (corresponding to the user Jesse) added to the admin group (00000220), a well-known security identifier
    - Telemetry showing the group membership of the user Jesse, including Remote (0000022B), Admins (00000220), and Users (00000221), which are well-known security identifiers
  Cybereason: Telemetry (score 10)
    - Telemetry showing lsass.exe creating a Registry key for user Jesse
  Endgame: None (score 0)
  F-Secure: Telemetry (score 10)
    - Telemetry showing the creation of the new user Jesse
  FireEye: Telemetry, Specific Behavior-Delayed (score 67)
    - Excerpt from the Managed Defense Report showing the creation of the user Jesse (Specific Behavior)
    - Telemetry showing creation of user Jesse
  McAfee: Telemetry (score 10)
    - Telemetry showing creation of the user account Jesse
  Microsoft: Telemetry-Configuration Change (score 7)
    - Telemetry showing creation of the user account Jesse
  PaloAltoNetworks: Telemetry, Enrichment (score 25)
    - Telemetry showing mmc.exe creating a Registry key for user Jesse
    - Enrichment of the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Create Account)
  RSA: None (score 0)
  SentinelOne: Telemetry (score 10)
    - Telemetry showing creation of the user account Jesse
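The Create Account row above and the 10.B.1 Valid Accounts row earlier are two halves of one story: a local account is created, dropped into Administrators (RID 544, the 00000220 CrowdStrike prints) and Remote Desktop Users (RID 555, 0000022B), and is then used for a Logon Type 10 (RemoteInteractive) session. Several vendors only show the individual pieces as telemetry. The script below, an added example that is not code from this post or from any of the vendors, correlates the Windows Security events behind those pieces (4720 account created, 4732 member added to a local group, 4624 logon) by the new account's SID. The event records are constructed by hand with only the fields the logic needs; the SIDs, host, timestamps and the user that created the account are assumptions.

```python
"""Added example (not the blog's or any vendor's code): correlating the
Windows Security events behind 7.A.1 (account Jesse created and added to
local groups) and 10.B.1 (Jesse's RDP logon to Conficker). The records are
constructed by hand with only the fields the logic needs; SIDs, host,
timestamps and the creating user are assumptions."""
from typing import Dict, List

# RIDs of BUILTIN (S-1-5-32) local groups; the table shows the same values in hex
# (00000220 = 544, 00000221 = 545, 0000022B = 555).
BUILTIN_GROUPS = {544: "Administrators", 545: "Users", 555: "Remote Desktop Users"}
PRIVILEGED = {"Administrators", "Remote Desktop Users"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}


def rid(sid: str) -> int:
    """Last sub-authority of a SID: 1000 (0x3E8) for the first local user, 544 for Administrators."""
    return int(sid.rsplit("-", 1)[1])


def correlate(events: List[Dict], window: int = 86400) -> List[Dict]:
    """Chain 4720 (account created) -> 4732 (added to local group) -> 4624 (logon)
    by the new account's SID, keeping only events within `window` seconds of creation."""
    chains: Dict[str, Dict] = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["id"] == 4720:                                  # 4720: TargetSid / TargetUserName / SubjectUserName
            chains[e["target_sid"]] = {"host": e["host"], "account": e["target_name"],
                                       "created_by": e["subject_name"], "created_ts": e["ts"],
                                       "groups": [], "logons": []}
        elif e["id"] == 4732 and e["member_sid"] in chains:  # 4732: MemberSid / TargetSid (the group)
            c = chains[e["member_sid"]]
            if e["ts"] - c["created_ts"] <= window:
                c["groups"].append(BUILTIN_GROUPS.get(rid(e["group_sid"]), e["group_sid"]))
        elif e["id"] == 4624 and e["target_sid"] in chains:  # 4624: TargetUserSid / LogonType / IpAddress
            c = chains[e["target_sid"]]
            if e["ts"] - c["created_ts"] <= window:
                c["logons"].append({"type": LOGON_TYPES.get(e["logon_type"], str(e["logon_type"])),
                                    "from": e["source_ip"]})
    out = []
    for c in chains.values():
        priv = PRIVILEGED & set(c["groups"])
        rdp = any(l["type"] == "RemoteInteractive" for l in c["logons"])
        if priv and rdp:
            c["verdict"] = "new local account given privileged group, then used over RDP"
        elif priv:
            c["verdict"] = "new local account given privileged group"
        else:
            c["verdict"] = "new local account"
        out.append(c)
    return out


JESSE = "S-1-5-21-1111-2222-3333-1000"   # assumed SID; RID 1000 = 0x3E8 as in the table
SAMPLE_EVENTS = [   # constructed records, not real event logs
    {"ts": 1000, "host": "Conficker", "id": 4720, "target_sid": JESSE, "target_name": "Jesse",
     "subject_name": "Debbie"},
    {"ts": 1010, "host": "Conficker", "id": 4732, "member_sid": JESSE, "group_sid": "S-1-5-32-544"},
    {"ts": 1011, "host": "Conficker", "id": 4732, "member_sid": JESSE, "group_sid": "S-1-5-32-555"},
    {"ts": 1500, "host": "Conficker", "id": 4624, "target_sid": JESSE, "logon_type": 10,
     "source_ip": "10.0.1.6"},
    {"ts": 1600, "host": "Conficker", "id": 4624, "target_sid": "S-1-5-21-1111-2222-3333-1005",
     "logon_type": 3, "source_ip": "10.0.1.5"},
]

if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print(chain["account"], chain["groups"], chain["logons"], chain["verdict"])
```

Keying on the SID rather than the account name is the point: a second account created with the same name after deletion, or a renamed account, still resolves to the right chain, and the RID decode is what turns the raw 00000220 in the CrowdStrike screenshot into "Administrators" without a lookup against the host.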
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeCybereasonEndgameF-SecureFireEyeMcAfeeMicrosoftPaloAltoNetworksRSASentinelOne
System Information Discovery

Discovery

(T1082)
2.E.2Cobalt Strike: 'net config workstation' via cmdEnrichment of net.exe with correct ATT&CK Technique (System Information Discovery)
Telemetry from process tree showing net.exe with command-line arguments
Telemetry
Enrichment
25
Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert)Telemetry-Tainted
7
Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net config not specifically shown)
Email excerpt from the OverWatch team indicating net config was a reconnaissance command (General Behavior)
Telemetry showing net with command-line arguments
Telemetry-Tainted
General Behavior-Delayed
34
Telemetry showing cmd.exe executing net executing with command-line arguments
Enrichment of net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) (tainted by a parent Injected Shellcode alert)
Telemetry
Enrichment-Tainted
22
General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)
Telemetry-Tainted
General Behavior-Configuration Change-Delayed-Tainted
28
General Behavior alert for rundll32.exe launching cmd.exe (executing net)
Enrichment of net.exe indicating it is commonly used for reconnaissance
General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
Telemetry showing net.exe with command-line arguments
General Behavior
Enrichment
Telemetry
General Behavior
85
Excerpt from the Managed Defense Report indicating net config was a reconnaissance command (General Behavior)
Enrichment of net.exe with Net Config Command Execution alert (tagged with correct ATT&CK Technique, T1082 - System Information Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report with additional details about net
Enrichment
General Behavior-Delayed
42
Process tree within trace detection containing cmd.exe executing the net.exe (tainted by a parent alert on Resume Viewer.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) and a suspicious indicator that system configuration info was queried
Telemetry-Tainted
Enrichment
22
Telemetry showing execution sequence for net.exe with command-line arguments
Process tree view of suspicious sequence of exploration activities alert with tainted rundll32.exe child processes showing net.exe with command-line arguments
Telemetry-Tainted
7
Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Enrichment of cmd.exe executing net with the correct ATT&CK Technique (System Information Discovery)
Telemetry-Tainted
Enrichment
Enrichment-Tainted
34
Telemetry showing net.exe with command-line arguments
Telemetry
10
Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)
Telemetry-Tainted
7
2.E.1 | Cobalt Strike: 'systeminfo' via cmd
Telemetry from process tree showing systeminfo.exe
Enrichment of systeminfo.exe with correct ATT&CK Technique (System Information Discovery)
Telemetry
Enrichment
25
Telemetry showing systeminfo.exe (tainted by the parent Script File Created alert)
Telemetry-Tainted
7
Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (systeminfo not specifically shown)
OverWatch General Behavior alert indicating systeminfo.exe was suspicious
Email excerpt from the OverWatch team indicating systeminfo was a reconnaissance command (General Behavior)
Telemetry showing systeminfo
Telemetry-Tainted
General Behavior-Delayed
General Behavior-Delayed
61
Enrichment of systeminfo.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) (tainted by a parent Injected Shellcode alert)
Telemetry showing cmd.exe executing systeminfo
Enrichment-Tainted
Telemetry
22
General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
Telemetry showing systeminfo.exe (tainted by parent Malicious File Detection)
Telemetry-Tainted
General Behavior-Configuration Change-Delayed-Tainted
28
Enrichment of systeminfo.exe indicating it could be used for reconnaissance.
General Behavior alert showing that a spawned process (cmd.exe running systeminfo) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
Enrichment
General Behavior
45
Enrichment of systeminfo.exe with Systeminfo Execution alert (tagged with correct ATT&CK Technique, T1082 - System Information Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report with additional details about systeminfo
Excerpt from the Managed Defense Report indicating systeminfo was a reconnaissance command used to obtain system details (Specific Behavior)
Enrichment
Specific Behavior-Delayed
72
Process tree within trace detection containing cmd.exe executing the systeminfo.exe (tainted by a parent alert on Resume Viewer.exe)
Enrichment of systeminfo.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Information Discovery) and a suspicious indicator that system configuration info was queried
Telemetry-Tainted
Enrichment
22
Telemetry showing execution sequence for systeminfo.exe
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing systeminfo.exe
General Behavior alert on suspicious sequence of exploration activities
Telemetry
General Behavior-Delayed
37
Enrichment of cmd.exe executing systeminfo with the correct ATT&CK Technique (System Information Discovery)
Enrichment of the execution of systeminfo.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Telemetry showing cmd.exe executing systeminfo with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Telemetry-Tainted
Enrichment
Enrichment-Tainted
34
Telemetry showing systeminfo.exe
Telemetry
10
Telemetry showing systeminfo.exe (tainted by relationship to threat story)
Telemetry-Tainted
7
12.E.1.6.1 | Empire: WinEnum module included enumeration of system information
None
0
None
0
Telemetry showing the Get-Sysinfo function
Telemetry
10
None
0
Interactive Shell events showing the WinEnum script and the Get-SysInfo function (does not count as a detection due to manual process of pulling events)
None
0
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
Telemetry
10
None
0
None
0
Telemetry of execution sequence showing Get-SysInfo invocation
Telemetry
10
Indicator of Compromise alert identifying suspicious PowerShell strings as Empire SysInfo
Indicator of Compromise
20
None
0
Additional telemetry showing powershell.exe WMI queries for operating system information
Telemetry showing powershell.exe executing WMI queries (tainted Group ID not shown but was the search parameter)
Telemetry-Tainted
7
12.E.1.6.2 | Empire: WinEnum module included enumeration of Windows update information
None
0
None
0
None
0
None
0
None
0
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
Telemetry
10
None
0
None
0
Telemetry of execution sequence showing Get-HotFix invocation
Telemetry
10
None
0
None
0
None
0
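The Empire WinEnum rows above (12.E.1.6.1, 12.E.1.6.2 and the other 12.E.1.x steps) are where most vendors score None, and the few that score Telemetry do so by showing the script contents or the Get-SysInfo / Get-HotFix invocation rather than a process command line. The reason is that WinEnum is loaded into an already running powershell.exe over the C2 channel, so process-creation telemetry only ever sees the launcher. The added example below is mine, not code from the post, from MITRE or from any vendor: it runs command-line rules and PowerShell-content rules over constructed events, a Sysmon-style process event carrying an encoded launcher and a 4104-style script block holding a WinEnum-shaped fragment. The launcher one-liner, the script block text, the ScriptBlockId and the rule patterns are all constructed assumptions.

```python
import base64
import re
from typing import Dict, List, Tuple

# ---- Constructed sample telemetry (stand-ins, not real captures) -------------

# An Empire-shaped launcher: -EncodedCommand carries base64 of UTF-16LE text.
# The one-liner itself is a constructed placeholder, not Empire's stager.
LAUNCHER = "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($env:s)))"
ENCODED = base64.b64encode(LAUNCHER.encode("utf-16-le")).decode("ascii")

# Process-creation events in Sysmon Event ID 1 shape.
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c systeminfo",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -sta -NonI -W Hidden -Enc " + ENCODED,
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
]

# Script block text in Event ID 4104 shape (Microsoft-Windows-PowerShell/
# Operational), logged when the module is loaded into the running powershell.exe.
# A WinEnum-shaped fragment written for this example; not Empire's source.
SCRIPT_BLOCK_EVENTS: List[Dict[str, str]] = [
    {"ScriptBlockId": "6d2f1c4e-0000-4000-8000-000000000001",
     "ScriptBlockText": (
         "function Get-SysInfo {\n"
         "  $os = Get-WmiObject -Class Win32_OperatingSystem\n"
         "  $fixes = Get-HotFix | Select-Object HotFixID, InstalledOn\n"
         "}\n"
         "function Invoke-WinEnum { Get-SysInfo; Get-ChildItem -Recurse $env:USERPROFILE }\n"
         "Invoke-WinEnum\n")},
]

# ---- Rules -------------------------------------------------------------------

# Command-line rules: all a process-telemetry-only sensor can key on.
CMDLINE_RULES = [
    ("T1082", re.compile(r"\bsysteminfo\b|\bnet1?\s+config\b", re.I)),
    ("T1083", re.compile(r"\b(dir|tree)\s", re.I)),
    ("T1087", re.compile(r"\bnet1?\s+user\b", re.I)),
]
# Content rules: the same techniques, matched on PowerShell text.
CONTENT_RULES = [
    ("T1082", re.compile(r"Get-SysInfo|Win32_OperatingSystem|Get-HotFix", re.I)),
    ("T1083", re.compile(r"Get-ChildItem\b", re.I)),
]


def decode_encoded_command(command_line: str) -> str:
    """Plaintext of a -Enc/-EncodedCommand argument, or '' when there is none."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", command_line, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else ""


def enrich_process_events(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(image, technique) hits from command lines plus any decoded -Enc payload."""
    hits = []
    for ev in events:
        for tid, rx in CMDLINE_RULES:
            if rx.search(ev["CommandLine"]):
                hits.append((ev["Image"], tid))
        decoded = decode_encoded_command(ev["CommandLine"])
        for tid, rx in CONTENT_RULES:
            if decoded and rx.search(decoded):
                hits.append((ev["Image"], tid))
    return hits


def enrich_script_blocks(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(script block id, technique) hits from 4104 content."""
    return [(ev["ScriptBlockId"], tid)
            for ev in events for tid, rx in CONTENT_RULES
            if rx.search(ev["ScriptBlockText"])]


def techniques_only_in_script_blocks(process_events, script_block_events) -> List[str]:
    """Techniques that never surface in process telemetry, even after decoding."""
    from_cmd = {tid for _, tid in enrich_process_events(process_events)}
    from_sb = {tid for _, tid in enrich_script_blocks(script_block_events)}
    return sorted(from_sb - from_cmd)


if __name__ == "__main__":
    print("command-line hits :", enrich_process_events(PROCESS_EVENTS))
    print("script-block hits :", enrich_script_blocks(SCRIPT_BLOCK_EVENTS))
    print("script-block only :", techniques_only_in_script_blocks(PROCESS_EVENTS, SCRIPT_BLOCK_EVENTS))
```

Decoding -EncodedCommand recovers only the stager, which contains none of the discovery logic; the module that arrives later over the C2 channel is visible only in script block content, which is exactly the gap the WinEnum rows expose for command-line-only sensors.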
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | Palo Alto Networks | RSA | SentinelOne
File and Directory Discovery (Discovery, T1083)
18.A.1 | Empire: 'Get-ChildItem' via PowerShell to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
None
0
None
0
None
0
None
0
None
0
Telemetry showing powershell.exe executing the Get-ChildItem command
Telemetry
10
None
0
None
0
Query showing .vsdx PowerShell file search script that was executed
Telemetry
10
Telemetry showing an event with the execution of the Get-ChildItem command (tainted by a parent alert on wscript.exe)
Telemetry-Tainted
7
None
0
None
0
8.A.1 | Cobalt Strike: 'dir /s /b "\\conficker\wormshare"' via cmd
Enrichment of cmd.exe with correct ATT&CK Technique (T1083 - File and Directory Discovery)
Telemetry from process tree showing dir with command-line arguments
Telemetry
Enrichment
25
Telemetry showing dir with command-line arguments (tainted by the parent "Powershell process created" alert)
Telemetry-Tainted
7
Process tree view showing cmd.exe that ran dir (dir not specifically shown, cmd.exe is second from top and tainted by previous detection by orange line indicating medium severity)
Telemetry showing cmd.exe running dir with command-line arguments (search was on commands running within the past 10 minutes)
Telemetry-Tainted
7
Enrichment of cmd.exe executing dir with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery) (tainted by a parent Injected Shellcode alert)
Enrichment-Tainted
Telemetry
22
Enriched event tree showing enrichment of dir with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery) (tainted by parent Malicious File Detection, tree is initially available unenriched to show the base telemetry)
Telemetry-Tainted
Enrichment-Tainted-Delayed
16
Enrichment of cmd.exe executing the dir command indicating that the parameter was a directory listing of a network drive associated with potential reconnaissance.
General Behavior alert showing that a spawned process (cmd.exe running dir) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
General Behavior alert for rundll32.exe launching cmd.exe (executing dir)
General Behavior
Enrichment
General Behavior
75
Enrichment of cmd.exe executing dir with Dir Command alert (tagged with correct ATT&CK Technique, T1083 - File and Directory Discovery, and Tactic, Discovery)
Enrichment
15
Telemetry showing cmd.exe executing the dir command (tainted by a trace detection on cmd.exe)
Enrichment of cmd.exe executing the dir command with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery)
Telemetry-Tainted
Enrichment
22
Telemetry showing execution sequence of cmd.exe executing dir with command-line arguments
Process tree view of rundll32.exe "Unexpected behavior from process run with no command-line arguments" alert that tainted dir (dir command not shown)
Telemetry-Tainted
7
Enrichment of cmd.exe executing dir with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery)
Telemetry showed cmd.exe executing dir with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Enrichment of cmd executing dir with command-line arguments as the execution of the dir command on a network location (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Telemetry-Tainted
Enrichment-Tainted
Enrichment
34
Telemetry showing cmd.exe executing dir with command-line arguments
Telemetry
10
Telemetry showing cmd.exe executing dir with command-line arguments (tainted by relationship to threat story)
Telemetry-Tainted
7
8.A.2 | Cobalt Strike: 'tree "C:\Users\debbie"' via cmd
Enrichment of tree.com with correct ATT&CK Technique (T1083 - File and Directory Discovery)
Telemetry from process tree showing tree.com with command-line arguments
Telemetry
Enrichment
25
Telemetry showing tree with command-line arguments (tainted by the parent "Powershell process created" alert)
Telemetry-Tainted
7
Additional details for OverWatch General Behavior alert indicating tree.com was suspicious (tainted by previous detection by orange line indicating medium severity)
OverWatch General Behavior alert indicating tree.com was suspicious (tainted by previous detection by orange line indicating medium severity)
Telemetry showing cmd.exe running tree with command-line arguments (search was on commands running within the past 10 minutes)
Email excerpt from the OverWatch team indicating tree was a reconnaissance command (General Behavior)
Telemetry-Tainted
General Behavior-Delayed-Tainted
General Behavior-Delayed
58
Enrichment of cmd.exe executing tree with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery) (tainted by a parent Injected Shellcode alert)
Enrichment-Tainted
Telemetry
22
Enriched event tree showing enrichment of tree with the correct ATT&CK Technique (T1083 - File and Directory Discovery) and Tactic (Discovery) (tainted by parent Malicious File Detection, tree is initially available unenriched to show the base telemetry)
Telemetry-Tainted
Enrichment-Tainted-Delayed
16
General Behavior alert showing that a spawned process (cmd.exe running tree) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
Enrichment of tree.exe with a tag identifying the command as enumeration
General Behavior alert for rundll32.exe launching cmd.exe (executing tree)
General Behavior
Enrichment
General Behavior
75
Enrichment of cmd.exe executing tree with Tree Command Execution alert (tagged with correct ATT&CK Technique, T1083 - File and Directory Discovery and Tactic, Discovery)
Excerpt from the Managed Defense Report identifying a directory listing of Debbie's profile directory (Specific Behavior)
Excerpt from Managed Defense Report showing additional details about tree
Enrichment
Specific Behavior-Delayed
72
Telemetry showing cmd.exe executing tree.exe (tainted by a trace detection on cmd.exe)
Enrichment of tree.exe with the correct ATT&CK Tactic (Discovery) and Technique (File and Directory Discovery)
Telemetry-Tainted
Enrichment
22
Telemetry showing execution sequence of cmd.exe executing tree.com with command-line arguments
Process tree view of rundll32.exe "Unexpected behavior from process run with no command-line arguments" alert that tainted tree (tree command not shown)
Telemetry-Tainted
7
Enrichment of cmd.exe executing tree with command-line arguments with the correct ATT&CK Technique (File and Directory Discovery)
Telemetry showed cmd.exe executing tree with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Telemetry-Tainted
Enrichment
22
Telemetry showing cmd.exe executing tree with command-line arguments
Telemetry
10
Telemetry showing cmd.exe executing tree with command-line arguments (tainted by relationship to threat story)
Telemetry-Tainted
7
12.E.1.4.2 | Empire: WinEnum module included enumeration of interesting files
None
0
None
0
None
0
None
0
Interactive Shell events showing the WinEnum script and the Interesting Files function (does not count as a detection due to manual process of pulling events)
None
0
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
Telemetry
10
None
0
None
0
None
0
Enrichment of powershell.exe executing with command-line arguments as suspicious and the correct ATT&CK Technique (File and Directory Discovery)
Enrichment
15
None
0
None
0
12.E.1.4.1 | Empire: WinEnum module included enumeration of recently opened files
None
0
None
0
None
0
None
0
Interactive Shell events showing the WinEnum script and the Last 5 files opened function (does not count as a detection due to manual process of pulling events)
None
0
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
Telemetry
10
None
0
None
0
None
0
Enrichment of powershell.exe executing with command-line arguments as suspicious and the correct ATT&CK Technique (File and Directory Discovery)
Enrichment
15
None
0
None
0
9.A.1 | Cobalt Strike: 'ls' (List) via Win32 APIs to enumerate a network shared drive (Wormshare) on Conficker (10.0.0.5)
None
0
None
0
None
0
None
0
None
0
None
0
None
0
None
0
None
0
None
0
None
0
None
0
16.K.1 | Empire: 'type' via PowerShell to remotely enumerate a specific file (update.vbs) on Creeper (10.0.0.4)
None
0
None
0
None
0
None
0
None
0
Telemetry showing powershell.exe executing the type command with command-line arguments
Telemetry
10
None
0
None
0
None
0
Telemetry showing a file read event for update.vbs (tainted by a parent alert on wscript.exe)
Telemetry-Tainted
7
None
0
Telemetry
10
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | Palo Alto Networks | RSA | SentinelOne
Credentials in Files (Credential Access, T1081)
15.B.1 | Empire: 'get-content' via PowerShell to collect sensitive file (it_tasks.txt) from a network shared drive (Wormshare) on Conficker (10.0.0.5)
None
0
None
0
Telemetry showing decoded PowerShell script containing the function Get-Keystrokes
Excerpt from email sent by OverWatch team indicating keylogging activity occurred (Specific Behavior)
Telemetry
Specific Behavior-Delayed
67
None
0
None
0
Telemetry showing powershell.exe executing the Get-Content cmdlet on IT_tasks.txt
Telemetry
10
None
0
None
0
Telemetry showing "Get-Content" cmdlet (does not count as a detection)
None
0
Telemetry showing a file read event for IT_tasks.txt
Telemetry
10
None
0
None
0
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | Palo Alto Networks | RSA | SentinelOne
PowerShell (Execution, T1086)
13.C.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
16.A.1 | | Not tested (0) | Not tested (0) | Not tested (0) | None (0) | Not tested (0) | None (0) | None (0) | None (0) | Not tested (0) | None (0) | Not tested (0) | Not tested (0)
12.F.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
17.B.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
17.B.2 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
12.F.2 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
17.C.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
12.G.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
12.G.2 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
12.D.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
16.D.1 | | Not tested (0) | Not tested (0) | Not tested (0) | None (0) | Not tested (0) | None (0) | None (0) | None (0) | Not tested (0) | None (0) | Not tested (0) | Not tested (0)
18.A.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
12.E.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
12.C.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
12.B.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
18.B.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
16.E.1 | | Not tested (0) | Not tested (0) | Not tested (0) | None (0) | Not tested (0) | None (0) | None (0) | None (0) | Not tested (0) | None (0) | Not tested (0) | Not tested (0)
17.A.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
16.K.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
11.A.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
16.H.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
12.A.2 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
19.D.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
19.D.2 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
12.A.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
16.G.1 | | Not tested (0) | Not tested (0) | Not tested (0) | None (0) | Not tested (0) | None (0) | None (0) | None (0) | Not tested (0) | None (0) | Not tested (0) | Not tested (0)
16.I.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
16.J.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
16.B.1 | | Not tested (0) | Not tested (0) | Not tested (0) | None (0) | Not tested (0) | None (0) | None (0) | None (0) | Not tested (0) | None (0) | Not tested (0) | Not tested (0)
15.B.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
13.B.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
13.B.2 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
13.A.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
16.C.1 | | Not tested (0) | Not tested (0) | Not tested (0) | None (0) | Not tested (0) | None (0) | None (0) | None (0) | Not tested (0) | None (0) | Not tested (0) | Not tested (0)
16.L.1 | | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0) | None (0)
Technique | Step | Procedures | CarbonBlack | CounterTack | CrowdStrike | Cybereason | Endgame | F-Secure | FireEye | McAfee | Microsoft | Palo Alto Networks | RSA | SentinelOne
Account Discovery (Discovery, T1087)
2.G.2 | Cobalt Strike: 'net user george /domain' via cmd
Telemetry from process tree showing net.exe with command-line arguments
Enrichment of net.exe with correct ATT&CK Technique (Account Discovery)
Telemetry
Enrichment
25
Enrichment of net.exe with conditions Reconnaissance Tool and Net User Reconnaissance Command (tainted by the parent Script File Created alert)
Enrichment-Tainted-Configuration Change
9
Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net user not specifically shown)
Telemetry showing net with command-line arguments
Email excerpt from the OverWatch team indicating net user was a reconnaissance command (General Behavior)
Telemetry-Tainted
General Behavior-Delayed
34
Process tree showing enriched net.exe executing with the correct ATT&CK Technique (Account Discovery) (tainted by a parent Injected Shellcode alert)
Telemetry showing net executing with command-line arguments
Enrichment of net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery)
Telemetry
Enrichment-Tainted
22
General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)
Telemetry-Tainted
General Behavior-Configuration Change-Delayed-Tainted
28
Enrichment of net.exe with a tag identifying the command as enumeration
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (cmd.exe)
Enrichment
General Behavior
45
Excerpt from the Managed Defense Report indicating net user was a reconnaissance command (General Behavior)
Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)
Excerpt from the Managed Defense Report with additional details about net
Enrichment
General Behavior-Delayed
42
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that information of users/groups was obtained
Process tree within trace detection containing cmd.exe executing the net.exe (tainted by a parent alert on Resume Viewer.exe)
Telemetry-Tainted
Enrichment
22
Telemetry showing discovery of George permissions by Debbie from Nimda at the domain controller
General Behavior alert on suspicious sequence of exploration activities
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments
Telemetry showing execution sequence for net.exe with command-line arguments
Telemetry
General Behavior-Delayed
37
Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Enrichment of net1.exe executing with the correct ATT&CK Technique (Account Discovery)
Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Telemetry-Tainted
Enrichment
Enrichment-Tainted
34
Telemetry showing net.exe with command-line arguments
Telemetry
10
Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)
Telemetry-Tainted
7
12.G.1 | Empire: 'net user' via PowerShell
Telemetry from process tree showing net.exe with command-line arguments
Enrichment of net.exe with related ATT&CK Technique (T1069 - Permission Groups Discovery)
Telemetry
Enrichment
25
Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert)
Enrichment-Tainted
12
Email excerpt from the OverWatch team indicating net user was part of additional malicious discovery activity (General Behavior)
Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
Telemetry-Tainted
General Behavior-Delayed
34
Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)
General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery)
General Behavior-Tainted
Telemetry
37
Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts)
Telemetry from event tree showing net.exe with command-line arguments (tainted by parent PowerShell alert)
Telemetry-Tainted
Enrichment-Tainted-Delayed
16
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
Telemetry showing powershell.exe executing net.exe with command-line arguments
General Behavior
Telemetry
40
Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used to capture information about local users (General Behavior)
Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)
Enrichment
General Behavior-Delayed
42
Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on wscript.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that the net utility was used to obtain information of user groups
Telemetry-Tainted
Enrichment
22
Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments
Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments
Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)
Telemetry-Tainted
General Behavior-Delayed
34
Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery)
Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)
Telemetry-Tainted
Enrichment
22
Telemetry showing net.exe with command-line arguments
Telemetry
10
Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)
Continued threat story showing related processes
Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
Telemetry-Tainted
7
12.G.2 | Empire: 'net user /domain' via PowerShell
Telemetry from process tree showing net.exe with command-line arguments
Enrichment of net.exe with related ATT&CK Technique (T1069 - Permission Groups Discovery)
Telemetry
Enrichment
25
Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert)
Enrichment-Tainted
12
Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating net user was part of additional malicious discovery activity (General Behavior)
Telemetry-Tainted
General Behavior-Delayed
34
Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)
General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery)
General Behavior-Tainted
Telemetry
37
Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1087 - Account Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry)
Telemetry-Tainted
Enrichment-Tainted-Delayed
16
General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
Telemetry showing powershell.exe executing net.exe with command-line arguments
General Behavior
Telemetry
40
Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)
Enrichment
General Behavior-Delayed
42
Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on wscript.exe)
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery).
Telemetry-Tainted
Enrichment
22
Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)
Specific Behavior alert showing domain user enumeration from Bob on CodeRed against Domain Controller on Creeper
Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments
Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments
Telemetry-Tainted
General Behavior-Delayed
Specific Behavior-Delayed
91
Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)
Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Account Discovery)
Telemetry-Tainted
Enrichment
22
Telemetry showing net.exe with command-line arguments
Telemetry
10
Threat story showing initial compromise alert and powershell.exe tainting net.exe
Continued threat story showing initial compromise alert and powershell.exe tainting net.exe
Telemetry showing net.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
Telemetry-Tainted
7
7.A.1 | Microsoft Management Console (Local Users and Groups snap-in) GUI utility displayed user account information
Telemetry showing mmc.exe running lusrmgr.msc
Telemetry
10
Telemetry showing mmc.exe running lusrmgr.msc (tainted by the parent "LSA Registry Key modified" alert)
Telemetry-Tainted
7
Telemetry showing mmc.exe running lusrmgr.msc
Telemetry
10
Telemetry showing lusrmgr.msc running from mmc.exe
Telemetry
10
Telemetry showing mmc.exe running lusrmgr.msc
Telemetry
10
Telemetry showing mmc.exe running lusrmgr.msc
Telemetry
10
Telemetry showing mmc.exe running lusrmgr.exe
Telemetry
10
Telemetry showing lusrmgr.msc running from mmc.exe
Telemetry
10
Telemetry showing mmc.exe running lusrmgr.msc
Telemetry
10
Telemetry showing lusrmgr.msc running from mmc.exe
Enrichment of mmc.exe as reconnaissance via the MMC utility with local users and groups view
Telemetry
Enrichment
25
None
0
None
0
2.G.1 | Cobalt Strike: 'net user /domain' via cmd
Enrichment of net.exe with correct ATT&CK Technique (Account Discovery)
Telemetry from process tree showing net.exe with command-line arguments
Telemetry
Enrichment
25
Enrichment of net.exe with condition Net User Reconnaissance Command (tainted by the parent Script File Created alert)
Enrichment-Tainted
12
Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net user not specifically shown)
Telemetry showing net with command-line arguments
Telemetry-Tainted
7
Process tree showing enriched net.exe executing with the correct ATT&CK Technique (Account Discovery) (tainted by a parent Injected Shellcode alert)
Enrichment of net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Account Discovery)
Telemetry showing net executing with command-line arguments
Telemetry
Enrichment-Tainted
22
General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period
Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)
Telemetry-Tainted
General Behavior-Configuration Change-Delayed-Tainted
28
Enrichment of net.exe with a tag identifying the command as enumeration
General Behavior alert for rundll32.exe launching cmd.exe (executing net)
General Behavior
Enrichment
45
Excerpt from the Managed Defense Report indicating net user was a reconnaissance command (General Behavior)
Excerpt from the Managed Defense Report with additional details about net
Enrichment of net.exe with Net User Command Execution alert (tagged with correct ATT&CK Technique, T1087 - Account Discovery, and Tactic, Discovery)
Enrichment
General Behavior-Delayed
42
Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Owner/User Discovery) and a suspicious indicator that information of users/groups was obtained
Process tree within trace detection containing cmd.exe executing the net.exe (tainted by a parent alert on Resume Viewer.exe)
Telemetry-Tainted
Enrichment
22
General Behavior alert on suspicious sequence of exploration activities
Telemetry showing execution sequence for net.exe with command-line arguments
Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments
Telemetry
General Behavior-Delayed
37
Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
Telemetry-Tainted
Enrichment-Tainted
19
Telemetry showing net.exe with command-line argumentsTelemetry
10
Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)Telemetry-Tainted
7
Technique: Rundll32 (T1085)
Tactics: Defense Evasion, Execution
Step 1.A.1 - Previously executed batch file (pdfhelper.cmd) launched a DLL payload (update.dat) using Rundll32
CarbonBlack [score 25]: Telemetry, Enrichment
  - Telemetry from process tree showing Resume Viewer.exe execution sequence with rundll32.exe
  - Enrichment of rundll32.exe execution with correct ATT&CK Technique (T1085, corresponding to Rundll32)
CounterTack [score 7]: Telemetry-Tainted
  - Telemetry showing cmd.exe launched rundll32.exe (tainted by the Script File Created alert)
CrowdStrike [score 97]: Specific Behavior, General Behavior-Delayed, Telemetry
  - Specific Behavior alert showing rundll32 execution (mapped to correct ATT&CK Technique, Rundll32, and Tactic, Defense Evasion. Green arrow indicates injection.)
  - OverWatch General Behavior alert indicating rundll32 execution was suspicious
Cybereason [score 121]: Specific Behavior-Tainted, Telemetry-Tainted, Specific Behavior-Tainted
  - Specific Behavior alert for rundll32.exe, identified as a compromised legitimate process, injecting shellcode into rundll32.exe, tagged with the correct ATT&CK Tactic (Defense Evasion) and a related Technique (Process Injection)
  - Telemetry within the rundll32.exe injection alert showing command-line arguments of rundll32.exe running update.dat (tainted by parent alert on explorer.exe)
  - Specific Behavior alert for rundll32.exe launching a module from a temporary folder and injecting shellcode into a victim process (tainted by parent alert on explorer.exe)
Endgame [score 64]: Telemetry-Tainted, Specific Behavior-Tainted
  - Specific Behavior alert for RunDLL32 with Suspicious DLL Location and surrounding telemetry (tagged with correct ATT&CK Technique, T1085 - Rundll32 and Tactics, Defense Evasion, Execution; tainted by parent Malicious File Detection alert)
  - Telemetry showing rundll32.exe running update.dat execution event
  - Event tree view showing the Malicious File Detection alert tainting rundll32.exe telemetry
F-Secure [score 100]: General Behavior, Specific Behavior, Telemetry
  - Telemetry showing rundll32.exe executing update.dat
FireEye [score 72]: Enrichment, Specific Behavior-Delayed
  - Excerpt from the Managed Defense Report indicating rundll32.exe was used for execution (Specific Behavior)
  - Enrichment of rundll32.exe execution (tagged with correct ATT&CK Technique, T1085 - Rundll32, and Tactics, Defense Evasion, Execution)
McAfee [score 67]: Telemetry-Tainted, Specific Behavior
  - Telemetry showing cmd.exe executing update.dat via rundll32.exe
  - Process tree within trace detection showing rundll32.exe executing (tainted by a parent alert on Resume Viewer.exe)
  - Specific Behavior alerts based on suspicious indicators that a "Loaded non-DLL and non-CPL file with specified parameters via rundll32." The alerts were tagged with the correct ATT&CK Tactic (Defense Evasion, Execution) and Technique (Rundll32)
Microsoft [score 37]: Telemetry, General Behavior-Delayed
  - Telemetry showing rundll32.exe process injection sequence
  - General Behavior alert on low-reputation DLL load by signed executable
PaloAltoNetworks [score 91]: Telemetry-Tainted, Specific Behavior-Tainted, General Behavior-Tainted
  - Specific Behavior alerts for rundll32 tagged with the correct ATT&CK Technique (Rundll32) (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
  - Telemetry showing rundll32.exe executing update.dat (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
  - Additional details of General Behavior alert for rundll32.exe executing update.dat
  - General Behavior alert for rundll32.exe executing update.dat, identified as a suspicious DLL and malware (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
RSA [score 10]: Telemetry
  - Telemetry showing execution of Resume Viewer.exe
SentinelOne [score 7]: Telemetry-Tainted
  - Telemetry from process tree showing rundll32.exe (tainted by relationship to threat story)
Technique: System Network Connections Discovery (T1049)
Tactic: Discovery
Step 12.E.1.12 - Empire: WinEnum module included enumeration of established network connections
CarbonBlack [score 25]: Telemetry, Enrichment
  - Telemetry from process tree showing netstat.exe with command-line arguments
  - Enrichment of netstat.exe with correct ATT&CK Technique (System Network Connections Discovery)
CounterTack [score 0]: None
CrowdStrike [score 7]: Telemetry-Tainted
  - Telemetry from process tree showing netstat.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
Cybereason [score 22]: Enrichment-Tainted, Telemetry
  - Enriched alert for netstat.exe labeled with Reconnaissance and the correct ATT&CK Technique (System Network Connections Discovery) (tainted by a parent PowerShell alert)
Endgame [score 16]: Telemetry-Tainted, Enrichment-Tainted-Delayed
  - Event tree showing telemetry of netstat subprocess associated with WinEnum (tainted by parent PowerShell alerts)
  - Interactive Shell events showing the WinEnum script and the Netstat Established Connections and Processes function (does not count as a detection due to manual process of pulling events)
  - Enriched event tree showing enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts, tree is initially available unenriched to show the base telemetry)
F-Secure [score 10]: Telemetry
  - Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
FireEye [score 42]: Enrichment, General Behavior-Delayed
  - Enrichment of netstat.exe with Netstat Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)
  - Excerpt from the Managed Defense Report indicating netstat.exe was a reconnaissance command used (General Behavior)
McAfee [score 7]: Telemetry-Tainted
  - Telemetry showing powershell.exe executing netstat.exe (tainted by a parent alert on wscript.exe)
Microsoft [score 34]: Telemetry-Tainted, General Behavior-Delayed
  - Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing netstat.exe with command-line arguments
  - Telemetry of execution sequence showing Get-NetInfo invocation
  - Telemetry of execution sequence showing powershell.exe executing netstat.exe with command-line arguments
  - Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process
PaloAltoNetworks [score 15]: Enrichment
  - Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (System Network Connections Discovery)
RSA [score 10]: Telemetry
  - Telemetry showing netstat.exe with command-line arguments
SentinelOne [score 7]: Telemetry-Tainted
  - Telemetry showing netstat.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
Step 13.B.1 - Empire: 'net use' via PowerShell
CarbonBlack [score 25]: Enrichment, Telemetry
  - Enrichment of net.exe with related ATT&CK Technique (Account Discovery)
CounterTack [score 7]: Telemetry-Tainted
  - Telemetry showing net.exe with command-line arguments (tainted by the parent Script File Created alert)
CrowdStrike [score 34]: Telemetry-Tainted, General Behavior-Delayed
  - Email excerpt from the OverWatch team indicating net use was part of additional malicious discovery activity (General Behavior)
  - Telemetry from process tree showing net.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
Cybereason [score 37]: General Behavior-Tainted, Telemetry
  - Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)
  - General Behavior alert for net.exe executing with the correct ATT&CK Tactic (System Network Connections Discovery) and Technique (Discovery)
Endgame [score 73]: Specific Behavior-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted
  - Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery), related ATT&CK Technique (Remote System Discovery), and correct Tactic (Discovery) (tainted by parent alert, tree is initially available unenriched to show the base telemetry)
  - Specific Behavior alert for Discovery via network file share enumeration (tainted by parent alert)
F-Secure [score 40]: Telemetry, General Behavior
  - General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
  - Telemetry showing powershell.exe executing net.exe with command-line arguments
FireEye [score 42]: Enrichment, General Behavior-Delayed
  - Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
  - Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)
McAfee [score 7]: Telemetry-Tainted
  - Telemetry showed powershell.exe executing net.exe (tainted by parent alert on wscript.exe)
Microsoft [score 34]: Telemetry-Tainted, General Behavior-Delayed
  - Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)
  - Telemetry showing execution of net.exe with command-line arguments
  - Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments
PaloAltoNetworks [score 7]: Telemetry-Tainted
  - Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)
RSA [score 10]: Telemetry
  - Telemetry showing execution of net.exe and command-line arguments
SentinelOne [score 7]: Telemetry-Tainted
  - Telemetry showing execution of net.exe and command-line arguments (tainted Group ID not shown but was the search parameter)
Step 13.B.2 - Empire: 'netstat -ano' via PowerShell
CarbonBlack [score 25]: Telemetry, Enrichment
  - Telemetry showing process tree with netstat.exe and command-line arguments
  - Enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery)
CounterTack [score 7]: Telemetry-Tainted
  - Telemetry showing netstat.exe with command-line arguments (tainted by the parent Script File Created alert)
CrowdStrike [score 34]: Telemetry-Tainted, General Behavior-Delayed
  - Telemetry from process tree showing netstat.exe with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
  - Email excerpt from the OverWatch team indicating netstat was part of additional malicious discovery activity (General Behavior)
Cybereason [score 22]: Enrichment-Tainted, Telemetry
  - Enrichment showing netstat.exe executing as Reconnaissance and the correct ATT&CK Technique (System Network Connections Discovery) (tainted by a parent PowerShell alert)
Endgame [score 16]: Telemetry-Tainted, Enrichment-Delayed-Tainted
  - Enriched event tree showing enrichment of netstat.exe with correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery) (tainted by parent alert, tree is initially available unenriched to show the base telemetry)
F-Secure [score 40]: Telemetry, General Behavior
  - General Behavior alert showing that a spawned process (netstat) has been tagged for monitoring because its parent process has a detection (powershell.exe)
  - Telemetry showing powershell.exe executing netstat.exe with command-line arguments
FireEye [score 42]: Enrichment, General Behavior-Delayed
  - Excerpt from the Managed Defense Report indicating netstat.exe was a reconnaissance command used (General Behavior)
  - Enrichment of netstat.exe with Netstat Execution alert (tagged with correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)
McAfee [score 22]: Telemetry-Tainted, Enrichment
  - Enrichment of netstat.exe with the correct ATT&CK Tactic (Discovery) and Technique (System Network Connections Discovery) and a suspicious indicator that the network protocol statistics were gathered
  - Telemetry showed powershell.exe executing netstat.exe (tainted by parent alert on wscript.exe)
Microsoft [score 34]: Telemetry-Tainted, General Behavior-Delayed
  - Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific netstat.exe instance not shown)
  - Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing netstat.exe with command-line arguments
  - Telemetry showing execution of netstat.exe (tainted by parent PowerShell malicious cmdlet alert)
PaloAltoNetworks [score 7]: Telemetry-Tainted
  - Telemetry showing powershell.exe executing netstat with command-line arguments (tainted by a parent alert on wscript.exe)
RSA [score 0]: None
SentinelOne [score 7]: Telemetry-Tainted
  - Telemetry showing execution of netstat.exe and command-line arguments (tainted Group ID not shown but was the search parameter)
Step 4.C.1 - Cobalt Strike: 'netstat -ano' via cmd
CarbonBlack [score 25]: Telemetry, Enrichment
  - Telemetry from process tree showing netstat.exe with command-line arguments
  - Enrichment of netstat.exe with correct ATT&CK technique (System Network Connections Discovery)
CounterTack [score 7]: Telemetry-Tainted
  - Telemetry showing netstat.exe with command-line arguments (tainted by the parent "Powershell Execution Policy ByPass command ran" alert)
CrowdStrike [score 64]: General Behavior-Delayed, Telemetry, General Behavior-Delayed
  - OverWatch General Behavior alert indicating netstat execution by cmd.exe was suspicious
  - Email excerpt from the OverWatch team indicating netstat was a reconnaissance command (General Behavior)
Cybereason [score 22]: Enrichment-Tainted, Telemetry
  - Enrichment of netstat.exe executing labeled as Reconnaissance and mapped to the correct ATT&CK Technique (System Network Connections Discovery) (tainted by a parent Injected Shellcode alert)
  - Telemetry showing cmd.exe executing netstat with command-line arguments
Endgame [score 22]: Telemetry, Enrichment-Delayed
  - Additional UI view of telemetry (showing the netstat command in this instance)
  - Enriched event tree showing enrichment of netstat with correct ATT&CK Technique (T1049 - System Network Connections Discovery) and Tactic (Discovery)
  - Telemetry from event tree showing netstat with command-line arguments
F-Secure [score 15]: Enrichment
  - Enrichment of netstat.exe with a tag identifying the command as enumeration
FireEye [score 72]: Enrichment, Specific Behavior-Delayed
  - Enrichment of netstat.exe with Netstat Execution alert (tagged with the correct ATT&CK Technique, T1049 - System Network Connections Discovery, and Tactic, Discovery)
  - Excerpt from the Managed Defense Report with additional details about netstat
  - Excerpt from the Managed Defense Report indicating netstat was used to enumerate active and listening network ports (Specific Behavior)
McAfee [score 22]: Telemetry-Tainted, Enrichment
  - Enrichment of netstat.exe with the correct Tactic (Discovery) and Technique (System Network Connections Discovery) and a suspicious indicator that network statistics and TCP/IP connections were gathered
  - Process tree within trace detection showing cmd.exe executing netstat.exe (tainted by a parent alert on cmd.exe)
Microsoft [score 7]: Telemetry-Tainted
  - Telemetry showing execution sequence for netstat.exe with command-line arguments
  - Process tree view of prior suspicious process injection alert showing tainted powershell.exe child cmd.exe process performing this action (specific netstat.exe command not shown)
PaloAltoNetworks [score 25]: Telemetry, Enrichment
  - Enrichment of netstat.exe executing with the correct ATT&CK Technique (System Network Connections Discovery)
  - Telemetry showing cmd.exe executing netstat with command-line arguments
RSA [score 10]: Telemetry
  - Telemetry showing netstat.exe with command-line arguments
SentinelOne [score 7]: Telemetry-Tainted
  - Telemetry showing netstat.exe with command-line arguments (tainted by relationship to threat story)
Technique: Bypass User Account Control (T1088)
Tactics: Defense Evasion, Privilege Escalation
Step 3.A.1 - Cobalt Strike: Built-in UAC bypass token duplication capability executed to elevate process integrity level
CarbonBlack [score 0]: None
CounterTack [score 0]: None
  - Relationships view of alert showing svchost.exe spawning powershell.exe tree (including encoded PowerShell). Red dots indicate malicious behavior and orange indicate suspicious behavior (based off impact value) (does not count as a detection)
  - Alert for PowerShell process creation (does not count as a detection)
CrowdStrike [score 10]: Telemetry
  - Telemetry showing process integrity level change for Debbie from 8192 (0x2000/Medium) to 12288 (0x3000/High)
Cybereason [score 7]: Telemetry-Tainted
  - Telemetry showing powershell.exe running as high integrity as user Debbie (tainted by a parent PowerShell alert)
  - Telemetry showing powershell.exe running as medium integrity as user Debbie
Endgame [score 10]: Telemetry
  - Telemetry showing authentication (logon) ID mismatch between parent and child processes
F-Secure [score 15]: Enrichment
  - Enrichment of an unelevated svchost.exe spawning an elevated powershell.exe process with a tag indicating a possible UAC Bypass
FireEye [score 7]: Telemetry-Configuration Change
  - Telemetry showing execution of powershell.exe running as SYSTEM with token login ID 0xfcf5fd
  - Telemetry showing group membership of token logon ID 0xfcf5fd, associated with user Debbie, which includes S-1-16-12288 (High Mandatory Level)
McAfee [score 60]: Specific Behavior
  - Specific Behavior alert for a possible UAC bypass, tagged with the correct ATT&CK Technique (Bypass User Account Control) and Tactics (Defense Evasion, Privilege Escalation)
Microsoft [score 7]: Telemetry-Tainted
  - Telemetry showing powershell.exe running as high integrity as SYSTEM
  - Telemetry showing rundll32.exe running as medium integrity as user Debbie
  - Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and elevated powershell.exe
PaloAltoNetworks [score 10]: Telemetry
  - Telemetry showing process integrity level change from parent rundll32.exe (medium) to child powershell.exe (high), both running as user Debbie
RSA [score 0]: None
  - Alert for powershell.exe execution with encoded command-line arguments (does not count as a detection)
SentinelOne [score 10]: Telemetry
Step 14.A.1 - Empire: Built-in UAC bypass token duplication module executed to launch new callback with elevated process integrity level
CarbonBlack [score 0]: None
CounterTack [score 0]: None
  - Alert for encoded PowerShell (does not count as a detection)
CrowdStrike [score 67]: Telemetry, Specific Behavior-Delayed
  - Telemetry showing the Invoke-BypassUACTokenManipulation function
  - Email excerpt from the OverWatch team indicating obfuscated PowerShell invoked UAC bypass (Specific Behavior)
  - Telemetry showing integrity level change through query for powershell.exe processes of high integrity (12288/0x3000) that were created by medium integrity processes (8192/0x2000)
Cybereason [score 7]: Telemetry-Tainted
  - Telemetry showing powershell.exe executing with medium process integrity (tainted by a parent PowerShell alert)
  - Telemetry showing powershell.exe executing with high process integrity (tainted by a parent PowerShell alert)
  - Parent alert generated for malicious use of PowerShell
Endgame [score 10]: Telemetry
  - Telemetry showing authentication (logon) ID mismatch between parent and child processes
  - Telemetry showing svchost.exe seclogon event for token login id 0x9b6855 (10184789), used by the spawned powershell.exe
F-Secure [score 40]: General Behavior, Telemetry
  - Telemetry showing an elevated PowerShell being spawned under the context of user Bob from an unelevated parent process
  - General Behavior alert for a possible PowerShell privilege escalation based on the elevation of a child process from a non-elevated parent
FireEye [score 7]: Telemetry-Configuration Change
  - Telemetry showing execution of powershell.exe running as SYSTEM with token login ID 0x10530b3
  - Telemetry showing group membership of token logon ID 0x10530b3 associated with user Bob, which includes S-1-16-12288 (High Mandatory Level)
McAfee [score 70]: Telemetry, Specific Behavior
  - Specific Behavior alert for a possible UAC bypass
  - Telemetry showing an integrity level change for powershell.exe
Microsoft [score 7]: Telemetry-Tainted
  - Parent alert for "Suspicious sequence of exploration activities" showing powershell.exe process tainting this event
  - Telemetry showing medium integrity powershell.exe process executing Invoke-BypassUACTokenManipulation as user Bob
  - Telemetry showing high integrity powershell.exe process as Bob
  - Telemetry showing high integrity powershell.exe process as SYSTEM
PaloAltoNetworks [score 30]: Telemetry, Indicator of Compromise
  - Telemetry showing powershell.exe running as high integrity level (12288)
  - Indicator of Compromise alert identifying a PowerShell Empire script performing the bypass UAC attack
  - Telemetry showing powershell.exe running as medium integrity level (8192)
RSA [score 0]: None
SentinelOne [score 7]: Telemetry-Tainted
  - Telemetry showing process integrity level change from medium to high (tainted by relationship to threat story but Group ID not shown in this view)
Technique: Process Discovery (T1057)
Tactic: Discovery
Step 2.C.1 - Cobalt Strike: 'ps' (Process status) via Win32 APIs
CarbonBlack [score 0]: None
CounterTack [score 0]: None
CrowdStrike [score 0]: None
Cybereason [score 0]: None
Endgame [score 0]: None
F-Secure [score 0]: None
FireEye [score 0]: None
McAfee [score 0]: None
Microsoft [score 0]: None
PaloAltoNetworks [score 12]: Enrichment-Tainted
  - Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
RSA [score 0]: None
SentinelOne [score 0]: None
Step 2.C.2 - Cobalt Strike: 'tasklist /v' via cmd
CarbonBlack [score 25]: Telemetry, Enrichment
  - Telemetry from process tree showing tasklist.exe with command-line arguments
  - Enrichment of tasklist.exe with correct ATT&CK Technique (T1057 - Process Discovery)
CounterTack [score 7]: Telemetry-Tainted
  - Telemetry showing tasklist.exe with command-line arguments (tainted by the parent Script File Created alert)
CrowdStrike [score 34]: Telemetry-Tainted, General Behavior-Delayed
  - Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (tasklist not specifically shown)
  - Email excerpt from the OverWatch team indicating tasklist was a reconnaissance command (General Behavior)
  - Telemetry showing tasklist with command-line arguments
Cybereason [score 7]: Telemetry-Tainted
  - Telemetry showing tasklist.exe executing within the process tree (tainted by a parent Injected Shellcode alert)
  - Telemetry showing cmd.exe executing tasklist with command-line arguments
Endgame [score 28]: Telemetry-Tainted, General Behavior-Configuration Change-Delayed-Tainted
  - General Behavior alerts for Enumeration Command Sequences that triggered for specified number of commands in specified time period
  - Telemetry showing tasklist.exe with command-line arguments (tainted by parent Malicious File Detection)
  - Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
F-Secure [score 70]: General Behavior, Telemetry, General Behavior
  - General Behavior alert showing that a spawned process (cmd.exe running tasklist) has been tagged for monitoring because its parent process has a detection (cmd.exe)
  - General Behavior alert for rundll32.exe launching cmd.exe (executing tasklist)
  - Telemetry showing tasklist.exe with command-line arguments
FireEye [score 72]: Enrichment, Specific Behavior-Delayed
  - Enrichment of tasklist.exe with Tasklist Execution alert (tagged with correct ATT&CK Technique, T1057 - Process Discovery, and Tactic, Discovery)
  - Excerpt from the Managed Defense Report indicating tasklist was used to enumerate current running processes (Specific Behavior)
  - Excerpt from the Managed Defense Report with additional details about tasklist
McAfee [score 22]: Telemetry-Tainted, Enrichment
  - Process tree within trace detection containing cmd.exe executing tasklist.exe (tainted by a parent alert on Resume Viewer.exe)
  - Enrichment of tasklist.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (System Service Discovery) and a suspicious indicator that the process discovered running Windows services and/or processes
Microsoft [score 37]: Telemetry, General Behavior-Delayed
  - Process tree view of General Behavior alert on suspicious sequence of exploration activities showing tasklist.exe
  - Telemetry showing execution sequence for tasklist.exe with command-line arguments
  - General Behavior alert on suspicious sequence of exploration activities
PaloAltoNetworks [score 34]: Telemetry-Tainted, Enrichment, Enrichment-Tainted
  - Enrichment of the execution of tasklist.exe as the enumeration of running processes via the command line (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
  - Enrichment of tasklist.exe executing with a related ATT&CK Technique (System Information Discovery)
  - Telemetry showing cmd.exe executing tasklist with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
RSA [score 10]: Telemetry
  - Telemetry showing tasklist.exe with command-line arguments
  - Additional telemetry showing tasklist.exe with command-line arguments
SentinelOne [score 7]: Telemetry-Tainted
  - Telemetry showing tasklist.exe with command-line arguments (tainted by relationship to threat story)
Step 3.B.1 - Cobalt Strike: 'ps' (Process status) via Win32 APIs
CarbonBlack [score 0]: None
CounterTack [score 0]: None
CrowdStrike [score 0]: None
Cybereason [score 0]: None
Endgame [score 0]: None
F-Secure [score 0]: None
FireEye [score 0]: None
McAfee [score 0]: None
Microsoft [score 0]: None
PaloAltoNetworks [score 12]: Enrichment-Tainted
  - Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
RSA [score 0]: None
SentinelOne [score 0]: None
Step 8.B.1 - Cobalt Strike: 'ps' (Process status) via Win32 APIs
CarbonBlack [score 0]: None
CounterTack [score 0]: None
CrowdStrike [score 0]: None
Cybereason [score 0]: None
Endgame [score 0]: None
F-Secure [score 0]: None
FireEye [score 0]: None
McAfee [score 0]: None
Microsoft [score 0]: None
PaloAltoNetworks [score 12]: Enrichment-Tainted
  - Enrichment of the execution of a specific API call as process enumeration and suspicious activity (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
RSA [score 0]: None
SentinelOne [score 0]: None
Step 12.C.1 - Empire: 'qprocess *' via PowerShell
CarbonBlack [score 25]: Telemetry, Enrichment
  - Telemetry from process tree showing qprocess.exe with command-line arguments
  - Enrichment of qprocess.exe with correct ATT&CK Technique (Process Discovery)
CounterTack [score 7]: Telemetry-Tainted
  - Telemetry showing qprocess.exe with command-line arguments (tainted by parent Script File Created alert)
CrowdStrike [score 61]: General Behavior-Delayed-Tainted, Telemetry, General Behavior-Delayed
  - Email excerpt from the OverWatch team indicating qprocess was part of basic reconnaissance activity (General Behavior)
  - OverWatch General Behavior alert and telemetry indicating qprocess.exe with command-line arguments was suspicious (tainted from previous powershell.exe detection by red line indicating high severity)
Cybereason [score 22]: Enrichment-Tainted, Telemetry
  - Enrichment of qprocess.exe executing with correct ATT&CK Technique (Process Discovery) and Tactic (Discovery) (tainted by a parent PowerShell alert)
  - Enrichment of qprocess.exe executing with labels for Reconnaissance and Local process discovery
Endgame [score 7]: Telemetry-Tainted
  - Event tree view of telemetry showing qprocess.exe with command-line arguments (tainted by parent PowerShell alerts)
F-Secure [score 55]: Enrichment, Telemetry, General Behavior
  - Telemetry showing powershell.exe executing qprocess.exe with command-line arguments
  - Enrichment of qprocess.exe as listing running processes and possibly a sign of reconnaissance
  - General Behavior alert showing that a spawned process (qprocess) has been tagged for monitoring because its parent process has a detection (powershell.exe)
FireEye [score 42]: Enrichment, General Behavior-Delayed
  - Enrichment of qprocess.exe with Qprocess Execution alert (tagged with correct ATT&CK Technique, T1057 - Process Discovery, and Tactic, Discovery)
  - Excerpt from the Managed Defense Report indicating qprocess.exe was a reconnaissance command used (General Behavior)
McAfee [score 37]: Telemetry-Tainted, Enrichment, Enrichment
  - Enrichment of qprocess.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that software running on a system was queried
  - Telemetry showing qprocess.exe with command-line arguments (tainted by a parent alert on wscript.exe)
  - Enrichment of qprocess.exe with the correct ATT&CK Tactic (Discovery) and a related Technique (Process Discovery) and a suspicious indicator that QPROCESS was used to check active processes
Microsoft [score 7]: Telemetry-Tainted
  - Telemetry showing execution sequence of powershell.exe executing qprocess.exe with command-line arguments
  - Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process
  - Process tree view of powershell.exe with malicious cmdlets alert showing tainted powershell.exe process
PaloAltoNetworks [score 34]: Telemetry-Tainted, Enrichment-Tainted, Enrichment
  - Enrichment of execution of qprocess.exe as the enumeration of running processes via the command line (tainted by a parent alert on wscript.exe)
  - Enrichment of qprocess.exe executing with a related ATT&CK Technique (System Service Discovery)
  - Telemetry showing powershell.exe executing qprocess.exe with command-line arguments (tainted by a parent alert on wscript.exe)
RSA [score 10]: Telemetry
  - Telemetry showing qprocess.exe with command-line arguments
SentinelOne [score 7]: Telemetry-Tainted
  - Telemetry showing qprocess.exe with command-line arguments (tainted Group ID not shown but was the search parameter)
  - Threat story showing initial compromise alert and powershell.exe tainting qprocess.exe
Technique: Data Encrypted (T1022)
Tactic: Exfiltration
Step 19.B.1 - Empire: Executed binary (recycler.exe) created encrypted archive (old.rar) of previously collected file
CarbonBlack [score 25]: Telemetry, Enrichment
  - Telemetry showing recycler.exe and command-line arguments with encryption password
  - Enrichment of recycler.exe with correct ATT&CK Technique (T1022 - Data Encrypted)
CounterTack [score 16]: Enrichment-Tainted-Configuration Change, Telemetry-Tainted
  - Enrichment showing recycler.exe creating old.rar (enriched with "Data Exfiltration Archiving", tainted by parent "Powershell executed encoded command" alerts)
  - Telemetry showing recycler.exe with full command-line (tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts)
CrowdStrike [score 124]: Specific Behavior-Tainted, Telemetry, Specific Behavior-Delayed
  - Specific Behavior alert showing use of -hp flags within command-line (mapped to related ATT&CK Technique, Data Compressed, and correct Tactic, Exfiltration; tainted by previous powershell.exe detection by red line indicating high severity)
  - Email excerpt sent by OverWatch team indicating they observed a .vsdx file archived using the renamed RAR binary, recycler.exe (Specific Behavior)
Cybereason [score 7]: Telemetry-Tainted
  - Telemetry showing recycler.exe execution (tainted by a parent PowerShell alert)
Endgame [score 73]: Specific Behavior-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted
  - Enriched event tree showing enrichment of recycler.exe and creation of old.rar output with correct ATT&CK Technique (T1022 - Data Encrypted) and Tactic (Exfiltration) (tainted by Windows Script Executing PowerShell alert, tree is initially available unenriched to show the base telemetry)
  - Specific Behavior alert for the execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar" (tainted by Windows Script Executing PowerShell alert)
F-Secure [score 40]: Telemetry, General Behavior
  - General Behavior alert showing that a spawned process (recycler) has been tagged for monitoring because its parent process has a detection (powershell.exe)
  - Telemetry showing recycler.exe execution
FireEye [score 162]: General Behavior, Enrichment, Enrichment, General Behavior, Enrichment, Specific Behavior-Delayed
  - Enrichment of -hp command line with Possible Encrypted RAR Archive Command alert (tagged with correct ATT&CK Technique, T1022 - Data Encrypted)
  - Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration)
  - General Behavior alert for Execution from Suspicious Directory
  - General Behavior alert for File Write To Root Of Recycle Bin
  - Enrichment of RAR file write with RAR Archive Created alert (tagged with a related ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration)
  - Excerpt from the Managed Defense Report indicating the attacker executed recycler.exe to create an encrypted RAR file (Specific Behavior)
McAfee [score 7]: Telemetry-Tainted
  - Telemetry showing the execution of recycler.exe with command-line arguments (tainted by a parent alert on cmd.exe)
  - Telemetry showing the creation of old.rar (tainted by a parent alert on cmd.exe)
Microsoft [score 7]: Telemetry-Tainted
  - Telemetry showing execution of recycler.exe with command-line arguments for file encryption and compression
  - Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown)
PaloAltoNetworks [score 7]: Telemetry-Tainted
  - Telemetry showing recycler.exe execution (tainted by a parent alert on wscript.exe)
RSA [score 10]: Telemetry
  - Telemetry showing execution of recycler.exe with command-line arguments
SentinelOne [score 7]: Telemetry-Tainted
  - Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the same Group ID
  - Telemetry showing the execution of recycler.exe
Technique: Input Capture (T1056); Tactics: Collection, Credential Access

Step 8.C.1, Cobalt Strike: Built-in keylogging capability executed to capture keystrokes of user Debbie

| Vendor | Evidence (screenshots) | Detection types | Score |
|---|---|---|---|
| CarbonBlack | | None | 0 |
| CounterTack | Command-Line Interface view for host Nimda kicking off DDNA Scan for PID 11252 (does not count as a detection); DDNA JSON output from PID 11252 showing process capabilities (does not count as a detection); Telemetry showing remote thread being created into explorer.exe (does not count as a detection) | None | 0 |
| CrowdStrike | Telemetry showing injected thread events (explorer.exe, pid=21776848613, injecting from cmd.exe, pid=21898821890) (does not count as a detection) | None | 0 |
| Cybereason | Alert for Chain of Injections for powershell.exe injecting into cmd.exe (does not count as detection); Alert showing loaded keyloggerx64.dll module (does not count as detection); Alert showing keyloggerx64.dll module loaded into explorer.exe, including memory address and size (does not count as a detection); Alert for Chain of Injections showing powershell.exe injecting into explorer.exe (does not count as detection) | None | 0 |
| Endgame | Event tree showing a Process Injection alert from which strings were pulled (does not count as a detection); Strings output extracted from Process Injection alert, showing key definitions typically associated with a keylogger, but no evidence of execution (does not count as a detection) | None | 0 |
| F-Secure | | None | 0 |
| FireEye | | None | 0 |
| McAfee | Alert that cmd.exe obtained a handle to the memory thread and injected code into explorer.exe (does not count as detection) | None | 0 |
| Microsoft | Telemetry showing explorer.exe reading user keystrokes; Specific Behavior alert for "Possible keylogging activity" against explorer.exe; Execution sequence showing cmd.exe injecting into explorer.exe (does not count as a detection) | Telemetry-Configuration Change; Specific Behavior-Delayed | 64 |
| PaloAltoNetworks | Telemetry showing code injection into explorer.exe (does not count as a detection); Telemetry showing hook injection from explorer.exe (does not count as a detection); Enrichment of the execution of a specific API call as keylogging and suspicious activity | Enrichment | 15 |
| RSA | Floating Code module output showing keylogger key definitions (does not count as a detection); Floating Code module output showing keylogger aggressor script (does not count as a detection) | None | 0 |
| SentinelOne | Telemetry showing GetAsyncKeyStateApi (Group ID tainted the event but was not shown in this view); Telemetry showing process injection into explorer.exe (does not count as a detection) | Telemetry-Tainted | 7 |

Step 15.A.1, Empire: Built-in keylogging module executed to capture keystrokes of user Bob

| Vendor | Evidence (screenshots) | Detection types | Score |
|---|---|---|---|
| CarbonBlack | Telemetry showing modloads associated with keylogger; Enrichment of data with tag "PowerShell Input Capture -keylogger" | Telemetry; Enrichment | 25 |
| CounterTack | | None | 0 |
| CrowdStrike | Excerpt from email sent by OverWatch team indicating IT_tasks.txt was retrieved as a file of interest (General Behavior); Telemetry showing FsPostOpen event for IT_tasks.txt; Telemetry showing file read event for IT_tasks.txt | Telemetry; General Behavior-Delayed | 37 |
| Cybereason | Indicator of Compromise alert for Malicious Command Get-Keystrokes; Telemetry showing modloads associated with a keylogger | Indicator of Compromise; Telemetry | 30 |
| Endgame | Telemetry showing PowerShell Script Block logging with execution of Get-KeyStrokes (does not count as a detection) | None | 0 |
| F-Secure | Telemetry showing powershell.exe executing the GetAsyncKeyState method; Enrichment of powershell.exe with a tag indicating .NET keylogging | Telemetry; Enrichment | 25 |
| FireEye | PowerShell activity during the time of the keylogging (does not count as detection) | None | 0 |
| McAfee | | None | 0 |
| Microsoft | Telemetry showing execution of Get-Keystrokes cmdlet; Telemetry showing keylogger events; Specific Behavior alert for keylogging activity from powershell.exe; Parent alert showing process tree view showing tainted relationship (specific instance of this technique not shown in the alert) | Telemetry-Tainted; Specific Behavior-Delayed | 64 |
| PaloAltoNetworks | Indicator of Compromise alert identifying a PowerShell Empire script logging keys pressed, time, and the active window; Enrichment of the execution of a specific API call as keylogging and suspicious activity | Enrichment; Indicator of Compromise | 35 |
| RSA | | None | 0 |
| SentinelOne | Enrichment of use of GetAsyncKeyStateApi tagged as a keylogger (tainted by relationship to threat story but Group ID not shown in this view) | Enrichment-Tainted | 12 |
Technique: Multiband Communication (T1026); Tactic: Command and Control

Step 6.B.1, Cobalt Strike: C2 channel modified to split communications between both HTTP and DNS

| Vendor | Evidence (screenshots) | Detection types | Score |
|---|---|---|---|
| CarbonBlack | Telemetry showing network connection over UDP port 53; Telemetry showing network connection over TCP port 80 | Telemetry | 10 |
| CounterTack | Telemetry showing DNS queries to freegoogleadsenseinfo.com (C2 domain) from svchost.exe; Telemetry showing outbound traffic to 192.168.0.4 (C2 server) over TCP port 80 (tainted by the parent "Sponsor Process Established Network Connection" alert) | Telemetry-Tainted | 7 |
| CrowdStrike | Telemetry showing TCP port 80 connection to 192.168.0.4 (C2 server); Telemetry within an alert showing abnormally large DNS requests occurred (tainted by parent Exfiltration alert) | Telemetry-Tainted | 7 |
| Cybereason | Telemetry showing the same rundll32.exe opening a connection over port 80 while making DNS queries to freegoogleadsenseinfo.com (C2 domain) (tainted by a parent Injected Shellcode alert, listed as Owner process) | Telemetry-Tainted | 7 |
| Endgame | Telemetry showing DNS connections; Telemetry showing port 80 traffic (tainted by parent Malicious File Detection alert) | Telemetry-Tainted | 7 |
| F-Secure | Telemetry showing rundll32.exe making DNS queries; Telemetry showing rundll32.exe making network connections over port 80 to 192.168.0.4 (C2 server) | Telemetry | 10 |
| FireEye | Excerpt from the Managed Defense Report identifying C2 traffic communicating over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) in addition to the ongoing DNS C2 (Specific Behavior); Telemetry showing DNS requests (field name dnsLookupEvents/Generated) and HTTP requests (field name urlMonitorEvents/Generated) | Telemetry; Specific Behavior-Delayed | 67 |
| McAfee | | None | 0 |
| Microsoft | Telemetry showing execution sequence for rundll32.exe opening port 80 network connection; Incident graph from "Unexpected process behavior" alert (resulting from rundll32.exe) showing tainted network connection; Telemetry showing DNS traffic to C2 domain | Telemetry-Tainted | 7 |
| PaloAltoNetworks | Telemetry showing ports 80 and 53 command and control traffic | Telemetry | 10 |
| RSA | | None | 0 |
| SentinelOne | Telemetry showing port 80 connection to 192.168.0.4 (C2 server); Telemetry showing DNS query to C2 domain (tainted by relationship to threat story shown in Group ID) | Telemetry-Tainted | 7 |
Technique: Windows Admin Shares (T1077); Tactic: Lateral Movement

Step 16.B.1, Empire: Successful authentication targeted Windows admin share on Conficker (10.0.0.5)

| Vendor | Evidence (screenshots) | Detection types | Score |
|---|---|---|---|
| CarbonBlack | Telemetry showing process tree with five different net.exe logon attempts targeting ADMIN$; Specific Behavior alerts for a successful logon mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) | Telemetry; Specific Behavior | 70 |
| CounterTack | Telemetry showing explorer.exe writing \\conficker\PIPE\srvsvc (tainted by the parent "FileExts Registry Key modified" alert); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert) | Telemetry-Tainted | 7 |
| CrowdStrike | Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally to access network resources (General Behavior); OverWatch General Behavior alert indicating successful net use connection to ADMIN$ was suspicious (would be tainted by previous powershell.exe detection by orange line indicating medium severity in process tree view that is not shown); Telemetry from process tree showing successful net use connection to ADMIN$ (tainted by previous powershell.exe detection by red line indicating high severity; the vendor noted the process tree view and severities change as detections occur) | Telemetry-Tainted; General Behavior-Delayed-Tainted; General Behavior-Delayed | 58 |
| Cybereason | Specific Behavior alert of net.exe execution with correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert) | Specific Behavior-Tainted; Telemetry | 67 |
| Endgame | Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry); Specific Behavior alert for Mounting Hidden Shares for the successful net.exe connection attempt (tainted by parent PowerShell alert) | Specific Behavior-Tainted; Telemetry-Tainted; Enrichment-Delayed-Tainted | 73 |
| F-Secure | Specific Behavior alerts for net.exe connecting to a remote administrative share; General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing a net use logon attempt to ADMIN$ shares | Telemetry; Specific Behavior; General Behavior | 100 |
| FireEye | Enrichment of net.exe logon attempt to ADMIN$ with Net Use Command Execution alert (tagged with the correct ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement); Excerpt from the Managed Defense Report indicating the attacker accessed Conficker by mounting the ADMIN$ share (Specific Behavior) | Enrichment; Specific Behavior-Delayed | 72 |
| McAfee | Telemetry showing a logon attempt via net.exe (tainted by a parent alert on powershell.exe); Specific Behavior alert for the net utility executed to authenticate to a remote admin share with valid accounts, tagged with the correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) | Telemetry-Tainted; Specific Behavior | 67 |
| Microsoft | Specific Behavior alert for brute force attempt to remote SMB shares; Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content); Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert) | Telemetry-Tainted; Specific Behavior-Delayed | 64 |
| PaloAltoNetworks | Telemetry showing a net.exe logon attempt to ADMIN$ on 10.0.0.5 (Conficker) as local user Kmitnick (tainted by a parent alert on wscript.exe) | Telemetry-Tainted | 7 |
| RSA | Telemetry showing logon attempt targeting ADMIN$ via net.exe and command-line arguments | Telemetry | 10 |
| SentinelOne | Telemetry showing a net.exe logon attempt targeting ADMIN$ (tainted by relationship to threat story); Telemetry showing net.exe logon attempts and corresponding exit codes | Telemetry-Tainted | 7 |

Step 16.D.1, Empire: Successful authentication targeted Windows admin shares on Conficker (10.0.0.5)

| Vendor | Evidence (screenshots) | Detection types | Score |
|---|---|---|---|
| CarbonBlack | Specific Behavior alerts for a successful logon mapped to the correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement); Telemetry showing process tree with successful net.exe logon targeting C$ | Telemetry; Specific Behavior | 70 |
| CounterTack | Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by the parent "Powershell executed remote commands" alert) | Telemetry-Tainted | 7 |
| CrowdStrike | Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally to access network resources (General Behavior); Telemetry showing process tree containing successful net use connection to C$ (tainted by previous powershell.exe detection by red line indicating high severity) | Telemetry-Tainted; General Behavior-Delayed | 34 |
| Cybereason | Process tree showing alerted net.exe execution (tainted by a parent PowerShell alert); Specific Behavior alert of net.exe execution with correct ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert) | Specific Behavior-Tainted; Telemetry | 67 |
| Endgame | Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry); Specific Behavior alert for Mounting Hidden Shares for the successful net.exe connection attempt tagged with correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert) | Specific Behavior-Tainted; Telemetry-Tainted; Enrichment-Delayed-Tainted | 73 |
| F-Secure | General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing net.exe with command-line arguments | Telemetry; General Behavior | 40 |
| FireEye | Excerpt from the Managed Defense Report indicating the attacker mounted C$ on Creeper with the kmitnick account (Specific Behavior); Enrichment of net1.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique, T1077 - Windows Admin Shares, and Tactic, Lateral Movement) | Enrichment; Specific Behavior-Delayed | 72 |
| McAfee | Specific Behavior alert for the net utility removing a shared connection via PowerShell, mapped to the correct ATT&CK Tactic (Defense Evasion) and Technique (Network Share Connection Removal); Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on powershell.exe) | Telemetry-Tainted; Specific Behavior | 67 |
| Microsoft | Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert); Telemetry showing net.exe logon attempt to C$ on 10.0.0.4 (Creeper) with valid credentials for the account Kmitnick (tainted by parent alert on PowerShell script with suspicious content) | Telemetry-Tainted | 7 |
| PaloAltoNetworks | Telemetry showing a net.exe logon attempt to C$ on 10.0.0.4 (Creeper) using valid credentials for user Kmitnick (tainted by a parent alert on wscript.exe) | Telemetry-Tainted | 7 |
| RSA | Telemetry showing logon attempt targeting C$ via net.exe and command-line arguments | Telemetry | 10 |
| SentinelOne | Telemetry showing a net.exe logon attempt targeting C$ (tainted by relationship to threat story) | Telemetry-Tainted | 7 |

Step 16.A.1, Empire: Brute force password spraying attempts targeted Windows admin shares on Morris (10.0.1.4) and Nimda (10.0.1.6)

| Vendor | Evidence (screenshots) | Detection types | Score |
|---|---|---|---|
| CarbonBlack | Specific Behavior alerts for the 4 different net.exe logon attempts; Telemetry showing process tree with four different net.exe logon attempts targeting ADMIN$ | Telemetry; Specific Behavior | 70 |
| CounterTack | Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert); Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert); Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Bob (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert); Enrichment showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Frieda (enriched with condition "Net User Reconnaissance Command", tainted by the parent "Powershell executed encoded commands" alert) | Enrichment-Tainted | 12 |
| CrowdStrike | Telemetry showing net use logon attempts to ADMIN$ shares; Excerpt from email sent by OverWatch team indicating Bob attempted to move laterally to access network resources (General Behavior); Process tree view of OverWatch General Behavior alerts indicating net.exe commands were suspicious (net.exe command details not specifically shown, tainted by previous powershell.exe detection by red line indicating high severity) | Telemetry; General Behavior-Delayed-Tainted; General Behavior-Delayed | 61 |
| Cybereason | Enrichment of net.exe execution showing logon attempts for the user Bob with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert); Enrichment of net.exe execution showing logon attempts for the user Frieda with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert); Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert); Enrichment of net.exe execution showing logon attempts for the user Kmitnick with related ATT&CK Technique (Windows Admin Shares) and Tactic (Lateral Movement) (tainted by a parent PowerShell alert); Enrichment of net.exe execution with related ATT&CK Tactic (Lateral Movement) and Technique (Windows Admin Shares) (tainted by a parent PowerShell alert) | Specific Behavior-Tainted; Telemetry | 67 |
| Endgame | Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1077 - Windows Admin Shares) and Tactic (Lateral Movement) (tainted by parent PowerShell alert, tree is initially available unenriched to show the base telemetry); Specific Behavior alert for Mounting Hidden Shares, associated with each net.exe connection attempt (tainted by parent PowerShell alert) | Specific Behavior-Tainted; Telemetry-Tainted; Enrichment-Delayed-Tainted | 73 |
| F-Secure | Specific Behavior alerts for net.exe connecting to a remote administrative share; Telemetry showing net use logon attempts to ADMIN$ shares; General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe) | Telemetry; Specific Behavior; General Behavior | 100 |
| FireEye | Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Bob; Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Kmitnick; Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Frieda; Enrichment of net.exe with Net Use Command Execution alert (tagged with correct ATT&CK Technique T1077 - Windows Admin Shares, and Tactic, Lateral Movement) for user Kmitnick | Enrichment | 15 |
| McAfee | Telemetry showing powershell.exe executing repeated logon attempts targeting ADMIN$ via net.exe (tainted by a parent alert on powershell.exe) | Telemetry-Tainted | 7 |
| Microsoft | Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) with user Kmitnick (tainted by parent alert on PowerShell script with suspicious content); Specific Behavior alert for brute force attempt to remote SMB shares; Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert); Execution sequence showing net.exe logon failure to Morris due to WebDAV fallback authentication attempt over port 80 to the C2 server | Telemetry-Tainted; Specific Behavior-Delayed | 64 |
| PaloAltoNetworks | Specific Behavior alert for a net.exe logon attempt to ADMIN$ tagged with the correct ATT&CK Technique (Windows Admin Shares); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.4 (Morris) as local user Kmitnick (tainted by a parent alert on wscript.exe); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Frieda (tainted by a parent alert on wscript.exe); Telemetry showing net.exe logon attempt to ADMIN$ on 10.0.1.6 (Nimda) as domain user Bob (tainted by a parent alert on wscript.exe) | Telemetry-Tainted; Specific Behavior | 67 |
| RSA | Telemetry showing logon attempts targeting ADMIN$ via net.exe and command-line arguments | Telemetry | 10 |
| SentinelOne | Telemetry showing net.exe logon attempts targeting ADMIN$ and corresponding exit codes; Telemetry showing net.exe logon attempts targeting ADMIN$ (tainted by relationship to threat story) | Telemetry-Tainted | 7 |
Technique: Clipboard Data (T1115); Tactic: Collection

Step 12.E.1.5, Empire: WinEnum module included enumeration of clipboard contents

| Vendor | Evidence (screenshots) | Detection types | Score |
|---|---|---|---|
| CarbonBlack | | None | 0 |
| CounterTack | | None | 0 |
| CrowdStrike | OverWatch alert indicating encoded PowerShell was suspicious (does not count as a detection); Decoding (outside the capability) of encoded PowerShell command to show Windows.Clipboard details (does not count as a detection); Telemetry showing encoded PowerShell, which decodes to show Windows.Clipboard details (does not count as a detection) | None | 0 |
| Cybereason | Telemetry of the PowerShell function to gather clipboard data (tainted by a parent PowerShell alert) | Telemetry-Tainted | 7 |
| Endgame | Interactive Shell events showing the WinEnum script and Clipboard Contents function (does not count as part of detection due to manual process of pulling events); Telemetry showing decoded PowerShell displaying Windows.Clipboard as part of WinEnum (the PowerShell process was tainted by parent PowerShell alerts) | Telemetry-Tainted | 7 |
| F-Secure | Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function; Indicator of Compromise alert for PowerShell Empire accessing the clipboard | Telemetry; Indicator of Compromise | 30 |
| FireEye | Excerpt from the Managed Defense Report indicating the attacker executed the Windows Clipboard capability of Empire (Indicator of Compromise); Decoding (outside the capability) of encoded PowerShell command to show Windows.Clipboard details (does not count as a detection); PowerShell Execution alert containing encoded PowerShell command (does not count as a detection) | Indicator of Compromise-Delayed | 17 |
| McAfee | Telemetry showing execution of an encoded PowerShell command (does not count as a detection) | None | 0 |
| Microsoft | | None | 0 |
| PaloAltoNetworks | Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Clipboard Data) | Enrichment | 15 |
| RSA | | None | 0 |
| SentinelOne | | None | 0 |
Technique: New Service (T1050); Tactics: Persistence, Privilege Escalation

Step 16.I.1, Empire: 'sc create' via PowerShell to remotely create a service on Creeper (10.0.0.4)

| Vendor | Evidence (screenshots) | Detection types | Score |
|---|---|---|---|
| CarbonBlack | Specific Behavior alert on sc.exe executing to create the AdobeUpdater service mapped to ATT&CK; Telemetry from process tree showing sc.exe execution creating the AdobeUpdater service | Telemetry; Specific Behavior | 70 |
| CounterTack | Telemetry showing powershell.exe executing sc.exe to create the AdobeUpdater service on Creeper and set its description (tainted by the parent "Powershell executed remote commands" alert); Specific Behavior alert for "New Windows service created" and additional alert for "Windows Service Registry Key modified" | Telemetry-Tainted; Specific Behavior-Configuration Change | 64 |
| CrowdStrike | Telemetry from process tree showing sc.exe execution to create the AdobeUpdater service (tainted from previous powershell.exe detection by red line indicating high severity); Email excerpt sent by OverWatch team indicating they observed a newly created file (AdobeUpdater service in registry) to establish persistence (General Behavior); Telemetry showing AdobeUpdater service details with binPath pointed to cmd.exe with arguments and service description | Telemetry-Tainted; General Behavior-Delayed | 34 |
| Cybereason | Specific Behavior alert for unconventional new service with correct ATT&CK Technique (New Service) and Tactics (Persistence, Privilege Escalation) (tainted by a parent PowerShell alert) | Specific Behavior-Tainted; Telemetry | 67 |
| Endgame | Enriched event tree showing enrichment of sc.exe execution with correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence) (tainted by parent PowerShell with Unusual Arguments and PowerShell Network alerts, tree is initially available unenriched to show the base telemetry); Specific Behavior alert for new service AdobeUpdater creation on Creeper tagged with correct ATT&CK Technique (T1050 - New Service) and Tactic (Persistence) | Telemetry-Tainted; Enrichment-Delayed-Tainted; Specific Behavior | 76 |
| F-Secure | General Behavior alert showing that a spawned process (sc) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing sc.exe with command-line arguments; Specific Behavior alert for sc.exe used with parameters typical for lateral movement | Telemetry; Specific Behavior; General Behavior | 100 |
| FireEye | Excerpt from the Managed Defense Report indicating sc.exe was used to create a new service (Specific Behavior); Additional details on enrichment of sc.exe with SC Execution alert; Enrichment of sc.exe with an alert for SC Execution (Weak Signal) (tagged with correct ATT&CK Technique, T1050 - New Service, and Tactic, Discovery) | Enrichment; Specific Behavior-Delayed | 72 |
| McAfee | Telemetry showing powershell.exe executing sc.exe (tainted by a trace detection on cmd.exe); Telemetry showing that a new service was added; Enrichment of net.exe with a relevant ATT&CK Tactic (Discovery) and Technique (System Service Discovery) and a suspicious indicator that Windows service was manipulated via sc.exe/net.exe tool | Telemetry-Tainted; Enrichment | 22 |
| Microsoft | Specific Behavior alert on suspicious service registration on Creeper; Telemetry showing AdobeUpdater service registry information that was changed on Creeper; Telemetry from CodeRed showing execution sequence of sc.exe AdobeUpdater remote service creation; Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day, specific instance of this procedure not shown in this alert) | Telemetry-Tainted; Specific Behavior | 67 |
| PaloAltoNetworks | Enrichment of sc.exe executing with the correct ATT&CK Technique (New Service); Telemetry showing execution of sc.exe to create a new AdobeUpdater service (tainted by a parent alert on wscript.exe); Telemetry showing the creation of Registry keys associated with the AdobeUpdater service; Specific Behavior alert for a new service created via the command line (tainted by a parent alert on wscript.exe) | Telemetry-Tainted; Specific Behavior-Tainted; Enrichment | 79 |
| RSA | Telemetry showing execution of sc.exe to create the AdobeUpdater service | Telemetry | 10 |
| SentinelOne | Telemetry showing execution of sc.exe to create the AdobeUpdater service (tainted by prior threat story) | Telemetry-Tainted | 7 |
TechniqueStepProceduresCarbonBlackCounterTackCrowdStrikeCybereasonEndgameF-SecureFireEyeMcAfeeMicrosoftPaloAltoNetworksRSASentinelOne
Permission Groups Discovery

Discovery

(T1069)
12.E.1.2Empire: WinEnum module included enumeration of AD group membershipsNone
0
Telemetry showing powershell.exe execution and connection to the domain controller 10.0.0.4 (Creeper) (does not count as a detection)None
0
None
0
None
0
Interactive Shell events showing the WinEnum script and the AD Group Memberships function (does not count as a detection due to manual process of pulling events)None
0
Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell functionTelemetry
10
Telemetry showing loading of System.DirectoryServices.AccountManagement assembly (does not count as a detection)None
0
None
0
None
0
None
0
None
0
None
0
12.F.1Empire: 'net group "Domain Admins" /domain' via PowerShellTelemetry from process tree showing net.exe with command-line arguments
Enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery)
Telemetry
Enrichment
25
Enrichment of net.exe with conditions Net Domain Admins Reconnaissance Command and Net Group Reconnaissance Command (tainted by the parent Script File Created alert)Enrichment-Tainted-Configuration Change
9
Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
Email excerpt from the OverWatch team indicating net group was part of additional malicious discovery activity (General Behavior)
Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted from previous powershell.exe detection by red line indicating high severity)
Telemetry-Tainted
Enrichment-Tainted
General Behavior-Delayed
46
Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)
General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Permission Groups Discovery) and Technique (Discovery)
General Behavior-Tainted
Telemetry
37
  Endgame, score 28: Telemetry-Tainted; Enrichment-Tainted-Delayed; Enrichment-Tainted
    - Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts; tree is initially available unenriched to show the base telemetry)
    - Enrichment on net group by Enumeration of Administrator Accounts alert (mapped to correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
  F-Secure, score 40: General Behavior; Telemetry
    - Telemetry showing powershell.exe executing net.exe with command-line arguments
    - General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
  FireEye, score 42: Enrichment; General Behavior-Delayed
    - Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
    - Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
  McAfee, score 37: Telemetry-Tainted; Enrichment; Enrichment
    - Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information on user groups
    - Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on wscript.exe)
    - Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information on domain admins
  Microsoft, score 34: Telemetry-Tainted; General Behavior-Delayed
    - Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments
    - Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments
    - Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)
  PaloAltoNetworks, score 46: Telemetry-Tainted; Enrichment-Tainted; Enrichment-Tainted; Enrichment
    - Enrichment of the execution of net.exe and net1.exe as an enumeration command (tainted by a parent alert on wscript.exe)
    - Enrichment of the execution of net.exe and net1.exe as the possible enumeration of administrator groups (tainted by a parent alert on wscript.exe)
    - Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)
    - Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery)
  RSA, score 10: Telemetry
    - Telemetry showing net.exe with command-line arguments
  SentinelOne, score 7: Telemetry-Tainted
    - Telemetry showing net.exe with command-line arguments (tainted; Group ID not shown but was the search parameter)
Step 12.F.2 (Empire: 'net localgroup administrators' via PowerShell)
  CarbonBlack, score 25: Telemetry; Enrichment
    - Enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery)
    - Telemetry from process tree showing net.exe with command-line arguments
  CounterTack, score 9: Enrichment-Tainted-Configuration Change
    - Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)
  CrowdStrike, score 34: Telemetry-Tainted; General Behavior-Delayed
    - Telemetry from process tree showing net.exe with command-line arguments (tainted from previous powershell.exe detection by red line indicating high severity)
    - Email excerpt from the OverWatch team indicating net localgroup was part of additional malicious discovery activity (General Behavior)
  Cybereason, score 37: General Behavior-Tainted; Telemetry
    - Process tree showing alerted net.exe executing with command-line arguments (tainted by a parent PowerShell alert)
    - General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery)
  Endgame, score 28: Telemetry-Tainted; Enrichment-Tainted-Delayed; Enrichment-Tainted
    - Enriched event tree showing enrichment of net.exe with correct ATT&CK Technique (T1069 - Permission Groups Discovery) and Tactic (Discovery) (tainted by parent PowerShell alerts; tree is initially available unenriched to show the base telemetry). The tree also shows the Enumeration of Administrator Accounts alert.
  F-Secure, score 40: General Behavior; Telemetry
    - General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
    - Telemetry showing powershell.exe executing net.exe with command-line arguments
  FireEye, score 42: Enrichment; General Behavior-Delayed
    - Excerpt from the Managed Defense Report indicating net.exe was a reconnaissance command used (General Behavior)
    - Enrichment of net.exe with command-line arguments (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
  McAfee, score 22: Telemetry-Tainted; Enrichment
    - Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on wscript.exe)
    - Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to obtain information on user groups
  Microsoft, score 34: Telemetry-Tainted; General Behavior-Delayed
    - Process tree view of General Behavior alert on "Suspicious sequence of exploration activities" showing net.exe with command-line arguments
    - Telemetry of execution sequence showing powershell.exe executing net.exe with command-line arguments
    - Process tree view of PowerShell script with malicious cmdlets alert showing tainted powershell.exe process (specific net.exe instance not shown)
  PaloAltoNetworks, score 34: Telemetry-Tainted; Enrichment-Tainted; Enrichment
    - Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)
    - Enrichment of the execution of net.exe and net1.exe as the possible enumeration of administrator groups (tainted by a parent alert on wscript.exe)
    - Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Permission Groups Discovery)
  RSA, score 10: Telemetry
    - Telemetry showing net.exe with command-line arguments
  SentinelOne, score 7: Telemetry-Tainted
    - Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)
Step 2.F.1 (Cobalt Strike: 'net localgroup administrators' via cmd)
  CarbonBlack, score 25: Telemetry; Enrichment
    - Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)
    - Enrichment of net.exe with tag Administrator Enumeration
    - Telemetry from process tree showing net.exe with command-line arguments
  CounterTack, score 9: Enrichment-Tainted-Configuration Change
    - Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)
  CrowdStrike, score 61: Telemetry-Tainted; General Behavior-Delayed; General Behavior-Delayed
    - Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net localgroup not specifically shown)
    - OverWatch General Behavior alert for net localgroup
    - Telemetry showing net with command-line arguments
    - Email excerpt from the OverWatch team indicating net localgroup was a reconnaissance command (General Behavior)
  Cybereason, score 22: Telemetry; Enrichment-Tainted
    - Telemetry showing cmd.exe executing net with command-line arguments
    - Process tree showing enriched net.exe executing (tainted by a parent Injected Shellcode alert)
    - Enrichment of net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery)
  Endgame, score 40: Telemetry-Tainted; Enrichment-Tainted; General Behavior-Configuration Change-Delayed-Tainted
    - Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)
    - General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
    - Enrichment of net.exe execution with command-line arguments with Enumeration of Administrator Accounts alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery; tainted by parent Malicious File Detection)
    - Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
  F-Secure, score 85: General Behavior; Enrichment; Telemetry; General Behavior
    - Telemetry showing net.exe with command-line arguments
    - General Behavior alert for rundll32.exe launching cmd.exe (executing net)
    - General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
    - Enrichment of net.exe indicating it is commonly used for reconnaissance
  FireEye, score 72: Enrichment; Specific Behavior-Delayed
    - Excerpt from the Managed Defense Report indicating the attacker enumerated members of the local administrators group (Specific Behavior)
    - Excerpt from the Managed Defense Report with additional details about net
    - Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
  McAfee, score 22: Telemetry-Tainted; Enrichment
    - Process tree within trace detection containing cmd.exe executing net.exe (tainted by a parent alert on Resume Viewer.exe)
    - Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that information on users/groups was obtained
  Microsoft, score 37: Telemetry; General Behavior-Delayed
    - General Behavior alert on suspicious sequence of exploration activities
    - Telemetry showing execution sequence for net.exe with command-line arguments
    - Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments
  PaloAltoNetworks, score 15: Enrichment
    - Enrichment of net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery)
  RSA, score 10: Telemetry
    - Telemetry showing net.exe with command-line arguments
  SentinelOne, score 7: Telemetry-Tainted
    - Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)
Step 2.F.3 (Cobalt Strike: 'net group "Domain Admins" /domain' via cmd)
  CarbonBlack, score 25: Telemetry; Enrichment
    - Telemetry from process tree showing net.exe with command-line arguments
    - Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)
    - Enrichment of net.exe with tag Administrator Enumeration
  CounterTack, score 9: Enrichment-Tainted-Configuration Change
    - Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)
  CrowdStrike, score 46: Enrichment-Tainted; Telemetry-Tainted; General Behavior-Delayed
    - Enrichment of net.exe with related ATT&CK Technique (Account Discovery) and correct Tactic (Discovery) (tainted by orange line for medium severity from previous detection)
    - Process tree showing all cmd.exe children under rundll32.exe (including net group) as tainted by orange line for medium severity
    - Telemetry showing net with command-line arguments
    - Email excerpt from the OverWatch team indicating net group was a reconnaissance command (General Behavior)
  Cybereason, score 37: Telemetry; General Behavior-Tainted
    - General Behavior alert for net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery)
    - Process tree showing alerted net.exe executing (tainted by a parent Injected Shellcode alert)
    - Telemetry showing cmd.exe executing net with command-line arguments
  Endgame, score 40: Telemetry-Tainted; Enrichment-Tainted; General Behavior-Configuration Change-Delayed-Tainted
    - General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
    - Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
    - Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)
    - Enrichment of net.exe execution with command-line arguments with Enumeration of Administrator Accounts alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery; tainted by parent Malicious File Detection)
  F-Secure, score 55: Enrichment; Telemetry; General Behavior
    - Enrichment of net.exe indicating it is commonly used for reconnaissance
    - Telemetry showing net.exe with command-line arguments
    - General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (rundll32.exe)
  FireEye, score 72: Enrichment; Specific Behavior-Delayed
    - Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
    - Excerpt from the Managed Defense Report indicating the attacker enumerated the Domain Administrators group (Specific Behavior)
    - Excerpt from the Managed Defense Report with additional details about net
  McAfee, score 22: Telemetry-Tainted; Enrichment
    - Enrichment of net group with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery) and a suspicious indicator that the net utility was used to gather information on user groups
    - Process tree within trace detection containing cmd.exe executing net.exe (tainted by a parent alert on Resume Viewer.exe)
  Microsoft, score 37: Telemetry; General Behavior-Delayed
    - Telemetry showing domain admins group discovery by Nimda at the domain controller
    - Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments
    - Telemetry showing execution sequence for net.exe with command-line arguments
    - General Behavior alert on suspicious sequence of exploration activities
  PaloAltoNetworks, score 31: Telemetry-Tainted; Enrichment-Tainted; Enrichment-Tainted
    - Enrichment of the execution of net1.exe as the possible enumeration of administrator groups (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
    - Enrichment of the execution of net.exe as the execution of an enumeration command using net or net1 (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
    - Enrichment of the execution of net.exe as the execution of an enumeration command (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
    - Enrichment of the execution of net.exe as the possible enumeration of administrator groups (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
    - Telemetry showing cmd.exe executing net with command-line arguments (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
  RSA, score 25: Telemetry; Enrichment
    - Event enrichment from IIOC module "Enumerates domain administrators"
    - Telemetry showing net.exe with command-line arguments
  SentinelOne, score 7: Telemetry-Tainted
    - Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)
Step 2.F.2 (Cobalt Strike: 'net localgroup administrators /domain' via cmd)
  CarbonBlack, score 25: Telemetry; Enrichment
    - Telemetry from process tree showing net.exe with command-line arguments
    - Enrichment of net.exe with tag Administrator Enumeration
    - Enrichment of net.exe with correct ATT&CK Technique (Permission Groups Discovery)
  CounterTack, score 9: Enrichment-Tainted-Configuration Change
    - Enrichment of net.exe with conditions Net Group Reconnaissance Command and Net LocalGroup Reconnaissance Command (tainted by the parent Script File Created alert)
  CrowdStrike, score 34: Telemetry-Tainted; General Behavior-Delayed
    - Process tree showing all cmd.exe children under rundll32.exe as tainted by orange line for medium severity (net localgroup not specifically shown)
    - Telemetry showing net with command-line arguments
    - Email excerpt from the OverWatch team indicating net localgroup was a reconnaissance command (General Behavior)
  Cybereason, score 22: Telemetry; Enrichment-Tainted
    - Telemetry showing cmd.exe executing net with command-line arguments
    - Process tree showing enriched net.exe executing (tainted by a parent Injected Shellcode alert)
    - Enrichment of net.exe executing with the correct ATT&CK Tactic (Discovery) and Technique (Permission Groups Discovery)
  Endgame, score 40: Telemetry-Tainted; Enrichment-Tainted; General Behavior-Configuration Change-Delayed-Tainted
    - General Behavior alerts for Enumeration Command Sequences that triggered for a specified number of commands in a specified time period
    - Telemetry showing net.exe with command-line arguments (tainted by parent Malicious File Detection)
    - Enrichment of net.exe execution with command-line arguments with Enumeration of Administrator Accounts alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery; tainted by parent Malicious File Detection)
    - Detail of one Enumeration Command Sequences alert (tainted by parent Malicious File Detection)
  F-Secure, score 85: General Behavior; Enrichment; Telemetry; General Behavior
    - General Behavior alert for rundll32.exe launching cmd.exe (executing net)
    - Enrichment of net.exe indicating it is commonly used for reconnaissance
    - Telemetry showing net.exe with command-line arguments
    - General Behavior alert showing that a spawned process (cmd.exe running net) has been tagged for monitoring because its parent process has a detection (cmd.exe)
  FireEye, score 72: Enrichment; Specific Behavior-Delayed
    - Excerpt from the Managed Defense Report indicating the attacker enumerated members of the local administrators group (Specific Behavior)
    - Enrichment of net.exe with Net Group Command Execution alert (tagged with correct ATT&CK Technique, T1069 - Permission Groups Discovery, and Tactic, Discovery)
    - Excerpt from the Managed Defense Report with additional details about net
  McAfee, score 22: Telemetry-Tainted; Enrichment
    - Process tree within trace detection containing cmd.exe executing net.exe (tainted by a parent alert on Resume Viewer.exe)
    - Enrichment of net.exe with the correct ATT&CK Tactic (Discovery) and a suspicious indicator that information on users/groups was obtained
  Microsoft, score 37: Telemetry; General Behavior-Delayed
    - General Behavior alert on suspicious sequence of exploration activities
    - Process tree view of General Behavior alert on suspicious sequence of exploration activities showing net.exe with command-line arguments
    - Telemetry showing execution sequence for net.exe with command-line arguments
  PaloAltoNetworks, score 15: Enrichment
    - Enrichment of net.exe executing with the correct ATT&CK Technique (Permission Groups Discovery)
  RSA, score 10: Telemetry
    - Telemetry showing net.exe with command-line arguments
  SentinelOne, score 7: Telemetry-Tainted
    - Telemetry showing net.exe with command-line arguments (tainted by relationship to threat story)

Technique: Network Share Connection Removal (T1126); Tactic: Defense Evasion
Step 16.C.1 (Empire: 'net use /delete' via PowerShell)
  CarbonBlack, score 70: Telemetry; Specific Behavior
    - Telemetry showing process tree with net.exe and command-line arguments
    - Specific Behavior alerts for removing a connected network share
  CounterTack, score 7: Telemetry-Tainted
    - Telemetry showing net.exe and command-line arguments (tainted by the parent "Powershell executed remote commands" alert)
  CrowdStrike, score 34: Telemetry-Tainted; General Behavior-Delayed
    - Excerpt from email sent by the OverWatch team indicating they observed the ADMIN$ artifact removed (General Behavior)
    - Telemetry from process tree showing net.exe executing with command-line arguments (tainted by previous powershell.exe detection by red line indicating high severity)
  Cybereason, score 37: General Behavior-Tainted; Telemetry
    - General Behavior alert for net.exe conducting suspicious activity (tainted by a parent PowerShell alert)
  Endgame, score 7: Telemetry-Tainted
    - Telemetry showing event tree containing net.exe and command-line argument (tainted by parent PowerShell alert)
  F-Secure, score 40: Telemetry; General Behavior
    - General Behavior alert showing that a spawned process (net) has been tagged for monitoring because its parent process has a detection (powershell.exe)
    - Telemetry showing powershell.exe executing net.exe with command-line arguments
  FireEye, score 67: Telemetry; Specific Behavior-Delayed
    - Telemetry showing net.exe executing with command-line arguments
    - Excerpt from the Managed Defense Report indicating the attacker unmounted the share from CodeRed (Specific Behavior)
  McAfee, score 67: Telemetry-Tainted; Specific Behavior
    - Telemetry showing powershell.exe executing net.exe (tainted by a parent alert on powershell.exe)
    - Specific Behavior alert for the net utility removing a shared connection via PowerShell, tagged to the correct ATT&CK Tactic (Defense Evasion) and Technique (Network Share Connection Removal)
  Microsoft, score 7: Telemetry-Tainted
    - Telemetry showing net.exe with command-line arguments (tainted by parent alert on PowerShell script with suspicious content)
    - Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day; the specific instance of this procedure is not shown in this alert)
  PaloAltoNetworks, score 22: Telemetry-Tainted; Enrichment
    - Enrichment of net.exe executing with command-line arguments with the correct ATT&CK Technique (Network Share Connection Removal)
    - Telemetry showing powershell.exe executing net with command-line arguments (tainted by a parent alert on wscript.exe)
  RSA, score 10: Telemetry
    - Telemetry showing net.exe execution and command-line arguments
  SentinelOne, score 7: Telemetry-Tainted
    - Telemetry showing net.exe and command-line arguments (tainted by relationship to threat story)

Technique: File Deletion (T1107); Tactic: Defense Evasion
Step 19.D.1 (Empire: 'del C:\"$"Recycle.bin\old.rar')
  CarbonBlack, score 10: Telemetry
    - Telemetry showing filemod (file modification) deletion of old.rar
  CounterTack, score 7: Telemetry-Tainted
    - Telemetry showing powershell.exe deleting old.rar (tainted by the parent "PowerShell executed encoded commands" alert)
  CrowdStrike, score 67: Telemetry; Specific Behavior-Delayed
    - Email excerpt sent by the OverWatch team indicating they observed old.rar being deleted (Specific Behavior)
    - Telemetry showing deletion of old.rar
  Cybereason, score 7: Telemetry-Tainted
    - Telemetry showing a deletion event for old.rar via powershell.exe (tainted by a parent PowerShell alert, listed as Owner process)
  Endgame, score 0: None
  F-Secure, score 10: Telemetry
    - Telemetry showing the deletion of old.rar
  FireEye, score 0: None
  McAfee, score 0: None
  Microsoft, score 0: None
    - Telemetry showing PowerShell executing the Remove-Item cmdlet (does not count as a detection)
  PaloAltoNetworks, score 7: Telemetry-Tainted
    - Telemetry showing the file delete event for old.rar (tainted by a parent alert on wscript.exe)
  RSA, score 0: None
    - Master file table on 10.0.1.5 (CodeRed) shows old.rar listed under deleted files (does not count as a detection)
  SentinelOne, score 7: Telemetry-Tainted
    - Telemetry exported from threat story showing the deletion of old.rar was tainted by prior activity because it was under the same Group ID
Step 19.D.2 (Empire: 'del recycler.exe')
  CarbonBlack, score 10: Telemetry
    - Telemetry showing filemod (file modification) deletion of recycler.exe
  CounterTack, score 7: Telemetry-Tainted
    - Telemetry showing powershell.exe deleting recycler.exe (tainted by the parent "PowerShell executed encoded commands" alert)
  CrowdStrike, score 67: Telemetry; Specific Behavior-Delayed
    - Email excerpt sent by the OverWatch team indicating they observed recycler.exe being deleted (Specific Behavior)
    - Telemetry showing deletion of recycler.exe
  Cybereason, score 7: Telemetry-Tainted
    - Telemetry showing a deletion event for recycler.exe via powershell.exe (tainted by a parent PowerShell alert, listed as Owner process)
  Endgame, score 10: Telemetry
    - Telemetry showing file deletion of recycler.exe
  F-Secure, score 10: Telemetry
    - Telemetry showing the deletion of recycler.exe
  FireEye, score 0: None
  McAfee, score 22: Telemetry-Tainted; Enrichment
    - Telemetry showing file deletion event for recycler.exe (tainted by a parent alert on cmd.exe)
    - Enrichment of PowerShell deleting recycler.exe with the correct ATT&CK Tactic (Defense Evasion) and Technique (File Deletion) and a suspicious indicator that an executable file was deleted from the system root folder
  Microsoft, score 0: None
  PaloAltoNetworks, score 7: Telemetry-Tainted
    - Telemetry showing the file delete event for recycler.exe (tainted by a parent alert on wscript.exe)
  RSA, score 0: None
  SentinelOne, score 7: Telemetry-Tainted
    - Telemetry exported from threat story showing the deletion of recycler.exe was tainted by prior activity because it was under the same Group ID

Technique: Execution through API (T1106); Tactic: Execution
  Steps 8.C.1, 3.B.1, 8.B.1, 9.B.1, 8.D.1, 9.A.1, 2.C.1 and 12.E.1 (no procedure listed): None, score 0, for all twelve vendors (CarbonBlack, CounterTack, CrowdStrike, Cybereason, Endgame, F-Secure, FireEye, McAfee, Microsoft, PaloAltoNetworks, RSA, SentinelOne)

Technique: Remote File Copy (T1105); Tactics: Command and Control, Lateral Movement
Step 19.A.1 (Empire: Built-in upload module executed to write binary (recycler.exe) to disk on CodeRed (10.0.1.5))
  CarbonBlack, score 10: Telemetry
    - Telemetry showing filemod (file modification) creation of recycler.exe
  CounterTack, score 34: General Behavior-Configuration Change; Telemetry-Tainted
    - Telemetry showing creation of recycler.exe (tainted by "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts) and powershell.exe behavior contributing to the "Policy Dropper Behavior" alert
    - General Behavior alert for "Policy Dropper Behavior" based on three correlated events
  CrowdStrike, score 7: Telemetry-Tainted
    - Telemetry showing network connection from 192.168.0.5 (C2 server) used by powershell.exe to transfer recycler.exe (parent powershell.exe tainted by previous wscript.exe detection by red line indicating high severity)
    - Telemetry showing file write of recycler.exe (parent powershell.exe tainted by previous wscript.exe detection by red line indicating high severity)
  Cybereason, score 7: Telemetry-Tainted
    - Telemetry showing file create/write of recycler.exe (tainted by a parent PowerShell alert, listed as Owner process)
  Endgame, score 7: Telemetry-Tainted
    - Telemetry showing file creation of recycler.exe by powershell.exe (tainted by parent PowerShell alerts)
  F-Secure, score 10: Telemetry
    - Telemetry showing the creation of recycler.exe
  FireEye, score 72: Enrichment; Specific Behavior-Delayed
    - Enrichment of powershell.exe writing recycler.exe with PowerShell File Write alert (tagged with correct ATT&CK Technique, T1105 - Remote File Copy, and Tactics, Command and Control and Lateral Movement)
    - Excerpt from the Managed Defense Report indicating the attacker placed recycler.exe on the system (Specific Behavior)
    - Continued enrichment of powershell.exe writing recycler.exe with PowerShell File Write alert
  McAfee, score 10: Telemetry
    - Telemetry showing file creation event for recycler.exe
  Microsoft, score 7: Telemetry-Tainted
    - Telemetry showing file creation of recycler.exe by powershell.exe, with hash and signer information (win.rar GmbH)
    - Alert description for PowerShell script with a suspicious command line that tainted this event (alert specific to this instance not shown)
  PaloAltoNetworks, score 61: Telemetry-Tainted; General Behavior-Tainted; General Behavior-Tainted
    - General Behavior alert for executables written to disk by the Windows scripting engine (tainted by a parent alert on wscript.exe)
    - General Behavior alert for PowerShell dropping an executable file to disk (tainted by a parent alert on wscript.exe)
    - Telemetry showing the file create and write events for recycler.exe (tainted by a parent alert on wscript.exe)
  RSA, score 10: Telemetry
    - Telemetry showing file write of recycler.exe
  SentinelOne, score 7: Telemetry-Tainted
    - Telemetry showing file write of recycler.exe
    - Telemetry exported from threat story showing the recycler.exe file write was tainted by prior activity because it was under the same Group ID
Step 7.B.1 (Cobalt Strike: Built-in upload capability executed to write a DLL payload (updater.dll) to disk on Nimda (10.0.1.6))
  CarbonBlack, score 10: Telemetry
    - Telemetry showing updater.dll written to disk
  CounterTack, score 7: Telemetry-Tainted
    - Telemetry showing creation of updater.dll (tainted by the parent "Powershell process created" alert)
  CrowdStrike, score 7: Telemetry-Tainted
    - Additional telemetry showing file write for updater.dll
    - Telemetry showing file write for updater.dll (tainted by the parent "unexpected process" alert)
  Cybereason, score 7: Telemetry-Tainted
    - Telemetry showing the file write of updater.dll (tainted by a parent alert on cmd.exe, listed as Owner Process)
    - Parent alert for updater.dll being detected as known malware
  Endgame, score 7: Telemetry-Tainted
    - Telemetry showing creation of updater.dll (tainted by parent Malicious File Detection alert)
  F-Secure, score 15: Enrichment
    - Enrichment of the creation of updater.dll identifying that a command prompt modified an unknown DLL
  FireEye, score 22: Enrichment; Telemetry-Tainted
    - Telemetry showing updater.dll file write (tainted by parent AV signature alert)
    - Enrichment of updater.dll file write by cmd.exe with alert for CMD File Write (tagged with correct ATT&CK Technique, T1105 - Remote File Copy, and related ATT&CK Technique, T1059 - Command-Line Interface, and Tactic, Execution)
  McAfee, score 120: Specific Behavior; Specific Behavior
    - Specific Behavior alert for a new PE file created in the Windows system (System32) folder
    - Specific Behavior alert for a new dynamic library file created in the Windows system (System32) folder
  Microsoft, score 10: Telemetry
    - Telemetry showing file write of updater.dll
  PaloAltoNetworks, score 127: Telemetry; Specific Behavior-Tainted; Specific Behavior
    - Telemetry showing the file create event for updater.dll
    - Specific Behavior alert for a script engine creating/writing a DLL in the System32 folder (tainted by a parent process injection alert on cmd.exe)
    - Specific Behavior alert for a Windows scripting engine creating an executable on disk
  RSA, score 10: Telemetry
    - Telemetry showing file write event of updater.dll
  SentinelOne, score 7: Telemetry-Tainted
    - Telemetry showing file write of updater.dll (tainted by relationship to threat story)
Step 16.E.1 (Empire: Built-in upload module executed to write malicious VBScript (autoupdate.vbs) to disk on CodeRed (10.0.1.5))
  CarbonBlack, score 10: Telemetry
    - Telemetry showing creation of and write to autoupdate.vbs
  CounterTack, score 7: Telemetry-Tainted
    - Telemetry showing powershell.exe creating autoupdate.vbs (tainted by parent "Powershell executed remote commands" alerts)
  CrowdStrike, score 34: Telemetry-Tainted; General Behavior-Delayed
    - Excerpt from email sent by the OverWatch team indicating they observed autoupdate.vbs written (General Behavior)
    - Telemetry showing File Write and New Script Write for autoupdate.vbs within powershell.exe (tainted by previous detection by orange line indicating medium severity)
  Cybereason, score 7: Telemetry-Tainted
    - Telemetry showing file write of autoupdate.vbs (tainted by a parent PowerShell alert, listed as Owner process)
  Endgame, score 7: Telemetry-Tainted
    - Telemetry showing creation of autoupdate.vbs (tainted by parent PowerShell alert)
  F-Secure, score 10: Telemetry
    - Telemetry showing the creation of autoupdate.vbs
  FireEye, score 15: Enrichment
    - Additional details on enrichment of powershell.exe writing autoupdate.vbs with PowerShell File Write alert
    - Enrichment of powershell.exe writing autoupdate.vbs with PowerShell File Write alert (tagged with correct ATT&CK Technique, T1105 - Remote File Copy, and Tactics, Command and Control and Lateral Movement)
  McAfee, score 25: Telemetry; Enrichment
    - Telemetry showing the creation of autoupdate.vbs
    - Enrichment of powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Remote File Copy) and a suspicious indicator that a file was copied to a remote computer via PowerShell
  Microsoft, score 7: Telemetry-Tainted
    - Process tree view of alert on a PowerShell script with suspicious content showing tainted parent powershell.exe process (alert was generated on many PowerShell script executions throughout the day; the specific instance of this procedure is not shown in this alert)
    - Telemetry showing autoupdate.vbs creation (tainted by parent alert on PowerShell script with suspicious content)
  PaloAltoNetworks, score 10: Telemetry
    - Telemetry showing file create and write events for autoupdate.vbs
  RSA, score 10: Telemetry
    - Telemetry showing file write of autoupdate.vbs
  SentinelOne, score 7: Telemetry-Tainted
    - Telemetry showing creation of and writes to autoupdate.vbs
    - Telemetry showing file event for autoupdate.vbs (tainted by relationship to threat story, but Group ID not shown in this view)
Step 14.A.1 (Empire: UAC bypass module downloaded and wrote a new Empire stager (wdbypass) to disk)
  CarbonBlack, score 10: Telemetry
  CounterTack, score 7: Telemetry-Tainted
    - Telemetry showing port 8080 HTTP GET request to C2 domain for file wdbypass (tainted by the parent "PowerShell executed encoded commands" alert)
  CrowdStrike, score 57: Specific Behavior-Delayed
    - Email excerpt from the OverWatch team indicating PowerShell retrieved the file wdbypass (Specific Behavior)
  Cybereason, score 57: Specific Behavior-Tainted
    - Specific Behavior alert showing decoded PowerShell with download request for wdbypass over HTTP port 8080
    - Specific Behavior alert for Download & Execute of the wdbypass file
  Endgame, score 10: Telemetry
    - Telemetry showing decoded PowerShell with download request for wdbypass over port 8080
  F-Secure, score 70: Telemetry; Specific Behavior
    - Telemetry showing powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass
    - Specific Behavior alert for PowerShell downloading a significant amount of data using HTTP(S)
  FireEye, score 15: Enrichment
    - Enrichment of HTTP GET request for wdbypass with PowerShell URL Request alert (tagged with correct ATT&CK Technique, T1105 - Remote File Copy, and Tactic, Command and Control)
  McAfee, score 0: None
    - Telemetry showing encoded PowerShell command that could be decoded outside the capability (does not count as a detection)
  Microsoft, score 7: Telemetry-Tainted
    - Telemetry showing decoded PowerShell script with HTTP download request for wdbypass over port 8080 and tainted relationship to alert on suspicious PowerShell command-line arguments
    - Telemetry showing network connection to 192.168.0.5 (C2 server) over port 8080
  PaloAltoNetworks, score 0: None
    - Telemetry showing decoded PowerShell with download request over HTTP (does not count as a detection because decoding happened outside the capability)
  RSA, score 0: None
    - Telemetry showing decoded PowerShell with download request over HTTP (does not count as a detection because decoding happened outside the capability)
  SentinelOne, score 0: None
Step 16.G.1 (Empire: Built-in move capability executed to write malicious VBScript (update.vbs) to disk on Creeper (10.0.0.4))
  CarbonBlack, score 10: Telemetry
    - Telemetry showing remote creation of and write to update.vbs
  CounterTack, score 9: Enrichment-Tainted-Configuration Change
    - Enrichment of powershell.exe creating update.vbs (tainted by parent "Powershell executed remote commands" alerts)
  CrowdStrike, score 10: Telemetry
    - Telemetry showing update.vbs with event_name NewScriptWritten, indicating a write to C$
  Cybereason, score 7: Telemetry-Tainted
    - Telemetry of file events for the write of update.vbs to Creeper (10.0.0.4) (tainted by a parent PowerShell alert, listed as Owner process)
  Endgame, score 10: Telemetry
  F-Secure, score 10: Telemetry
    - Telemetry showing the creation of update.vbs
  FireEye, score 72: Enrichment; Specific Behavior-Delayed
    - Enrichment of powershell.exe writing update.vbs with File Write to Network Share alert
    - Excerpt from the Managed Defense Report of the write of the autoupdate.vbs script (Specific Behavior)
  McAfee, score 25: Telemetry; Enrichment
    - Enrichment of powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Remote File Copy) and a suspicious indicator that a file was copied to a remote computer via PowerShell
    - Telemetry showing the creation of update.vbs
  Microsoft, score 7: Telemetry-Tainted
    - Telemetry showing file creation of update.vbs on 10.0.0.4 (Creeper)
    - Parent alert for PowerShell script with suspicious content tainting powershell.exe on CodeRed (alert was generated on many PowerShell script executions throughout the day; the specific instance of this procedure is not shown in this alert)
    - Telemetry showing remote creation of update.vbs on 10.0.0.4 (Creeper) from 10.0.1.5 (CodeRed)
  PaloAltoNetworks, score 67: Telemetry; Specific Behavior-Tainted
    - Specific Behavior alert for a script being modified/moved to a remote location (tainted by a parent alert on wscript.exe)
    - Telemetry showing file create and write events for update.vbs
  RSA, score 0: None
  SentinelOne, score 7: Telemetry-Tainted
    - Telemetry showing create file event for update.vbs on 10.0.0.4 (Creeper) (tainted by relationship to threat story, but Group ID not shown in this view)

Technique: Access Token Manipulation (T1134). Tactics: Defense Evasion, Privilege Escalation

Step 3.A.1. Cobalt Strike: Built-in UAC bypass token duplication capability executed to modify current process token
CarbonBlack (Telemetry, 10): Telemetry showing svchost.exe activity related to token manipulation; Telemetry showing svchost.exe command-line arguments, specifically seclogon
CounterTack (None, 0): Relationships view of alert showing svchost.exe spawning powershell.exe tree (including encoded PowerShell); red dots indicate malicious behavior and orange dots indicate suspicious behavior (based on impact value) (does not count as a detection); Alert for PowerShell process creation (does not count as a detection)
CrowdStrike (None, 0)
Cybereason (None, 0): Alert for malicious code injection into PowerShell (does not count as a detection); Telemetry showing that bypassuactoken.x64.dll was loaded (does not count as a detection)
Endgame (Telemetry, 10): Telemetry showing powershell.exe spawned with token authentication id 100243447; Telemetry showing svchost.exe seclogon event for token login id 0x5f997f7 (100243447)
F-Secure (Telemetry, 10): Telemetry showing logon event for user Debbie with an elevated token; Telemetry showing svchost.exe executed with the seclogon command-line argument
FireEye (Telemetry-Configuration Change, 7): Telemetry showing svchost.exe seclogon event for token login ID 0xfcf5fd; Telemetry showing group membership of token logon ID 0xfcf5fd, which includes S-1-16-12288 (High Mandatory Level)
McAfee (Telemetry-Delayed, 7): Telemetry showing a New Credentials logon event for user Debbie; Telemetry showing svchost.exe with the seclogon command-line argument
Microsoft (Telemetry-Tainted, 7): Telemetry showing svchost.exe execution with seclogon command-line argument and the subsequent powershell.exe; Alert for 'Suspicious PowerShell command-line' showing tainted association via a process tree containing svchost.exe and elevated powershell.exe
PaloAltoNetworks (Telemetry, 10): Telemetry showing logon event with an elevated token and new logon ID; Telemetry showing svchost.exe executed with the seclogon command-line argument
RSA (None, 0)
SentinelOne (None, 0)

Step 5.B.1. Cobalt Strike: Built-in token theft capability executed to change user context to George
CarbonBlack (Telemetry, 10): Telemetry showing parent cmd.exe process running under user context Debbie; Telemetry showing child cmd.exe process running under user context George
CounterTack (None, 0)
CrowdStrike (Telemetry, 10): Telemetry showing children of the compromised process (PID 21898821890) first running as Debbie, then as George
Cybereason (Telemetry-Tainted, 7): Telemetry within the process tree showing cmd.exe associated with users Debbie and George (tainted by a parent alert on explorer.exe)
Endgame (Specific Behavior, Telemetry-Tainted, 67): Telemetry showing the cmd.exe that spawned as user George from rundll32.exe running as user Debbie (tainted by parent Privilege Escalation alert); Specific Behavior alert on Privilege Escalation showing a process (cmd.exe) spawning with a different token than its parent (rundll32.exe) (mapped to the correct ATT&CK Technique, T1134 - Access Token Manipulation, and Tactics, Privilege Escalation and Defense Evasion)
F-Secure (Telemetry, 10): Telemetry showing a cmd.exe associated with user Debbie spawning a cmd.exe associated with user George, indicating user context change via token manipulation
FireEye (Telemetry, 10): Telemetry showing the user George executing reg.exe with command-line arguments during Step 6; Telemetry showing the user Debbie executing net.exe with command-line arguments during Step 4
McAfee (Telemetry, 10): Telemetry showing a change in user execution context from Debbie to George between processes
Microsoft (Telemetry-Tainted, 7): Alert for suspicious process injection showing tainted association via a process tree containing the subsequent cmd.exe processes (inner failure message in screenshot not relevant to tested functionality); Telemetry showing resulting cmd.exe running as user George; Telemetry showing svchost.exe invocation with seclogon flag subsequently running cmd.exe as SYSTEM
PaloAltoNetworks (Telemetry-Tainted, 7): Telemetry showing a cmd.exe associated with user Debbie spawning a cmd.exe associated with user George, indicating user context change via token manipulation (tainted by a parent process injection alert on cmd.exe)
RSA (None, 0)
SentinelOne (None, 0)

Technique: Scripting (T1064). Tactics: Defense Evasion, Execution

Step 1.A.1. Previously executed self-extracting archive (Resume Viewer.exe) launched an embedded batch file (pdfhelper.cmd)
CarbonBlack (Telemetry, Enrichment, 25): Telemetry from process tree showing cmd.exe running the pdfhelper.cmd script; Enrichment of cmd.exe executing pdfhelper.cmd with correct ATT&CK Technique (T1064 - Scripting)
CounterTack (Telemetry-Tainted, 7): Telemetry showing cmd.exe running pdfhelper.cmd (tainted by the Script File Created alert)
CrowdStrike (General Behavior-Delayed, Telemetry, 37): Telemetry showing pdfhelper.cmd execution; OverWatch General Behavior alert indicating pdfhelper.cmd execution was suspicious
Cybereason (Telemetry-Tainted, 7): Telemetry showing cmd.exe launching pdfhelper.cmd (tainted by parent alert on explorer.exe)
Endgame (Telemetry-Tainted, 7): Telemetry showing pdfhelper.cmd spawned as a child process of Resume Viewer.exe (tainted by parent Malicious File Detection alert); Telemetry showing cmd.exe process creation and execution of pdfhelper.cmd (tainted by parent Malicious File Detection alert)
F-Secure (General Behavior, Telemetry, 40): Telemetry showing the execution of pdfhelper.cmd
FireEye (Telemetry, 10): Telemetry showing the child cmd.exe process running the pdfhelper.cmd script
McAfee (Telemetry-Tainted, 7): Process tree within trace detection containing cmd.exe executing pdfhelper.cmd (tainted by a parent alert on Resume Viewer.exe); Telemetry showing pdfhelper.cmd execution
Microsoft (Telemetry, 10): Telemetry within the process tree showing the child cmd.exe process running the script pdfhelper.cmd
PaloAltoNetworks (Telemetry, Specific Behavior, 70): Specific Behavior alert for execution of Windows script engine tagged with the correct ATT&CK Technique (Scripting); Telemetry showing cmd.exe launching pdfhelper.cmd
RSA (None, 0): Telemetry showing Resume Viewer.exe execution (does not count as a detection)
SentinelOne (Telemetry-Tainted, 7): Telemetry from process tree showing the child cmd.exe process running the script pdfhelper.cmd (tainted by relationship to threat story)

Step 11.A.1. Legitimate user Bob clicked and executed malicious VBScript (autoupdate.vbs) on 10.0.1.5 (CodeRed)
CarbonBlack (Enrichment, Telemetry, Specific Behavior, Specific Behavior, 145): Enrichment of wscript.exe and powershell.exe with correct ATT&CK Techniques (T1064 - Scripting, T1086 - PowerShell); Specific Behavior alerts for PowerShell scripting; Telemetry showing process tree of script execution
CounterTack (Telemetry-Tainted, 7): Telemetry showing powershell.exe creation from wscript.exe (tainted by the parent Script File Created alert); Telemetry showing script execution (tainted by the parent Script File Created alert)
CrowdStrike (Specific Behavior, General Behavior-Delayed, Telemetry, Specific Behavior-Delayed, 154): Email excerpt from the OverWatch team indicating a malicious script was run (Specific Behavior); General Behavior alert from OverWatch that wscript.exe executing launcher.vbs was suspicious; Specific Behavior alert for PowerShell sharing characteristics with known exploit kits
Cybereason (Specific Behavior, Telemetry-Tainted, 67): Specific Behavior alert for powershell.exe, labeled with Command and Control and Malicious use of PowerShell; Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert); Telemetry showing wscript.exe executing autoupdate.vbs (tainted by a parent PowerShell alert); Specific Behavior alert tagged as obfuscated PowerShell payload and downloader, mapped to the correct ATT&CK Tactic (Execution) and Technique (PowerShell)
Endgame (Specific Behavior, Telemetry-Tainted, Specific Behavior, 127): Specific Behavior alert for powershell.exe also showing telemetry for script execution (mapped to related ATT&CK Technique, T1086 - PowerShell, and correct Tactic, Execution); Specific Behavior alert for wscript.exe launching powershell.exe (mapped to the correct ATT&CK Technique, T1064 - Scripting, and Tactic, Execution)
F-Secure (Telemetry, Enrichment, Specific Behavior, 85): Specific Behavior alert for PowerShell executing a long, encoded command; Telemetry showing wscript.exe executing autoupdate.vbs and subsequently powershell.exe; Enrichment of wscript.exe executing powershell.exe with a tag indicating that wscript executed code
FireEye (Specific Behavior, Enrichment, Indicator of Compromise, 95): Indicator of Compromise alert for EMPIRE RAT (tagged with related ATT&CK Technique, T1086 - PowerShell); Enrichment of wscript.exe with Wscript Execution alert (tagged with correct ATT&CK Technique, T1064 - Scripting, and Tactic, Execution); Additional details on Specific Behavior alert for Suspicious PowerShell Usage; Specific Behavior alert for Suspicious PowerShell Usage showing powershell.exe execution (tagged with related ATT&CK Technique, T1086 - PowerShell, and correct Tactic, Execution)
McAfee (Telemetry-Tainted, Specific Behavior, Specific Behavior, Enrichment, Enrichment, Specific Behavior, Specific Behavior, 277): Specific Behavior alerts and enrichments for wscript.exe and powershell.exe; Telemetry showing wscript.exe (executing autoupdate.vbs) then spawning powershell.exe (tainted by a parent alert on wscript.exe)
Microsoft (Telemetry, Specific Behavior, Specific Behavior-Delayed, Specific Behavior, 187): Process tree of alert containing malicious PowerShell cmdlets related to Empire; Telemetry showing PowerShell script metadata and decoded command-line arguments; Specific Behavior alert for "Suspicious PowerShell command-line"; Specific Behavior alert for "PowerShell script with suspicious content" detected through Antimalware Scan Interface extracted content; Specific Behavior alert for PowerShell script with malicious cmdlets; Telemetry showing execution of autoupdate.vbs script; Telemetry showing execution of wscript.exe; Telemetry showing execution of PowerShell cmdlets from wscript.exe
PaloAltoNetworks (Specific Behavior, Specific Behavior, Specific Behavior, Indicator of Compromise, Indicator of Compromise, Specific Behavior, Telemetry-Tainted, 287): Specific Behavior alert for execution of the Windows script engine tagged with the correct ATT&CK Technique (Scripting); Telemetry showing powershell.exe running with command-line arguments (tainted by a parent alert on wscript.exe); Telemetry showing wscript.exe executing autoupdate.vbs (tainted by a parent alert on wscript.exe); Specific Behavior alert for suspicious PowerShell activity; Specific Behavior alert for PowerShell (execution) tagged with a related Technique (PowerShell); Specific Behavior alert for PowerShell execution with base64 encoded commands; Indicator of Compromise alert identifying PowerShell Empire; Indicator of Compromise alerts for suspicious PowerShell strings
RSA (Telemetry, 10): Telemetry showing the autoupdate.vbs script executed by wscript.exe
SentinelOne (Telemetry, General Behavior, 40): General Behavior alert for execution of autoupdate.vbs listed as an active threat; Telemetry showing wscript.exe and powershell.exe

Step 12.E.1. Empire: Built-in WinEnum module executed to programmatically execute a series of enumeration techniques
CarbonBlack (Telemetry, 10): Telemetry showing dynamically loaded libraries (modloads) that may indicate PowerShell functionality; Telemetry showing powershell.exe execution
CounterTack (Telemetry, 10): Telemetry showing powershell.exe execution and connection to the domain controller 10.0.0.4 (Creeper)
CrowdStrike (Telemetry, Specific Behavior-Delayed, Specific Behavior-Delayed, 124): Telemetry showing the temp write of the ps1 script; Email excerpt from OverWatch team indicating they observed an unidentified PowerShell script running (Specific Behavior); OverWatch Specific Behavior alert indicating the PowerShell script was malicious
Cybereason (Specific Behavior-Tainted, Telemetry-Tainted, 64): Specific Behavior alert for Malicious use of PowerShell (tainted by a parent PowerShell alert); Telemetry showing the temp write of the psm1 script module (tainted by a parent PowerShell alert); Specific Behavior alert for a PowerShell Malicious command, identified as the Invoke-WinEnum function
Endgame (Specific Behavior-Tainted, Telemetry-Tainted, 64): Specific Behavior alert for "PowerShell with Unusual Arguments" (tagged with correct ATT&CK Technique, T1086 - PowerShell, and Tactic, Execution; tainted by parent PowerShell alerts); Telemetry pulled by Interactive Shell showing the contents of the WinEnum script (does not count as a detection); Telemetry showing powershell.exe execution (ID 2397532) (tainted by parent PowerShell alerts)
F-Secure (Telemetry, 10): Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
FireEye (Enrichment, Specific Behavior-Delayed, 72): Enrichment of powershell.exe with PowerShell Execution alert (tagged with related ATT&CK Technique, T1086 - PowerShell); Excerpt from the Managed Defense Report indicating a PowerShell command was run from Empire (Specific Behavior)
McAfee (Telemetry, 10): Telemetry showing the PowerShell script (.ps1) being written to the temp folder
Microsoft (Telemetry-Tainted, Specific Behavior, 67): Additional telemetry showing powershell.exe execution sequence resulting from WinEnum; Telemetry showing powershell.exe execution sequence resulting from WinEnum; Process tree view of "Suspicious sequence of exploration activities" alert showing tainted powershell.exe process; Specific Behavior alert for "A malicious PowerShell Cmdlet was invoked on the machine"; Process tree under alert "A malicious PowerShell Cmdlet was invoked on the machine" showing Invoke-Empire and Invoke-WinEnum
PaloAltoNetworks (Telemetry-Tainted, Specific Behavior-Tainted, Indicator of Compromise, 84): Telemetry showing powershell.exe executing with command-line arguments as well as PowerShell module (.psm) and script (.ps1) files being written to disk (tainted by a parent alert on wscript.exe); Specific Behavior alert for PowerShell execution with base64 encoded commands (tainted by a parent alert on wscript.exe); Indicator of Compromise alert identifying suspicious PowerShell strings as Empire WinEnum
RSA (Telemetry, 10): Telemetry showing a PowerShell script written to disk
SentinelOne (Telemetry-Tainted, 7): Telemetry showing encoded PowerShell script (tainted Group ID not shown but was the search parameter)

Technique: Credential Dumping (T1003). Tactic: Credential Access

Step 5.A.1. Cobalt Strike: Built-in Mimikatz credential dump capability executed
CarbonBlack (Telemetry, Specific Behavior, 70): Specific Behavior alert showing correct ATT&CK Technique (Credential Dumping); Telemetry showing cross-process events, specifically a handle to open thread into lsass.exe
CounterTack (None, 0): Alert showing DDNA Scan for svchost.exe (does not count as a detection); Alert showing additional DDNA Scan details for svchost.exe, including that it appears to inject code into another process (does not count as a detection); Alert showing DDNA Scan details for svchost.exe, including that it appears to inject code into another process (does not count as a detection)
CrowdStrike (Specific Behavior-Tainted, Telemetry, General Behavior-Delayed-Tainted, 91): Specific Behavior alert for Credential Dumping and OverWatch General Behavior alert (tainted by previous detection, shown by the orange line indicating medium severity)
Cybereason (Specific Behavior, 60): Specific Behavior alert with correct ATT&CK Tactic (Credential Access) and related Technique (Process Injection) with details about svchost.exe accessing lsass
Endgame (Specific Behavior, 60): Specific Behavior alert mapped to the correct ATT&CK Technique (Credential Dumping)
F-Secure (None, 0)
FireEye (None, 0)
McAfee (None, 0)
Microsoft (Enrichment-Tainted, Specific Behavior-Delayed, 69): Alert for suspicious process injection showing tainted association via a process tree containing svchost.exe (inner failure message in screenshot not relevant to tested functionality); Specific Behavior alert description for sensitive credential memory read; Enrichment showing Exploit Guard audit of svchost.exe extracting credentials from lsass.exe; Process tree for sensitive credential memory read alert
PaloAltoNetworks (Specific Behavior, 60): Specific Behavior alert for a suspicious handle being opened to lsass.exe to dump passwords, tagged with the correct ATT&CK Technique (Credential Dumping)
RSA (None, 0)
SentinelOne (None, 0)

Step 5.A.2. Cobalt Strike: Built-in hash dump capability executed
CarbonBlack (Telemetry, 10): Telemetry showing cross-process events, specifically a handle to open thread into lsass.exe
CounterTack (Telemetry-Tainted, 7): Telemetry showing thread create to lsass.exe (tainted by the parent "Powershell process created" and "Policy Remote Process Compromise" alerts)
CrowdStrike (Specific Behavior-Tainted, Specific Behavior-Tainted, Telemetry, General Behavior-Delayed-Tainted, 148): Process tree view of Specific Behavior alerts for Credential Dumping and OverWatch General Behavior alert (tainted by previous detection, shown by the orange line indicating medium severity); Two Specific Behavior alerts for Credential Dumping (mapped to correct ATT&CK Technique, Credential Dumping, and Tactic, Credential Access) and General Behavior OverWatch alert
Cybereason (Telemetry-Tainted, 7): Parent alert for svchost.exe injecting into lsass.exe, labeled as Malicious Code Injection; Telemetry showing svchost.exe process injection into lsass.exe (tainted by a parent injection alert); Telemetry within alert showing loaded hashdumpx64.dll as floating executable code
Endgame (Specific Behavior, 60): Specific Behavior alert mapped to the correct ATT&CK Technique (Credential Dumping)
F-Secure (Enrichment, 15): Enrichment of svchost.exe injecting a thread into lsass.exe with a tag identifying credential dumping
FireEye (None, 0)
McAfee (None, 0)
Microsoft (Enrichment-Tainted, 12): Alert for process injection into lsass.exe tainting this event (inner failure message in screenshot not relevant to tested functionality); Enrichment showing Exploit Guard audit of svchost.exe extracting credentials from lsass.exe
PaloAltoNetworks (Telemetry-Tainted, Specific Behavior, 67): Specific Behavior alert for svchost dumping credentials via the Registry, tagged with the correct ATT&CK Technique (Credential Dumping); Telemetry showing a code injection into lsass.exe (tainted by a parent process injection alert on cmd.exe)
RSA (None, 0)
SentinelOne (None, 0)

Technique: Exfiltration Over Command and Control Channel (T1041). Tactic: Exfiltration

Step 9.B.1. Cobalt Strike: Download capability exfiltrated data through existing C2 channel
CarbonBlack (None, 0)
CounterTack (None, 0)
CrowdStrike (None, 0)
Cybereason (None, 0): Telemetry showing a port 445 connection between Nimda (10.0.1.6) and the source of the file on Conficker (10.0.0.5) (does not count as a detection)
Endgame (None, 0)
F-Secure (None, 0)
FireEye (None, 0): DNS requests to freegoogleadsenseinfo.com (C2 domain) (does not count as a detection)
McAfee (None, 0)
Microsoft (None, 0)
PaloAltoNetworks (None, 0): Port 53 network traffic to/from freegoogleadsenseinfo.com (C2 domain) (does not count as a detection)
RSA (None, 0)
SentinelOne (None, 0)

Technique: Registry Run Keys / Startup Folder (T1060). Tactic: Persistence

Step 10.A.1. Batch file (autoupdate.bat) previously written to Startup folder executed when user Debbie logs on to Nimda (10.0.1.6), launching a DLL payload (update.dat) using Rundll32
CarbonBlack (Telemetry, 10): Telemetry from process tree showing cmd.exe executing autoupdate.bat from Startup folder
CounterTack (Telemetry, 10): Telemetry showing cmd.exe starting rundll32.exe; Telemetry showing explorer.exe creating cmd.exe and executing .bat from Startup
CrowdStrike (Telemetry, 10): Telemetry showing cmd.exe running autoupdate.bat from Startup folder
Cybereason (Telemetry-Tainted, 7): Parent alert for Injected shellcode into rundll32.exe; Telemetry showing rundll32.exe executing autoupdate.bat from the Startup folder (tainted by a parent Injected Shellcode alert)
Endgame (Telemetry-Tainted, 7): Telemetry showing rundll32.exe executing update.dat (tainted by parent "RunDLL32 with Suspicious DLL Location" alert)
F-Secure (Specific Behavior, Telemetry, 70): Telemetry showing cmd.exe executing autoupdate.bat from the Startup folder; Specific Behavior alert for a batch file automatically being started from the Startup folder
FireEye (Enrichment, Telemetry, Telemetry-Tainted, Specific Behavior-Delayed, 89): Enrichment of cmd.exe executing from Startup with Process Execution Startup alert (tagged with correct ATT&CK Technique, T1060 - Registry Run Keys / Startup Folder, and Tactic, Persistence); Telemetry showing cmd.exe executing autoupdate.bat from Startup folder; Telemetry showing rundll32.exe executing update.dat (tainted by parent Rundll32 Execution alert); Additional details of rundll32.exe telemetry; Excerpt from the Managed Defense Report indicating autoupdate.bat persisted due to its presence in Startup (Specific Behavior)
McAfee (Telemetry, 10): Telemetry showing cmd.exe executing autoupdate.bat then update.dat via rundll32.exe
Microsoft (Telemetry, 10): Telemetry showing Startup folder execution sequence for autoupdate.bat on user logon
PaloAltoNetworks (Telemetry, 10): Telemetry showing cmd.exe executing autoupdate.bat from the Startup folder
RSA (Telemetry, 10): Telemetry showing the execution of autoupdate.bat from the Startup folder
SentinelOne (Telemetry, 10): Group ID query showing both autoupdate.bat and updater.dll persistence execution; Telemetry showing execution of autoupdate.bat from the Startup folder

Step 1.B.1. Previously executed batch file (pdfhelper.cmd) moved a separate batch file (autoupdate.bat) to the Startup folder
CarbonBlack (Telemetry, Enrichment, 25): Telemetry showing filemods indicating update.bat was written to the Startup folder; Enrichment of cmd.exe with correct ATT&CK Technique (T1060 - Registry Run Keys / Start Folder)
CounterTack (Telemetry, 10): Telemetry showing autoupdate.bat created in Startup folder
CrowdStrike (Telemetry, 10): Telemetry showing Registry modification related to Startup Folder
Cybereason (Telemetry-Tainted, 7): Process tree showing the cmd.exe associated with the autoupdate.bat file event (tainted by parent alert on explorer.exe); Telemetry showing rename file event for autoupdate.bat
Endgame (Telemetry-Tainted, Specific Behavior-Tainted, 64): "Detected Persistence - Start Folder Persistence" Specific Behavior alert related to autoupdate.bat (tagged with correct ATT&CK Technique, T1060 - Registry Run Keys / Start Folder, and Tactic, Persistence; tainted by cmd.exe generating the alert); Telemetry showing autoupdate.bat written to the Start Menu (tainted by parent Malicious File Detection alert)
F-Secure (Telemetry, 10): Telemetry showing the autoupdate.bat within the Startup folder
FireEye (Telemetry, Enrichment, Specific Behavior-Delayed, 82): Telemetry showing autoupdate.bat file written to the Startup folder; Enrichment of autoupdate.bat being written to Startup with Persistence category; Additional details on enrichment of autoupdate.dat; Excerpt from the Managed Defense Report indicating the backdoor persisted via autoupdate.bat being written to the Startup directory (Specific Behavior)
McAfee (Specific Behavior, 60): Specific Behavior alert for "An exe/bat/lnk/dll file has been copied or renamed in the Windows Startup Folder" for persistence based on pdfhelper.cmd, tagged with the correct ATT&CK Tactic (Persistence) and Technique (Registry Run Keys / Start Folder)
Microsoft (Telemetry, 10): Telemetry showing write of autoupdate.bat to Startup folder
PaloAltoNetworks (Telemetry-Tainted, Enrichment-Tainted-Configuration Change, 16): Enrichment of a file being created in the Startup folder tagged with the correct ATT&CK Technique (Registry Run Keys / Start Folder) (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine); Telemetry showing autoupdate.bat being moved to the user Debbie's Startup folder (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine)
RSA (Telemetry, 10): Telemetry showing cmd.exe "rename to executable" event for autoupdate.bat in Startup folder
SentinelOne (Telemetry-Tainted, 7): Telemetry showing autoupdate.bat write to the Startup folder (tainted by relationship to threat story)

Technique: Graphical User Interface (T1061). Tactic: Execution

Step 7.A.1. Microsoft Management Console (Local Users and Groups snap-in) GUI utility used to add new user through RDP connection
CarbonBlack (Telemetry, 10): Telemetry showing mmc.exe running lusrmgr.msc
CounterTack (Telemetry-Tainted, 7): Telemetry showing mmc.exe process executing lusrmgr.msc (tainted by the parent "LSA Registry Key modified" alert)
CrowdStrike (Telemetry, 10): Telemetry showing mmc.exe running lusrmgr.msc
Cybereason (Telemetry, 10): Telemetry showing lusrmgr.msc running from mmc.exe
Endgame (Telemetry, 10): Telemetry showing mmc.exe running lusrmgr.msc
F-Secure (Telemetry, 10): Telemetry showing mmc.exe running lusrmgr.msc
FireEye (Telemetry, 10): Telemetry showing mmc.exe spawning lusrmgr.exe
McAfee (Telemetry, 10): Telemetry showing mmc.exe running lusrmgr.msc
Microsoft (Telemetry, 10): Telemetry showing mmc.exe running lusrmgr.msc
PaloAltoNetworks (Telemetry, Enrichment, 25): Enrichment of the Local Users and Groups snap-in (lusrmgr.msc) executing with the correct ATT&CK Technique (Graphical User Interface); Telemetry showing lusrmgr.msc running from mmc.exe
RSA (None, 0)
SentinelOne (None, 0)

Technique: Exfiltration Over Alternative Protocol (T1048). Tactic: Exfiltration

Step 19.C.1. Empire: Sequence of 'echo' commands via PowerShell to populate commands in a text file (ftp.txt), which is then executed by FTP to exfil data through a network connection separate from the existing C2 channel
CarbonBlack (Telemetry, Enrichment, 25): Enrichment of ftp.exe with correct ATT&CK Technique (Exfil Over Alternate Protocol); Telemetry from process tree showing execution of ftp.exe with command-line arguments
CounterTack (Telemetry-Tainted, 7): Telemetry showing powershell.exe executing ftp.exe (tainted by the parent "Powershell executed encoded commands" alert); Telemetry showing outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21 (tainted by the parent "PowerShell executed encoded commands" alert)
CrowdStrike (General Behavior-Delayed-Tainted, Telemetry, Specific Behavior-Delayed, 91): Email excerpt sent by OverWatch team indicating they observed the collected files being exfiltrated via FTP (Specific Behavior); OverWatch General Behavior alert indicating ftp.exe executing with ftp.txt was suspicious (tainted by previous powershell.exe detection, shown by the red line indicating high severity)
Cybereason (Enrichment-Tainted, Telemetry, 22): Enrichment of ftp.exe execution with related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol) (tainted by a parent PowerShell alert); Enrichment of ftp.exe execution in process tree with related ATT&CK Tactic (Command and Control) and Techniques (Commonly Used Port, Standard Application Layer Protocol) (tainted by a parent PowerShell alert); Continuation of enrichment of ftp.exe execution in process tree showing command-line arguments; Continuation of enrichment of ftp.exe execution showing total number of bytes transmitted
Endgame (Telemetry-Tainted, 7): Telemetry showing ftp.exe with command-line arguments including ftp.txt and subsequent connection to 192.168.0.4 (C2 server) on port 21
F-Secure (Specific Behavior, Telemetry, 70): Specific Behavior alert for the execution of ftp.exe with a command file option by an unusual parent process, which could be used for exfiltration; Telemetry showing ftp.exe with ftp.txt as an argument as well as an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21
FireEye (Enrichment, Enrichment, Enrichment, Specific Behavior-Delayed, 102): Enrichment of ftp.exe executing the ftp.txt file with FTP Utility Execution alert (tagged with the correct ATT&CK Software, S0095 - FTP); Excerpt from the Managed Defense Report showing the writing of FTP commands to ftp.txt and the subsequent execution of the ftp.txt file (Specific Behavior); Enrichment of TCP port 21 connection to 192.168.0.4 (C2 server) (tagged with correct ATT&CK Technique, T1048 - Exfiltration Over Alternative Protocol, and Tactic, Exfiltration); Enrichment of ftp.exe executing ftp.exe based on the use of the -s argument with FTP Utility Execution alert
McAfee (Telemetry-Tainted, Enrichment, 22): Enrichment of powershell.exe executing ftp.exe with the correct ATT&CK Tactic (Exfiltration) and Technique (Exfiltration Over Alternative Protocol) and a suspicious indicator that a connection was made to a remote server via the FTP protocol; Telemetry showing cmd.exe executing ftp.exe, which made an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21 (tainted by a trace detection on cmd.exe)
Microsoft (Telemetry-Tainted, 7): Telemetry showing powershell.exe running ftp.exe and the subsequent connection to 192.168.0.4 (C2 server) on port 21; Telemetry showing powershell.exe running ftp.exe and the subsequent connection to 192.168.0.4 (C2 server) on port 20; Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown)
PaloAltoNetworks (Telemetry-Tainted, Enrichment-Tainted, 19): Telemetry showing ftp.exe execution (tainted by a parent alert on wscript.exe); Enrichment of ftp.exe as the execution of a CLI file transfer/copy utility (tainted by a parent alert on wscript.exe); Telemetry showing an outbound FTP connection to 192.168.0.4 (C2 server) on TCP port 21 (tainted by a parent alert on wscript.exe)
RSA (Telemetry, 10): Telemetry showing the execution of ftp.exe
SentinelOne (Telemetry-Tainted, 7): Telemetry showing the execution of ftp.exe with ftp.txt, associated to the prior lateral movement threat story by Group ID

Technique: Security Software Discovery (T1063). Tactic: Discovery

Step 12.E.1.10.2. Empire: WinEnum module included enumeration of firewall rules
CarbonBlack (None, 0)
CounterTack (None, 0)
CrowdStrike (None, 0)
Cybereason (None, 0)
Endgame (None, 0): Interactive Shell events showing the WinEnum script and the Firewall Rules function (does not count as a detection due to manual process of pulling events)
F-Secure (Telemetry, 10): Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
FireEye (None, 0)
McAfee (None, 0)
Microsoft (None, 0)
PaloAltoNetworks (Enrichment, 15): Enrichment of powershell.exe executing with command-line arguments with the correct ATT&CK Technique (Security Software Discovery)
RSA (None, 0)
SentinelOne (None, 0)

Step 12.E.1.10.1. Empire: WinEnum module included enumeration of AV solutions
CarbonBlack (None, 0)
CounterTack (None, 0)
CrowdStrike (None, 0)
Cybereason (None, 0)
Endgame (None, 0): Interactive Shell events showing the WinEnum script and the AV Solution function (does not count as a detection due to manual process of pulling events)
F-Secure (Telemetry, 10): Telemetry showing the full contents of the executed Invoke-WinEnum PowerShell function
FireEye (None, 0)
McAfee (None, 0)
Microsoft (None, 0)
PaloAltoNetworks (Telemetry, 10): Telemetry showing an event log for the WMI query of the system AV products
RSA (None, 0)
SentinelOne (Enrichment-Tainted, Telemetry-Tainted, 19): Telemetry showing powershell.exe WMI queries for antivirus product information (tainted by relationship to threat story); Enrichment of powershell.exe with action "attempted to find other installed security software" (tainted Group ID not shown but was the search parameter)
Data Compressed (Exfiltration, T1002)

Step 19.B.1: Empire: Executed binary (recycler.exe) created compressed archive (old.rar) of previously collected file

| Vendor | Evidence | Detection types | Score |
|---|---|---|---|
| CarbonBlack | Enrichment of recycler.exe with correct ATT&CK Technique (1002 - Data Compressed); Process tree with telemetry showing recycler.exe and command-line arguments; Telemetry showing filemod (file modification) creation of old.rar output of recycler.exe | Telemetry, Enrichment | 25 |
| CounterTack | Enrichment showing recycler.exe creating old.rar (enriched with "Data Exfiltration Archiving", tainted by parent "Powershell executed encoded command" alerts); Telemetry showing recycler.exe with full command-line (tainted by parent "Powershell executed encoded commands" and "Policy Dropper Behavior" alerts) | Enrichment-Tainted-Configuration Change, Telemetry-Tainted | 16 |
| CrowdStrike | Specific Behavior alert on RAR archive written (mapped to correct ATT&CK Technique, Data Compressed, and Tactic, Exfiltration; tainted by previous powershell.exe detection by red line indicating high severity); Email excerpt sent by OverWatch team indicating they observed a .vsdx file archived using the renamed RAR binary, recycler.exe (Specific Behavior); Additional details of recycler.exe from the alert showing it was signed by win.rar GmbH | Specific Behavior-Tainted, Telemetry, Specific Behavior-Delayed | 124 |
| Cybereason | Telemetry showing recycler.exe execution (tainted by a parent PowerShell alert) | Telemetry-Tainted | 7 |
| Endgame | Enriched event tree showing enrichment of recycler.exe and creation of old.rar output with related ATT&CK Technique (T1022 - Data Encrypted) and Tactic (Exfiltration) (tainted by Windows Script Executing PowerShell alert, tree is initially available unenriched to show the base telemetry); Specific Behavior alert for the execution of recycler.exe named "Exfiltration-Encrypting Files with WinRar" (tainted by Windows Script Executing PowerShell alert) | Specific Behavior-Tainted, Telemetry-Tainted, Enrichment-Delayed-Tainted | 73 |
| F-Secure | General Behavior alert showing that a spawned process (recycler) has been tagged for monitoring because its parent process has a detection (powershell.exe); Telemetry showing the creation of old.rar as the output of recycler.exe running; Telemetry showing recycler.exe execution | Telemetry, General Behavior | 40 |
| FireEye | Enrichment of -hp command line with Possible Encrypted RAR Archive Command alert (tagged with correct ATT&CK Technique, T1002 - Data Compressed); Enrichment of RAR file write with RAR Archive Created alert (tagged with correct ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration); General Behavior alert for Execution from Suspicious Directory; General Behavior alert for File Write To Root Of Recycle Bin; Enrichment of RAR file write with RAR Archive Created alert (tagged with correct ATT&CK Technique, T1002 - Data Compressed, and Tactic, Exfiltration); Excerpt from the Managed Defense Report indicating the attacker executed recycler.exe to create an encrypted RAR file (Specific Behavior) | General Behavior, Enrichment, Enrichment, General Behavior, Enrichment, Specific Behavior-Delayed | 162 |
| McAfee | Telemetry showing the execution of recycler.exe with command-line arguments (tainted by a parent alert on cmd.exe); Telemetry showing the creation of old.rar (tainted by a parent alert on cmd.exe) | Telemetry-Tainted | 7 |
| Microsoft | Telemetry showing execution of recycler.exe with command-line arguments for file encryption and compression; Alert description for PowerShell script with a suspicious command-line that tainted this event (alert specific to this instance not shown) | Telemetry-Tainted | 7 |
| PaloAltoNetworks | Telemetry showing recycler.exe execution (tainted by a parent alert on wscript.exe) | Telemetry-Tainted | 7 |
| RSA | Telemetry showing execution of recycler.exe with command-line arguments | Telemetry | 10 |
| SentinelOne | Telemetry exported from threat story showing execution of recycler.exe was tainted by prior activity because it was under the same Group ID; Telemetry showing the execution of recycler.exe | Telemetry-Tainted | 7 |
Commonly Used Port (Command and Control, T1043)

Step 6.B.1: Cobalt Strike: C2 channel modified to use port 80

| Vendor | Evidence | Detection types | Score |
|---|---|---|---|
| CarbonBlack | Telemetry showing network connection over port 80 to 192.168.0.4 (C2 server); Enrichment of rundll32.exe TCP port 80 network connections with correct ATT&CK Technique (T1043 - Commonly Used Port) | Telemetry, Enrichment | 25 |
| CounterTack | Telemetry showing outbound traffic to 192.168.0.4 (C2 server) over TCP port 80 (tainted by parent "Sponsor Process Established Network Connection" alert) | Telemetry-Tainted | 7 |
| CrowdStrike | Telemetry showing TCP port 80 connection to 192.168.0.4 (C2 server) | Telemetry | 10 |
| Cybereason | Telemetry showing rundll32.exe opening a connection over port 80 (tainted by a parent Injected Shellcode alert, listed as Owner process); Enrichment of rundll32.exe making a connection over the "HTTP Port" with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port) (tainted by a parent Injected Shellcode alert) | Enrichment-Tainted, Telemetry-Tainted | 19 |
| Endgame | Telemetry showing a TCP port 80 connection from rundll32.exe; Telemetry showing port 80 traffic (tainted by the parent Malicious File Detection alert) | Telemetry-Tainted | 7 |
| F-Secure | Telemetry showing network connections over port 80 to 192.168.0.4 (C2 server) | Telemetry | 10 |
| FireEye | Excerpt from the Managed Defense Report identifying C2 traffic communicating over TCP port 80 to www.freegoogleadsenseinfo.com (C2 domain) (General Behavior); Telemetry showing port 80 connections to 192.168.0.4 (C2 server) | Telemetry, General Behavior-Delayed | 37 |
| McAfee | Telemetry showing TCP port 80 connections to freegoogleadsenseinfo.com (C2 domain); Enrichment of rundll32.exe (the process that made the network connection) with the correct ATT&CK Tactic (Command and Control) and the Technique (Commonly Used Port) | Telemetry, Enrichment | 25 |
| Microsoft | Telemetry showing execution sequence for rundll32.exe opening network connection; Incident graph from "Unexpected process behavior" alert (resulting from rundll32.exe) showing tainted network connection | Telemetry-Tainted | 7 |
| PaloAltoNetworks | Telemetry showing port 80 command and control traffic | Telemetry | 10 |
| RSA | Telemetry showing TCP port 80 connections to freegoogleadsenseinfo.com (C2 domain) | Telemetry | 10 |
| SentinelOne | Telemetry showing port 80 connection to 192.168.0.4 (C2 server) (tainted by relationship to rundll32 parent process linked by Group ID but not shown in this view) | Telemetry-Tainted | 7 |

Step 1.C.1: Cobalt Strike: C2 channel established using port 53

| Vendor | Evidence | Detection types | Score |
|---|---|---|---|
| CarbonBlack | Telemetry showing network connection over UDP port 53 | Telemetry | 10 |
| CounterTack | | None | 0 |
| CrowdStrike | OverWatch alert showing suspicious DNS traffic (does not count as a detection) | None | 0 |
| Cybereason | Telemetry showing port 53 command and control traffic | Telemetry | 10 |
| Endgame | | None | 0 |
| F-Secure | | None | 0 |
| FireEye | Telemetry showing port 53 command and control traffic; Excerpt from the Managed Defense Report indicating command and control occurred over UDP port 53 (Specific Behavior) | Telemetry, Specific Behavior-Delayed | 67 |
| McAfee | | None | 0 |
| Microsoft | Telemetry showing DNS requests to the C2 domain (custom query) (does not count as a detection) | None | 0 |
| PaloAltoNetworks | Specific Behavior alert for a scripting engine (rundll32.exe) making a network connection over DNS ports (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine); Telemetry showing port 53 command and control traffic (tainted by a parent alert related to Resume Viewer.exe and suspicious execution of the Windows Scripting Engine) | Telemetry-Tainted, Specific Behavior-Tainted | 64 |
| RSA | | None | 0 |
| SentinelOne | | None | 0 |

Step 14.A.1: Empire: UAC bypass module downloaded a new Empire stager (wdbypass) over port 8080

| Vendor | Evidence | Detection types | Score |
|---|---|---|---|
| CarbonBlack | Telemetry showing network connection to 192.168.0.5 (C2 server) over TCP port 8080 | Telemetry | 10 |
| CounterTack | Telemetry showing port 8080 HTTP GET request to C2 domain for file wdbypass (tainted by the parent "Powershell executed encoded commands" alert) | Telemetry-Tainted | 7 |
| CrowdStrike | Telemetry showing IEX connection to 192.168.0.5 (C2 server) on TCP port 8080 | Telemetry | 10 |
| Cybereason | Specific Behavior alert showing decoded PowerShell with download request of wdbypass over HTTP port 8080; Specific Behavior alert for powershell.exe mapped to the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port) (tainted by a parent PowerShell alert) | Specific Behavior-Tainted, Telemetry | 67 |
| Endgame | Telemetry showing decoded PowerShell with download request of wdbypass over port 8080; General Behavior alert for Command and Control associated with network traffic from PowerShell over TCP port 8080 | General Behavior, Telemetry | 40 |
| F-Secure | Telemetry showing powershell.exe making an HTTP GET request over port 8080 to freegoogleadsenseinfo.com (C2 domain) for the file wdbypass | Telemetry | 10 |
| FireEye | Telemetry showing TCP port 8080 connection to freegoogleadsenseinfo.com (C2 domain) (tainted by parent PowerShell URL Request alert); Excerpt from the Managed Defense Report indicating Empire communicated over port 8080 (General Behavior); Additional excerpt from the Managed Defense Report indicating Empire was configured to communicate over port 8080 (General Behavior) | Telemetry-Tainted, General Behavior-Delayed | 34 |
| McAfee | Telemetry showing a network connection to 192.168.0.5 (C2 server) over TCP port 8080 | Telemetry | 10 |
| Microsoft | Telemetry showing decoded PowerShell script with download HTTP request of wdbypass over port 8080 and tainted relationship to alert on suspicious PowerShell command-line arguments; Telemetry showing network connection to 192.168.0.5 (C2 server) over port 8080 | Telemetry-Tainted | 7 |
| PaloAltoNetworks | Telemetry showing an outgoing network connection to www.freegoogleadsenseinfo.com (C2 domain) over port 8080 | Telemetry | 10 |
| RSA | Telemetry of decoded PowerShell showing download request over HTTP (does not count as a detection due to decoding outside of capability); Telemetry showing network connection to 192.168.0.5 (C2 server) over port 8080 | Telemetry | 10 |
| SentinelOne | Telemetry showing network connections over port 8080 in the filter (tainted by relationship to threat story but Group ID not shown in this view) | Telemetry-Tainted | 7 |

Step 11.B.1: Empire: C2 channel established using port 443

| Vendor | Evidence | Detection types | Score |
|---|---|---|---|
| CarbonBlack | Enrichment of backgroundtaskhost.exe and powershell.exe with correct ATT&CK Technique (T1043 - Commonly Used Port); Telemetry showing network connections, including over TCP port 443 | Enrichment, Telemetry | 25 |
| CounterTack | Telemetry showing powershell.exe making a network connection over TCP port 443 | Telemetry | 10 |
| CrowdStrike | Telemetry showing powershell.exe making a network connection over port 443 (tainted by parent powershell.exe high severity alert indicated by red icon) | Telemetry-Tainted | 7 |
| Cybereason | Enrichment of powershell.exe making a connection over an "HTTP Port", tagged with the correct ATT&CK Technique (Commonly Used Port) and Tactic (Command and Control) (tainted by a parent PowerShell alert); Telemetry showing powershell.exe making outgoing connection to 192.168.0.5 (C2 server) over TCP port 443 (tainted by a parent PowerShell alert); Telemetry showing decoded PowerShell command with command-line arguments (tainted by a parent PowerShell alert) | Enrichment-Tainted, Telemetry-Tainted | 19 |
| Endgame | Telemetry showing decoded powershell.exe command-line arguments (tainted by parent alert); Telemetry showing powershell.exe making connections over port 443 (tainted by parent alert); Specific Behavior alert for "PowerShell Making Network Connections" (mapped to correct ATT&CK Tactic, Command and Control); Event tree view of Specific Behavior alert for "Command and Control PowerShell Network" (tainted by parent alert) | Telemetry-Tainted, Specific Behavior-Tainted | 64 |
| F-Secure | Telemetry showing a network connection over TCP port 443 to www.freegoogleadsenseinfo.com (C2 domain) | Telemetry | 10 |
| FireEye | Excerpt from the Managed Defense Report indicating Empire communicated over port 443 (General Behavior); Telemetry showing powershell.exe communicating over TCP port 443 (tainted by parent PowerShell Network Connection alert); Additional excerpt from the Managed Defense Report indicating Empire was configured to communicate over port 443 (General Behavior) | Telemetry-Tainted, General Behavior-Delayed | 34 |
| McAfee | Enrichment of powershell.exe with the correct ATT&CK Tactic (Command and Control) and Technique (Commonly Used Port) and a suspicious indicator that powershell.exe accessed a known TCP port; Telemetry showing port 443 network connections to www.freegoogleadsenseinfo.com (C2 domain) (tainted by a parent alert on wscript.exe) | Telemetry-Tainted, Specific Behavior, Enrichment | 82 |
| Microsoft | Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server); Telemetry showing powershell.exe communicating over TCP port 443; Telemetry within alert showing decoded command-line arguments containing port 443 and tainted relationship to the powershell.exe process | Telemetry-Tainted | 7 |
| PaloAltoNetworks | Enrichment of the port 443 network connection with the correct ATT&CK Technique (Commonly Used Port) (tainted by a parent alert on wscript.exe); Telemetry showing port 443 network connections to www.freegoogleadsenseinfo.com (C2 domain) (tainted by a parent alert on wscript.exe); General Behavior alerts for PowerShell making network connections to the internet as well as Wscript connecting to an external network (tainted by a parent alert on wscript.exe) | Telemetry-Tainted, Enrichment-Tainted, General Behavior-Tainted | 46 |
| RSA | Telemetry showing network connections, including over port 443 (does not count as a detection) | None | 0 |
| SentinelOne | Telemetry showing powershell.exe communicating to 192.168.0.5 (C2 server) over TCP port 443 (Group ID tainted the event but was not shown in this view) | Telemetry-Tainted | 7 |
Accessibility Features (Persistence, Privilege Escalation, T1015)

Step 17.C.1: Empire: 'copy' via PowerShell to overwrite magnify.exe with cmd.exe

| Vendor | Evidence | Detection types | Score |
|---|---|---|---|
| CarbonBlack | Specific Behavior alert on powershell.exe when it replaced magnify.exe (mapped to correct ATT&CK Technique, T1015 - Accessibility Features); Telemetry showing creation and file write replacing magnify.exe in the system directory | Telemetry, Specific Behavior | 70 |
| CounterTack | Telemetry showing copy of cmd.exe to magnify.exe in the system directory (tainted by the parent "New Windows service created" alert); Enrichment showing powershell.exe creating and writing magnify.exe (enriched with condition "Creation of Sticky Keys File", tainted by the parent "New Windows service created" alert) | Enrichment-Tainted-Configuration Change, Telemetry-Tainted | 16 |
| CrowdStrike | Additional view of telemetry showing the magnify.exe file write; Telemetry showing file write of magnify.exe by powershell.exe (tainted by parent powershell.exe high severity alert indicated by red icon) | Telemetry-Tainted | 7 |
| Cybereason | Telemetry showing creation and write events for magnify.exe (tainted by a parent PowerShell alert, listed as Owner process) | Telemetry-Tainted | 7 |
| Endgame | Enriched event tree showing enrichment of magnify.exe overwrite with correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence) (tainted by parent alerts on powershell.exe, tree is initially available unenriched to show the base telemetry); Specific Behavior alert on overwrite of magnify.exe named "Persistence-Accessibility Features" tagged with correct ATT&CK Technique (T1015 - Accessibility Features) and Tactic (Persistence) (tainted by parent alerts on powershell.exe) | Specific Behavior, Telemetry-Tainted, Enrichment-Delayed-Tainted | 76 |
| F-Secure | Telemetry showing powershell.exe overwriting magnify.exe with cmd.exe via the copy command; Specific Behavior alert for the modification of an accessibility features binary known to be used for privilege escalation | Specific Behavior, Telemetry, Enrichment | 85 |
| FireEye | Specific Behavior alert on overwrite of magnify.exe for Suspicious Accessibility Features Replacement (BACKDOOR) (tagged with correct ATT&CK Technique, T1015 - Accessibility Features, and Tactic, Persistence); Excerpt from the Managed Defense Report indicating the attacker overwrote magnifier.exe (Specific Behavior); Specific Behavior alert on overwrite of magnify.exe for Accessibility Feature File Write (tagged with correct ATT&CK Technique, T1015 - Accessibility Features, and Tactic, Persistence) | Specific Behavior, Specific Behavior, Specific Behavior-Delayed | 177 |
| McAfee | Telemetry showing a file modification event for Magnifier.exe; A General Behavior alert for powershell.exe altering the attributes of an executable file under the Windows system folder | Telemetry, General Behavior | 40 |
| Microsoft | Telemetry showing overwrite of magnify.exe; Binary metadata and reputation information showing magnify.exe is cmd.exe due to names observed and common hash; Specific Behavior alert on sticky keys binary hijack for persistence when magnify.exe was overwritten | Telemetry, Specific Behavior | 70 |
| PaloAltoNetworks | Telemetry showing change in the hash of magnify.exe; Telemetry showing file write events overwriting magnify.exe in the system directory (tainted by a parent alert on cmd.exe) | Telemetry-Tainted | 7 |
| RSA | Magnify.exe hash matches cmd.exe (top two hashes in Tracking pane, file names and full hash values cut off); Telemetry showing file write to magnify.exe in the system directory | Telemetry | 10 |
| SentinelOne | Telemetry showing file copy and write events of cmd.exe to overwrite magnify.exe with matching hash values (tainted by prior lateral movement threat story; Group ID not shown in this view) | Telemetry-Tainted | 7 |

Step 20.A.1: magnify.exe previously overwritten by cmd.exe launched through RDP connection made to Creeper (10.0.0.4)

| Vendor | Evidence | Detection types | Score |
|---|---|---|---|
| CarbonBlack | Three alerts (one Specific Behavior and two General Behavior alerts) from execution of magnify.exe showing red severity scores; Process tree telemetry showing magnify.exe execution | Telemetry, Specific Behavior, General Behavior, General Behavior | 130 |
| CounterTack | Telemetry showing magnify.exe (tainted by the parent POS Interactive Login Event alert) | Telemetry-Tainted | 7 |
| CrowdStrike | Email excerpt from the OverWatch team indicating they observed a Windows logon bypass (General Behavior); File details of magnify.exe in Accessibility Features Specific Behavior alert identifying it as cmd.exe by hash and common name; Specific Behavior alert showing magnify.exe executing from utilman.exe (mapped to correct ATT&CK Technique, Accessibility Features, and Tactic, Persistence; pink indicates critical severity) | Specific Behavior, Telemetry, General Behavior-Delayed | 97 |
| Cybereason | Specific Behavior alert for magnify.exe, in process tree, masquerading as a Windows accessibility feature, mapped to the correct ATT&CK Tactic (Persistence) and Technique (Accessibility Features); Specific Behavior alert for magnify.exe masquerading as a Windows accessibility feature, mapped to the correct ATT&CK Tactic (Persistence) and Technique (Accessibility Features) | Specific Behavior, Telemetry | 70 |
| Endgame | Specific Behavior alert on Windows File Name Mismatch showing magnify.exe was renamed from cmd.exe and tagged with correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution); Enrichment of magnify.exe with correct ATT&CK Technique (T1015 - Accessibility Features) and Tactics (Defense Evasion, Execution) (tainted by Windows File Name Mismatch alert, tree is initially available unenriched to show the base telemetry) | Specific Behavior, Telemetry-Tainted, Enrichment-Delayed-Tainted | 76 |
| F-Secure | Enrichment of utilman.exe executing magnify.exe with a tag indicating that magnify was a persistent backdoor; General Behavior alert for magnify.exe executing as a process with a renamed executable; Telemetry showing magnify.exe executing from utilman.exe | Telemetry, General Behavior, Enrichment | 55 |
| FireEye | General Behavior alert for RENAMED CMD.EXE; Excerpt from the Managed Defense Report indicating the attacker replaced the magnifier.exe accessibility feature to launch a privileged command shell (Specific Behavior); Specific Behavior alert for Accessibility Features Child Process due to magnify.exe spawning whoami.exe (tagged with the correct ATT&CK Technique, T1015 - Accessibility Features, and Tactics, Persistence, Privilege Escalation); Continued details for General Behavior alert for RENAMED CMD.EXE | General Behavior, Specific Behavior, Specific Behavior-Delayed | 147 |
| McAfee | Telemetry showing magnify.exe (original name identified as cmd.exe) executing from utilman.exe (tainted by a trace detection on magnify.exe); Specific Behavior alert for the command prompt tool executed by masquerading as an accessibility tool; the alert was tagged with the correct ATT&CK Tactics (Persistence, Privilege Escalation) and Technique (Accessibility Features) | Telemetry-Tainted, Specific Behavior | 67 |
| Microsoft | Telemetry showing sequence of magnify.exe executing from utilman.exe; Specific Behavior alert on sticky keys binary hijack of magnify.exe | Telemetry, Specific Behavior | 70 |
| PaloAltoNetworks | Telemetry showing magnify.exe executing from utilman.exe | Telemetry | 10 |
| RSA | Telemetry showing magnify.exe execution | Telemetry | 10 |
| SentinelOne | Telemetry showing magnify.exe execution (identified as Windows Command Processor) | Telemetry | 10 |
TOTAL SCORE: 2810117344672648297142405262291326013611775862
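The per-cell scores in the tables follow a fixed scheme that can be read off the cells themselves: Telemetry 10, Enrichment 15, General Behavior 30, Specific Behavior 60, with 3 subtracted for each Tainted, Delayed or Configuration Change modifier, summed over the cell's labels. The Python below is an added example, not the author's generator script from the git repository; the weights are inferred from this section's cells rather than stated on the page, and the sample cells are copied from the rows above to check that the scheme reproduces them.

```python
"""Score calculator for the detection-type labels in the comparison tables.

The weights are inferred from the cells on the page (Telemetry = 10,
Telemetry + Enrichment = 25, Telemetry + Specific Behavior = 70,
Telemetry-Tainted = 7, ...) and are an assumption, not the author's
published scoring. Each modifier (Tainted, Delayed, Configuration Change)
subtracts MODIFIER_PENALTY from the base weight of its label.
"""
from __future__ import annotations

BASE_WEIGHT = {
    "None": 0,
    "Telemetry": 10,
    "Enrichment": 15,
    "General Behavior": 30,
    "Specific Behavior": 60,
}
MODIFIERS = {"Tainted", "Delayed", "Configuration Change"}
MODIFIER_PENALTY = 3


def score_label(label: str) -> int:
    """Score one label such as 'Enrichment-Delayed-Tainted'.

    The first hyphen-separated part is the detection type; every further
    part must be a known modifier. Unknown parts raise ValueError so that
    a typo in a hand-copied label does not silently score as zero.
    """
    parts = [p.strip() for p in label.split("-")]
    base, mods = parts[0], parts[1:]
    if base not in BASE_WEIGHT:
        raise ValueError(f"unknown detection type {base!r} in {label!r}")
    unknown = [m for m in mods if m not in MODIFIERS]
    if unknown:
        raise ValueError(f"unknown modifier(s) {unknown} in {label!r}")
    if base == "None":
        return 0
    return BASE_WEIGHT[base] - MODIFIER_PENALTY * len(mods)


def score_cell(labels: list[str]) -> int:
    """A cell's score is the sum over its labels (one label per screenshot)."""
    return sum(score_label(label) for label in labels)


# Constructed check data: (labels, score shown on the page) for cells copied
# from the rows above. Every tuple should be reproduced by score_cell().
SAMPLE_CELLS = [
    (["Telemetry"], 10),
    (["Telemetry", "Enrichment"], 25),
    (["Telemetry-Tainted", "Enrichment-Tainted"], 19),
    (["Enrichment-Tainted-Configuration Change", "Telemetry-Tainted"], 16),
    (["Specific Behavior-Tainted", "Telemetry", "Specific Behavior-Delayed"], 124),
    (["Specific Behavior-Tainted", "Telemetry-Tainted",
      "Enrichment-Delayed-Tainted"], 73),
    (["General Behavior", "Enrichment", "Enrichment", "General Behavior",
      "Enrichment", "Specific Behavior-Delayed"], 162),
    (["Telemetry-Tainted", "Enrichment-Tainted", "General Behavior-Tainted"], 46),
    (["Specific Behavior", "Specific Behavior", "Specific Behavior-Delayed"], 177),
    (["Telemetry", "Specific Behavior", "General Behavior", "General Behavior"], 130),
]


def check_samples(cells=SAMPLE_CELLS) -> list[tuple[list[str], int, int]]:
    """Return (labels, page score, computed score) for every cell that
    the inferred scheme fails to reproduce; an empty list means it holds."""
    return [(labels, expected, score_cell(labels))
            for labels, expected in cells
            if score_cell(labels) != expected]


if __name__ == "__main__":
    mismatches = check_samples()
    print("inferred scheme reproduces all sample cells" if not mismatches
          else mismatches)
```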